cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CXF-6206) JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
Date Tue, 20 Jan 2015 12:38:35 GMT

    [ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283774#comment-14283774 ]

Sergey Beryozkin edited comment on CXF-6206 at 1/20/15 12:37 PM:
-----------------------------------------------------------------

Christian, JAASLoginInterceptor sets a SecurityContext and it is a fundamental property of
this interceptor. Let's not affect it.
Besides, people have successfully used it before in REST chains without the doAs interposition,
so based on that I do not agree that it cannot properly work without doAs.

It appears the only thing doAs provides for is that the service can get to the JAAS Subject via
the JAAS API, but I've never heard anyone complaining about the fact they can't do it now;
in many cases people prefer working with the JAX-RS SecurityContext. Using the JAAS API in the service
will very likely make such services non-portable, because I'm not aware of the requirements
that it has to work across multiple containers.




> JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
> -----------------------------------------------------------------------------------------------
>
>                 Key: CXF-6206
>                 URL: https://issues.apache.org/jira/browse/CXF-6206
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate header.
> I experimented with turning the AuthenticationException into a 401 response in the http
> transport. Not sure where to take the auth type and realm from, though. I am also not sure how
> to distinguish basic auth from WSS Security UsernameToken, as in the second case 401 is probably
> not correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
