[JBWS-4438]:Authentication always failed when the webservice security…

… is configured with a custom realm
jbossws · Jan 10, 2025 · adf5663 · adf5663
1 parent 3ba0247
commit adf5663
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/.../server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java b/.../server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java
@@ -95,12 +95,16 @@ public Subject createSubject(SecurityDomainContext ctx, String name, String pass
             return null;
          }
          RealmIdentity identity = securityDomain.getIdentity(principal.getName());
-         if (identity.equals(RealmIdentity.NON_EXISTENT) || identity.getCredential(PasswordCredential.class) == null) {
+         if (identity.equals(RealmIdentity.NON_EXISTENT)) {
             throw MESSAGES.authenticationFailed(principal.getName());
          }
          if (isDigest && created != null && nonce != null) { // username token profile is using digest
             // verify client's digest
-            TwoWayPassword recoveredTwoWayPassword = identity.getCredential(PasswordCredential.class).getPassword(TwoWayPassword.class);
+            PasswordCredential passwordCredential = identity.getCredential(PasswordCredential.class);
+            if (passwordCredential == null) {
+               throw MESSAGES.authenticationFailed(principal.getName());
+            }
+            TwoWayPassword recoveredTwoWayPassword = passwordCredential.getPassword(TwoWayPassword.class);
             if (recoveredTwoWayPassword == null) {
                SECURITY_LOGGER.plainTextPasswordMustBeRecoverable(principal.getName(), null);
                throw MESSAGES.authenticationFailed(principal.getName());