cxf-dev mailing list archives

From Freeman Fang <>
Subject Re: AbstractUsernameTokenAuthenticatingInterceptor.createSubject principal ordering
Date Mon, 20 May 2013 10:45:24 GMT
Hi Alessio,

I thought your original problem comes from that you can't tell the difference between UserPrincipal
and RolePrincipal in some containers (as I encounter a similar issue in Karaf), no? If so, the
configuration way used in could be
borrowed here.

And about your question, yes, we probably should do it as the RolePrincipal may not always
implement the Group interface in some cases.

Freeman(Yue) Fang

Red Hat, Inc. 
FuseSource is now part of Red Hat
Web: |
Twitter: freemanfang
weibo: @Freeman小屋 : The open source integration conference: 

On 2013-5-20, at 5:24 PM, Alessio Soldano wrote:

> Hi Freeman,
> thanks for the feedback;
> On 05/20/2013 10:43 AM, Freeman Fang wrote:
>> FYI, we have which also rely on this logic, please see the comment below
>> /**
>> * SecurityContext which implements isUserInRole using the
>> * following approach : skip the first Subject principal, and then checks
>> * Groups the principal is a member of
>> * 
> yep, while if you look at the findPrincipal method in there it does
> exactly the same I proposed with skipping Group instance to get the user
> principal.
>> And when deploying a CXF endpoint in some container, though by default CXF will assume
>> that role Principals are represented by instances, in some containers
>> objects representing a user principal and role principal are implementing the same marker
>> interface such as Principal, Karaf is in this case.
>> To work with this scenario, in CXF we can configure
>> <property name="roleClassifier" value="RolePrincipal"/>
>> <property name="roleClassifierType" value="classname"/>
>> for, please take a look at [1] to get more details.
>> [1]
> I previously missed this, thanks.
> So basically what would you propose for the
> AbstractUsernameTokenAuthenticationInterceptor? Perhaps to extract the
> user principal check to a separate protected method that could be
> overridden differently according to the container's needs?
> Thanks
> Alessio
> -- 
> Alessio Soldano
> Web Service Lead, JBoss
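
Added example, not part of the original messages and not CXF's code: it contrasts taking the first Subject principal as the user with classifying principals by class name, for a container where user and role principals share only the `Principal` interface. The `UserPrincipal`/`RolePrincipal` classes are constructed stand-ins, and the suffix match in `isRole` is an assumption about how a `classname` classifier behaves.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class PrincipalClassifierDemo {
    // Constructed stand-ins: both kinds implement only java.security.Principal.
    static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    static class UserPrincipal extends Named { UserPrincipal(String n) { super(n); } }
    static class RolePrincipal extends Named { RolePrincipal(String n) { super(n); } }

    // Ordering-dependent: whatever the login module added first is taken as the user.
    static Principal firstPrincipal(Subject s) {
        return s.getPrincipals().iterator().next();
    }

    // Assumed "classname" rule: a principal is a role if its class name ends with the classifier.
    static boolean isRole(Principal p, String classifier) {
        return p.getClass().getName().endsWith(classifier);
    }

    static Principal userPrincipal(Subject s, String classifier) {
        for (Principal p : s.getPrincipals()) {
            if (!isRole(p, classifier)) return p;
        }
        return null; // no user principal present: callers should fail closed
    }

    static boolean isUserInRole(Subject s, String role, String classifier) {
        for (Principal p : s.getPrincipals()) {
            if (isRole(p, classifier) && p.getName().equals(role)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Set<Principal> principals = new LinkedHashSet<>();
        principals.add(new RolePrincipal("admin")); // constructed case: role added before the user
        principals.add(new UserPrincipal("alice"));
        Subject s = new Subject(true, principals, Set.of(), Set.of());
        System.out.println("first principal: " + firstPrincipal(s).getName());
        System.out.println("classified user: " + userPrincipal(s, "RolePrincipal").getName());
        System.out.println("has role admin:  " + isUserInRole(s, "admin", "RolePrincipal"));
    }
}
```

With the role added first, the positional lookup reports the role name as the caller's identity, while the classifier-based lookup still returns the user principal.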
