[ https://issues.apache.org/jira/browse/CXF-1680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12609987#action_12609987 ]

Glen Mazza commented on CXF-1680:
---------------------------------
I think the fact that isUserInRole() is not relevant for WS-Security would
imply that its sibling method getUserPrincipal() was not intended to be used
with tokens, but with just transport-layer Basic Auth usernames. Granted, the
definition of gUP() is quite vague though. Still, it would appear to be
suboptimal to have getUserPrincipal() flipping between two meanings,
because users are never going to know what they're getting.

Within a SEI/SIB/Provider interface, isn't there already a generic method for
slurping SOAP header values (whether WS-Addressing, WS-RM, WS-Security-related
or whatever) that can be relied upon here instead? Nice and portable across
any JAX-WS implementation, and whatever security concerns there are (i.e., in
certain cases SOAP header values are slurpable, in certain cases not) would be
already handled by the web service stack's general SOAP header slurping
architecture. Just a thought.

(As for the answer to your question, "no"[1], but that's another issue... ;-)

Glen

[1] http://tinyurl.com/5kcy3p

> Map ws-security principals into WebServiceContext.getUserPrincipal() call
> -------------------------------------------------------------------------
>
> Key: CXF-1680
> URL: https://issues.apache.org/jira/browse/CXF-1680
> Project: CXF
> Issue Type: Improvement
> Reporter: Daniel Kulp
> Assignee: Daniel Kulp
> Fix For: 2.1.2, 2.0.8
>
>
> When using ws-security x509 or username token profiles, the Principal objects
> should be retrievable via the WebServiceContext.getUserPrincipal() call.
--
This message is automatically generated by JIRA.