[jbossws-issues] [JBoss JIRA] (JBWS-3541) SubjectCreatingInterceptor.createSubject does not return principals in the correct order

Matt Wringe (JIRA) jira-events at lists.jboss.org
Tue Oct 9 09:43:03 EDT 2012


    [ https://issues.jboss.org/browse/JBWS-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12724993#comment-12724993 ] 

Matt Wringe commented on JBWS-3541:
-----------------------------------

I have fixed it in my code by overriding the faulty method to return things in the correct order. I could check your patch later to see if it also works if I find some time this week.

I don't know why this is being assigned to me.
                
> SubjectCreatingInterceptor.createSubject does not return principals in the correct order
> ----------------------------------------------------------------------------------------
>
>                 Key: JBWS-3541
>                 URL: https://issues.jboss.org/browse/JBWS-3541
>             Project: JBoss Web Services
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: jbossws-cxf
>            Reporter: Matt Wringe
>            Assignee: Matt Wringe
>             Fix For: jbossws-cxf-4.1
>
>         Attachments: JBWS-3541.diff
>
>
> SubjectCreatingInterceptor.createSubject(String name, String password, boolean isDigest, String nonce, String created) has to return the user principal first, and any other principals after this one.
> From org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor (which the SubjectCreatingInterceptor extends):
> * Create a Subject representing a current user and its roles. 
> * This Subject is expected to contain at least one Principal representing a user
> * and optionally followed by one or more principal Groups this user is a member of.
> org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor checks that the first entry is the user entry; if not, it throws an error.
> The problem is that this method, by its definition, requires the user principal to be first, but the ordering of the credentials doesn't matter to whatever populates the credentials.
> SubjectCreatingInterceptor.createSubject has to check the order and rearrange the principals before returning the results. Otherwise it's not implementing the abstract method properly.
> Note: I am not trying to argue that the ordering _should_ matter, and I do think it's probably better for cxf to not require the ordering.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
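The reordering the issue description asks createSubject to perform, shown as an added example that is not code from JBossWS, CXF or the attached patch. It uses plain javax.security.auth.Subject; the NamedPrincipal class and the "Roles"/"CallerPrincipal" names are hypothetical stand-ins for whatever principal types a login module actually populates, and the code assumes (as the JDK's LinkedList-backed implementation does) that a Subject's principal set iterates in insertion order, which is what the "user first" contract relies on.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical principal type standing in for whatever the login module adds.
final class NamedPrincipal implements Principal {
    private final String name;

    NamedPrincipal(String name) {
        this.name = name;
    }

    @Override
    public String getName() {
        return name;
    }

    @Override
    public String toString() {
        return name;
    }
}

public final class OrderedSubjectExample {

    /**
     * Builds a Subject whose principal set yields the user principal first and
     * every other principal (role groups etc.) after it, no matter in which
     * order the login module populated them. The user principal is located by
     * name, because the authenticated user name is all the interceptor knows.
     */
    static Subject withUserFirst(String userName, Set<Principal> populated) {
        Principal user = null;
        List<Principal> rest = new ArrayList<>();
        for (Principal p : populated) {
            if (user == null && userName.equals(p.getName())) {
                user = p;
            } else {
                rest.add(p);
            }
        }
        if (user == null) {
            // Refuse rather than hand back a Subject whose first entry is not the user.
            throw new SecurityException("no principal named " + userName + " was populated");
        }
        Subject subject = new Subject();
        // Insertion order is what the caller will observe, so add the user first.
        subject.getPrincipals().add(user);
        subject.getPrincipals().addAll(rest);
        return subject;
    }

    /** The check the caller performs: is the first principal the user? */
    static boolean userIsFirst(Subject subject, String userName) {
        Iterator<Principal> it = subject.getPrincipals().iterator();
        return it.hasNext() && userName.equals(it.next().getName());
    }

    public static void main(String[] args) {
        // Constructed input: a login module that added the role group before the user.
        Set<Principal> populated = new LinkedHashSet<>();
        populated.add(new NamedPrincipal("Roles"));
        populated.add(new NamedPrincipal("alice"));
        populated.add(new NamedPrincipal("CallerPrincipal"));

        Subject fixed = withUserFirst("alice", populated);
        System.out.println(fixed.getPrincipals());
        System.out.println(userIsFirst(fixed, "alice"));
    }
}
```

Matching by name is the simplest way to find the user entry, but it breaks if a group principal happens to carry the same name as the user; when the populating code uses distinct principal types for users and groups, select by type instead of by name.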