On Thu, Jan 24, 2013 at 10:44 AM, Sergey Beryozkin <[email protected]> wrote:

> On 24/01/13 18:16, Craig McClanahan wrote:
>
>> Validating at the start makes sense to me.
>
> This can be optionally done if needed for the integration purposes, I
> guess given that Salesforce does it this way it is probably important in
> your case to get the same order (validate then authenticate) supported...
> Not sure I can do it for 2.7.3 but it is realistic

I know how that kind of thing goes :-).

>> The key difference right now is that, when I start the Authorization Code
>> Grant flow (Section 4.1) with no credentials, I want CXF to redirect to the
>> login UI instead of returning 401.
>
> This is actually easy to do right now :-). CXF AS, being the ultimate
> destination of the request enforces that the user is authenticated, AS
> itself is not dealing with the end user authentication enforcement.
> You have a couple of options:
>
> 1. register NotAuthorizedExceptionMapper with AS endpoint, and convert the
> exception to Response with either some empty class or enum entity for the
> runtime to be able to check the registered message writers, next register
> RequestDispatcherProvider and link this class or enum to some JSP page
> which will offer an authentication form:
>
> http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider
>
> this will work OK if the auth page is generated, it is a server side
> redirect.
>
> 2. If the client needs to be redirected, simply convert this exception to
> Response redirecting to a given page
>
> 1 & 2 above can also be done from CXF RequestHandler filter or 2.0
> ContainerRequestFilter if it can detect that the message has no
> authentication info available (the former - via
> message.get(SecurityContext.class), latter - via injected JAX-RS
> SecurityContext)
>
> Can you give the above a try please?
>
> Cheers, Sergey

This sounds like it should do the trick -- will play with it over the next few days.

Thanks!

Craig
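
The client-redirect variant of option 2, done from a JAX-RS 2.0 `ContainerRequestFilter` as suggested in the quoted reply, could look like the sketch below. This is an added example, not code from the thread or from CXF. The class name `LoginRedirectFilter`, the `login` path and the `returnTo` parameter are assumptions, and the filter reads the `SecurityContext` from the request context rather than having it injected.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Provider;

/** Hypothetical filter: redirect unauthenticated callers to a login page instead of returning 401. */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class LoginRedirectFilter implements ContainerRequestFilter {

    // Assumption: the login UI is served at <application base URI>/login.
    private static final String LOGIN_PATH = "login";
    // Assumption: the login page reads this parameter to resume the flow.
    private static final String RETURN_PARAM = "returnTo";

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        SecurityContext sc = ctx.getSecurityContext();
        if (sc != null && sc.getUserPrincipal() != null) {
            return; // authenticated: let the request reach the authorization service
        }
        // No authentication info on the request: short-circuit with a redirect.
        ctx.abortWith(Response.seeOther(loginUri(ctx.getUriInfo())).build());
    }

    // The return target is the request's own path and query, relative to the
    // application base URI; it is never an absolute URL taken from the caller.
    static URI loginUri(UriInfo ui) throws IOException {
        String target = ui.getPath(false);               // raw path, relative to base
        String query = ui.getRequestUri().getRawQuery(); // original request parameters
        if (query != null) {
            target = target + "?" + query;
        }
        URI login = ui.getBaseUriBuilder().path(LOGIN_PATH).build();
        String encoded = URLEncoder.encode(target, "UTF-8");
        return URI.create(login + "?" + RETURN_PARAM + "=" + encoded);
    }
}
```

The login page should treat `returnTo` as a path under the application base and reject anything that parses as an absolute URI, so the parameter cannot be used to bounce users to another site.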
