Support multiple authenticate headers

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / RemoteAuthUtils.java

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/RemoteAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/RemoteAuthUtils.java
index 4a8f18fcd811a11b516597e827d173542a441c50..3c436ba1fc40edd772e161d65ea1c70bc5f39cea 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/RemoteAuthUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/RemoteAuthUtils.java
@@ -161,11 +161,15 @@ public class RemoteAuthUtils {
 
                // response.setHeader(HttpUtils.HEADER_WWW_AUTHENTICATE, "basic
                // realm=\"" + httpAuthRealm + "\"");
-               if (hasAcceptorCredentials() && !forceBasic && !negotiateFailed)// SPNEGO
-                       remoteAuthResponse.setHeader(HttpHeader.WWW_AUTHENTICATE.getHeaderName(), HttpHeader.NEGOTIATE);
-               else
+               if (hasAcceptorCredentials() && !forceBasic && !negotiateFailed) {// SPNEGO
+                       remoteAuthResponse.addHeader(HttpHeader.WWW_AUTHENTICATE.getHeaderName(), HttpHeader.NEGOTIATE);
+                       // TODO make it configurable ?
+                       remoteAuthResponse.addHeader(HttpHeader.WWW_AUTHENTICATE.getHeaderName(),
+                                       HttpHeader.BASIC + " " + HttpHeader.REALM + "=\"" + realm + "\"");
+               } else {
                        remoteAuthResponse.setHeader(HttpHeader.WWW_AUTHENTICATE.getHeaderName(),
                                        HttpHeader.BASIC + " " + HttpHeader.REALM + "=\"" + realm + "\"");
+               }
 
                // response.setDateHeader("Date", System.currentTimeMillis());
                // response.setDateHeader("Expires", System.currentTimeMillis() + (24 *