I have an application (Pentaho) which uses ACEGI as a security framework. I need it to expose a BASIC secured URL. I configured it properly and when I request the URL, the response includes a WWW-Authenticate header. My browser sends back a valid and verified Authentication header, but somewhere in the process, it gets stripped off the request object. Debugging ACEGI shows that the header never got to the application.
How is it possible that a header gets removed ? Does JBoss 4.2.1-GA have a mechanism that intercepts the authentication headers ?
(BTW. I'm pretty sure that application web.xml is not configured to use BASIC auth. Can anyone help me to confirm that ?)