[https://issues.apache.org/jira/browse/CXF-1680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609977#action_12609977]
Glen Mazza commented on CXF-1680:
---------------------------------
Possibly, but there are lots of moving parts to keep in mind if you do this. At
Sun it seems somewhat to appear[1] that the Principal is supposed to be just
the username/password used in basic authentication instead of the username
token or other token profiles. Further, you would have to take into account
what the other method in WSC, isUserInRole(), would mean if the principal were
not the basic auth user but a username or X509 token user--isUserInRole() and
getUserPrincipal() should be in sync with each other.
Also be sure to take into account intermediaries/proxy services routing to
business services--in some cases, the former or the latter will not have access
to the username or x509 token, and perhaps should not either. Finally, this
method needs to return "null" if authentication failed[2]--would such a
rule be implementable with the token profiles?
Just to be further hated, what if both username token profiles and basic auth
are used--which would take precedence?
Another possible architectural concern here is that WS-Security is a SOAP
extension, implemented via SOAP headers. Architecturally, SOAP knows nothing
about WS-Security--it's just an extension like any other. Thinking of it from
that perspective, it could be considered strange for WebServiceContext to make
direct references then to an extension, to "hardcode" in a sense, a specific
extension.
Glen
[1] http://forums.java.net/jive/thread.jspa?messageID=244668&tstart=0
[2]
http://java.sun.com/javase/6/docs/api/javax/xml/ws/WebServiceContext.html#getUserPrincipal()
> Map ws-security principals into WebServiceContext.getUserPrincipal() call
> -------------------------------------------------------------------------
>
> Key: CXF-1680
> URL: https://issues.apache.org/jira/browse/CXF-1680
> Project: CXF
> Issue Type: Improvement
> Reporter: Daniel Kulp
> Assignee: Daniel Kulp
> Fix For: 2.1.2, 2.0.8
>
>
> When using ws-security x509 or username token profiles, the Principal objects
> should be retrievable via the WebServiceContext.getUserPrincipal() call.