[ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283699#comment-14283699 ]
Sergey Beryozkin commented on CXF-6206:
---------------------------------------
Hi, I guess adding AuthenticationType to AuthenticationException would solve
it, good idea.
Not sure about the specialized exception because JAASLoginInterceptor would
need to figure out if it is HTTP or not, and both BasicAuth and WS-Sec can
happen over HTTP.
The user though would know which endpoint is bound to the HTTP transport and
would register the fault interceptor - it would check AuthenticationType and if
it is BasicAuth -> 401, otherwise it will let the chain continue, default SOAP
fault...
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the HTTP transport. Not sure where to take auth type and realm from
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken. As in the second case 401 is probably not correct.
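
The dispatch described in the comment above, as an added example that is not part of the original message and is not CXF code: a self-contained Java model of a fault handler that answers 401 with a WWW-Authenticate header only for a failed Basic login and otherwise lets the default SOAP fault go out. `AuthenticationType`, the exception's `type` field, `HttpResponse` and `mapFault` are hypothetical stand-ins, and the realm is assumed to come from the endpoint's configuration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Added illustration, not CXF code: every type and method name here is hypothetical.
public class AuthFaultMapping {

    // Assumed marker for which mechanism supplied the rejected credentials.
    enum AuthenticationType { BASIC, WSS_USERNAME_TOKEN }

    // Stand-in for an authentication exception that carries the proposed type.
    static class AuthenticationException extends RuntimeException {
        final AuthenticationType type;
        AuthenticationException(String message, AuthenticationType type) {
            super(message);
            this.type = type;
        }
    }

    // Minimal model of what an HTTP transport would write back.
    static class HttpResponse {
        final int status;
        final Map<String, String> headers = new LinkedHashMap<>();
        HttpResponse(int status) { this.status = status; }
    }

    // Returns a 401 for a failed Basic login; returns null for anything else,
    // meaning "let the chain continue" so the default SOAP fault is produced.
    static HttpResponse mapFault(Throwable fault, String realm) {
        if (!(fault instanceof AuthenticationException)) return null;
        if (((AuthenticationException) fault).type != AuthenticationType.BASIC) return null;
        HttpResponse response = new HttpResponse(401);
        // The realm is a quoted-string: drop control characters, escape \ and ".
        String safeRealm = realm.replaceAll("\\p{Cntrl}", "")
                                .replace("\\", "\\\\").replace("\"", "\\\"");
        response.headers.put("WWW-Authenticate", "Basic realm=\"" + safeRealm + "\"");
        return response;
    }

    public static void main(String[] args) {
        // Constructed sample faults and a constructed realm value.
        Throwable[] faults = {
            new AuthenticationException("login failed", AuthenticationType.BASIC),
            new AuthenticationException("login failed", AuthenticationType.WSS_USERNAME_TOKEN),
        };
        for (Throwable fault : faults) {
            HttpResponse r = mapFault(fault, "cxf \"demo\"");
            System.out.println(r == null ? "continue chain" : r.status + " " + r.headers);
        }
    }
}
```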