[ https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283786#comment-14283786 ]

Sergey Beryozkin commented on CXF-6206:
---------------------------------------

Hi Christian,
But no one is using the CXF SecurityContext directly in either the JAXWS or JAXRS
implementations; they have the JAX-WS or JAX-RS SecurityContext injected. Hence I'm
saying that if we start recommending that people use the JAAS API, then we will need to
warn them that it may/might become non-portable: for example, if a CXF JAX-RS
user migrates to Jersey or RestEasy, which offers some other JAAS support
(possibly at the container level), then we cannot guarantee those containers
will run the chain in the context of JAAS doAs. See what I mean?

+1 to making the submission of credentials to JAAS more flexible.

> JAASLoginInterceptor: Return proper unauthorized response when JAAS login 
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
>                 Key: CXF-6206
>                 URL: https://issues.apache.org/jira/browse/CXF-6206
>             Project: CXF
>          Issue Type: Improvement
>          Components: Core, Transports
>            Reporter: Christian Schneider
>            Assignee: Christian Schneider
>             Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login 
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate 
> header.
> I experimented with turning the AuthenticationException into a 401 response 
> in the http transport. Not sure where to take auth type and realm from 
> though. I am also not sure how to distinguish basic auth from WSS Security 
> UsernameToken. As in the second case 401 is probably not correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
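
Added example, not part of the JIRA thread and not CXF code: a protocol-level sketch in Python of the distinction the issue description asks about, answering a failed login with a 401 challenge when the credentials came from HTTP Basic and with a SOAP fault when they came from a WS-Security UsernameToken. The function names, the SOAP 1.1 envelope, and the `realm` parameter (assumed here to come from endpoint configuration) are assumptions.

```python
import xml.etree.ElementTree as ET

WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TOKEN_PATH = (f"{{{SOAP11_NS}}}Header/{{{WSSE_NS}}}Security/"
              f"{{{WSSE_NS}}}UsernameToken")

# Constructed sample request body (not taken from the issue).
SAMPLE_WSS = (
    f'<soap:Envelope xmlns:soap="{SOAP11_NS}"><soap:Header>'
    f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
    '<wsse:Username>alice</wsse:Username><wsse:Password>wrong</wsse:Password>'
    '</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/>'
    '</soap:Envelope>')


def credential_source(headers, body):
    """Return 'http-basic', 'wss-username-token' or 'none'."""
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if auth.split(" ", 1)[0].lower() == "basic":
        return "http-basic"  # the HTTP header wins if both are present
    # SOAP forbids a DTD, so refuse to parse a body that carries one.
    if not body or "<!DOCTYPE" in body:
        return "none"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "none"
    return "wss-username-token" if root.find(TOKEN_PATH) is not None else "none"


def login_failure_response(headers, body, realm):
    """Map a failed login to (status, headers, body) by credential source."""
    if credential_source(headers, body) == "wss-username-token":
        # SOAP 1.1 faults travel with HTTP 500; WS-Security defines the code.
        fault = (
            f'<soap:Envelope xmlns:soap="{SOAP11_NS}"><soap:Body><soap:Fault>'
            f'<faultcode xmlns:wsse="{WSSE_NS}">wsse:FailedAuthentication'
            '</faultcode><faultstring>Authentication failed</faultstring>'
            '</soap:Fault></soap:Body></soap:Envelope>')
        return 500, {"Content-Type": "text/xml; charset=utf-8"}, fault
    # Basic or no credentials: challenge. Realm is assumed endpoint config.
    quoted = realm.replace("\\", "\\\\").replace('"', '\\"')
    return 401, {"WWW-Authenticate": f'Basic realm="{quoted}"'}, ""
```

Both branches return the same generic failure text, so the response does not reveal whether the user name exists.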