cxf-issues mailing list archives

From "Niels Bertram (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CXF-6206) JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
Date Tue, 20 Jan 2015 14:21:35 GMT

    [ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283842#comment-14283842 ]

Niels Bertram edited comment on CXF-6206 at 1/20/15 2:21 PM:
-------------------------------------------------------------

Yes, sure, I can open another JIRA, but essentially Christian opened this one based on our discussion
on the Karaf forum.

I made a change to the JAXRS filter to show what would need to be supported:
[https://github.com/bertramn/cxf/commit/94d6725352823a2d055d4556046eab3feeabf580]

(BTW the above change will not work because the doAs somehow causes an NPE in JAXRSInvoker.java:358.)

I also created an example project to show what I am trying to do (a JAXRS service using CXF
3.0.4-SNAPSHOT on Karaf 3.0.2):
[https://github.com/bertramn/jaas-auth-rest-example]

The JSR250 reference is to use the {{@javax.annotation.security.RolesAllowed}} annotations
together with container auth (in this case Aries Blueprint), which requires a valid JAAS security
context ... which does not exist if the doAs is hard-wired disabled in the JAASAuthenticationFilter.

Something like this:
{code:java}
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.util.Set;

import javax.annotation.security.RolesAllowed;
import javax.security.auth.Subject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

// Assumed to be Karaf's user principal (org.apache.karaf.jaas.boot bundle).
import org.apache.karaf.jaas.boot.principal.UserPrincipal;

// Resource method of the example project; Token is the project's own response bean
// (appendError/setPrincipal are its methods).
@GET
@Path("/jaas/{echotoken}")
@RolesAllowed("admin")
public Response echo(@PathParam("echotoken") String message) {

	Token token = new Token(message);

	// get access to subject in OSGi
	AccessControlContext acc = AccessController.getContext();
	if (acc == null) {
		token.appendError("access control context is null");
	}

	// Only non-null when the invocation runs inside Subject.doAs(...)
	Subject subject = Subject.getSubject(acc);
	if (subject == null) {
		token.appendError("subject is null");
	} else {
		Set<Principal> principals = subject.getPrincipals();
		for (Principal principal : principals) {
			if (principal instanceof UserPrincipal) {
				token.setPrincipal(principal.getName());
			}
		}
	}

	return Response.ok(token).build();

}
{code}

Does that make sense? Niels

> JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
> -----------------------------------------------------------------------------------------------
>
>                 Key: CXF-6206
>                 URL: https://issues.apache.org/jira/browse/CXF-6206
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
>
>
> Currently we return a Fault with a AuthenticationException when JAAS login fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate header.
> I experimented with turning the AuthenticationException into a 401 response in the http
> transport. Not sure where to take auth type and realm from though. I am also not sure how
> to distinguish basic auth from WSS Security UsernameToken. As in the second case 401 is probably
> not correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
