  1. JBoss Web Services
  2. JBWS-3430

SubjectCreatingPolicyInterceptor does not perform authentication for CXF SecurityContext principals

    Details

      Description

      The SubjectCreatingPolicyInterceptor is used for proper JBoss AS <--> Apache CXF authentication integration (JAAS): when a subject is created, the principal needs to be checked with the JBoss AS security layer.
      In some use cases, though, the subject is not currently created by the JBoss security layer after having checked the credentials. In such cases (for instance when using a UsernameToken (UT) as a supporting token), Apache WSS4J sets its own implementation of the principal into the wsse results that are processed by CXF, which in turn sets it into the WebServiceContext (WSS4JInInterceptor::doResults), hence bypassing the JBoss authentication/authorization.
      We need to have the SubjectCreatingPolicyInterceptor extended to deal with those use cases too (in other words, when there's no CXF UsernameToken attached to the Message, but there's a SecurityContext instead).
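
      A self-contained model of the gap described above and of the requested check, added here as an illustration; it is not JBossWS or CXF code. The record types, the in-memory `DOMAIN` map standing in for the JBoss AS security domain, the sample user names, and the assumption that the WSS4J principal exposes the presented password are all hypothetical (Java 17).

```java
import java.security.Principal;
import java.util.Map;

public class SubjectCheckModel {
    // Hypothetical stand-ins for what an inbound message may carry (not CXF/WSS4J types).
    record UsernameToken(String name, String password) {}
    record WssPrincipal(String name, String password) implements Principal {
        public String getName() { return name; }
    }
    record DomainPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record Message(UsernameToken token, Principal securityContextPrincipal) {}

    // Hypothetical stand-in for the JBoss AS security domain (constructed data).
    static final Map<String, String> DOMAIN = Map.of("kermit", "thefrog");

    static Principal authenticate(String user, String password) {
        if (user == null || password == null || !password.equals(DOMAIN.get(user))) {
            throw new SecurityException("Security domain rejected " + user);
        }
        return new DomainPrincipal(user);
    }

    // Behaviour described in the issue: only the UsernameToken path is authenticated.
    static Principal handleBefore(Message m) {
        if (m.token() != null) {
            return authenticate(m.token().name(), m.token().password());
        }
        return m.securityContextPrincipal(); // accepted without a domain check
    }

    // Requested behaviour: a principal found in the SecurityContext is authenticated too.
    static Principal handleAfter(Message m) {
        if (m.token() != null) {
            return authenticate(m.token().name(), m.token().password());
        }
        if (m.securityContextPrincipal() instanceof WssPrincipal w) {
            return authenticate(w.name(), w.password());
        }
        throw new SecurityException("No verifiable principal on the message");
    }

    public static void main(String[] args) {
        // Constructed input: no UsernameToken on the message, only a SecurityContext principal.
        Message viaContext = new Message(null, new WssPrincipal("gonzo", "secret"));
        System.out.println("before: accepted " + handleBefore(viaContext).getName());
        try { handleAfter(viaContext); }
        catch (SecurityException e) { System.out.println("after: " + e.getMessage()); }
    }
}
```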

              People

              • Assignee: Alessio Soldano (asoldano)
              • Reporter: Alessio Soldano (asoldano)