cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6206) JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
Date Tue, 20 Jan 2015 12:53:34 GMT

    [ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283786#comment-14283786 ]

Sergey Beryozkin commented on CXF-6206:
---------------------------------------

Hi Christian,
But no one is using CXF SecurityContext directly, neither in JAX-WS nor JAX-RS implementations;
they have JAX-WS or JAX-RS SecurityContext injected. Hence I'm saying that if we start recommending
people use the JAAS API then we will need to warn them that it may/might become non-portable:
for example, if a CXF JAX-RS user migrates to Jersey or RestEasy, which offers some other JAAS
support (possibly at the container level), then we cannot guarantee those containers will run
the chain in the context of JAAS doAs. See what I mean?

+1 to making the submission of credentials to JAAS more flexible.

> JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
> -----------------------------------------------------------------------------------------------
>
>                 Key: CXF-6206
>                 URL: https://issues.apache.org/jira/browse/CXF-6206
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate header.
> I experimented with turning the AuthenticationException into a 401 response in the http
> transport. Not sure where to take auth type and realm from though. I am also not sure how
> to distinguish basic auth from WSS Security UsernameToken, as in the second case 401 is probably
> not correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
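For the JAX-RS side of the issue discussed above, here is an added example (not CXF's own code or anything from the thread) of mapping a failed JAAS login to a 401 with a WWW-Authenticate challenge only when the request actually carried HTTP Basic credentials. It assumes CXF's org.apache.cxf.interceptor.security.AuthenticationException is the exception thrown by JAASLoginInterceptor, and the realm name is a constructed placeholder.

```java
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.interceptor.security.AuthenticationException;

/**
 * JAX-RS provider that turns a JAAS login failure into the HTTP response
 * the issue asks for. Register it on the CXF JAX-RS endpoint like any
 * other provider.
 */
@Provider
public class JaasLoginFailureMapper implements ExceptionMapper<AuthenticationException> {

    // Constructed placeholder; a real deployment reads the realm from configuration.
    private static final String REALM = "example-realm";

    @Context
    private HttpHeaders headers;

    @Override
    public Response toResponse(AuthenticationException ex) {
        String authz = headers.getHeaderString(HttpHeaders.AUTHORIZATION);
        boolean basicAuthPresent =
            authz != null && authz.regionMatches(true, 0, "Basic ", 0, 6);

        if (basicAuthPresent) {
            // Credentials came in over HTTP Basic: answer 401 and tell the client
            // which scheme and realm to authenticate against (RFC 7235).
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + REALM + "\"")
                    .build();
        }

        // No Basic credentials on the transport (for example a WSS UsernameToken carried
        // in the message body): a Basic challenge would mislead the client, so this
        // example answers with a plain 403 and no WWW-Authenticate header.
        return Response.status(Response.Status.FORBIDDEN).build();
    }
}
```

The mapper deliberately never echoes the failing username or the JAAS exception text into the response body; details of why the login failed belong in the server log, not in what the client sees.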
