[jbossws-issues] [JBoss JIRA] (JBWS-3541) SubjectCreatingInterceptor.createSubject does not return principals in the correct order

Alessio Soldano (JIRA) jira-events at lists.jboss.org
Fri Sep 14 09:11:32 EDT 2012


    [ https://issues.jboss.org/browse/JBWS-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12718657#comment-12718657 ] 

Alessio Soldano commented on JBWS-3541:
---------------------------------------

Any chance you can provide more info on the scenario you used to reproduce this issue? 
                
> SubjectCreatingInterceptor.createSubject does not return principals in the correct order
> ----------------------------------------------------------------------------------------
>
>                 Key: JBWS-3541
>                 URL: https://issues.jboss.org/browse/JBWS-3541
>             Project: JBoss Web Services
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: jbossws-cxf
>            Reporter: Matt Wringe
>            Assignee: Alessio Soldano
>             Fix For: jbossws-cxf-4.1
>
>
> SubjectCreatingInterceptor.createSubject(String name, String password, boolean isDigest, String nonce, String created) has to return the user principal first, and any other principals after this one.
> From org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor (which the SubjectCreatingInterceptor extends):
> * Create a Subject representing a current user and its roles. 
> * This Subject is expected to contain at least one Principal representing a user
> * and optionally followed by one or more principal Groups this user is a member of.
> org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor checks that the first entry is the user entry; if not, it throws an error.
> The problem is that this method, by its definition, requires the user principal to be first, but the ordering of the credentials doesn't matter to whatever populates the credentials.
> SubjectCreatingInterceptor.createSubject has to check the order and rearrange the principals before returning the results. Otherwise it's not implementing the abstract method properly.
> Note: I am not trying to argue that the ordering _should_ matter and I do think it's probably better for cxf to not require the ordering.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
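
The reordering the issue asks for, as an added example that is not part of the original message and is not jbossws or CXF code. GroupPrincipal, User, Role and userFirst are hypothetical names (GroupPrincipal stands in for the group type the quoted Javadoc refers to), the sample principals are constructed, and the code assumes Java 16 or later and a Subject that iterates its principals in insertion order, which OpenJDK does but the API does not guarantee.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

public class PrincipalOrderExample {
    // Hypothetical marker for group/role principals (an assumption of this example).
    interface GroupPrincipal extends Principal {}

    record User(String name) implements Principal {
        public String getName() { return name; }
    }
    record Role(String name) implements GroupPrincipal {
        public String getName() { return name; }
    }

    // Returns a new Subject with user principals first and group principals after,
    // keeping the relative order inside each class and copying the credentials.
    static Subject userFirst(Subject in) {
        List<Principal> users = new ArrayList<>();
        List<Principal> groups = new ArrayList<>();
        for (Principal p : in.getPrincipals()) {
            (p instanceof GroupPrincipal ? groups : users).add(p);
        }
        // Fail closed: a Subject with only groups does not identify a caller.
        if (users.isEmpty()) {
            throw new SecurityException("Subject contains no user principal");
        }
        Subject out = new Subject();
        out.getPrincipals().addAll(users);
        out.getPrincipals().addAll(groups);
        out.getPublicCredentials().addAll(in.getPublicCredentials());
        out.getPrivateCredentials().addAll(in.getPrivateCredentials());
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the login module added the role before the user.
        Subject s = new Subject();
        s.getPrincipals().add(new Role("friend"));
        s.getPrincipals().add(new User("kermit"));
        Subject fixed = userFirst(s);
        Principal first = fixed.getPrincipals().iterator().next();
        if (first instanceof GroupPrincipal) throw new AssertionError("group came first");
        System.out.println(fixed.getPrincipals());
    }
}
```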

