[
https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283976#comment-14283976
]
Christian Schneider commented on CXF-6206:
------------------------------------------
I experimented a bit more. Unfortunately it seems that the JAASLoginInterceptor
can not decide automatically if it should respond with 401 (for http based
auth) or 500 for ws security based auth if the user supplies no authentication
information at all.
So we need a configuration value to set this. As http auth is a transport level
thing it might be a good way to do that on the http transport level. For the
conduit we have org.apache.cxf.transport.http.auth.HttpAuthSupplier with
several implementations. For destination there is no such thing.
What we need for http auth is to supply the acceptable authentication methods
and the realm. Should we do this as parameters for the destination? Of course
we could also use a specialized interceptor. Any opinions?
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the http transport. Not sure where to take auth type and realm from
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken. As in the second case 401 is probably not correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
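One way to make the decision discussed in the comment explicit, as an added example that is not CXF's own code and not a patch proposed on this issue: an interceptor placed just before JAASLoginInterceptor that, when the request carries no credentials at all, answers 401 with a WWW-Authenticate challenge only if the request arrived over HTTP and a realm was configured, and otherwise throws the AuthenticationException so the binding produces the usual SOAP fault. The class name, the realm constructor parameter and the sendChallenge helper are hypothetical; the CXF calls used (AuthorizationPolicy, SecurityToken, Message.HTTP_REQUEST_METHOD, Destination.getBackChannel(Message) in its 3.x form) are assumed to be available as in CXF 3.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import org.apache.cxf.common.security.SecurityToken;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.transport.Conduit;

/**
 * Hypothetical example, not part of CXF. Runs before JAASLoginInterceptor and
 * handles the "no authentication information at all" case:
 *
 *  - HTTP transport and a realm configured -> 401 + WWW-Authenticate: Basic realm="..."
 *  - anything else (for example a WS-Security UsernameToken was expected)
 *    -> AuthenticationException, which the binding turns into a SOAP fault (500)
 */
public class BasicAuthChallengeInterceptor extends AbstractPhaseInterceptor<Message> {

    // Assumption: supplied by deployment configuration; null disables the 401 path.
    private final String realm;

    public BasicAuthChallengeInterceptor(String realm) {
        super(Phase.UNMARSHAL);
        addBefore(JAASLoginInterceptor.class.getName());
        this.realm = realm;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // An HTTP Authorization header is parsed by the HTTP destination into an
        // AuthorizationPolicy; a WS-Security UsernameToken is surfaced by the
        // WS-Security interceptors as a SecurityToken.
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        SecurityToken token = message.get(SecurityToken.class);
        if (policy != null || token != null) {
            return; // credentials were supplied; JAASLoginInterceptor will judge them
        }
        boolean overHttp = message.get(Message.HTTP_REQUEST_METHOD) != null;
        if (overHttp && realm != null) {
            sendChallenge(message);
            return;
        }
        throw new AuthenticationException("Authentication information is missing");
    }

    // Writes an empty 401 response with the Basic challenge and aborts the chain.
    private void sendChallenge(Message inMessage) throws Fault {
        Exchange exchange = inMessage.getExchange();
        Message outMessage = exchange.getOutMessage();
        if (outMessage == null) {
            Endpoint endpoint = exchange.get(Endpoint.class);
            outMessage = endpoint.getBinding().createMessage();
            exchange.setOutMessage(outMessage);
        }
        outMessage.put(Message.RESPONSE_CODE, 401);

        Map<String, List<String>> headers =
            CastUtils.cast((Map<?, ?>) outMessage.get(Message.PROTOCOL_HEADERS));
        if (headers == null) {
            headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
            outMessage.put(Message.PROTOCOL_HEADERS, headers);
        }
        // The realm is a quoted-string in the challenge, so embedded quotes are dropped.
        String challenge = "Basic realm=\"" + realm.replace("\"", "") + "\"";
        headers.put("WWW-Authenticate", Arrays.asList(challenge));

        inMessage.getInterceptorChain().abort();
        try {
            Conduit backChannel = exchange.getDestination().getBackChannel(inMessage);
            exchange.setConduit(backChannel);
            backChannel.prepare(outMessage);
            OutputStream os = outMessage.getContent(OutputStream.class);
            os.flush();
            os.close(); // empty body: the challenge header alone tells the client what to do
        } catch (IOException e) {
            throw new Fault(e);
        }
    }
}
```

The same sendChallenge helper can be reused from an in-fault interceptor to turn a rejected Basic login into a 401 rather than a fault, but only when the rejected credentials came from an AuthorizationPolicy; a rejected UsernameToken should keep producing the WS-Security fault, since an HTTP challenge means nothing to a SOAP client that authenticates in the message. Keep the 401 body empty so the response does not leak whether the user name or the password was the problem.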