Auth header is not working anymore

Enonic version: 7.6.1
OS: Linux

It seems like it is not possible to use Authorization header when sending requests to XP. Not sure about all pages, but services are not authorized this way. The question is - is it a bug, or is it a change, that is done, and applications, which used auth header should be changed to use cookie?

The easiest way to reproduce this is to use postman and send a request to service using “Basic Auth” and no cookies.


This was not a documented feature and was removed for security reasons in 7.6.0: Release Enonic XP Runtime 7.6.0 · enonic/xp · GitHub

All versions after that to not have basic auth enabled on port 8080.


Thank you for a reply.

What is the best approach to replace auth header with native id provider now? Is it best to send user credentials as request params/body and login via auth lib? Or is it better to get the JSESSIONID cookie and send it with the request? Or is there any other method?

This depends on your use case. Since you are using basic-auth, I suspect you have some scripts using it. Does the management api (4848) cover your needs? If so you should use that since that still supports basic auth.

If this is not, then you can use some ID provider to obtain a session in XP and use that session.

Thanks for clarification.

Also one more thing - it seems like http client lib does not support sending requests with cookies. Since auth does not work with it now too, it might make sense to implement cookie support for it.

My idea is to login and get the auth cookie. When it’s done make a request to a service.

What do you mean it does not supporting sending cookies? Cookes are passed to servers as regular http headers: Cookie - HTTP | MDN