[ https://issues.apache.org/jira/browse/CXF-5864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14056200#comment-14056200 ]
Sergey Beryozkin commented on CXF-5864: --------------------------------------- I think it was a definite weakness in this interceptor in the versions before 2.6.3 given that it allowed anonymous users without any explicit configuration. I created a patch which you can use to create a custom interceptor overriding AbstractAuthorizingInInterceptor.handleMessage. I have doubts CXF should support it by default. If Colm, others are OK with the patch then I can commit, otherwise will will close it as Won;t Fix Cheers, Sergey > Anonymous users are denied to call unprotected methods since 2.6.3 > ------------------------------------------------------------------ > > Key: CXF-5864 > URL: https://issues.apache.org/jira/browse/CXF-5864 > Project: CXF > Issue Type: Bug > Affects Versions: 2.6.3 > Reporter: metatech > Attachments: patch.txt > > > Since CXF-4495 (contained in CXF 2.6.3), anonymous users are denied to call > unprotected methods. > The method "handleMessage" of the class "AbstractAuthorizingInInterceptor" > now checks that the UserPrincipal is not null. > Any call results now into a AccessDeniedException. > {code} > Caused by: org.apache.cxf.interceptor.security.AccessDeniedException: > Unauthorized > at > org.apache.cxf.interceptor.security.AbstractAuthorizingInInterceptor.handleMessage(AbstractAuthorizingInInterceptor.java:57) > ~[cxf-rt-core-2.6.3.jar:2.6.3] > {code} -- This message was sent by Atlassian JIRA (v6.2#6252)
