From 4ebf4b522d002884e4f2c009eef62ce2c2ab9859 Mon Sep 17 00:00:00 2001
From: Anton Tananaev <anton.tananaev@gmail.com>
Date: Wed, 28 Dec 2016 05:56:10 +1300
Subject: No Authorization header for ajax

---
 src/org/traccar/api/SecurityRequestFilter.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'src/org/traccar')

diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java
index ca3ebf04d..7024bdbc9 100644
--- a/src/org/traccar/api/SecurityRequestFilter.java
+++ b/src/org/traccar/api/SecurityRequestFilter.java
@@ -38,6 +38,8 @@ public class SecurityRequestFilter implements ContainerRequestFilter {
     public static final String AUTHORIZATION_HEADER = "Authorization";
     public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
     public static final String BASIC_REALM = "Basic realm=\"api\"";
+    public static final String X_REQUESTED_WITH = "X-Requested-With";
+    public static final String XML_HTTP_REQUEST = "XMLHttpRequest";
 
     public static String[] decodeBasicAuth(String auth) {
         auth = auth.replaceFirst("[B|b]asic ", "");
@@ -99,8 +101,11 @@ public class SecurityRequestFilter implements ContainerRequestFilter {
         } else {
             Method method = resourceInfo.getResourceMethod();
             if (!method.isAnnotationPresent(PermitAll.class)) {
-                throw new WebApplicationException(
-                        Response.status(Response.Status.UNAUTHORIZED).header(WWW_AUTHENTICATE, BASIC_REALM).build());
+                Response.ResponseBuilder responseBuilder = Response.status(Response.Status.UNAUTHORIZED);
+                if (!XML_HTTP_REQUEST.equals(request.getHeader(X_REQUESTED_WITH))) {
+                    responseBuilder.header(WWW_AUTHENTICATE, BASIC_REALM);
+                }
+                throw new WebApplicationException(responseBuilder.build());
             }
         }
 
-- 
cgit v1.2.3