[
https://issues.apache.org/jira/browse/CXF-5864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14056200#comment-14056200
]
Sergey Beryozkin commented on CXF-5864:
---------------------------------------
I think it was a definite weakness in this interceptor in the versions before
2.6.3 given that it allowed anonymous users without any explicit configuration.
I created a patch which you can use to create a custom interceptor overriding
AbstractAuthorizingInInterceptor.handleMessage. I have doubts CXF should
support it by default.
If Colm, others are OK with the patch then I can commit, otherwise will will
close it as Won;t Fix
Cheers, Sergey
> Anonymous users are denied to call unprotected methods since 2.6.3
> ------------------------------------------------------------------
>
> Key: CXF-5864
> URL: https://issues.apache.org/jira/browse/CXF-5864
> Project: CXF
> Issue Type: Bug
> Affects Versions: 2.6.3
> Reporter: metatech
> Attachments: patch.txt
>
>
> Since CXF-4495 (contained in CXF 2.6.3), anonymous users are denied to call
> unprotected methods.
> The method "handleMessage" of the class "AbstractAuthorizingInInterceptor"
> now checks that the UserPrincipal is not null.
> Any call results now into a AccessDeniedException.
> {code}
> Caused by: org.apache.cxf.interceptor.security.AccessDeniedException:
> Unauthorized
> at
> org.apache.cxf.interceptor.security.AbstractAuthorizingInInterceptor.handleMessage(AbstractAuthorizingInInterceptor.java:57)
> ~[cxf-rt-core-2.6.3.jar:2.6.3]
> {code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
