[jbossws-issues] [JBoss JIRA] Updated: (JBWS-3143) SubjectCreatingInterceptor incompatible with PolicyBasedWSS4JInInterceptor
Willem Salembier (JIRA)
jira-events at lists.jboss.org
Mon Oct 4 14:38:39 EDT 2010
[ https://jira.jboss.org/browse/JBWS-3143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Willem Salembier updated JBWS-3143:
-----------------------------------
Description: The JAAS authentication does not work when using embedded WS-SecurityPolicies (was: 1. Create a web service with an embedded SecurityPolicy https + usernametoken.
2. Configure JAAS authentication as explained here: http://community.jboss.org/wiki/JBossWS-StackCXFUserGuide#Authentication_and_authorization
Because org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor inherits from WSS4JInInterceptor and sets the SECURITY_PROCESSED attribute, the checks in the PolicyBasedWSS4JInInterceptor are skipped. Result is a lot of policy failures.
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedSupportingTokens
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken)
Steps to Reproduce:
1. Create a web service with an embedded SecurityPolicy https + usernametoken.
2. Configure JAAS authentication as explained here: http://community.jboss.org/wiki/JBossWS-StackCXFUserGuide#Authentication_and_authorization
Because org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor inherits from WSS4JInInterceptor and sets the SECURITY_PROCESSED attribute, the checks in the PolicyBasedWSS4JInInterceptor are skipped. Result is a lot of policy failures.
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedSupportingTokens
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken
> SubjectCreatingInterceptor incompatible with PolicyBasedWSS4JInInterceptor
> --------------------------------------------------------------------------
>
> Key: JBWS-3143
> URL: https://jira.jboss.org/browse/JBWS-3143
> Project: JBoss Web Services
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: jbossws-cxf
> Affects Versions: jbossws-cxf-3.4.0.Beta2
> Reporter: Willem Salembier
> Fix For: jbossws-cxf-3.4.0
>
>
> The JAAS authentication does not work when using embedded WS-SecurityPolicies
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jbossws-issues
mailing list