Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.4.23.CR1, 7.4.23.GA
Affects Version/s: None
Component/s: Web Services
Labels:
None

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
?
Target Release:

7.4.z.GA
Git Pull Request:
https://github.com/jbossws/jbossws-cxf/pull/583
Steps to Reproduce:

Hide

Test coverage: Test coverage development is planned for the next CP, manual verification only for this release.
Platform specific: no
Performance specific: no
Planned testing: Full regression testing for webservices will be executed, and the fix will be verified using the added reproducer

Show
Test coverage: Test coverage development is planned for the next CP, manual verification only for this release. Platform specific: no Performance specific: no Planned testing: Full regression testing for webservices will be executed, and the fix will be verified using the added reproducer
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When the webservice endpoint security is authenticated with a custom Realm and RealmIdentity which always returns null PasswordCredential like :

public class SampleRealmIdentity implements RealmIdentity {

    private final Principal principal;
    private final String password;
    private final Set<String> roles;

    public SampleRealmIdentity(Principal principal, String password, Set<String> roles) {
        this.principal = principal;
        this.password = password;
        this.roles = roles;
    }
 ... 
 
    @Override
    public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException {
       // do not return credentials
       return null;
    }

    @Override
    public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
       if (evidence instanceof PasswordGuessEvidence) {
          PasswordGuessEvidence guess = (PasswordGuessEvidence) evidence;
          return Arrays.equals(password.toCharArray(), guess.getGuess());
       }
       return false;
    }
   ...
}

    @Override
    public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException {
       return AuthorizationIdentity.basicIdentity(getAttributes());
    }
}

The authentication is always failed as the SubjectCreator expects a null value PasswordCredential.

clones

JBWS-4438 Authentication always failed when the webservice security is configured with a custom realm

Resolved

is cloned by

JBEAP-28985 [GSS](8.0.z) JBWS-4438 - Authentication always failed when the webservice security is configured with a custom realm

Verified

is incorporated by

JBEAP-28905 (7.4.z) Upgrade jbossws-cxf from 5.4.14.Final-redhat-00001 to 5.4.15.Final-redhat-00001

Closed

Assignee:: Petr Beran

Reporter:: Jim Ma

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2025/01/16 8:01 AM

Updated:: 2025/08/02 3:26 PM

Resolved:: 2025/03/06 7:19 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates