cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christian Schneider (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6206) JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
Date Tue, 20 Jan 2015 12:45:34 GMT

    [ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283782#comment-14283782
] 

Christian Schneider commented on CXF-6206:
------------------------------------------

I did not say that it can not work without doAs but without it you can not use standard JAAS
api to access the security context. Using the CXF SecurityContext makes the user code depend
on CXF which is not ideal if there is a standard way that provides the same result.  Of course
we should still populate the CXF SecurityContext for backwards compatiblity. 


> JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic
auth fails
> -----------------------------------------------------------------------------------------------
>
>                 Key: CXF-6206
>                 URL: https://issues.apache.org/jira/browse/CXF-6206
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
>
>
> Currently we return a Fault with a AuthenticationException when JAAS login fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate header.
> I experimented with turning the AuthenticationException into a 401 response in the http
transport. Not sure where to take auth type and realm from though. I am also not sure how
to distinguish basic auth from WSS Security UsernameToken. As in the second case 401 is probably
not correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message