You can make your application code check the authorization header, get the username from there and do authorization based on that.