Actually I was too quick declaring victory. I read through the code of JAASAuthenticationFeature and also the JAXRS specific JAASAuthenticationFilter I have been using. Both actually delegate to the JAASLoginInterceptor and hence one should use one OR the other.
Adding both will simply make the JAASLoginInterceptor registered as a provider in the JAASAuthenticationFeature take precedence over the REST JAASAuthenticationFilter. The JAASLoginInterceptor will not redirect with a 401 in REST style but just fail with an awful error message.

Interestingly the secret to the JAASAuthenticationFilter not being able to set the underlying security context is this line in the constructor of the REST filter (JAASAuthenticationFilter.java:66 3.0.2):

    interceptor.setUseDoAs(false);

This will effectively disable the execution of the remainder of the exchange under a privileged action that creates the AccessControlContext as per JAASLoginInterceptor.java:139.

    if (useDoAs) {
        Subject.doAs(subject, new PrivilegedAction<Void>() {
        ...

When I sheepishly change the value of the setUseDoAs to true during the object instantiation in the filter, the whole execution fails with the stack trace below. So something in the CXF JAXRS filtering mechanism is broken that would set parameter org.apache.cxf.jaxrs.model.OperationResourceInfo on the exchange. The line that fails with the NPE is JAXRSInvoker.java:358

    OperationResourceInfo ori = exchange.get(OperationResourceInfo.class);

Looks like a bug in the CXF JAXRS implementation if you ask me. Or it is inherently not possible due to the JAXRS filter being executed inside the `JAXRSInInterceptor` itself. I think I need to move this discussion to the CXF mailing list.

2015-01-19 22:05:24,527 | INFO | qtp2023231351-73 | LoggingInInterceptor | 80 - org.apache.cxf.cxf-core - 3.0.2 | Inbound Message
----------------------------
ID: 51
Address: http://localhost:8181/cxf/echo/jaas/t1
Http-Method: GET
Content-Type:
Headers: {Accept=[*/*], Authorization=[Basic a2FyYWY6a2FyYWY=], Content-Type=[null], Host=[localhost:8181], User-Agent=[curl/7.28.1]}
--------------------------------------
2015-01-19 22:05:48,066 | WARN | qtp2023231351-73 | PhaseInterceptorChain | 80 - org.apache.cxf.cxf-core - 3.0.2 | Interceptor for {http://test.jaas.fleurida.com/}EchoServiceImpl has thrown exception, unwinding now
java.lang.NullPointerException
    at org.apache.cxf.jaxrs.JAXRSInvoker.getResourceProvider(JAXRSInvoker.java:358)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:92)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)[80:org.apache.cxf.cxf-core:3.0.2]
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)[80:org.apache.cxf.cxf-core:3.0.2]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)[80:org.apache.cxf.cxf-core:3.0.2]
    at org.apache.cxf.interceptor.security.JAASLoginInterceptor$1.run(JAASLoginInterceptor.java:146)[80:org.apache.cxf.cxf-core:3.0.2]
    at org.apache.cxf.interceptor.security.JAASLoginInterceptor$1.run(JAASLoginInterceptor.java:140)[80:org.apache.cxf.cxf-core:3.0.2]
    at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_71]
    at javax.security.auth.Subject.doAs(Subject.java:356)[:1.7.0_71]
    at org.apache.cxf.interceptor.security.JAASLoginInterceptor.handleMessage(JAASLoginInterceptor.java:140)[80:org.apache.cxf.cxf-core:3.0.2]
    at org.apache.cxf.jaxrs.security.JAASAuthenticationFilter.filter(JAASAuthenticationFilter.java:111)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
    at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1624)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
    at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
    at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)[80:org.apache.cxf.cxf-core:3.0.2]
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[80:org.apache.cxf.cxf-core:3.0.2]
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:243)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:197)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:149)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:290)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)[84:org.apache.geronimo.specs.geronimo-servlet_3.0_spec:1.0]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)[89:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:503)[89:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411]
    at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)[98:org.ops4j.pax.web.pax-web-jetty:3.1.2]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)[89:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411]

On Mon, Jan 19, 2015 at 8:16 PM, Niels Bertram <niels...@gmail.com> wrote:

> Hi Christian,
>
> oh yes I can see, adding the JAASAuthenticationFeature to the cxf bus is
> required *in addition* to adding the JAASLoginInterceptor. I was not
> getting desired result after Phase 1 so that makes sense.
>
> I added a very simple example to GitHub
> <https://github.com/bertramn/jaas-auth-rest-example> for anyone
> interested.
>
> Thanks a lot for help, much appreciated!
>
> Kind Regards,
> Niels