[
https://issues.apache.org/jira/browse/CXF-6206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14285534#comment-14285534
]
Niels Bertram commented on CXF-6206:
------------------------------------
Yes it does work now for my intends and purposes. The only annoying thing is
that {{org.apache.cxf.phase.PhaseInterceptorChain.java:386}} is logging a stack
trace for failed auth attempts at WARN level. Not sure if this is desirable
given there may be lots and lots of these rolling through the logs, especially
if someone gets attacked. Do you know if this can be configured without
affecting logging of genuine exceptions?
> JAASLoginInterceptor: Return proper unauthorized response when JAAS login
> with basic auth fails
> -----------------------------------------------------------------------------------------------
>
> Key: CXF-6206
> URL: https://issues.apache.org/jira/browse/CXF-6206
> Project: CXF
> Issue Type: Improvement
> Components: Core, Transports
> Reporter: Christian Schneider
> Assignee: Christian Schneider
> Fix For: 3.1.0
>
>
> Currently we return a Fault with a AuthenticationException when JAAS login
> fails.
> The proper response would be a 401 status with a suitable WWW-Authenticate
> header.
> I experimented with turning the AuthenticationException into a 401 response
> in the http transport. Not sure where to take auth type and realm from
> though. I am also not sure how to distinguish basic auth from WSS Security
> UsernameToken. As in the second case 401 is probably not correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
