On Wed, Apr 26, 2017 at 6:19 PM, Romain Manni-Bucau <rmannibucau(a)gmail.com>
wrote:
>>> Here you can get a PrincipalFacade which limits MyPrincipal to
>>> getName() only, this is perfectly valid per spec.
>>>
>>
>> Nope, I spec'ed this such that securityContext.getCallerPrincipal() MUST
>> return the *exact* principal type that was set by the authentication
>> mechanism.
>>
> Yep and my statement is still true. You can still wrap the context in a
> filter and break that so a user can't rely on it.

I'm not sure if I understand that correctly. You can't really wrap the
security context in a filter. The security context is a CDI bean, not an
instance that's passed along from one filter to the other.

You can decorate the context and then return whatever from the
getCallerPrincipal() method, but that doesn't mean the original
getCallerPrincipal() method doesn't return what it's spec'ed to return, does
it?
Kind regards,
Arjan Tijms
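The decoration Arjan describes, written out as an added example (this is not code from the thread, from JSR 375 or from its reference implementation). It uses the javax.security.enterprise.SecurityContext interface as published in JSR 375 1.0; the class names MyPrincipal, PrincipalFacade, PrincipalFacadeDecorator and WhoAmI are hypothetical. The point it shows: a CDI @Decorator on the SecurityContext bean can hand consumers a facade that exposes only getName(), so an `instanceof MyPrincipal` check in application code stops matching, while the undecorated bean behind the delegate still returns the exact type the authentication mechanism set.

```java
import java.security.Principal;

import javax.annotation.Priority;
import javax.decorator.Decorator;
import javax.decorator.Delegate;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.inject.Any;
import javax.inject.Inject;
import javax.interceptor.Interceptor;
import javax.security.enterprise.SecurityContext;

// Hypothetical concrete principal type an authentication mechanism might set.
// Consumers that downcast to it want the extra accessor (getTenant).
class MyPrincipal implements Principal {
    private final String name;
    private final String tenant;

    MyPrincipal(String name, String tenant) {
        this.name = name;
        this.tenant = tenant;
    }

    @Override public String getName() { return name; }
    public String getTenant() { return tenant; }
}

// Facade that exposes only Principal.getName(); the original type and any
// extra accessors are deliberately hidden from whoever receives it.
final class PrincipalFacade implements Principal {
    private final String name;

    PrincipalFacade(Principal original) {
        this.name = original.getName();
    }

    @Override public String getName() { return name; }
}

// Application-level CDI decorator on the SecurityContext bean. Because the class
// is abstract, every SecurityContext method it does not override is forwarded to
// the delegate unchanged; only getCallerPrincipal() is intercepted.
// @Priority enables the decorator without a <decorators> entry in beans.xml.
@Decorator
@Priority(Interceptor.Priority.APPLICATION)
abstract class PrincipalFacadeDecorator implements SecurityContext {

    @Inject @Delegate @Any
    private SecurityContext delegate;

    @Override
    public Principal getCallerPrincipal() {
        // The delegate is the spec'ed bean: it still returns the exact type
        // the authentication mechanism set (e.g. MyPrincipal).
        Principal original = delegate.getCallerPrincipal();
        return original == null ? null : new PrincipalFacade(original);
    }
}

// Consumer. With the decorator enabled, the instanceof branch is never taken,
// even though the bean behind the decorator behaves exactly as specified.
@RequestScoped
class WhoAmI {

    @Inject
    private SecurityContext securityContext;

    public String describe() {
        Principal p = securityContext.getCallerPrincipal();
        if (p == null) {
            return "unauthenticated";
        }
        if (p instanceof MyPrincipal) {
            return p.getName() + "@" + ((MyPrincipal) p).getTenant();
        }
        // Defensive path: once an application decorator can sit between this
        // code and the mechanism-provided principal, only getName() is certain.
        return p.getName() + " (" + p.getClass().getSimpleName() + ")";
    }
}
```

In a real project each class would live in its own source file; they are shown together here for readability. Two caveats a practitioner would check: the decorator is only active if it is enabled (via @Priority as above, or a `<decorators>` entry in beans.xml), and because the abstract decorator forwards getPrincipalsByType() untouched, the concrete principal type remains reachable through that method unless it is decorated as well.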