[
https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14285435#comment-14285435
]
Sergey Beryozkin commented on CXF-6206:
---------------------------------------
Christian, +1 to shipping such an interceptor; IMHO it is the cleanest
non-intrusive solution.
Niels, to be honest your analysis has a fair bit of speculation. Are you
claiming that all the web services that do not use JAAS to authenticate and rely
on a security context being available on the current thread are broken because
their developers do not care about security? That is just nonsense. Just use
JAASLoginInterceptor if you do need doAs interposing by any means; however, I do
not recommend that you or other users mess with the JAAS API directly in their code,
because it may be non-portable and also brittle, and would break as soon as
JAAS uses a different strategy for representing user principals.
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with an AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the http transport. Not sure where to take auth type and realm from,
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken, as in the second case 401 is probably not correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
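To make the behaviour discussed in the issue concrete, here is an added example (not CXF's own fix for CXF-6206 and not code from either commenter) of an out-fault interceptor that maps the AuthenticationException raised by JAASLoginInterceptor to a 401 with a WWW-Authenticate header, and only does so when the request carried HTTP Basic credentials, so a failed WS-Security UsernameToken keeps its SOAP fault. The class name `BasicAuth401Interceptor` and the realm string are assumptions; the CXF types used are the public ones from org.apache.cxf.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/** Assumed example interceptor; register it on the endpoint's out-fault chain. */
public class BasicAuth401Interceptor extends AbstractPhaseInterceptor<Message> {

    private final String realm; // assumed to be configured per endpoint

    public BasicAuth401Interceptor(String realm) {
        super(Phase.PRE_STREAM); // before the response is streamed to the client
        this.realm = realm;
    }

    @Override
    public void handleMessage(Message faultMessage) throws Fault {
        if (!isAuthenticationFailure(faultMessage.getContent(Exception.class))) {
            return; // some other fault: leave the default fault handling alone
        }
        // The HTTP transport attaches an AuthorizationPolicy only when it parsed an
        // Authorization header; without one the credentials came via WSS UsernameToken.
        Message request = faultMessage.getExchange().getInMessage();
        AuthorizationPolicy policy = request == null ? null : request.get(AuthorizationPolicy.class);
        if (policy == null || !"Basic".equalsIgnoreCase(policy.getAuthorizationType())) {
            return; // not Basic auth: a 401 challenge would be misleading here
        }
        faultMessage.put(Message.RESPONSE_CODE, 401);
        getHeaders(faultMessage).put("WWW-Authenticate",
                Collections.singletonList("Basic realm=\"" + realm + "\""));
    }

    /** Walk the cause chain: the out-fault content is the Fault wrapping the real cause. */
    private static boolean isAuthenticationFailure(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof AuthenticationException) {
                return true;
            }
        }
        return false;
    }

    @SuppressWarnings("unchecked")
    private static Map<String, List<String>> getHeaders(Message m) {
        Map<String, List<String>> headers = (Map<String, List<String>>) m.get(Message.PROTOCOL_HEADERS);
        if (headers == null) {
            headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
            m.put(Message.PROTOCOL_HEADERS, headers);
        }
        return headers;
    }
}
```

Wire it with `endpoint.getOutFaultInterceptors().add(new BasicAuth401Interceptor("MyRealm"))` next to the JAASLoginInterceptor on the in chain; the realm value is yours to choose.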