This is an automated email from the ASF dual-hosted git repository.
reta pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/main by this push:
new f25e3e0056 CXF-9200: Regression with respect to security context
propagation (#2890)
f25e3e0056 is described below
commit f25e3e0056a8525731aac76d4b2910ff3ab47f17
Author: Andriy Redko <[email protected]>
AuthorDate: Wed Feb 18 17:16:02 2026 -0500
CXF-9200: Regression with respect to security context propagation (#2890)
* CXF-9200: Regression with respect to security context propagation
* Address code review comments
---
.../transport/http/AbstractHTTPDestination.java | 23 ++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git
a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
index 812bcd87d2..b96814b876 100644
---
a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
+++
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
@@ -416,17 +416,21 @@ public abstract class AbstractHTTPDestination
inMessage.put(Message.FIXED_PARAMETER_ORDER, isFixedParameterOrder());
inMessage.put(Message.ASYNC_POST_RESPONSE_DISPATCH, Boolean.TRUE);
- final HttpServletRequest reqFromInMessage =
(HttpServletRequest)exchange.getInMessage().get(HTTP_REQUEST);
- final SecurityContext httpSecurityContext = new SecurityContext() {
- private final Principal principal =
reqFromInMessage.getUserPrincipal();
-
+ SecurityContext httpSecurityContext = new SecurityContext() {
public Principal getUserPrincipal() {
//ensure we use req from the one saved in inMessage
//as this could be the cachedInput one in oneway and
//ReplyTo is specified when ws-addressing is used
//which means we need to switch thread context
//and underlying transport might discard any data on the
original stream
- return principal;
+ try {
+ HttpServletRequest reqFromInMessage =
(HttpServletRequest)exchange.getInMessage().get(HTTP_REQUEST);
+ return reqFromInMessage.getUserPrincipal();
+ } catch (final NullPointerException ex) {
+ // It may happen the underlying HTTP request is already
recycled and getUserPrincipal()
+ // may fail with NPE, see please jetty/jetty.project#12080
fe
+ return null;
+ }
}
public boolean isUserInRole(String role) {
//ensure we use req from the one saved in inMessage
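Review bot: The `catch (final NullPointerException ex)` in getUserPrincipal() wraps the in-message lookup as well as the servlet call, so a missing in-message or an absent HTTP_REQUEST entry is swallowed exactly like the recycled-request case. The caller then gets a null principal, which downstream code reads as an unauthenticated caller, and nothing is logged. The catch should be narrowed to the `getUserPrincipal()` call and the event logged; the same pattern repeats in isUserInRole() in the next hunk, where it returns `false`. The fence shows the narrowed form, assuming the class's existing `LOG` and `Level` are in scope. The enclosing anonymous SecurityContext continues past this hunk.

```java
public Principal getUserPrincipal() {
    // … unchanged: comment on using the request saved in inMessage …
    final Message in = exchange.getInMessage();
    final HttpServletRequest req =
        in == null ? null : (HttpServletRequest)in.get(HTTP_REQUEST);
    if (req == null) {
        // no request attached to the exchange: nothing to resolve
        return null;
    }
    try {
        return req.getUserPrincipal();
    } catch (final NullPointerException ex) {
        // request already recycled by the container, see jetty/jetty.project#12080
        LOG.log(Level.FINE, "HTTP request already recycled, no principal available", ex);
        return null;
    }
}
```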
@@ -434,7 +438,14 @@ public abstract class AbstractHTTPDestination
//ReplyTo is specified when ws-addressing is used
//which means we need to switch thread context
//and underlying transport might discard any data on the
original stream
- return reqFromInMessage.isUserInRole(role);
+ try {
+ HttpServletRequest reqFromInMessage =
(HttpServletRequest)exchange.getInMessage().get(HTTP_REQUEST);
+ return reqFromInMessage.isUserInRole(role);
+ } catch (final NullPointerException ex) {
+ // It may happen the underlying HTTP request is already
recycled and isUserInRole()
+ // may fail with NPE, see please jetty/jetty.project#12080
fe
+ return false;
+ }
}
};
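Review bot: Resolving the request inside isUserInRole() on every call makes the answer depend on the state of the servlet request object at call time rather than at dispatch time, and the comment above says this path can run after a thread switch. If a container re-binds the same request object to a later exchange instead of failing with the NPE, the role check could be answered for a different caller; that is container-specific and not visible from this hunk. It is worth confirming against the supported containers and recording the outcome next to the catch, e.g. `// NOTE: valid only while the originating request is live; confirm a recycled request cannot be re-bound to another caller`. isUserInRole() begins in the previous hunk.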