cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Niels Bertram (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6206) JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic auth fails
Date Wed, 21 Jan 2015 11:44:34 GMT

    [ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14285534#comment-14285534
] 

Niels Bertram commented on CXF-6206:
------------------------------------

Yes it does work now for my intends and purposes. The only annoying thing is that {{org.apache.cxf.phase.PhaseInterceptorChain.java:386}}
is logging a stack trace for failed auth attempts at WARN level. Not sure if this is desirable
given there may be lots and lots of these rolling through the logs, especially if someone
gets attacked. Do you know if this can be configured without affecting logging of genuine
exceptions?

> JAASLoginInterceptor: Return proper unauthorized response when JAAS login with basic
auth fails
> -----------------------------------------------------------------------------------------------
>
>                 Key: CXF-6206
>                 URL: https://issues.apache.org/jira/browse/CXF-6206
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
>
>
> Currently we return a Fault with a AuthenticationException when JAAS login fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate header.
> I experimented with turning the AuthenticationException into a 401 response in the http
transport. Not sure where to take auth type and realm from though. I am also not sure how
to distinguish basic auth from WSS Security UsernameToken. As in the second case 401 is probably
not correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message