[jbossws-issues] [JBoss JIRA] (JBWS-3541) SubjectCreatingInterceptor.createSubject does not return principals in the correct order

Alessio Soldano (JIRA) jira-events at lists.jboss.org
Fri Sep 14 09:31:34 EDT 2012


     [ https://issues.jboss.org/browse/JBWS-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alessio Soldano updated JBWS-3541:
----------------------------------

    Attachment: JBWS-3541.diff


Attached is a patch I might ask for review at Apache CXF and then commit. That basically improves the check for the principal according to your comments. Can you check it and verify it would address your issue? Thanks.
                
> SubjectCreatingInterceptor.createSubject does not return principals in the correct order
> ----------------------------------------------------------------------------------------
>
>                 Key: JBWS-3541
>                 URL: https://issues.jboss.org/browse/JBWS-3541
>             Project: JBoss Web Services
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: jbossws-cxf
>            Reporter: Matt Wringe
>            Assignee: Alessio Soldano
>             Fix For: jbossws-cxf-4.1
>
>         Attachments: JBWS-3541.diff
>
>
> SubjectCreatingInterceptor.createSubject(String name, String password, boolean isDigest, String nonce, String created) has to return the user principal first, and any other principals after this one.
> From org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor (which the SubjectCreatingInterceptor extends):
> * Create a Subject representing a current user and its roles. 
> * This Subject is expected to contain at least one Principal representing a user
> * and optionally followed by one or more principal Groups this user is a member of.
> org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor checks that the first entry is the user entry, if not it throws an error.
> The problem is that this method, by its definition, requires the user principal to be first, but the ordering of the credentials doesn't matter to whatever populates the credentials.
> SubjectCreatingInterceptor.createSubject has to check the order and rearrange the principals before returning the results. Otherwise it's not implementing the abstract method properly.
> Note: I am not trying to argue that the ordering _should_ matter and I do think it's probably better for cxf to not require the ordering.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
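The contract quoted in the issue (user principal first, group/role principals after it, with the consumer rejecting a Subject whose first entry is not the user) can be met defensively even when the credential store hands principals back in arbitrary order. The following is an added, self-contained illustration written for this page; it is not the JBossWS patch, not CXF's AbstractUsernameTokenAuthenticatingInterceptor, and the UserPrincipal/RolePrincipal classes, the createOrderedSubject method and the sample input are all constructed here for the example. It relies only on the JDK's javax.security.auth.Subject, whose principal set preserves insertion order, which is what makes "first principal" a meaningful notion at all.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

/** Added example for the JBWS-3541 discussion; not JBossWS or CXF code. */
public class OrderedSubjectExample {

    /** Stand-in for a user principal (constructed for this example). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "user:" + name; }
    }

    /** Stand-in for a role/group principal (constructed for this example). */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "role:" + name; }
    }

    /**
     * Builds a Subject whose first principal is the authenticated user and whose
     * remaining principals are the roles, whatever order the credential store
     * returned them in. Fails closed (throws) when no principal matches the
     * authenticated user name, rather than letting a role be mistaken for the user.
     */
    static Subject createOrderedSubject(String userName, Collection<? extends Principal> fromStore) {
        Principal user = null;
        List<Principal> others = new ArrayList<>();
        for (Principal p : fromStore) {
            // Match on the authenticated name and exclude role principals explicitly,
            // so a role that happens to share the user's name cannot be promoted.
            if (user == null && !(p instanceof RolePrincipal) && userName.equals(p.getName())) {
                user = p;
            } else {
                others.add(p);
            }
        }
        if (user == null) {
            throw new SecurityException("no user principal for '" + userName + "' in credential set");
        }
        Subject subject = new Subject();
        Set<Principal> principals = subject.getPrincipals(); // JDK implementation keeps insertion order
        principals.add(user);          // user first, as the quoted contract requires
        principals.addAll(others);     // groups/roles after it
        return subject;
    }

    /** Consumer-side check, mirroring the rule in the issue: the first principal must be the user. */
    static boolean firstPrincipalIsUser(Subject subject, String userName) {
        for (Principal p : subject.getPrincipals()) {
            return !(p instanceof RolePrincipal) && userName.equals(p.getName());
        }
        return false; // empty subject: no user principal at all
    }

    public static void main(String[] args) {
        // Constructed input: the store lists roles before the user entry,
        // the situation that tripped the check described in the issue.
        List<Principal> fromStore = List.of(
            new RolePrincipal("admin"),
            new RolePrincipal("users"),
            new UserPrincipal("matt"));

        Subject ordered = createOrderedSubject("matt", fromStore);
        System.out.println("principals: " + ordered.getPrincipals());
        System.out.println("first is user: " + firstPrincipalIsUser(ordered, "matt"));

        // A credential set with no matching user entry is rejected instead of reordered.
        try {
            createOrderedSubject("matt", List.of(new RolePrincipal("admin")));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the reordering step is that the populating code (a login module, a credential store) need not know about the consumer's ordering rule; the interceptor that implements the abstract method takes responsibility for it. The fail-closed branch matters too: if the user principal is simply missing, silently passing a role through as the first entry would satisfy the positional check while breaking its meaning.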
