I'm using Apache 2.0 as a reverse proxy for an external web application. My problem is that the external web application allows Microsoft NTLM and Basic Authentication for authentication, but my company's policy is to avoid NTLM. So I need to alter the response header so that the NTLM part is removed. How can I do that with Apache 2.0? I guess I'm looking for something like smart filtering, but that's only available in Apache 2.1.
Details:
When the user should authenticate, the HTTP response contains three headers:
[tt]
Negotiate
NTLM
Basic realm="abcd.efg"
[/tt]
What I want to do is to remove the first two, so that the client only sees Basic Authentication. How can I do that?
A simple solution that I came up with was to use the headers module and ALWAYS set the response header to Basic Authentication (removes all the original headers). However, that solution is not perfect, as the authentication header shouldn't be there when the user is already authenticated. Always setting the header makes the authentication dialog pop up every now and then.
Is there a better way? Worst case scenario would be to write my own module, but maybe there's an easier way?
Thanks!
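The filtering asked for above, sketched as an added example that is not part of the original post and is neither Apache configuration nor module code: it drops the Negotiate and NTLM challenges from an upstream response, keeps Basic, and leaves responses that carry no challenge untouched. It also covers several challenges combined in one header line, which goes beyond the three separate headers in the question; the function names, the header name `WWW-Authenticate` and the sample responses are assumptions.

```python
import re

ALLOWED_SCHEMES = {"basic"}  # assumption: policy permits only Basic
_PARAM = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+\s*=")  # auth-param: key=value

def _split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    items, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if ch == "," and not in_quotes:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
    items.append("".join(buf).strip())
    return [item for item in items if item]

def split_challenges(value):
    """Return the individual challenges carried in one WWW-Authenticate value."""
    challenges = []
    for item in _split_outside_quotes(value):
        if challenges and _PARAM.match(item):
            challenges[-1] += ", " + item  # parameter of the previous challenge
        else:
            challenges.append(item)  # a scheme name starts a new challenge
    return challenges

def filter_auth_headers(headers):
    """Drop every challenge whose scheme is not allowed; leave other headers alone."""
    kept = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            kept.append((name, value))
            continue
        for challenge in split_challenges(value):
            if challenge.split(None, 1)[0].lower() in ALLOWED_SCHEMES:
                kept.append((name, challenge))
    return kept

# Constructed sample responses (not captured traffic).
UPSTREAM_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"),
                ("WWW-Authenticate", 'Basic realm="abcd.efg"')]
UPSTREAM_200 = [("Content-Type", "text/html")]
```

Because the filter only removes what the upstream sent, an already-authenticated response gains no challenge header. If the upstream offers no Basic challenge at all, the 401 is left without any challenge.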