Re: [PR] CXF-9200: Regression with respect to security context propagation [cxf]

Wed, 18 Feb 2026 11:07:53 -0800 


rzo1 commented on code in PR #2890:
URL: https://github.com/apache/cxf/pull/2890#discussion_r2823956495


##########
rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java:
##########
@@ -416,25 +416,36 @@ private boolean isWSAddressingReplyToSpecified(Exchange 
ex) {
         inMessage.put(Message.FIXED_PARAMETER_ORDER, isFixedParameterOrder());
         inMessage.put(Message.ASYNC_POST_RESPONSE_DISPATCH, Boolean.TRUE);
 
-        final HttpServletRequest reqFromInMessage = 
(HttpServletRequest)exchange.getInMessage().get(HTTP_REQUEST);
-        final SecurityContext httpSecurityContext = new SecurityContext() {
-            private final Principal principal = 
reqFromInMessage.getUserPrincipal();
-
+        SecurityContext httpSecurityContext = new SecurityContext() {
             public Principal getUserPrincipal() {
                 //ensure we use req from the one saved in inMessage
                 //as this could be the cachedInput one in oneway and 
                 //ReplyTo is specified when ws-addressing is used
                 //which means we need to switch thread context
                 //and underlying transport might discard any data on the 
original stream
-                return principal;
+                try {
+                    HttpServletRequest reqFromInMessage = 
(HttpServletRequest)exchange.getInMessage().get(HTTP_REQUEST);
+                    return reqFromInMessage.getUserPrincipal();
+                } catch (final RuntimeException ex) {

Review Comment:
   I don’t think it’s appropriate to catch every RuntimeException at this 
point. In TomEE's MP JWT integration, calling `getUserPrincipal()` triggers 
validation of the Bearer token from the HTTP Authorization header. If the token 
is missing or invalid, an exception is thrown (for example in TomEE: 
`org.apache.tomee.microprofile.jwt.MPJWTFilter$MissingAuthorizationHeaderException:
 No authorization header provided. Can't validate the JWT.`).
   
   Would it be possible to catch it more explicitly for the Jetty case?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to