[cdi-dev] Types of Principal object
arjan.tijms at gmail.com
Wed Apr 26 12:28:37 EDT 2017
On Wed, Apr 26, 2017 at 6:19 PM, Romain Manni-Bucau <rmannibucau at gmail.com>
> Here you can get a PrincipalFacade which limits MyPrincipal to getName()
>>> only, this is perfectly valid per spec.
>> Nope, I spec'ed this such that securityContext.getCallerPrincipal() MUST
>> return the *exact* principal type that was set by the authentication
> Yep and my statement is still true. You can still wrap the context in a
> filter and break that so a user can't rely on it.
I'm not sure if I understand that correctly. You can't really wrap the
security context in a filter. The security context is a CDI bean, not an
instance that's passed along from one filter to the other.
You can decorate the context and then return whatever from the
getCallerPrincipal() method, but that doesn't mean the original
getCallerPrincipal() method doesn't return what it's spec'ed to return, is
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cdi-dev