[https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283842#comment-14283842]
Niels Bertram edited comment on CXF-6206 at 1/20/15 2:21 PM:
-------------------------------------------------------------
Yes, sure, I can open another JIRA, but essentially Christian opened this one
based on our discussion on the Karaf forum.
I made a change to the JAXRS filter to show what would need to be supported:
[https://github.com/bertramn/cxf/commit/94d6725352823a2d055d4556046eab3feeabf580]
(BTW the above change will not work because the doAs somehow causes an NPE in
JAXRSInvoker.java:358.)
I also created an example project to show what I am trying to do (a JAXRS
service using CXF 3.0.4-SNAPSHOT on Karaf 3.0.2):
[https://github.com/bertramn/jaas-auth-rest-example]
The JSR250 reference is to use the {{@javax.annotation.security.RolesAllowed}}
annotations together with container auth (in this case Aries blueprint), which
requires a valid JAAS security context ... which does not exist if the doAs is
hard-wired disabled in the JAASAuthenticationFilter.
Something like this:
{code:java}
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.util.Set;
import javax.annotation.security.RolesAllowed;
import javax.security.auth.Subject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;
// Token is the example project's response bean; UserPrincipal is the Karaf JAAS user principal

@GET
@Path("/jaas/{echotoken}")
@RolesAllowed("admin")
public Response echo(@PathParam("echotoken") String message) {
    Token token = new Token(message);
    // get access to the JAAS subject bound to the calling thread in OSGi
    AccessControlContext acc = AccessController.getContext();
    if (acc == null) {
        token.appendError("access control context is null");
    }
    Subject subject = Subject.getSubject(acc);
    if (subject == null) {
        // nothing ran Subject.doAs upstream, so there is no subject for @RolesAllowed to check
        token.appendError("subject is null");
    } else {
        Set<Principal> principals = subject.getPrincipals();
        for (Principal principal : principals) {
            if (principal instanceof UserPrincipal) {
                token.setPrincipal(principal.getName());
            }
        }
    }
    return Response.ok(token).build();
}
{code}
Does that make sense? Niels
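The failure mode described in the comment above, as an added stand-alone example (not code from CXF, Karaf or the linked example project): a role check that reads the Subject from the current AccessControlContext only succeeds when the filter invoked the resource inside Subject.doAs. RolePrincipal is a constructed stand-in for a container role principal.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class DoAsDemo {
    // Constructed stand-in for a JAAS role principal (not Karaf's class).
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // What a JSR-250 @RolesAllowed interceptor has to do: find the Subject
    // bound to the current access control context and compare its roles.
    static boolean callerHasRole(String required) {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            // No JAAS context is bound, so the role cannot be established.
            return false;
        }
        for (Principal p : subject.getPrincipals(RolePrincipal.class)) {
            if (p.getName().equals(required)) {
                return true;
            }
        }
        return false;
    }

    // Filter behaviour with doAs disabled: the resource runs on the plain
    // thread context and never sees the authenticated Subject.
    static boolean invokeWithoutDoAs(Subject authenticated, String role) {
        return callerHasRole(role);
    }

    // Filter behaviour with doAs: the Subject is bound for the invocation.
    static boolean invokeWithDoAs(Subject authenticated, String role) {
        return Subject.doAs(authenticated, (PrivilegedAction<Boolean>) () -> callerHasRole(role));
    }

    public static void main(String[] args) {
        Set<Principal> principals = new HashSet<>();
        principals.add(new RolePrincipal("admin")); // constructed login result
        Subject subject = new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
        System.out.println("without doAs: " + invokeWithoutDoAs(subject, "admin"));
        System.out.println("with doAs:    " + invokeWithDoAs(subject, "admin"));
    }
}
```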
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the http transport. Not sure where to take auth type and realm from
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken. As in the second case 401 is probably not correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)