Posted to issues@cxf.apache.org by "Glen Mazza (JIRA)" <ji...@apache.org> on 2008/07/02 19:15:45 UTC

[jira] Commented: (CXF-1680) Map ws-security principals into WebServiceContext.getUserPrincipal() call

    [ https://issues.apache.org/jira/browse/CXF-1680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609977#action_12609977 ] 

Glen Mazza commented on CXF-1680:
---------------------------------

Possibly, but there are lots of moving parts to keep in mind if you do this. At Sun it somewhat appears[1] that the Principal is supposed to be just the username/password used in basic authentication instead of the username token or other token profiles. Further, you would have to take into account what the other method in WSC, isUserInRole(), would mean if the principal were not the basic auth user but a username or X509 token user--isUserInRole() and getUserPrincipal() should be in sync with each other.

Also be sure to take into account intermediaries/proxy services routing to business services--in some cases, the former or the latter will not have access to the username or x509 token, and perhaps should not either. Finally, this method needs to return "null" if authentication failed[2]--would such a rule be implementable with the token profiles?

Just to be further hated, what if both username token profiles and basic auth are used--which would take precedence?

Another possible architectural concern here is that WS-Security is a SOAP extension, implemented via SOAP headers.  Architecturally, SOAP knows nothing about WS-Security--it's just an extension like any other.  Thinking of it from that perspective, it could be considered strange for WebServiceContext to make direct references then to an extension, to "hardcode" in a sense, a specific extension.

Glen

[1] http://forums.java.net/jive/thread.jspa?messageID=244668&tstart=0
[2] http://java.sun.com/javase/6/docs/api/javax/xml/ws/WebServiceContext.html#getUserPrincipal()


> Map ws-security principals into WebServiceContext.getUserPrincipal() call
> -------------------------------------------------------------------------
>
>                 Key: CXF-1680
>                 URL: https://issues.apache.org/jira/browse/CXF-1680
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Daniel Kulp
>            Assignee: Daniel Kulp
>             Fix For: 2.1.2, 2.0.8
>
>
> When using ws-security x509 or username token profiles, the Principal objects should be retrievable via the WebServiceContext.getUserPrincipal() call.
