Alessio Soldano created JBWS-3430:
Summary: SubjectCreatingPolicyInterceptor does not perform authentication for CXF SecurityContext principals
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public (Everyone can see)
Reporter: Alessio Soldano
Assignee: Alessio Soldano
Fix For: jbossws-cxf-4.0.2

The SubjectCreatingPolicyInterceptor is used for proper JBossAS<-->Apache CXF
authentication integration (JAAS), as when a subject is created, the principal needs to be
checked with the JBoss AS security layer.

In some use cases, though, the subject is not currently created by the JBoss security layer
after having checked the credentials; in such cases (for instance when using UT as
supporting token) Apache WSS4J sets its implementation of principal into the wsse results
that are processed by CXF, which in turn sets that into the WebServiceContext
(WSS4JInInterceptor::doResults), hence bypassing the JBoss authentication/authorization.

We need to have the SubjectCreatingPolicyInterceptor extended to deal with those use cases
too (IOW when there's no CXF UsernameToken attached to the Message, but there's a