[
https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14284956#comment-14284956
]
Niels Bertram commented on CXF-6206:
------------------------------------
Adding an ExceptionMapper is actually an interesting thought; I'll have a play
with that.
The reason the JAXRS server fails when using the {{JAASAuthenticationFilter}}
is actually in the chaining of interceptors. Secure execution does actually
work fine if you make the useDoAs configurable on the filter and propagate this
setting to the {{JAASLoginInterceptor}} delegate.
My theory is that if one uses {{JAASLoginInterceptor}} directly with a JAXRS server,
this interceptor will execute in the chain before the {{JAXRSInInterceptor}},
and the continuation of the in chain is already executed in a new secure thread.
When the {{JAASAuthenticationFilter}} is used, this filter is actually executed
inside the {{JAXRSInInterceptor}} and the thread switched inside the
{{JAXRSInInterceptor}}. This is because the JAASAuthenticationFilter will call
JAASLoginInterceptor which in turn switches the thread and more importantly
will continue to execute the chain while the outer {{JAXRSInInterceptor}} is on
hold thinking it will get control of the chain again for further work.
So technically the {{JAASAuthenticationFilter}} is one step too low in the
chain. Only a CXF interceptor can do a proper JAAS context change.
If you need line numbers, please let me know. But for me it is finally sinking
in that doAs will never actually work in the JAXRS filter due to the
architecture of the CXF chain and its interceptors.
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with a AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the http transport. Not sure where to take auth type and realm from
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken. As in the second case 401 is probably not correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
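The ExceptionMapper idea floated in the comment above, written out as an added example. This is not CXF's code and not code from either commenter: it is a JAX-RS provider that turns the {{AuthenticationException}} raised on a failed JAAS login into the 401 plus {{WWW-Authenticate}} response the ticket asks for. It assumes the exception is raised inside the JAX-RS stage (the {{JAASAuthenticationFilter}} case described in the comment) so that JAX-RS exception mapping is in effect, that the realm is a configured property rather than taken from the login module, and that the scheme is fixed to Basic because the mapper is registered only on a JAX-RS endpoint; the WSS UsernameToken case the reporter worries about is a SOAP path and never reaches a JAX-RS provider, which sidesteps the "how to distinguish" question for this setup. The class and property names are illustrative, not CXF identifiers.

```java
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.interceptor.security.AuthenticationException;

/**
 * Added example, not part of CXF: maps the AuthenticationException thrown when
 * the JAAS login fails (Basic credentials rejected or absent) into
 * "401 Unauthorized" with a Basic challenge, instead of the generic Fault that
 * CXF-6206 complains about.
 *
 * Assumptions made here and not by the ticket:
 *  - the realm is configured on the mapper (setRealm), since the ticket notes
 *    there is no obvious place to take it from;
 *  - the mapper sits on a JAX-RS endpoint secured with JAASAuthenticationFilter,
 *    so the scheme is always Basic and no WSS UsernameToken request can hit it.
 */
@Provider
public class BasicAuthChallengeMapper implements ExceptionMapper<AuthenticationException> {

    // Assumed default; normally injected from the Spring/Blueprint bean definition.
    private String realm = "cxf";

    public void setRealm(String realm) {
        // The realm is emitted as an RFC 7235 quoted-string; strip characters that
        // would terminate the quoted value or inject a second header line.
        this.realm = realm.replace("\"", "").replace("\r", "").replace("\n", "");
    }

    public String getRealm() {
        return realm;
    }

    @Override
    public Response toResponse(AuthenticationException ex) {
        return Response.status(Response.Status.UNAUTHORIZED)
                // A 401 is only well-formed when it carries a challenge.
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + realm + "\"")
                .type(MediaType.TEXT_PLAIN)
                // Deliberately not ex.getMessage(): the JAAS failure text may say
                // whether the user exists or which login module rejected it.
                .entity("Authentication failed")
                .build();
    }
}
```

Register the mapper in the same {{<jaxrs:providers>}} list as the {{JAASAuthenticationFilter}}; it only takes effect for exceptions that surface inside the JAX-RS request processing, which is exactly where the comment above places the filter's failure.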