Alessio Soldano created JBWS-3431:
-------------------------------------
Summary: JBossWS-CXF integration hides Apache CXF
WebServiceContext::getUserPrincipal implementation
Key: JBWS-3431
URL:
https://issues.jboss.org/browse/JBWS-3431
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: jbossws-cxf
Reporter: Alessio Soldano
Assignee: Alessio Soldano
Fix For: jbossws-cxf-4.0.2
The JBossWS-CXF WebServiceContextFactory implementation returns an instance of
org.jboss.ws.common.invocation.WebServiceContextAdapter wrapping the Apache CXF
WebServiceContextImpl. That overrides the getUserPrincipal() and isUserInRole(String role)
method, retrieving the information from the HttpServletRequest.
While that's usually, fine, when running WS-Security apps, Apache CXF can get the
principal through WSS4J / UsernameToken authentication; the WebServiceContextImpl has
proper logic for checking that as well as the data coming from HttpServletRequest when the
HTTPDestination is in use.
So we need to use a WebServiceContextDelegate wrapper instead of the
WebServiceContextAdapter, to avoid overriding the 2 methods above.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see:
http://www.atlassian.com/software/jira