]
Matt Wringe commented on JBWS-3541:
-----------------------------------
I have fixed it in my code my overriding the faulty method to return things in the correct
order. I could check your patch later to see if it also works if I find some time this
week.
I don't know why this is being assigned to me.
SubjectCreatingInterceptor.createSubject does not return principals
in the correct order
----------------------------------------------------------------------------------------
Key: JBWS-3541
URL:
https://issues.jboss.org/browse/JBWS-3541
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: jbossws-cxf
Reporter: Matt Wringe
Assignee: Matt Wringe
Fix For: jbossws-cxf-4.1
Attachments: JBWS-3541.diff
SubjectCreatingInterceptor.createSubject(String name, String password, boolean isDigest,
String nonce, String created) has to return the user principal first, and any other
principals after this one.
From org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor
(which the SubjectCreatingInterceptor extends):
* Create a Subject representing a current user and its roles.
* This Subject is expected to contain at least one Principal representing a user
* and optionally followed by one or more principal Groups this user is a member of.
org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor checks
that the first entry is the user entry, if not it throws an error.
The problem is that this method, by its definition, requires the user principal to be
first, but the ordering of the credentials doesn't matter to whatever populates the
credentials.
SubjectCreatingInterceptor.createSubject has to check the order and rearrange the
principals before return the results. Otherwise its not implementing the abstract method
properly.
Note: I am not trying to argue that the ordering _should_ matter and I do think its
probably better for cxf to not require the ordering.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: