[https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14285435#comment-14285435]
Sergey Beryozkin edited comment on CXF-6206 at 1/21/15 10:00 AM:
-----------------------------------------------------------------
Christian, +1 to shipping such an interceptor, IMHO it is the cleanest
non-intrusive solution.
Niels, to be honest your analysis has a fair bit of speculation. Are you
claiming that all the web services that do not use JAAS to authenticate and
rely on a security context being available on the current thread are broken
because their developers do not care about the security? It is just nonsense.
Just use JAASLoginInterceptor if you do need doAs interposing by any means;
however, I do not recommend you or other users mess with a JAAS API directly in
your code because it may be non-portable and also brittle, and would break as
soon as JAAS uses a different strategy for representing user principals.
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the http transport. Not sure where to take the auth type and realm from,
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken, as in the second case 401 is probably not correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
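One way to do what the issue description asks for, as an added example that is neither CXF's own code nor the interceptor Christian refers to: an out-fault interceptor that maps the AuthenticationException to a 401 with a WWW-Authenticate header only when the client used HTTP Basic (or sent no credentials at all), and leaves a failed WS-Security UsernameToken as a SOAP fault. The class name, the configured realm and the choice of phase are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import org.apache.cxf.common.security.SecurityToken;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public class Basic401FaultInterceptor extends AbstractPhaseInterceptor<Message> {
    private final String realm; // assumption: realm is configured here rather than read from JAAS

    public Basic401FaultInterceptor(String realm) {
        super(Phase.PRE_STREAM); // out-fault chain, before the fault body is written
        this.realm = realm;
    }

    @Override
    public void handleMessage(Message fault) throws Fault {
        Exception ex = fault.getContent(Exception.class);
        Throwable cause = (ex instanceof Fault) ? ex.getCause() : ex;
        if (!(cause instanceof AuthenticationException)) {
            return; // any other fault is left untouched
        }
        Message request = fault.getExchange().getInMessage();
        // AuthorizationPolicy comes from the HTTP Authorization header; SecurityToken from a WSS UsernameToken
        AuthorizationPolicy policy = request.get(AuthorizationPolicy.class);
        SecurityToken token = request.get(SecurityToken.class);
        boolean usedBasic = policy != null && "Basic".equalsIgnoreCase(policy.getAuthorizationType());
        boolean noCredentials = policy == null && token == null;
        if (!(usedBasic || noCredentials)) {
            return; // e.g. UsernameToken login failed: keep the SOAP fault, 401 would be wrong
        }
        fault.put(Message.RESPONSE_CODE, 401);
        Map<String, List<String>> headers = CastUtils.cast((Map<?, ?>) fault.get(Message.PROTOCOL_HEADERS));
        if (headers == null) {
            headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
            fault.put(Message.PROTOCOL_HEADERS, headers);
        }
        List<String> challenge = new ArrayList<>();
        challenge.add("Basic realm=\"" + realm + "\""); // realm is a quoted-string in the challenge
        headers.put("WWW-Authenticate", challenge);
    }
}
```

Register it on the endpoint's out-fault interceptor chain next to JAASLoginInterceptor on the in chain; the realm is whatever name the service wants clients to see, since the JAAS login itself does not supply one.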