[jbossws-issues] [JBoss JIRA] (JBWS-3541) SubjectCreatingInterceptor.createSubject does not return principals in the correct order

Matt Wringe created JBWS-3541: --------------------------------- Summary: SubjectCreatingInterceptor.createSubject does not return principals in the correct order Key: JBWS-3541 URL: https://issues.jboss.org/browse/JBWS-3541 Project: JBoss Web Services Issue Type: Bug Security Level: Public (Everyone can see) Reporter: Matt Wringe SubjectCreatingInterceptor.createSubject(String name, String password, boolean isDigest, String nonce, String created) has to return the user principal first, and any other principals after this one. * Create a Subject representing a current user and its roles. * This Subject is expected to contain at least one Principal representing a user * and optionally followed by one or more principal Groups this user is a member of. org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor checks that the first entry is the user entry, if not it throws an error. The problem is that this method, by its definition, requires the user principal to be first, but the ordering of the credentials doesn't matter to whatever populates the credentials. SubjectCreatingInterceptor.createSubject has to check the order and rearrange the principals before return the results. Otherwise its not implementing the abstract method properly. Note: I am not trying to argue that the ordering _should_ matter and I do think its probably better for cxf to not require the ordering. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira