[ https://issues.apache.org/jira/browse/CXF-5126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrei Shakirin updated CXF-5126:
---------------------------------

    Component/s: WS-* Components
                 JAX-RS Security
    
> Creation of SecurityContext from JAAS Subject causes incorrect Principal for 
> Kerberos authentication
> ----------------------------------------------------------------------------------------------------
>
>                 Key: CXF-5126
>                 URL: https://issues.apache.org/jira/browse/CXF-5126
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security, WS-* Components
>            Reporter: Andrei Shakirin
>            Assignee: Andrei Shakirin
>
> CXF-4931 introduced functionality to create a SecurityContext from the JAAS
> Subject if it is available.
> The problem is that in the case of Kerberos authentication, the STS validates
> the client Kerberos ticket using its own Kerberos account. In this case the
> JAAS Subject will contain the Principal from the STS Kerberos account, and the
> ws-security Principal is the client Kerberos Principal. The SecurityContext
> must be initialized using the client Kerberos Principal and not the STS one.
> Moreover, sometimes the JAAS Subject contains more than one Principal and it is
> very difficult to decide in CXF which one should be selected.
> Proposal:
> 1. Check for a Kerberos Principal and use the ws-security Principal instead of
> the JAAS Subject in this case.
> 2. Introduce a property to switch off using the JAAS Subject Principal for
> the SecurityContext.
> Regards,
> Andrei.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
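
The principal mix-up described in the report, as an added example that is not CXF code and not part of the original message. The class, the method names and the `useJaasSubject` switch are hypothetical, the principals are constructed sample values, and the fallback for a Subject with several Principals is an assumption that goes beyond the two proposed items.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

public class PrincipalSelectionExample {
    // Hypothetical switch standing in for the property proposed in item 2.
    static boolean useJaasSubject = true;

    // Behaviour the report describes: any Principal found in the JAAS Subject wins.
    static Principal naiveSelect(Subject subject, Principal wsSecurityPrincipal) {
        if (subject != null && !subject.getPrincipals().isEmpty()) {
            return subject.getPrincipals().iterator().next();
        }
        return wsSecurityPrincipal;
    }

    // Selection following the two proposed items.
    static Principal select(Subject subject, Principal wsSecurityPrincipal) {
        if (!useJaasSubject || subject == null) {
            return wsSecurityPrincipal;                      // item 2: switch turned off
        }
        Set<Principal> all = subject.getPrincipals();
        // Item 1: a KerberosPrincipal in the Subject is the account that validated
        // the ticket (the STS), so the identity must come from ws-security.
        if (!subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
            return wsSecurityPrincipal;
        }
        // Assumption (not in the report): with zero or several Principals the
        // choice is ambiguous, so fall back to the ws-security Principal.
        if (all.size() != 1) {
            return wsSecurityPrincipal;
        }
        return all.iterator().next();
    }

    public static void main(String[] args) {
        // Constructed sample: the Subject carries the STS service account,
        // while ws-security carries the client taken from the Kerberos ticket.
        Subject subject = new Subject();
        subject.getPrincipals().add(new KerberosPrincipal("sts/sts.example.com@EXAMPLE.COM"));
        Principal client = () -> "alice@EXAMPLE.COM";

        System.out.println("naive:    " + naiveSelect(subject, client).getName());
        System.out.println("proposed: " + select(subject, client).getName());
    }
}
```

Any authorization decision or audit record keyed on the SecurityContext principal inherits this choice, so the naive path attributes the client's request to the STS service account.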
