[ https://issues.apache.org/jira/browse/CXF-5864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14058702#comment-14058702 ]

Akitoshi Yoshida commented on CXF-5864:
---------------------------------------

Hi,
I am slightly concerned with this change.

The consequence of this change means that some services that were previously not 
accessible by default will suddenly be accessible after being upgraded to this 
newer version? 

If so, should this at least be explicitly mentioned in the release note to warn 
those who unknowingly assumed the previous behaviour?

regards, aki


> Anonymous users are denied to call unprotected methods since 2.6.3
> ------------------------------------------------------------------
>
>                 Key: CXF-5864
>                 URL: https://issues.apache.org/jira/browse/CXF-5864
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 2.6.3
>            Reporter: metatech
>            Assignee: Sergey Beryozkin
>             Fix For: 2.6.15, 2.7.12, 3.0.1
>
>         Attachments: patch.txt
>
>
> Since CXF-4495 (contained in CXF 2.6.3), anonymous users are denied to call 
> unprotected methods.
> The method "handleMessage" of the class "AbstractAuthorizingInInterceptor" 
> now checks that the UserPrincipal is not null.
> Any call now results in an AccessDeniedException.
> {code}
> Caused by: org.apache.cxf.interceptor.security.AccessDeniedException: Unauthorized
>       at org.apache.cxf.interceptor.security.AbstractAuthorizingInInterceptor.handleMessage(AbstractAuthorizingInInterceptor.java:57) ~[cxf-rt-core-2.6.3.jar:2.6.3]
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
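
The following is an added example, not part of the original message and not CXF source code. It is a simplified model of the two behaviours discussed in the thread: the null-principal rejection described in the report, and a relaxed check that lets anonymous callers reach methods with no role requirement. It then lists the operations whose anonymous outcome changes between the two. All class, method and operation names are hypothetical, and the role mapping is constructed sample data.

```java
import java.util.*;

// Simplified model of the check discussed in CXF-5864; not CXF source code.
// All class, method and map names here are hypothetical.
public class AnonymousAccessAudit {

    // Behaviour described in the report: a null principal is rejected
    // before the method's role requirements are even consulted.
    static boolean strictCheck(String principal, Set<String> userRoles, Set<String> required) {
        if (principal == null) return false;
        return required.isEmpty() || !Collections.disjoint(userRoles, required);
    }

    // Behaviour the report asks for: anonymous callers pass only when
    // the method has no role requirement at all.
    static boolean relaxedCheck(String principal, Set<String> userRoles, Set<String> required) {
        if (required.isEmpty()) return true;
        return principal != null && !Collections.disjoint(userRoles, required);
    }

    // Operations whose anonymous outcome flips from denied to allowed.
    static List<String> newlyExposed(Map<String, Set<String>> methodRoles) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : methodRoles.entrySet()) {
            boolean before = strictCheck(null, Set.of(), e.getValue());
            boolean after = relaxedCheck(null, Set.of(), e.getValue());
            if (!before && after) out.add(e.getKey());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample mapping of service operations to required roles.
        Map<String, Set<String>> methodRoles = new LinkedHashMap<>();
        methodRoles.put("getStatus", Set.of());
        methodRoles.put("listOrders", Set.of("user", "admin"));
        methodRoles.put("deleteOrder", Set.of("admin"));
        methodRoles.put("exportAll", Set.of()); // no mapping: relied on the implicit deny
        System.out.println("Anonymous-callable after upgrade: " + newlyExposed(methodRoles));
    }
}
```

Operations that appear in the output are the ones to give an explicit role requirement before upgrading, if they were relying on the implicit rejection of anonymous callers.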
