cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Kulp <>
Subject Re: [JAX-RS]Http Digest Authentication support?
Date Mon, 26 Jan 2009 15:07:36 GMT

On Friday, I committed code to trunk to make it do digest auth.   I'll get 
that merged to 2.1.x today and get new snapshots up.   I've only tested 
against a simple service running in tomcat right now so it would be GREAT if 
someone else gave it a quick try to make sure it works.

One note:
digest auth requires more of a "hand shake" and thus you will probably need to 
turn on request buffering.   Turning on the auto-redirect property of the 
conduit will do that.   MAY also need to turn off chunking.   Not sure on 


On Thursday 22 January 2009 8:14:05 pm krause wrote:
> Any updates on this?
> I think I have the same requirement and haven't been able to find any info
> on how to do digest authentication at the transport layer, (i.e. HTTP) with
> CXF.  I have done it using Axis, which in turn uses  HttpClient and it is
> just a matter of adding the username and password and HttpClient does the
> rest.  The only info I have found regarding digest authentication for CXF
> is related to WS-Security, wich is at a higher level but is not what I need
> (which is arguably better, since it is independent from the transport:
> http, jms, mail, etc.) .
> I have skimming through CXF documentation (and posts like this one) and it
> seems that this might be accomplished using CXF interceptors, but I don't
> have a clue on how to tap into the underlying http connection management to
> handle digest authentication.
> I also found this
> thread in which it is suggested that in order to use HttpClient as a
> transport for CXF it has to be implemented as a conduit.
> The fact that there seems to be no easy way of doing it with CXF, and that
> no one seems to have contributed an interceptor or conduit for doing this
> makes me wonder if what I'm trying to do can be accomplished some other way
> which I'm not aware of.
> There is a Jira issue  open
> for this, but there doesn't seem to be much activity.
> Any feedback would be very welcome.
> Regards
> Gabo Manuel wrote:
> > Hi All,
> >
> > I am currently trying to implement a ReST service and was hoping to put
> > some security to it. Afaik, WS-security is already not an option since I
> > am not exposing a SOAP service (am I wrong here?).
> >
> > I tried searching the forums for some hint on where to go. I was able to
> > find entries re: Http Basic and SSL. I was hoping to take advantage of
> > the username/pwd of Http Digest and use that later in the request
> > processing, e.g. check privilege on the object accessed.
> >
> > I am already inclined to create a handler/interceptor to retrieve an
> > "Authorization" header param and perform the hash calculation and
> > comparison there. I am unsure of two things:
> >
> > ...

Daniel Kulp

View raw message