[CXF-9004]Jetty12 : always use pre-saved HTTP_REQUEST from InMessage …

…to populate SecurityContext
apache · Apr 19, 2024 · 132d44f · 132d44f
1 parent 02f9b3c
commit 132d44f
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/AbstractHTTPDestination.java
@@ -408,14 +408,22 @@ private boolean isWSAddressingReplyToSpecified(Exchange ex) {
 
         SecurityContext httpSecurityContext = new SecurityContext() {
             public Principal getUserPrincipal() {
-                try {
-                    return req.getUserPrincipal();
-                } catch (Exception ex) {
-                    return null;
-                }
+                //ensure we use req from the one saved in inMessage
+                //as this could be the cachedInput one in oneway and 
+                //ReplyTo is specified when ws-addressing is used
+                //which means we need to switch thread context
+                //and underlying transport might discard any data on the original stream
+                HttpServletRequest reqFromInMessage = (HttpServletRequest)exchange.getInMessage().get(HTTP_REQUEST);
+                return reqFromInMessage.getUserPrincipal();
             }
             public boolean isUserInRole(String role) {
-                return req.isUserInRole(role);
+                //ensure we use req from the one saved in inMessage
+                //as this could be the cachedInput one in oneway and 
+                //ReplyTo is specified when ws-addressing is used
+                //which means we need to switch thread context
+                //and underlying transport might discard any data on the original stream
+                HttpServletRequest reqFromInMessage = (HttpServletRequest)exchange.getInMessage().get(HTTP_REQUEST);
+                return reqFromInMessage.isUserInRole(role);
             }
         };