[
https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283789#comment-14283789
]
Niels Bertram commented on CXF-6206:
------------------------------------
I can actually add to this, I was "assuming" that the JAAS security context was
set when I added JAASAuthenticationFilter to my jaxrs server config. This was
not the case when I tried it out.
For my use case I want to authenticate a user at the REST front end but then
process the messages further in Camel or other OSGi services. I would hate to
add {{@Context SecurityContext context}} to every REST method and then poke
around in there to get the principal name and groups/roles. JAAS and
specifically doAs() is much more suitable.
Also as I pointed out before, if anyone is trying to use JSR250 annotations on
the REST service in conjunction with JAASAuthenticationFilter would actually
get a nasty surprise (due to the missing Subject).
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with a AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the http transport. Not sure where to take auth type and realm from
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken. As in the second case 401 is probably not correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
