Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2012/11/29 19:54:59 UTC

[jira] [Commented] (CXF-4666) [OAuth2] securityContext problem on createSubject

    [ https://issues.apache.org/jira/browse/CXF-4666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506666#comment-13506666 ] 

Sergey Beryozkin commented on CXF-4666:
---------------------------------------

To be honest I'm not sure we can do anything about it and as such I would not treat it as a bug. 

How about the following (Christian suggested something like that a while back):

Postpone using Spring Security at the servlet level and use the CXF JAASLoginInterceptor instead, or maybe, for JAX-RS, org.apache.cxf.jaxrs.security.JAASAuthenticationFilter. It is very easy to use - just let it know the JAAS context name and that is it.
Effectively it simply postpones the servlet-level authentication till later, once the call reaches the CXF chain.

It will return org.apache.cxf.security.LoginSecurityContext - this is what the default UserSubject creation checks.
You can also check for some other Subject properties with LoginSecurityContext.

Next you can map LoginSecurityContext to a Spring Security-specific context and let it proceed...

That is the only thing I can suggest, to be honest - would it work for you?

By the way, as far as CXF-4656 is concerned, what other properties, apart from the principal name and its roles, are you interested in?

> [OAuth2] securityContext problem on createSubject
> -------------------------------------------------
>
>                 Key: CXF-4666
>                 URL: https://issues.apache.org/jira/browse/CXF-4666
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.0
>            Reporter: Steven Tippetts
>
> This is probably just ignorance on my part, but when I override the createSubject method in the RedirectionBasedGrantService.java file, the securityContext parameter that is passed in is of type AbstractHTTPDestination$2. This parameter contains my authentication token, but I don't know how to get at it, so I'm having to go to the SecurityContextHolder to get the context instead of just using the parameter.
> I'm just using standard Spring authentication, so it seems like many other people would also have AbstractHTTPDestination$2 as the security type, which causes roles to be missed in the OAuthUtils.createSubject method.
> I'm sure I missed some details so please let me know your questions and thanks for your help.
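
Added example (not part of the original comment and not CXF project code): one way to do the mapping step suggested in the comment, copying the LoginSecurityContext produced by JAASAuthenticationFilter into a Spring Security Authentication. The class name, package and "ROLE_" prefix are hypothetical, and the handler assumes the CXF 2.7 RequestHandler provider interface.

```java
package example; // hypothetical package

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Hypothetical handler. Register it in jaxrs:providers AFTER
 * JAASAuthenticationFilter, which is configured with the JAAS context name.
 */
public class JaasToSpringSecurityHandler implements RequestHandler {

    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        SecurityContext sc = m.get(SecurityContext.class);
        // Fail closed: only a context produced by a JAAS login is accepted,
        // so a servlet-level context (no Subject, no roles) is rejected here.
        if (!(sc instanceof LoginSecurityContext) || sc.getUserPrincipal() == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        LoginSecurityContext lsc = (LoginSecurityContext) sc;

        // Carry the JAAS role principals over as Spring authorities.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        if (lsc.getUserRoles() != null) {
            for (Principal role : lsc.getUserRoles()) {
                // The "ROLE_" prefix is an assumption about the Spring configuration.
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getName()));
            }
        }
        // JAAS already verified the credentials; none are stored in the token.
        PreAuthenticatedAuthenticationToken auth = new PreAuthenticatedAuthenticationToken(
            lsc.getUserPrincipal().getName(), "N/A", authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);
        return null; // null lets the request continue down the CXF chain
    }
}
```

SecurityContextHolder is thread-local by default, so call SecurityContextHolder.clearContext() when the request completes (for example from a response-side provider); otherwise a pooled thread can carry one caller's identity into the next request.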
