cxf-issues mailing list archives

From "Christian Schneider (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6206) JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
Date Tue, 20 Jan 2015 12:28:35 GMT

[ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283771#comment-14283771 ]

Christian Schneider commented on CXF-6206:
------------------------------------------

I agree that a SOAP Fault and a 500 response code should be good for WS-Security. So probably
we do not need any special handling for it as this is the default handling of exceptions anyway.

I also think that we should make REST work with Subject.doAs() as only then further security
processing based on a JAAS login can occur. Depending on how difficult this is to do with the
current REST implementation this can take a while though. So it would be great if Sergey or
anyone else familiar with our rest impl can make this happen. I do not know enough about it
to do that myself.

About standardizing the JAAS security: I agree with Niels that it would be nice to have it
in one place. So you can simply add the JAASLoginFeature to e.g. the bus and have SOAP as
well as REST secured with it. Of course Sergey is also correct that the JAASLoginInterceptor
should not become much more complicated.

What I could imagine is that we simply limit and define exactly what JAASLoginInterceptor
is responsible for. What I could imagine is that it only forwards existing credentials from
the cxf message to JAAS and produces defined exceptions in case of failures. Collecting the
credentials as well as converting the exception to a response should be done outside the JAASLoginInterceptor.
I think with these limitations it should stay fairly simple while still being the central
place to do the JAAS handling.


> JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
> -----------------------------------------------------------------------------------------------
>
>                 Key: CXF-6206
>                 URL: https://issues.apache.org/jira/browse/CXF-6206
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate header.
> I experimented with turning the AuthenticationException into a 401 response in the http transport. Not sure where to take auth type and realm from though. I am also not sure how to distinguish basic auth from WSS Security UsernameToken, as in the second case 401 is probably not correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
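The split proposed in the thread (JAASLoginInterceptor only raises a defined exception, the conversion to an HTTP response happens elsewhere) can be sketched as a separate out-fault interceptor. The following is an added example written for this archive page; it is not code from the CXF project or from any of the commenters. It assumes the CXF core API as of the 3.x line (AbstractPhaseInterceptor, Message, AuthorizationPolicy, AuthenticationException), picks Phase.PRE_STREAM as the point where status and headers are still changeable, and takes the realm string from whoever constructs the interceptor, since the issue itself notes that the realm source is undecided. The package name and class name are placeholders.

```java
// Added example, not CXF project code. Maps a JAAS AuthenticationException to
// HTTP 401 + WWW-Authenticate, but only when the failed credentials arrived as
// HTTP Basic auth. A WS-Security UsernameToken request carries no
// AuthorizationPolicy on the in-message, so it keeps the default SOAP Fault / 500,
// which is the behaviour the thread agrees is correct for WS-Security.
package example.security; // hypothetical package

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public class BasicAuthFailureInterceptor extends AbstractPhaseInterceptor<Message> {

    private final String realm; // assumed to come from configuration

    public BasicAuthFailureInterceptor(String realm) {
        // PRE_STREAM: the fault has not been written yet, so RESPONSE_CODE and
        // PROTOCOL_HEADERS on the out-fault message are still honoured by the transport.
        super(Phase.PRE_STREAM);
        this.realm = realm;
    }

    @Override
    public void handleMessage(Message faultMessage) throws Fault {
        // On the out-fault chain the exception that triggered the fault is stored
        // as Exception content; CXF usually wraps the original cause in a Fault.
        Exception ex = faultMessage.getContent(Exception.class);
        Throwable cause = (ex instanceof Fault && ex.getCause() != null) ? ex.getCause() : ex;
        if (!(cause instanceof AuthenticationException)) {
            return; // unrelated fault: leave default handling untouched
        }

        // Decide by how the credentials reached us, not by which interceptor failed.
        Message in = faultMessage.getExchange().getInMessage();
        AuthorizationPolicy policy = in == null ? null : in.get(AuthorizationPolicy.class);
        if (policy == null || !"Basic".equalsIgnoreCase(policy.getAuthorizationType())) {
            return; // no HTTP Basic credentials (e.g. WSS UsernameToken): keep SOAP Fault / 500
        }

        faultMessage.put(Message.RESPONSE_CODE, 401);

        @SuppressWarnings("unchecked")
        Map<String, List<String>> headers =
            (Map<String, List<String>>) faultMessage.get(Message.PROTOCOL_HEADERS);
        if (headers == null) {
            headers = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
            faultMessage.put(Message.PROTOCOL_HEADERS, headers);
        }
        List<String> challenge = new ArrayList<String>();
        // Quote the realm; a realm containing '"' would need escaping, which this example does not attempt.
        challenge.add("Basic realm=\"" + realm + "\"");
        headers.put("WWW-Authenticate", challenge);
    }

    // Registration, e.g. on the bus so both SOAP and JAX-RS endpoints share it:
    //   bus.getOutFaultInterceptors().add(new BasicAuthFailureInterceptor("cxf-realm"));
}
```

The interceptor does not touch the fault body, so a SOAP client still receives a readable fault alongside the 401, and it deliberately keys on the presence of an HTTP Basic AuthorizationPolicy rather than on the interceptor that threw, which is the distinction the issue reporter was unsure how to draw.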
