Posted to issues@cxf.apache.org by "Stuart Charlton (JIRA)" <ji...@apache.org> on 2015/05/15 16:21:00 UTC
[jira] [Commented] (CXF-6401) Change the order that the set of security results are searched to create a security context
[ https://issues.apache.org/jira/browse/CXF-6401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14545555#comment-14545555 ]
Stuart Charlton commented on CXF-6401:
--------------------------------------
Hi Colm,
I'm not sure this fixed the issue. I've run this through a debugger and the SAML Principal is indeed created, but then the loop continues to run and the WSConstants.ST_SIGNED or WSConstants.ST_UNSIGNED principal is overridden by WSConstants.SIGN.
Perhaps what you want is a labelled break to get out of the outer loop, i.e.
index a08251c..140d522 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -560,6 +560,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
resultPriorities.add(WSConstants.SIGN);
resultPriorities.add(WSConstants.UT_NOPASSWORD);
+ outer:
for (Integer resultPriority : resultPriorities) {
if (resultPriority == WSConstants.ST_UNSIGNED && !allowUnsignedSamlPrincipals) {
continue;
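Review bot: the new `outer:` label on the priority loop deserves a one-line comment stating that the inner results loop must leave both loops once a security context has been created; the matching `break outer` sits some twenty lines further down, and without the comment a later reader may treat the label as noise and remove it. Something like `// a context built from a higher-priority result must not be overridden by a later one` above the label would do.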
@@ -582,7 +583,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
createSecurityContext(msg, useJAASSubject, result, utWithCallbacks);
if (context != null) {
msg.put(SecurityContext.class, context);
- break;
+ break outer;
}
}
}
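Review bot: `break outer` is the right fix for the override described in the comment (the plain `break` only left the inner loop over results, so the outer loop went on to `WSConstants.SIGN` and replaced the SAML principal), but the change should land with a test that puts both a signed SAML token and a Signature result in the security header and asserts that the principal on the resulting SecurityContext is the SAML one; without that assertion the same regression can reappear unnoticed.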
> Change the order that the set of security results are searched to create a security context
> -------------------------------------------------------------------------------------------
>
> Key: CXF-6401
> URL: https://issues.apache.org/jira/browse/CXF-6401
> Project: CXF
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 3.1.1, 3.0.6
>
>
> Right now we search the list of security results from WSS4J from the last result backwards, and stop when we meet a result that can be used to create a security context. However, we should instead create a list of desired tokens/actions with a priority to each one. So for example, if a (signed) SAML token is in the security header, this should have a higher priority than say a Signature, as the likely intention of the service logic is that the SAML Token encapsulates the user identity.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
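The override the comment describes, as an added Java illustration that is not CXF's own code: a minimal model of the nested priority search, where the action constants, the Result record and the principal strings are assumed stand-ins for WSS4J's types.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class PrioritySearchDemo {
    // Assumed stand-ins for the WSConstants action codes named in the comment.
    static final int ST_SIGNED = 1;
    static final int SIGN = 2;
    static final int UT_NOPASSWORD = 3;

    /** One WSS4J-style security result: the action that produced it and its principal. */
    record Result(int action, String principal) {}

    /**
     * Walk the priority list; for each action, walk every result and take the first
     * one that yields a context. With labelled=false the inner break only leaves the
     * inner loop, so a later (lower-priority) action overwrites the context, which is
     * the defect reported above. With labelled=true the search stops outright.
     */
    static String selectPrincipal(List<Result> results, boolean labelled) {
        List<Integer> priorities = Arrays.asList(ST_SIGNED, SIGN, UT_NOPASSWORD);
        String context = null;
        outer:
        for (Integer priority : priorities) {
            for (Result r : results) {
                if (r.action() != priority) {
                    continue;
                }
                context = r.principal(); // stands in for createSecurityContext(...)
                if (labelled) {
                    break outer;         // the fix: leave both loops
                }
                break;                   // original: leaves only the inner loop
            }
        }
        return context;
    }

    public static void main(String[] args) {
        // Constructed header: a signed SAML assertion plus the Signature that signed it.
        List<Result> results = new ArrayList<>();
        results.add(new Result(ST_SIGNED, "saml-subject"));
        results.add(new Result(SIGN, "signing-cert-dn"));
        System.out.println("unlabelled break -> " + selectPrincipal(results, false));
        System.out.println("labelled break   -> " + selectPrincipal(results, true));
    }
}
```

Running it shows the unlabelled search ending on the Signature principal and the labelled one keeping the SAML principal, which is the behaviour the debugger session above reports.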