Hi Christian,

Using authz actually does not make any difference to the response someone
will get when not authenticated. The JAASAuthenticationFilter will continue
to press for credentials with an HTTP 401 response code, whereas the
JAASAuthenticationFeature will just fail with an ugly error message and a
500 server error.

For sanity I took your Karaf-Tutorial and added a few REST annotations to
the JAXWS service and also wedged a jaxrs:server configuration into the
blueprint. Authentication and authorization seem to work ok as long as
there is a valid auth header in the HTTP request:

$ curl -H "Accept: application/json" -X GET -u karaf:karaf http://localhost:8181/cxf/rest/person
{"person":[{"id":1,"name":"Chris"}]}

But trying to access the resource unauthenticated and asking to get an
application/json response explicitly, the only thing I get back is a bunch
of XML garbage:

$ curl -H "Accept: application/json" -X GET http://localhost:8181/cxf/rest/person
<ns1:XMLFault xmlns:ns1="http://cxf.apache.org/bindings/xformat"><ns1:faultstring xmlns:ns1="http://cxf.apache.org/bindings/xformat">org.apache.cxf.interceptor.security.AuthenticationException: Authentication required but no user or password was supplied</ns1:faultstring></ns1:XMLFault>

Here I would expect an HTTP 401 response instead of XML and an HTTP 500
Server Error. As said before, for a proper REST experience one would need
to use JAASAuthenticationFilter, but this component should not be disabling
the useDoAs on the JAASLoginInterceptor.

Cheers,
Niels



On Mon, Jan 19, 2015 at 11:10 PM, Christian Schneider <
ch...@die-schneider.net> wrote:

>  Have you tried to use only the JAASAuthenticationFeature
> together with blueprint authz for Rest?
>
> Maybe it works better.
>
> Christian
>
>

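For readers following the thread, here is what a blueprint wiring of the JAASAuthenticationFilter into a jaxrs:server looks like. This is an added illustration, not Niels's or Christian's actual configuration from the Karaf-Tutorial: the bean ids, the "/rest" address and the PersonServiceImpl class name are placeholders chosen to match the URL in the curl calls above; the filter and provider class names are CXF's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not the tutorial's blueprint. Bean ids, the
     address and the service class are assumptions for this example. -->
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs">

  <!-- The JAX-RS resource class; the class name is hypothetical -->
  <bean id="personService" class="com.example.PersonServiceImpl"/>

  <!-- JAX-RS request filter that authenticates against a JAAS realm.
       Without (or with bad) credentials it aborts the request with an
       HTTP 401 rather than the XMLFault/500 that the interceptor-based
       JAASAuthenticationFeature produces. -->
  <bean id="authenticationFilter"
        class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
    <!-- JAAS login context to use; "karaf" is Karaf's default realm -->
    <property name="contextName" value="karaf"/>
    <!-- realm advertised in the WWW-Authenticate: Basic challenge -->
    <property name="realmName" value="karaf"/>
  </bean>

  <!-- Serialises the resource as JSON for Accept: application/json -->
  <bean id="jsonProvider"
        class="org.apache.cxf.jaxrs.provider.json.JSONProvider"/>

  <!-- Mounted under the CXF servlet, so the resource ends up at
       http://localhost:8181/cxf/rest/person -->
  <jaxrs:server id="personRestServer" address="/rest">
    <jaxrs:serviceBeans>
      <ref component-id="personService"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
      <ref component-id="authenticationFilter"/>
      <ref component-id="jsonProvider"/>
    </jaxrs:providers>
  </jaxrs:server>

</blueprint>
```

With this in place an unauthenticated request gets a 401 and a Basic challenge, which is the REST behaviour Niels is after; the caveat he raises still applies, namely that the filter switches useDoAs off on the JAASLoginInterceptor it wraps, so the authenticated Subject is not propagated the way it is with the feature, and blueprint authz has to be checked separately.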