The current JAASLoginInterceptor has only a very simple handling of the authentication error. We know that this should be improved.

I have experimented a bit with some changes in http and core to turn an AuthenticationException into a proper http unauthorized response. I am unsure how to handle some cases though. So for example the JAASLoginInterceptor can also handle a WSS Security UserNameToken. In this case though I guess we would not like to return a 401.

I opened an issue https://issues.apache.org/jira/browse/CXF-6206 to track this. You are welcome to help define the best solution. We have to make this quite solid before doing actual changes to not disturb other cases.

Christian

On 20.01.2015 01:14, Niels Bertram wrote:

Hi Christian,

Using authz actually does not make any difference to the response someone will get when not authenticated. The |JAASAuthenticationFilter| will continue to press for credentials with an HTTP 401 response code, whereas the |JAASAuthenticationFeature| will just fail with an ugly error message and a 500 server error.

For sanity I took your Karaf-Tutorial and added a few REST annotations to the JAXWS service and also wedged a jaxrs:server configuration into the blueprint. Authentication and authorization seem to work ok as long as there is a valid auth header in the HTTP request:

$ curl -H "Accept: application/json" -X GET -u karaf:karaf http://localhost:8181/cxf/rest/person
{"person":[{"id":1,"name":"Chris"}]}

But trying to access the resource unauthenticated and asking explicitly for an |application/json| response, the only thing I get back is a bunch of XML garbage:

$ curl -H "Accept: application/json" -X GET http://localhost:8181/cxf/rest/person
<ns1:XMLFault xmlns:ns1="http://cxf.apache.org/bindings/xformat"><ns1:faultstring xmlns:ns1="http://cxf.apache.org/bindings/xformat">org.apache.cxf.interceptor.security.AuthenticationException: Authentication required but no user or password was supplied</ns1:faultstring></ns1:XMLFault>

Here I would expect an HTTP 401 response instead of XML and an HTTP 500 Server Error. As said before, for a proper REST experience one would need to use |JAASAuthenticationFilter|, but this component should not be disabling the |useDoAs| on the |JAASLoginInterceptor|.

Cheers,
Niels

On Mon, Jan 19, 2015 at 11:10 PM, Christian Schneider <[email protected]> wrote:

    Have you tried to use only the |JAASAuthenticationFeature|
    together with blueprint authz for Rest?

    Maybe it works better.

    Christian

--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com
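The 401 behaviour Niels expects from the REST endpoint, as an added example that is neither from this thread nor from CXF itself: a JAX-RS ExceptionMapper that turns the AuthenticationException thrown by JAASLoginInterceptor into a 401 with a WWW-Authenticate challenge, answering in JSON when the client asked for it. It assumes CXF's JAX-RS runtime applies registered exception mappers to faults raised by in-chain interceptors, and that the mapper is registered only under jaxrs:providers in the blueprint, so the SOAP/WSS UserNameToken case Christian mentions is not touched; the realm name and the JSON body are made up here.

```java
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.interceptor.security.AuthenticationException;

/**
 * Hypothetical mapper (not part of CXF): AuthenticationException -> 401.
 * Register on the REST endpoint only, e.g. in blueprint:
 *   <jaxrs:providers><bean class="...AuthenticationExceptionMapper"/></jaxrs:providers>
 * so SOAP endpoints sharing JAASLoginInterceptor keep their fault handling.
 */
@Provider
public class AuthenticationExceptionMapper
        implements ExceptionMapper<AuthenticationException> {

    // Realm shown in the Basic challenge; "karaf" is an assumed value.
    private static final String REALM = "karaf";

    @Context
    private HttpHeaders headers;

    @Override
    public Response toResponse(AuthenticationException ex) {
        // Honour an explicit Accept: application/json, otherwise fall back to text.
        boolean wantsJson = false;
        if (headers != null) {
            for (MediaType accepted : headers.getAcceptableMediaTypes()) {
                if (accepted.isCompatible(MediaType.APPLICATION_JSON_TYPE)) {
                    wantsJson = true;
                    break;
                }
            }
        }
        // Deliberately do not echo ex.getMessage(): a fixed body avoids telling the
        // client whether the user name or the password was the part that failed.
        String body = wantsJson
                ? "{\"error\":\"unauthorized\"}"
                : "Authentication required";
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + REALM + "\"")
                .type(wantsJson ? MediaType.APPLICATION_JSON_TYPE : MediaType.TEXT_PLAIN_TYPE)
                .entity(body)
                .build();
    }
}
```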
