cxf-issues mailing list archives

From "Glen Mazza (JIRA)" <>
Subject [jira] Commented: (CXF-1680) Map ws-security principals into WebServiceContext.getUserPrincipal() call
Date Wed, 02 Jul 2008 17:15:45 GMT


Glen Mazza commented on CXF-1680:

Possibly, but there's lots of moving parts to keep in mind if you do this.  At Sun it seems
somewhat to appear[1]  that the Principal is supposed to be just the username/password used
in basic authentication instead of the username token or other token profiles.  Further, you
would have to take into account what the other method in WSC, isUserInRole(), would mean if
the principal were not the basic auth user but a username or X509 token user--isUserInRole()
and getUserPrincipal() should be in sync with each other.

Also be sure to take into account intermediaries/proxy services routing to business services--in
some cases, the former or the latter will not have access to the username or x509 token, and
perhaps should not either.  Finally, that this method needs to return "null" if authentication
failed[2]--would such a rule be implementable with the token profiles?

Just to be further hated, what if both username token profiles and basic auth are used--which
would take precedence?

Another possible architectural concern here is that WS-Security is a SOAP extension, implemented
via SOAP headers.  Architecturally, SOAP knows nothing about WS-Security--it's just an extension
like any other.  Thinking of it from that perspective, it could be considered strange for
WebServiceContext to make direct references then to an extension, to "hardcode" in a sense,
a specific extension.



> Map ws-security principals into WebServiceContext.getUserPrincipal() call
> -------------------------------------------------------------------------
>                 Key: CXF-1680
>                 URL:
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Daniel Kulp
>            Assignee: Daniel Kulp
>             Fix For: 2.1.2, 2.0.8
> When using ws-security x509 or username token profiles, the Principal objects should
> be retrievable via the WebServiceContext.getUserPrincipal() call.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
