I am developing a REST API that supports two kinds of authentication protocols:
- login form authentication – for browser based clients.
- Simple Basic authentication – for non-browser clients.
I developed a flow in which unauthenticated requests redirected to the “login form”, the problem is that this is an undesired behavior for non-borwser clients!
I thought to solve it by decide according to the “User-Agent” what to do: browsers will be redirected to the “login form” and non-browser clients will get the standard 401:Basic Authentication.
A. What do you think about this solution?
B. Is there a standard way in Java to check if the request came from browser, or do i need to develop this kind of mechanism by my own?
Thanks in advance!
Since you have total control over the client, you have many other ways to do this without checking User-Agent,
Use a different URL for client login. Our client doesn’t get HTML back so we use a different endpoint.
Pass a special parameter like client_version in the URL.
If you insist on checking user-agent, use a special string so everything else is browser.