cxf-dev mailing list archives

From Polar Humenn <>
Subject Re: HTTP Basic Authentication Is there hope?
Date Mon, 12 Feb 2007 19:13:02 GMT
Glynn, Eoghan wrote:
>> I can construct a complex graph of interceptors on the server 
>> side to send the 401 and the proper realm information.
> A complex graph of interceptors just to send a 401?
> Can you describe what server-side interceptor chains you needed to
> achieve this? If something so simple as rejecting an incoming request
> with an auth challenge requires some complex choreography in the
> server-side interceptor chains, then we are surely doing something very
> wrong in our interceptor/dispatch architecture.
Well, I'll tell you what I did. I am still somewhat naive about this, so 
please tell me if I have gone astray. This is where I was learning about 
interceptors, and when handleMessage and handleFault get called. I 
think I'm better informed about that now, but I may still be lacking in 
some aspects.

I set up one inbound interceptor on the RECEIVE phase to check for the 
authorization information, if present, and validate it. If it wasn't there 
or didn't validate, I threw a Fault, which was subclassed to HTTPBAFault, 
which held the realm identifier.

This inbound InterceptorChain unwinds through the inbound chain. In 
handleFault() I tried setting the response code, but that was 
ineffective, as I realized I was not really manipulating a response 
there. So I knew I couldn't do this entirely in one interceptor. Fair enough.

Throwing the Fault, I found, automatically generates a response message, 
which seems to know it's a "fault" message with a response code of 500 and 
heads out in an outbound fault interceptor chain using handleMessage().

I set up a second interceptor that gets installed (dynamically?) on the 
OutFaultInterceptor chain on the USER_STREAM phase. I discovered some 
state saved on the message in the previous interceptor chain, which was 
the actual HTTPBAFault I threw, which I discovered is available through 
a Message.getContent(Exception.class) call. Then I changed the response 
code from 500 to a 401 and had to add the Authorization header with the 
realm information.

I am not sure if I got the phases right for this sort of thing (I played 
with these with varying degrees of success and failure), or even if I 
took the right approach. I may be relying on some technique or 
information that is coincidental and not guaranteed.
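The two-interceptor arrangement the message describes, written out as an added example against the CXF interceptor API (AbstractPhaseInterceptor, Fault, Message.PROTOCOL_HEADERS, Message.RESPONSE_CODE). This is not code from the message or from the CXF project. The class names, the CredentialChecker hook and the realm are hypothetical; the phases are the ones the message reports (RECEIVE inbound, USER_STREAM on the out-fault chain) and are an assumption to verify against your CXF version. It also assumes the HTTP transport hands in PROTOCOL_HEADERS as a case-insensitive map, which is how CXF's HTTP destination builds it. The challenge header a client expects is WWW-Authenticate (RFC 2617); the realm is quoted and escaped so a realm string cannot break the header out of its quotes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import org.apache.cxf.Bus;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/** Hypothetical example: HTTP Basic auth as an in-interceptor plus an out-fault interceptor. */
public final class BasicAuthExample {

    /** Hypothetical hook for a real user store; implement with a constant-time comparison. */
    public interface CredentialChecker {
        boolean valid(String user, char[] password);
    }

    /** The Fault the in-interceptor throws; the out-fault chain reads the realm back from it. */
    public static class HttpBasicAuthFault extends Fault {
        private final String realm;
        public HttpBasicAuthFault(String realm) {
            super(new SecurityException("HTTP Basic authentication required"));
            this.realm = realm;
        }
        public String getRealm() { return realm; }
    }

    /** RECEIVE-phase in-interceptor: parse "Authorization: Basic ..." and verify, or throw. */
    public static class BasicAuthInInterceptor extends AbstractPhaseInterceptor<Message> {
        private final String realm;
        private final CredentialChecker checker;
        public BasicAuthInInterceptor(String realm, CredentialChecker checker) {
            super(Phase.RECEIVE);
            this.realm = realm;
            this.checker = checker;
        }

        public void handleMessage(Message message) throws Fault {
            Map<String, List<String>> headers =
                CastUtils.cast((Map<?, ?>) message.get(Message.PROTOCOL_HEADERS));
            // assumption: the transport's header map is case-insensitive, so one lookup suffices
            List<String> values = headers == null ? null : headers.get("Authorization");
            String authz = values == null || values.isEmpty() ? null : values.get(0);
            if (authz == null || !authz.regionMatches(true, 0, "Basic ", 0, 6)) {
                throw new HttpBasicAuthFault(realm);   // no usable credentials: challenge
            }
            String decoded;
            try {
                byte[] raw = Base64.getDecoder().decode(authz.substring(6).trim());
                decoded = new String(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                throw new HttpBasicAuthFault(realm);   // garbage base64 is a 401, not a 500
            }
            int colon = decoded.indexOf(':');
            char[] password = colon < 0 ? new char[0] : decoded.substring(colon + 1).toCharArray();
            try {
                if (colon < 0 || !checker.valid(decoded.substring(0, colon), password)) {
                    throw new HttpBasicAuthFault(realm);
                }
            } finally {
                Arrays.fill(password, '\0');   // scrub the secret once it has been checked
            }
        }
    }

    /** Out-fault interceptor: CXF puts the thrown exception under getContent(Exception.class)
     *  and defaults the status to 500; rewrite only our own fault into a 401 challenge. */
    public static class BasicAuthChallengeOutInterceptor extends AbstractPhaseInterceptor<Message> {
        public BasicAuthChallengeOutInterceptor() {
            super(Phase.USER_STREAM);   // assumption: after the default 500 is set, before headers flush
        }

        public void handleMessage(Message message) throws Fault {
            Exception cause = message.getContent(Exception.class);
            if (!(cause instanceof HttpBasicAuthFault)) {
                return;   // any other fault keeps its own status and body
            }
            String realm = ((HttpBasicAuthFault) cause).getRealm().replace("\"", "\\\"");
            message.put(Message.RESPONSE_CODE, 401);
            Map<String, List<String>> headers =
                CastUtils.cast((Map<?, ?>) message.get(Message.PROTOCOL_HEADERS));
            if (headers == null) {
                headers = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
                message.put(Message.PROTOCOL_HEADERS, headers);
            }
            headers.put("WWW-Authenticate", Arrays.asList("Basic realm=\"" + realm + "\""));
        }
    }

    /** Wire both halves onto a Bus (any other InterceptorProvider, e.g. an Endpoint, works too). */
    public static void install(Bus bus, String realm, CredentialChecker checker) {
        bus.getInInterceptors().add(new BasicAuthInInterceptor(realm, checker));
        bus.getOutFaultInterceptors().add(new BasicAuthChallengeOutInterceptor());
    }
}
```

Two things to check before relying on the phase choice. The SOAP fault out interceptor writes the fault's status into Message.RESPONSE_CODE when it marshals the fault, so a challenge interceptor placed at an earlier out phase has its 401 overwritten; and the HTTP transport fixes the status and headers on the first write to the response stream, so the interceptor must also run before the marshalled fault is flushed. USER_STREAM sits between those two points in the CXF versions I know, which matches what the message reports working, but the interceptor chain ordering is the thing to confirm for your release rather than assume.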

