[
https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283771#comment-14283771
]
Christian Schneider commented on CXF-6206:
------------------------------------------
I agree that a SOAP Fault and a 500 response code should be good for
WS-Security. So probably we do not need any special handling for it as this is
the default handling of exceptions anyway.
I also think that we should make REST work with Subject.doAs() as only then
further security processing based on a JAAS login can occur. Depending on how
difficult this is to do with the current REST implementation this can take a
while though. So it would be great if Sergey or anyone else familiar with our
REST impl can make this happen. I do not know enough about it to do that myself.
About standardizing the JAAS security: I agree with Niels that it would be nice
to have it in one place. So you can simply add the JAASLoginFeature to e.g. the
bus and have SOAP as well as REST secured with it. Of course Sergey is also
correct that the JAASLoginInterceptor should not become much more complicated.
What I could imagine is that we simply limit and define exactly what
JAASLoginInterceptor is responsible for. What I could imagine is that it only
forwards existing credentials from the cxf message to JAAS and produces defined
exceptions in case of failures. Collecting the credentials as well as
converting the exception to a response should be done outside the
JAASLoginInterceptor. I think with these limitations it should stay fairly
simple while still being the central place to do the JAAS handling.
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the http transport. Not sure where to take auth type and realm from
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken, as in the second case 401 is probably not correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
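The split the comment proposes (credential collection outside, a login step that only forwards credentials to JAAS and throws one defined exception, response mapping outside again) is illustrated below in plain JAAS. This is an added example, not CXF code and not from the issue's author: `Credentials`, `LoginFailedException`, `FailureResponse`, `DemoLoginModule` and the `demo` login context are hypothetical names, the realm `cxf` is a placeholder, the in-memory user `alice` / `s3cret` is constructed test data, and the code assumes Java 17 or later for records and pattern-matching `instanceof`.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.*;

/** Added illustration of the proposed split, not CXF code. All names are hypothetical. */
public class JaasLoginSplitDemo {

    /** Where the credentials were collected; this decides what a failure should look like on the wire. */
    public enum CredentialSource { HTTP_BASIC, WSS_USERNAME_TOKEN }

    public record Credentials(String user, char[] password, CredentialSource source) {}

    /** The one defined failure the login step may produce. It carries no HTTP or SOAP detail. */
    public static class LoginFailedException extends Exception {
        public final CredentialSource source;
        LoginFailedException(CredentialSource source, Throwable cause) {
            super("JAAS login failed", cause); this.source = source;
        }
    }

    // (1) Credential collection belongs to the transport / WS-Security layer, not to the login step.
    public static Optional<Credentials> fromBasicHeader(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return Optional.empty();            // undecodable header: treat as "no credentials presented"
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return Optional.empty();
        return Optional.of(new Credentials(decoded.substring(0, colon),
                decoded.substring(colon + 1).toCharArray(), CredentialSource.HTTP_BASIC));
    }

    // (2) The login step: forward the credentials to JAAS, return the Subject, or throw the defined exception.
    public static Subject login(String contextName, Credentials c) throws LoginFailedException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) nc.setName(c.user());
                else if (cb instanceof PasswordCallback pc) pc.setPassword(c.password());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            LoginContext lc = new LoginContext(contextName, handler);
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            throw new LoginFailedException(c.source(), e);   // wrap only; the caller decides the response
        }
    }

    // (3) Exception-to-response mapping, again outside the login step.
    public record FailureResponse(int status, Map<String, String> headers, String body) {}

    public static FailureResponse toResponse(LoginFailedException e, String realm) {
        if (e.source == CredentialSource.HTTP_BASIC) {
            // HTTP Basic: a 401 challenge carrying the realm the transport was configured with
            return new FailureResponse(401, Map.of("WWW-Authenticate", "Basic realm=\"" + realm + "\""), "");
        }
        // WS-Security UsernameToken: a SOAP fault with 500 is the proper shape; a 401 challenge would be wrong
        return new FailureResponse(500, Map.of(), "<soap:Fault>...</soap:Fault>");
    }

    // --- in-memory JAAS setup so the demo runs offline; a deployment would configure a real login module ---
    public record DemoPrincipal(String name) implements Principal { public String getName() { return name; } }

    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback n = new NameCallback("user"); PasswordCallback p = new PasswordCallback("pass", false);
            try { handler.handle(new Callback[]{n, p}); } catch (Exception e) { throw new LoginException(e.toString()); }
            if ("alice".equals(n.getName()) && Arrays.equals("s3cret".toCharArray(), p.getPassword())) { user = "alice"; return true; }
            throw new FailedLoginException("bad credentials");   // constructed credential store: one user
        }
        public boolean commit() { subject.getPrincipals().add(new DemoPrincipal(user)); return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    static void installDemoConfiguration() {
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{ new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
    }

    public static void main(String[] args) throws Exception {
        installDemoConfiguration();
        // constructed Authorization headers: a correct and a wrong Basic credential
        String good = "Basic " + Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        String bad  = "Basic " + Base64.getEncoder().encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8));

        Subject subject = login("demo", fromBasicHeader(good).orElseThrow());
        // downstream processing runs under the authenticated Subject, which is what the comment wants for REST too
        boolean isAlice = Subject.doAs(subject, (PrivilegedAction<Boolean>) () ->
                subject.getPrincipals().stream().anyMatch(p -> "alice".equals(p.getName())));
        System.out.println("authenticated as alice: " + isAlice);

        try {
            login("demo", fromBasicHeader(bad).orElseThrow());
        } catch (LoginFailedException e) {
            FailureResponse r = toResponse(e, "cxf");
            System.out.println(r.status() + " " + r.headers());
        }
    }
}
```

The point of the layout is that `login()` never sees an HTTP header or a SOAP envelope and never decides a status code, so the same step can sit behind both the REST and the SOAP path; only `fromBasicHeader()` (or a UsernameToken collector) and `toResponse()` know which transport they serve, which is also where the "401 versus fault" question from the issue description gets answered.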