First of all, I'm not 100% sure whether what I'm asking is the right thing to do or not, so please feel free to correct me if I'm wrong.
Using Spring Security, I've developed a REST API backend that users can log in to using a custom entry. If my users authenticate themselves using my custom API, a session is created for them and the rest of the API entries are accessible to them, according to their role and ACL.
At the same time, these APIs are designed so they can provide services to other software. So I thought it made sense to enable HTTP Basic Authentication as well. Later on, I might work on Digest as well. If a request is authenticated using one of these methods, no session is created for it, and the client needs to re-authenticate for every single request. It's a stateless API.
So far everything is great. Users and other systems can make use of the same set of APIs. But there is a problem when a user's session has expired, or when a user starts using the backend services before logging in. In such cases, the right strategy is to redirect the user to a login page and ask them to authenticate themselves. But since I've enabled HTTP Basic Authentication, calling a REST API that needs authentication (while the user is not authenticated) leads to a browser popup asking for the username and password.
Of course, the user can enter the credentials and keep using the system. But I don't like this way of authentication for my users. First of all, the authentication credentials will stick, and I consider that a security risk. They are easily saved into the browser without informing the user that they are, and it's hard to get rid of the saved credentials. The user can leave the computer without even knowing that his username and password are saved.
So my question is: is it possible to have Basic Authentication enabled but, at the same time, prevent the browser from knowing about it? Or, even better, from acting on it?
I suspect that if I prevent the WWW-Authenticate response header from being sent back, I might be able to do so. But I'm not sure of the ramifications of such a decision. Also, I don't know how to remove that header from the response for all of the APIs.
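The configuration the question is reaching for, as an added example and not code from the original post: the browser shows its built-in credentials dialog only when a 401 response carries a `WWW-Authenticate: Basic ...` header, which is exactly what Spring Security's default `BasicAuthenticationEntryPoint` adds. Swapping in a custom `AuthenticationEntryPoint` that answers 401 without that header keeps `BasicAuthenticationFilter` active (an `Authorization: Basic` header sent by another system is still parsed and verified) while the browser just sees an ordinary 401 that the front end can turn into a redirect to the login page. This assumes Spring Security 6 with the `jakarta.servlet` API; the `/api/login` path, the class names and the JSON body are illustrative choices.

```java
import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    /**
     * Replacement for BasicAuthenticationEntryPoint. It sends 401 but deliberately
     * omits "WWW-Authenticate", so the browser never opens its credentials dialog
     * and never caches Basic credentials for this origin. Non-browser clients
     * must send the Authorization header preemptively (see note below).
     */
    static final class NoChallengeEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException ex) throws IOException {
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
            // Illustrative body: the front end redirects to its login page on any 401.
            response.getWriter().write("{\"error\":\"unauthenticated\"}");
        }
    }

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        AuthenticationEntryPoint entryPoint = new NoChallengeEntryPoint();
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/login").permitAll()   // hypothetical custom login entry
                .anyRequest().authenticated())
            // Basic auth stays on: BasicAuthenticationFilter still validates an
            // Authorization header when one is present. Bad credentials go to this
            // entry point instead of the default challenge-emitting one.
            .httpBasic(basic -> basic.authenticationEntryPoint(entryPoint))
            // Requests with no credentials at all (expired session, not logged in)
            // reach ExceptionTranslationFilter, which uses this entry point too,
            // so there is no path left that emits WWW-Authenticate.
            .exceptionHandling(eh -> eh.authenticationEntryPoint(entryPoint));
        return http.build();
    }
}
```

Two things to check after wiring this in: first, `curl -i https://host/api/whatever` with no credentials must return `401` with no `WWW-Authenticate` line, and the same request with `-u user:pass` must return `200`. Second, the ramification the question asks about: HTTP clients that only send Basic credentials after receiving a challenge (Apache HttpClient does this by default) will now fail, because the challenge never comes. Those callers have to be configured for preemptive authentication, i.e. to attach the `Authorization` header on the first request; clients like curl's `-u` or Python requests' `auth=` already do that.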