Web Scripts ignore the correct credential provided by the user, continue to use the expired or invalid ALF_TICKET, and at the same time repeatedly prompt for another credential input
[Steps to reproduce]
1. In a browser, go to any GET web script with an expired or invalid ALF_TICKET in the URL parameter. For example:
2. The browser prompts you for an admin username and password for Basic HTTP Authentication in a pop-up screen, so enter an admin username and password and click OK.
[Observed behaviour]
The browser repeatedly prompts for a username and password even after the user has correctly entered a valid admin credential. The system ignores the user's credential input and continues to use the expired or invalid ALF_TICKET.
[Expected behaviour]
Alfresco does not ignore the credential entered by the user and does not prompt for a credential over and over again.
The ALF_TICKET provided by Alfresco is a convenient way for users to avoid re-authenticating via Basic HTTP Authentication every time a web script page is requested. However, users may also bookmark a Web Script URL with an ALF_TICKET parameter. When a user clicks such a URL after the session has expired, the browser just repeatedly prompts for a credential without actually taking the user to the page.
The issue can be easily rectified by modifying BasicHttpAuthenticatorFactory.java as shown in the attachment BasicHttpAuthenticatorFactory_proposal.java. When the code checks the ALF_TICKET and finds that it has expired, it should also check whether the user has provided an authentication credential via the browser pop-up screen. If the user has, the code should attempt a secondary authentication against the credential provided.
The problem here is that a pop-up screen is thrown at the user asking for a credential, but Alfresco ignores it, which defeats the point of asking for one in the first place.
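The fallback order proposed above can be sketched as follows. This is an added example, not the attached BasicHttpAuthenticatorFactory_proposal.java and not Alfresco code: `AuthService`, `Outcome`, `decide` and the sample ticket and account values are hypothetical stand-ins so the decision logic runs on its own. An invalid ticket never grants access by itself, and a wrong Basic credential still ends in a fresh challenge.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
/** Added illustration: every type and name here is hypothetical, not Alfresco's API. */
public class TicketFallbackDemo {
    interface AuthService {
        boolean validateTicket(String ticket);           // false when expired or invalid
        boolean authenticate(String user, char[] pass);  // true when the credential is accepted
    }
    enum Outcome { TICKET_OK, BASIC_OK, CHALLENGE }

    /** Decide how one request is authenticated from its ticket parameter and Authorization header. */
    static Outcome decide(AuthService auth, String ticket, String authorization) {
        // 1. A ticket that still validates is enough on its own.
        if (ticket != null && !ticket.isEmpty() && auth.validateTicket(ticket)) {
            return Outcome.TICKET_OK;
        }
        // 2. Ticket missing, expired or invalid: try the Basic credential before challenging again.
        if (authorization != null && authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
                String pair = new String(raw, StandardCharsets.UTF_8);
                int colon = pair.indexOf(':');
                if (colon > 0 && auth.authenticate(pair.substring(0, colon),
                                                   pair.substring(colon + 1).toCharArray())) {
                    return Outcome.BASIC_OK;
                }
            } catch (IllegalArgumentException malformedBase64) {
                // Undecodable header: treat it as if no credential had been sent.
            }
        }
        // 3. Nothing usable: the caller answers 401 with a WWW-Authenticate: Basic challenge.
        return Outcome.CHALLENGE;
    }

    public static void main(String[] args) {
        // Constructed sample data: one valid ticket and one admin account.
        AuthService auth = new AuthService() {
            public boolean validateTicket(String t) { return "TICKET_valid".equals(t); }
            public boolean authenticate(String u, char[] p) {
                return "admin".equals(u) && "s3cret".equals(new String(p));
            }
        };
        String good = "Basic " + Base64.getEncoder().encodeToString("admin:s3cret".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString("admin:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println("expired ticket, no header:   " + decide(auth, "TICKET_expired", null));
        System.out.println("expired ticket, valid Basic: " + decide(auth, "TICKET_expired", good));
        System.out.println("expired ticket, wrong Basic: " + decide(auth, "TICKET_expired", bad));
    }
}
```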