SubjectCreatingInterceptor.createSubject(String name, String password, boolean isDigest, String nonce, String created) has to return the user principal first, and any other principals after this one.
From org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor (which the SubjectCreatingInterceptor extends):
- Create a Subject representing a current user and its roles.
- This Subject is expected to contain at least one Principal representing a user
- and optionally followed by one or more principal Groups this user is a member of.
org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor checks that the first entry is the user entry, if not it throws an error.
The problem is that this method, by its definition, requires the user principal to be first, but the ordering of the credentials doesn't matter to whatever populates the credentials.
SubjectCreatingInterceptor.createSubject has to check the order and rearrange the principals before return the results. Otherwise its not implementing the abstract method properly.
Note: I am not trying to argue that the ordering should matter and I do think its probably better for cxf to not require the ordering.