[ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283782#comment-14283782 ]

Christian Schneider edited comment on CXF-6206 at 1/20/15 12:46 PM:
--------------------------------------------------------------------

I did not say that it cannot work without doAs, but without it you cannot use 
the standard JAAS API to access the security context. Using the CXF SecurityContext 
makes the user code depend on CXF, which is not ideal if there is a standard way 
that provides the same result.  Of course we should still populate the CXF 
SecurityContext for backwards compatibility. 

Yes, exactly. I only meant the collection of the credentials. We will have to 
find a way to make this modular enough to carry any credentials a JAAS login 
may need, which is not easy for cases like digest or kerberos, which require 
multiple passes.



was (Author: [email protected]):
I did not say that it cannot work without doAs, but without it you cannot use 
the standard JAAS API to access the security context. Using the CXF SecurityContext 
makes the user code depend on CXF, which is not ideal if there is a standard way 
that provides the same result.  Of course we should still populate the CXF 
SecurityContext for backwards compatibility. 


> JAASLoginInterceptor: Return proper unauthorized response when JAAS login 
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
>                 Key: CXF-6206
>                 URL: https://issues.apache.org/jira/browse/CXF-6206
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login 
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate 
> header.
> I experimented with turning the AuthenticationException into a 401 response 
> in the http transport. Not sure where to take auth type and realm from 
> though. I am also not sure how to distinguish basic auth from WSS Security 
> UsernameToken, since in the second case 401 is probably not correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
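The behaviour discussed in the issue and the comment (HTTP Basic credentials fed to a JAAS login; a 401 with a WWW-Authenticate challenge when the login fails; the downstream code run inside Subject.doAs so that it can reach the Subject through the standard JAAS API instead of a CXF-specific SecurityContext) sketched as a plain servlet Filter. This is an added example, not code from CXF or from the issue's author; it is framework-independent on purpose. The JAAS context name "karaf", the realm name "example", the class name BasicAuthJaasFilter and the helper currentSubject() are assumptions chosen for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: HTTP Basic -> JAAS LoginContext -> Subject.doAs around the chain. */
public class BasicAuthJaasFilter implements Filter {
    private String jaasContextName = "karaf";  // assumption: a login entry in the JAAS config
    private String realm = "example";           // assumption: realm advertised in the challenge

    @Override
    public void init(FilterConfig cfg) {
        if (cfg.getInitParameter("jaasContextName") != null) jaasContextName = cfg.getInitParameter("jaasContextName");
        if (cfg.getInitParameter("realm") != null) realm = cfg.getInitParameter("realm");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String[] creds = parseBasic(request.getHeader("Authorization"));
        if (creds == null) {
            challenge(response);  // no or non-Basic credentials: ask the client for Basic
            return;
        }

        Subject subject;
        try {
            LoginContext lc = new LoginContext(jaasContextName,
                    new StaticCallbackHandler(creds[0], creds[1].toCharArray()));
            lc.login();
            subject = lc.getSubject();
        } catch (LoginException e) {
            challenge(response);  // failed login is a 401 with a challenge, not a Fault
            return;
        }

        // Run the rest of the chain as the authenticated Subject so that downstream code
        // can call Subject.getSubject(AccessController.getContext()) without knowing CXF.
        try {
            Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
                chain.doFilter(request, response);
                return null;
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

    /** Standard-JAAS way for user code further down the chain to see who is calling. */
    public static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    private void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Returns {user, password}, or null if the header is absent, not Basic, or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;  // bad base64 is treated like missing credentials
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Single-pass credential collection: name and password only (no digest/kerberos round trips). */
    static final class StaticCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        StaticCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "only name/password callbacks are supported");
            }
        }
    }

    @Override public void destroy() { }
}
```

Two points the issue raises are visible here. The realm and auth type come from filter configuration rather than from the transport, which is one answer to "where to take auth type and realm from". And the callback handler covers only the single-pass name/password case; a digest or kerberos login module would ask for other callbacks and gets an UnsupportedCallbackException, which is the multi-pass problem the comment mentions. The filter also only understands an HTTP Authorization header, so it does not apply to a WSS UsernameToken, where the issue notes a 401 is probably not the right answer anyway.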