Remove www-authentication header from response

Hi experts,

I’m using webMethods MSR 10.11. I have developed a custom UI application using Angular and I’ve deployed to my IS package’s pub folder. Using UI, I’m calling REST apis developed using wM MSR but in case of an un-authenticated call, browser shows Basic Authentication login dialog box due to www-authentication header in response.

How can I get rid of www-authentication header in response or the basic authentication dialog box?

I have tried sending “X-Request-With”: “XMLHttpRequest” in request headers, but no success.


You need to look at the permissions on the service behind your API. From Designer click on your service and in the properties panel click on permissions and set the execute ACL to ‘Anonymous’. If all the services are in the same folder you can set the permissions at the folder level.

I do want API calls to be authenticated and leverage the user accounts created on IS and session management.

You said that you want to do a un-authenticated call ?
So I’m a little lost. You will need to authenticate in advance if you want to invoke a protected API. Do this by creating a login form and then calling a function like the one below

public connect(user: string, passswrd: string): Observable<string> {

    const url: string = 'http://localhost:5555/invoke/wm.server/login'

    const headers = GLOBALS.headers()
    const data = {username: user, password: passswrd}

    return, data, { headers })
      .pipe(catchError(error => {
        return of(null)
      .pipe(map( (responseData: any) => {

        if (responseData && responseData.metadata) {
          return responseData.metadata.userType
        } else {
          return null

Apologies for the confusion. By un-authenticated I meant, user invoking an API with user session expired or without loggin in.
Thanks for sharing the snippet. I can successfully login and logout a user. However, in case user session gets expired meanwhile and they try to access one of the application pages directly (without going through login page) which then calls one of my REST APIs, I get basic authentication dialog appeared. Because of the www-authentication sent by IS in response.
Looks like after digging around a bit, I have found a solution. Generally, servers don’t send www-authentication header in response if “X-Requested-With”:“XMLHttpRequest” header is found in request. In case of IS/ MSR, the same can be achieved by sending “X-wM-AdminUI”:“true”.

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.