[https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283774#comment-14283774]
Sergey Beryozkin commented on CXF-6206:
---------------------------------------
Christian, JAASLoginInterceptor sets a SecurityContext and it is a fundamental
property of this interceptor. Let's not affect it.

Besides, people have successfully used it before in REST chains without the doAs
interposition, so based on that I do not agree that it cannot properly work
without doAs.

It appears the only thing doAs provides for is that the service can get to the JAAS
Subject via the JAAS API, but I've never heard anyone complaining about the
fact they can't do it now; in many cases people prefer working with the JAX-RS
SecurityContext. Using the JAAS API in the service is very likely to make such
services non-portable, because I'm not aware of the requirements that it has
to work across multiple containers.
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the http transport. Not sure where to take auth type and realm from
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken, as in the second case 401 is probably not correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
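The response shape the issue description asks for (a 401 with a WWW-Authenticate challenge instead of a Fault), as an added example that is not CXF's own code and not from either participant in the thread: a standard JAX-RS ExceptionMapper for CXF's AuthenticationException. The realm value, the BasicAuthChallengeMapper class name, and the assumption that this mapper is registered as a provider on the JAX-RS endpoint and that the exception raised by JAASLoginInterceptor reaches the mapper are assumptions for illustration, not something the thread states.

```java
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.interceptor.security.AuthenticationException;

/**
 * Maps a failed JAAS login to an HTTP 401 with a Basic challenge.
 *
 * Hypothetical helper written for this example; the realm is configurable
 * because the thread notes it is unclear where the realm should come from.
 * The challenge below is only correct for HTTP Basic authentication; a
 * WS-Security UsernameToken failure should not be answered with a Basic
 * challenge, so deployments mixing both need a separate policy for that case.
 */
@Provider
public class BasicAuthChallengeMapper implements ExceptionMapper<AuthenticationException> {

    private final String realm;

    /** Default realm is an assumed placeholder, not a CXF default. */
    public BasicAuthChallengeMapper() {
        this("example-realm");
    }

    public BasicAuthChallengeMapper(String realm) {
        this.realm = realm;
    }

    @Override
    public Response toResponse(AuthenticationException ex) {
        // 401 tells the client that credentials are missing or wrong and the
        // WWW-Authenticate header tells it which scheme and realm to retry with.
        // The exception message is deliberately not echoed to the client, so
        // the response does not leak which part of the login failed.
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + realm + "\"")
                .build();
    }
}
```

Registering the mapper as a provider on the JAX-RS endpoint keeps JAASLoginInterceptor's behaviour (setting the SecurityContext, throwing on login failure) unchanged, which is the point Sergey makes above; only the translation of the failure into an HTTP response is added.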