[CXF-3444] WSS4JInIntereptor does not always set the 'best' Principal as SecurityContext Principal - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.3.3
Fix Version/s: 2.4, 2.3.4
Component/s: WS-* Components
Labels:
None

Description

David Zhang reports:

"At the end of the method is a for-loop over the wssEngineResults. If withCallbacks is false then the UsernameToken should be put in the message. *The Problem is, the first Principal found is not the UsernameTokenPrincipal but the DerivedKeyPrincipal*. This triggers creation of a security context and breakes the for-loop. The second wssEngineResult would have been the UsernameTokenPrincipal."

The actual problem is that a Principal such as WSUsernameTokenPrincipal which is more likely to help at the SecurityContext level is not set as a SecurityContext principal.

This does not happen when a public key was used to encrypt the token.

The solution is simply try to ignore a DerivedKey principal (used solely for encrypting) if possible, when setting SecurityContext. All the principals will still be available on the message as before.

Attachments

Activity

People

Assignee:: Sergey Beryozkin

Reporter:: Sergey Beryozkin

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 06/Apr/11 16:08

Updated:: 18/Apr/11 12:44

Resolved:: 06/Apr/11 16:39