Andrei Shakirin created CXF-5126:
------------------------------------
Summary: Creation of SecurityContext from JAAS Subject causes
incorrect Principal for Kerberos authentication
Key: CXF-5126
URL: https://issues.apache.org/jira/browse/CXF-5126
Project: CXF
Issue Type: Bug
Reporter: Andrei Shakirin
CXF-4931 introduced functionality to create a SecurityContext from the JAAS
Subject if it is available.

The problem is that in the case of Kerberos authentication, the STS validates
the client Kerberos ticket using its own Kerberos account. In this case the JAAS
Subject will contain the Principal from the STS Kerberos account, while the
ws-security Principal is the client Kerberos Principal. The SecurityContext must
be initialized using the client Kerberos Principal and not the STS one.

Moreover, sometimes the JAAS Subject contains more than one Principal and it is
very difficult to decide which one should be selected.

Proposal:
1. Check for a Kerberos Principal and use the ws-security Principal instead of
the JAAS Subject in this case.
2. Introduce a property to switch off using the JAAS Subject Principal for the
SecurityContext.

Regards,
Andrei.
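
The selection rule proposed above, sketched as an added example that is not part of the original message and is not CXF code. The class name, the property name and the single-principal fallback are assumptions made for illustration; only the JDK classes are real.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

public class PrincipalSelection {

    // Hypothetical switch for proposal 2; not a real CXF property name.
    static final String USE_JAAS_SUBJECT = "example.securitycontext.use.jaas.subject";

    /** Choose the Principal that the SecurityContext should expose to the service. */
    static Principal select(Principal wsSecurityPrincipal, Subject jaasSubject,
                            boolean useJaasSubject) {
        // Proposal 2: the JAAS Subject can be ignored entirely.
        if (!useJaasSubject || jaasSubject == null) {
            return wsSecurityPrincipal;
        }
        // Proposal 1: with Kerberos the Subject belongs to the account that
        // validated the ticket, so the ws-security (client) Principal is used.
        boolean kerberos = wsSecurityPrincipal instanceof KerberosPrincipal
                || !jaasSubject.getPrincipals(KerberosPrincipal.class).isEmpty();
        if (kerberos) {
            return wsSecurityPrincipal;
        }
        // Assumption: several Principals in the Subject are ambiguous, so only a
        // single one is trusted; otherwise keep the ws-security Principal.
        Set<Principal> principals = jaasSubject.getPrincipals();
        return principals.size() == 1 ? principals.iterator().next() : wsSecurityPrincipal;
    }

    public static void main(String[] args) {
        boolean useJaas = Boolean.parseBoolean(System.getProperty(USE_JAAS_SUBJECT, "true"));

        // Constructed sample identities.
        Principal client = new KerberosPrincipal("alice@EXAMPLE.COM");
        Subject stsSubject = new Subject();
        stsSubject.getPrincipals().add(new KerberosPrincipal("sts/host.example.com@EXAMPLE.COM"));
        // Kerberos case: the client Principal is selected, not the STS account.
        System.out.println(select(client, stsSubject, useJaas).getName());

        // Non-Kerberos case with exactly one JAAS Principal: the Subject is used.
        Principal token = () -> "alice";
        Subject jaas = new Subject();
        jaas.getPrincipals().add(() -> "alice-from-jaas");
        System.out.println(select(token, jaas, useJaas).getName());
    }
}
```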