Posted to issues@cxf.apache.org by "Stuart Charlton (JIRA)" <ji...@apache.org> on 2015/05/15 16:21:00 UTC

[jira] [Commented] (CXF-6401) Change the order that the set of security results are searched to create a security context

    [ https://issues.apache.org/jira/browse/CXF-6401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14545555#comment-14545555 ] 

Stuart Charlton commented on CXF-6401:
--------------------------------------

Hi Colm,  

I'm not sure this fixed the issue. I've run this through a debugger and the SAML Principal is indeed created, but then the loop continues to run and the WSConstants.ST_SIGNED or WSConstants.ST_UNSIGNED principal is overridden by WSConstants.SIGN.

Perhaps what you want is a labelled break to get out of the outer loop, i.e.

index a08251c..140d522 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -560,6 +560,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
         resultPriorities.add(WSConstants.SIGN);
         resultPriorities.add(WSConstants.UT_NOPASSWORD);
         
+    outer:
         for (Integer resultPriority : resultPriorities) {
             if (resultPriority == WSConstants.ST_UNSIGNED && !allowUnsignedSamlPrincipals) {
                 continue;
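Review bot: the new `outer:` label is indented four spaces shallower than the `for (Integer resultPriority : resultPriorities)` it labels, which makes it easy to misread as belonging to the surrounding method body; indent it to the loop (or put it on the same line as the `for`) so the labelled loop is obvious at a glance. The `continue;` on the following line already belongs to this outer loop, so it needs no label.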
@@ -582,7 +583,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
                         createSecurityContext(msg, useJAASSubject, result, utWithCallbacks);
                     if (context != null) {
                         msg.put(SecurityContext.class, context);
-                        break;
+                        break outer;
                     }
                 }
             }
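Review bot: `break outer;` is what actually ends the priority search; the bare `break` it replaces only left the inner loop over the results, so the outer loop kept going and a later, lower-priority action (WSConstants.SIGN follows the SAML entries in the list built above) would call `msg.put(SecurityContext.class, context)` again and overwrite the SAML-derived context, which is exactly the debugger observation in the comment. Since the nested loop is not visible from this hunk, a one-line comment next to the labelled break saying why the plain break was insufficient would save the next reader from "simplifying" it back.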

> Change the order that the set of security results are searched to create a security context
> -------------------------------------------------------------------------------------------
>
>                 Key: CXF-6401
>                 URL: https://issues.apache.org/jira/browse/CXF-6401
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>             Fix For: 3.1.1, 3.0.6
>
>
> Right now we search the list of security results from WSS4J from the last result backwards, and stop when we meet a result that can be used to create a security context. However, we should instead create a list of desired tokens/actions with a priority to each one. So for example, if a (signed) SAML token is in the security header, this should have a higher priority than say a Signature, as the likely intention of the service logic is that the SAML Token encapsulates the user identity.
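The following is an added, stand-alone example and is not CXF or WSS4J code. It models the priority search described above with stand-in constants and classes (the numeric values are not the real WSConstants codes, and only the tail of the priority list, SIGN followed by UT_NOPASSWORD, is taken from the patch; the rest of the ordering is assumed). It runs the same constructed set of security results through the pre-fix shape (bare `break`, which only leaves the inner loop) and the patched shape (`break outer`) to show why the SAML principal ends up overwritten by the Signature principal in the former.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not CXF code: models the security-result priority search in
// WSS4JInInterceptor to show the nested-loop break bug and the labelled-break fix.
public class PrioritySearchDemo {

    // Stand-in action codes; these are NOT the real WSConstants values.
    static final int SIGN = 1;
    static final int ST_SIGNED = 2;
    static final int ST_UNSIGNED = 3;
    static final int UT = 4;
    static final int UT_NOPASSWORD = 5;

    /** Minimal stand-in for a WSS4J security engine result. */
    static final class Result {
        final int action;
        final String principal;
        Result(int action, String principal) {
            this.action = action;
            this.principal = principal;
        }
    }

    /** Stand-in for building a SecurityContext: here just the principal name. */
    static String createSecurityContext(Result r) {
        return r.principal;
    }

    /** Assumed priority order; only the SIGN -> UT_NOPASSWORD tail is from the patch. */
    static List<Integer> priorities() {
        List<Integer> p = new ArrayList<>();
        p.add(ST_SIGNED);
        p.add(ST_UNSIGNED);
        p.add(UT);
        p.add(SIGN);
        p.add(UT_NOPASSWORD);
        return p;
    }

    /** Pre-fix shape: the bare break leaves only the inner loop, so the outer loop
     *  continues and a later (lower-priority) result overwrites the context. */
    static String buggySearch(List<Result> results, boolean allowUnsignedSamlPrincipals) {
        String contextInMessage = null; // stands in for msg.put(SecurityContext.class, ...)
        for (Integer resultPriority : priorities()) {
            if (resultPriority == ST_UNSIGNED && !allowUnsignedSamlPrincipals) {
                continue;
            }
            for (Result r : results) {
                if (r.action == resultPriority) {
                    String context = createSecurityContext(r);
                    if (context != null) {
                        contextInMessage = context;
                        break; // exits only the loop over results
                    }
                }
            }
        }
        return contextInMessage;
    }

    /** Patched shape: the labelled break ends the whole search at the first hit. */
    static String fixedSearch(List<Result> results, boolean allowUnsignedSamlPrincipals) {
        String contextInMessage = null;
        outer:
        for (Integer resultPriority : priorities()) {
            if (resultPriority == ST_UNSIGNED && !allowUnsignedSamlPrincipals) {
                continue;
            }
            for (Result r : results) {
                if (r.action == resultPriority) {
                    String context = createSecurityContext(r);
                    if (context != null) {
                        contextInMessage = context;
                        break outer; // highest-priority result wins; stop searching
                    }
                }
            }
        }
        return contextInMessage;
    }

    public static void main(String[] args) {
        // Constructed input: a header carrying both a Signature and a signed SAML token.
        List<Result> results = new ArrayList<>();
        results.add(new Result(SIGN, "CN=signing-cert"));
        results.add(new Result(ST_SIGNED, "alice (SAML subject)"));

        System.out.println("bare break : " + buggySearch(results, false)); // CN=signing-cert
        System.out.println("break outer: " + fixedSearch(results, false)); // alice (SAML subject)
    }
}
```

The SAML result is matched first in both versions; the difference is only whether the loop over priorities keeps running afterwards. With the bare `break`, the SIGN entry later in the list matches too and replaces the context, so the service sees the certificate subject rather than the SAML subject.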



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)