Croway commented on code in PR #21427:
URL: https://github.com/apache/camel/pull/21427#discussion_r2798803083


##########
components/camel-cxf/camel-cxf-soap/src/main/java/org/apache/camel/component/cxf/jaxws/DefaultCxfBinding.java:
##########
@@ -368,18 +372,118 @@ private static void propagateSecuritySubject(Exchange 
camelExchange, Message cxf
         SecurityContext securityContext = 
cxfMessage.get(SecurityContext.class);
         if (securityContext instanceof LoginSecurityContext
                 && ((LoginSecurityContext) securityContext).getSubject() != 
null) {
+            Subject subject = ((LoginSecurityContext) 
securityContext).getSubject();
+            // attach certs to the subject instance
+            addInboundX509CertificatesToSubject(cxfMessage, subject);
             camelExchange.getIn().getHeaders().put(CxfConstants.AUTHENTICATION,
-                    ((LoginSecurityContext) securityContext).getSubject());
+                    subject);
         } else if (securityContext != null) {
             Principal user = securityContext.getUserPrincipal();
             if (user != null) {
                 Subject subject = new Subject();
                 subject.getPrincipals().add(user);
+                // attach certs to the subject instance
+                addInboundX509CertificatesToSubject(cxfMessage, subject);
                 
camelExchange.getIn().getHeaders().put(CxfConstants.AUTHENTICATION, subject);
             }
         }
     }
 
+    private static void addInboundX509CertificatesToSubject(Message 
cxfMessage, Subject subject) {
+        if (cxfMessage == null || subject == null) {
+            return;
+        }
+        // If it’s read-only, don’t break the route; just skip.
+        if (subject.isReadOnly()) {
+            return;
+        }
+
+        final Object recv = cxfMessage.get(WSHandlerConstants.RECV_RESULTS);
+        if (recv == null) {
+            return;
+        }
+
+        // We only need the cert objects.
+        Collection<X509Certificate> certs = null;
+
+        if (recv instanceof Map) {
+            Object v = ((Map<?, ?>) 
recv).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+            if (v instanceof Collection) {
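Review bot: the `if (subject.isReadOnly()) { return; }` guard in `addInboundX509CertificatesToSubject` drops the inbound certificates silently, so a read-only `Subject` taken from the `LoginSecurityContext` reaches the route with the `CxfConstants.AUTHENTICATION` header set but no certificates attached, and nothing downstream can distinguish that from a message that carried none; a debug log when certificates were found but could not be attached would make that visible, and the method's javadoc should say that the first branch mutates the `Subject` owned by the security context rather than a copy. Separately, `if (v instanceof Collection)` only establishes a raw `Collection`, while `certs` is declared as `Collection<X509Certificate>`; check each element is an `X509Certificate` before assigning (an unchecked assignment would only fail later, as a `ClassCastException` when the subject's public credentials are read), and confirm that the value stored under `WSSecurityEngineResult.TAG_X509_CERTIFICATES` is actually a `Collection` rather than an array, since an array would fall through this branch and attach nothing.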

Review Comment:
   Would it be possible to use something like `v instanceof Collection coll` to avoid casting?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.