This is an automated email from the ASF dual-hosted git repository.

ffang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/main by this push:
     new dc08a738df [CXF-9004]Jetty12 : always use pre-saved HTTP_REQUEST from 
InMessage to populate SecurityContext (#1823)
dc08a738df is described below

commit dc08a738df3e10f133f4dc149c2cdbdf56ed8350
Author: Freeman(Yue) Fang <freeman.f...@gmail.com>
AuthorDate: Fri Apr 19 16:17:40 2024 -0400

    [CXF-9004]Jetty12 : always use pre-saved HTTP_REQUEST from InMessage to 
populate SecurityContext (#1823)
---
 .../cxf/transport/http/AbstractHTTPDestination.java  | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git 
a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
 
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
index c0771430de..566e05a1b3 100644
--- 
a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
+++ 
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
@@ -408,14 +408,22 @@ public abstract class AbstractHTTPDestination
 
         SecurityContext httpSecurityContext = new SecurityContext() {
             public Principal getUserPrincipal() {
-                try {
-                    return req.getUserPrincipal();
-                } catch (Exception ex) {
-                    return null;
-                }
+                //ensure we use req from the one saved in inMessage
+                //as this could be the cachedInput one in oneway and 
+                //ReplyTo is specified when ws-addressing is used
+                //which means we need to switch thread context
+                //and underlying transport might discard any data on the 
original stream
+                HttpServletRequest reqFromInMessage = 
(HttpServletRequest)exchange.getInMessage().get(HTTP_REQUEST);
+                return reqFromInMessage.getUserPrincipal();
             }
             public boolean isUserInRole(String role) {
-                return req.isUserInRole(role);
+                //ensure we use req from the one saved in inMessage
+                //as this could be the cachedInput one in oneway and 
+                //ReplyTo is specified when ws-addressing is used
+                //which means we need to switch thread context
+                //and underlying transport might discard any data on the 
original stream
+                HttpServletRequest reqFromInMessage = 
(HttpServletRequest)exchange.getInMessage().get(HTTP_REQUEST);
+                return reqFromInMessage.isUserInRole(role);
             }
         };
 
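Review bot: In `getUserPrincipal()` the old `try`/`catch` that returned `null` is gone, and the request is now fetched with `exchange.getInMessage().get(HTTP_REQUEST)` on every call, so a missing in-message or a missing `HTTP_REQUEST` entry turns an authentication query into a `NullPointerException`; the identical lookup in `isUserInRole()` has the same exposure. Whether the entry is always present by the time the SecurityContext is queried is not visible in this hunk, so a guard that fails closed would be safer: `if (reqFromInMessage == null) { return null; }` in the first method and `return reqFromInMessage != null && reqFromInMessage.isUserInRole(role);` in the second. The five-line comment and the cast lookup are duplicated verbatim and could move into one private helper so the two methods cannot drift apart. The enclosing method begins and ends outside the hunk.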
