cxf-issues mailing list archives

From "Niels Bertram (JIRA)" <>
Subject [jira] [Commented] (CXF-6206) JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
Date Tue, 20 Jan 2015 14:17:35 GMT


Niels Bertram commented on CXF-6206:

Yes, sure, I can open another JIRA, but essentially Christian opened this one based on our discussion on the Karaf forum.

I made a change to the JAXRS filter to show what would need to be supported:

I also created an example project to show what I am trying to do (a JAXRS service using CXF
3.0.4-SNAPSHOT on Karaf 3.0.2):

The JSR-250 reference is to use the {{}} annotations together with container auth (in this case Aries Blueprint), which requires a valid JAAS security context ... which does not exist if the doAs is hard-wired disabled in the JAASAuthenticationFilter.

Something like this:
public Response echo(@PathParam("echotoken") String message) {

	Token token = new Token(message);

	// get access to the JAAS subject via the current access control context (OSGi)
	AccessControlContext acc = AccessController.getContext();
	if (acc == null) {
		token.appendError("access control context is null");
	}

	// Subject.getSubject(null) would throw, so only look the subject up when we have a context
	Subject subject = (acc == null) ? null : Subject.getSubject(acc);
	if (subject == null) {
		token.appendError("subject is null");
	} else {
		Set<Principal> principals = subject.getPrincipals();
		for (Principal principal : principals) {
			if (principal instanceof UserPrincipal) {
				// body of this branch was cut off in the archived message
			}
		}
	}

	return Response.ok(token).build();
}


Does that make sense? Niels

> JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
> -----------------------------------------------------------------------------------------------
>                 Key: CXF-6206
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
> Currently we return a Fault with an AuthenticationException when JAAS login fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate header.
> I experimented with turning the AuthenticationException into a 401 response in the http
> transport. Not sure where to take auth type and realm from though. I am also not sure how
> to distinguish basic auth from WSS Security UsernameToken. As in the second case 401 is probably
> not correct.

This message was sent by Atlassian JIRA
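As an added example (not code from CXF, Karaf or the poster, and not CXF's JAASAuthenticationFilter), here is a standalone servlet filter that shows the two behaviours this thread is about: a JAAS login failure on HTTP Basic credentials is answered with a 401 and a WWW-Authenticate challenge instead of a Fault, and on success the rest of the chain runs inside Subject.doAs, so a downstream JAX-RS resource such as the echo method above finds a non-null Subject via AccessController.getContext(). The class name, the JAAS context name handed to LoginContext and the realm string in the challenge are assumptions; the WSS UsernameToken case raised in the issue description is deliberately not covered, since a 401 challenge is the wrong answer there.

```java
// Added example, not part of CXF: authenticate HTTP Basic credentials through a JAAS
// LoginContext, send 401 + WWW-Authenticate on failure, run the chain inside Subject.doAs.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class JaasBasicAuthDoAsFilter implements Filter {
    private final String jaasContextName; // JAAS application name, e.g. "karaf" (assumed)
    private final String challengeRealm;  // realm string sent in WWW-Authenticate (assumed)

    public JaasBasicAuthDoAsFilter(String jaasContextName, String challengeRealm) {
        this.jaasContextName = jaasContextName;
        this.challengeRealm = challengeRealm;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        String[] creds = parseBasic(request.getHeader("Authorization"));
        if (creds == null) {
            challenge(response);            // missing or malformed header: ask for credentials
            return;
        }
        Subject subject;
        try {
            subject = login(creds[0], creds[1].toCharArray());
        } catch (LoginException e) {
            challenge(response);            // JAAS rejected the credentials: 401, not a Fault
            return;
        }
        try {
            // From here on Subject.getSubject(AccessController.getContext()) is non-null
            // in the resource method, because the whole downstream chain runs inside doAs.
            Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
                chain.doFilter(request, response);
                return null;
            });
        } catch (PrivilegedActionException e) {
            throw new ServletException(e.getCause());
        }
    }

    /** Decodes "Basic base64(user:password)"; returns null for anything not of that shape. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;                    // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        // split at the first ':' only; RFC 7617 allows ':' inside the password
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    private Subject login(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext(jaasContextName, handler);
        lc.login();                         // throws LoginException when the login modules reject
        return lc.getSubject();
    }

    private void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + challengeRealm + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Registered in front of the CXF servlet, this filter makes the Subject visible to the resource method without any doAs support in the JAX-RS layer; the same doAs wrapping is what a JAX-RS filter cannot do on its own, because a ContainerRequestFilter returns before the resource runs rather than wrapping the call. A 401 with a Basic challenge is only right when the credentials actually came in an Authorization header, which is why this example takes no position on the UsernameToken case.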
