[jbossws-issues] [JBoss JIRA] (JBWS-3541) SubjectCreatingInterceptor.createSubject does not return principals in the correct order

SubjectCreatingInterceptor.createSubject does not return principals in the correct order ---------------------------------------------------------------------------------------- Key: JBWS-3541 URL: https://issues.jboss.org/browse/JBWS-3541 Project: JBoss Web Services Issue Type: Bug Security Level: Public(Everyone can see) Components: jbossws-cxf Reporter: Matt Wringe Fix For: jbossws-cxf-4.1 SubjectCreatingInterceptor.createSubject(String name, String password, boolean isDigest, String nonce, String created) has to return the user principal first, and any other principals after this one. From org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor (which the SubjectCreatingInterceptor extends): * Create a Subject representing a current user and its roles. * This Subject is expected to contain at least one Principal representing a user * and optionally followed by one or more principal Groups this user is a member of. org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor checks that the first entry is the user entry, if not it throws an error. The problem is that this method, by its definition, requires the user principal to be first, but the ordering of the credentials doesn't matter to whatever populates the credentials. SubjectCreatingInterceptor.createSubject has to check the order and rearrange the principals before return the results. Otherwise its not implementing the abstract method properly. Note: I am not trying to argue that the ordering _should_ matter and I do think its probably better for cxf to not require the ordering.