[jbossws-issues] [JBoss JIRA] (JBWS-3430) SubjectCreatingPolicyInterceptor does not perform authentication for CXF SecurityContext principals

Alessio Soldano (JIRA) jira-events at lists.jboss.org
Thu Feb 9 08:35:48 EST 2012


Alessio Soldano created JBWS-3430:
-------------------------------------

             Summary: SubjectCreatingPolicyInterceptor does not perform authentication for CXF SecurityContext principals
                 Key: JBWS-3430
                 URL: https://issues.jboss.org/browse/JBWS-3430
             Project: JBoss Web Services
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: jbossws-cxf
            Reporter: Alessio Soldano
            Assignee: Alessio Soldano
             Fix For: jbossws-cxf-4.0.2


The SubjectCreatingPolicyInterceptor is used for proper JBossAS<-->Apache CXF authentication integration (JAAS), as when a subject is created, the principal needs to be checked with the JBoss AS security layer.
In some use cases, though, the subject is not currently created by the JBoss security layer after having checked the credentials; in such cases (for instance when using UT as a supporting token) Apache WSS4J sets its implementation of the principal into the wsse results that are processed by CXF, which in turn sets that into the WebServiceContext (WSS4JInInterceptor::doResults), hence bypassing the JBoss authentication/authorization.
We need to have the SubjectCreatingPolicyInterceptor extended to deal with those use cases too (in other words, when there's no CXF UsernameToken attached to the Message, but there's a SecurityContext instead).

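The gap described in the report, as an added example that is not part of the original message and is not jbossws-cxf code: a self-contained Java model in which `TokenPrincipal`, `Message`, `DOMAIN`, `domainAuthenticate`, `beforeFix` and `afterFix` are all hypothetical stand-ins for the WSS4J principal, the CXF message, and the JBoss security domain.

```java
import java.security.Principal;
import java.util.Map;

// Added model; every type below is a hypothetical stand-in, not a CXF, WSS4J or JBoss class.
public class SecurityContextAuthDemo {
    // Stand-in for the principal the WS-Security layer builds from a token it has only parsed.
    record TokenPrincipal(String name, String password) implements Principal {
        public String getName() { return name; }
    }
    // Stand-in for the message: a UsernameToken slot and a SecurityContext principal slot.
    record Message(TokenPrincipal usernameToken, Principal securityContextPrincipal) {}

    // Stand-in for the application server's security domain (constructed credentials).
    static final Map<String, String> DOMAIN = Map.of("alice", "correct-password");

    static boolean domainAuthenticate(String user, String password) {
        return password != null && password.equals(DOMAIN.get(user));
    }

    // Behaviour the report describes: only the UsernameToken slot triggers a domain check.
    static Principal beforeFix(Message m) {
        TokenPrincipal t = m.usernameToken();
        if (t == null) return m.securityContextPrincipal(); // accepted with no credential check
        if (!domainAuthenticate(t.name(), t.password())) throw new SecurityException("auth failed");
        return t;
    }

    // Behaviour the report asks for: a principal found in the SecurityContext is checked too.
    static Principal afterFix(Message m) {
        Principal p = m.usernameToken() != null ? m.usernameToken() : m.securityContextPrincipal();
        if (p == null) return null; // anonymous: left to the endpoint's authorization rules
        // Assumption of this model: fail closed on any principal that carries no credentials.
        if (!(p instanceof TokenPrincipal t) || !domainAuthenticate(t.name(), t.password()))
            throw new SecurityException("principal not authenticated by the security domain");
        return p;
    }

    public static void main(String[] args) {
        // Constructed input: supporting-token case, principal present only in the SecurityContext.
        Message m = new Message(null, new TokenPrincipal("alice", "wrong-password"));
        System.out.println("before fix: " + beforeFix(m).getName() + " accepted");
        try {
            afterFix(m);
        } catch (SecurityException e) {
            System.out.println("after fix: rejected (" + e.getMessage() + ")");
        }
    }
}
```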