cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Niels Bertram (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6206) JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
Date Tue, 20 Jan 2015 13:02:35 GMT

    [ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283796#comment-14283796
] 

Niels Bertram commented on CXF-6206:
------------------------------------


Sergey, Isn't setting up the Subject in the JAAS execution context the whole idea of using
doAs? If we take authentication on Weblogic and Oracle Service Bus for instance, you can always
get the authenticated subject from the underlying security manager. I Would say making sure
the JAASAuthenticationFilter supports JAAS doAs would add better portability to any REST service
than having to write glue code in the resource bean around the fact that the thead continues
anonymous execution. Just saying.

> JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic
auth fails
> -----------------------------------------------------------------------------------------------
>
>                 Key: CXF-6206
>                 URL: https://issues.apache.org/jira/browse/CXF-6206
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
>
>
> Currently we return a Fault with a AuthenticationException when JAAS login fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate header.
> I experimented with turning the AuthenticationException into a 401 response in the http
transport. Not sure where to take auth type and realm from though. I am also not sure how
to distinguish basic auth from WSS Security UsernameToken. As in the second case 401 is probably
not correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message