[
https://issues.apache.org/jira/browse/CXF-4666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506666#comment-13506666
]
Sergey Beryozkin commented on CXF-4666:
---------------------------------------
To be honest I'm not sure we can do anything about it and as such I would not
treat it as a bug.
How about the following (Christian suggested something like that a while back):
Postpone using Spring security at the servlet level and use CXF
JAASLoginInterceptor instead, or maybe for JAX-RS -
org.apache.cxf.jaxrs.security.JAASAuthenticationFilter. It is very easy to use
- just let it know the JAAS context name and that is it.
Effectively it simply postpones the servlet-level authentication till later,
once the call reaches CXF chain.
It will return org.apache.cxf.security.LoginSecurityContext - this is what the
default UserSubject creation checks.
You can also check for some other Subject properties with LoginSecurityContext.
Next you can map LoginSecurityContext to Spring Security specific context and
let it proceed...
That is the only thing I can suggest to be honest - would it work for you?
By the way, as far as CXF-4656 is concerned, what other properties, apart from
the principal name and its roles, are you interested in?
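As an added illustration of the two situations discussed in this thread (not code from CXF or from either participant): a hypothetical subclass of the concrete AuthorizationCodeGrantService overrides createSubject so that roles are taken from a CXF LoginSecurityContext when the JAAS filter or interceptor produced one, and otherwise fall back to the thread-bound Spring Security Authentication, which is the workaround the reporter described. The class name RoleAwareAuthorizationCodeGrantService is invented; the CXF and Spring Security types and methods used are the public ones from CXF 2.7 and Spring Security 3.

```java
package example;

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical example class (not part of CXF). It shows how createSubject can
 * recover the caller's roles whether authentication happened inside the CXF
 * chain (JAASLoginInterceptor / JAASAuthenticationFilter, which yields a
 * LoginSecurityContext) or at the servlet level via Spring Security (which
 * yields the plain servlet-backed context seen in the report).
 */
public class RoleAwareAuthorizationCodeGrantService extends AuthorizationCodeGrantService {

    @Override
    protected UserSubject createSubject(SecurityContext securityContext) {
        if (securityContext == null || securityContext.getUserPrincipal() == null) {
            // The grant service validates the principal before calling this method,
            // so reaching here without one is a configuration error, not a request error.
            throw new IllegalStateException("No authenticated principal available");
        }
        String login = securityContext.getUserPrincipal().getName();
        List<String> roles = new ArrayList<String>();

        if (securityContext instanceof LoginSecurityContext) {
            // Case 1: authentication ran inside the CXF chain, so role principals are
            // exposed directly. This is what the default OAuthUtils.createSubject reads.
            for (Principal role : ((LoginSecurityContext) securityContext).getUserRoles()) {
                roles.add(role.getName());
            }
        } else {
            // Case 2: the context is the servlet-backed one (AbstractHTTPDestination$2
            // in the report), which only offers isUserInRole(). Map the Spring Security
            // Authentication that the servlet filter left on the current thread instead.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth != null && auth.isAuthenticated()) {
                for (GrantedAuthority ga : auth.getAuthorities()) {
                    roles.add(ga.getAuthority());
                }
            }
        }
        // UserSubject(login, roles) is the constructor OAuthUtils.createSubject uses too.
        return new UserSubject(login, roles);
    }
}
```

Two practical notes: Spring Security authorities usually carry the "ROLE_" prefix, so an OAuth scope or client check that compares against bare role names must strip or add that prefix consistently; and if the JAAS route from the comment is chosen instead, JAASAuthenticationFilter only needs its contextName property set to the JAAS login context name and then registered as a JAX-RS provider, after which the instanceof branch above is the one that runs.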
> [OAuth2] securityContext problem on createSubject
> -------------------------------------------------
>
> Key: CXF-4666
> URL: https://issues.apache.org/jira/browse/CXF-4666
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.7.0
> Reporter: Steven Tippetts
>
> This is probably just ignorance on my part, but when I override the
> createSubject method in the RedirectionBasedGrantService.java file, the
> securityContext parameter that is passed in is of type
> AbstractHTTPDestination$2. This parameter contains my authentication token,
> but I don't know how to get at it, so I'm having to go to the
> SecurityContextHolder to get the context instead of just using the parameter.
> I'm just using standard Spring authentication, so it seems like many other
> people would also have AbstractHTTPDestination$2 as the security type, which
> causes roles to be missed in the OAuthUtils.createSubject method.
> I'm sure I missed some details so please let me know your questions and thanks
> for your help.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira