From 91048612e29b484d520456ef756b2580849ebd29 Mon Sep 17 00:00:00 2001
From: Petr Beran
Date: Mon, 27 Jan 2025 15:38:20 +0100
Subject: [PATCH] [JBWS-4438] Authentication always failed when the webservice security is configured with a custom realm

---
 .../stack/cxf/security/authentication/SubjectCreator.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java b/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java
index 3bc595e1a..57c8b5bf7 100644
--- a/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java
+++ b/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java
@@ -182,7 +182,11 @@ public Subject createSubject(SecurityDomainContext ctx, String name, String pass
       }
       if (isDigest && created != null && nonce != null) { // username token profile is using digest
          // verify client's digest
-         TwoWayPassword recoveredTwoWayPassword = identity.getCredential(PasswordCredential.class).getPassword(TwoWayPassword.class);
+         PasswordCredential passwordCredential = identity.getCredential(PasswordCredential.class);
+         if (passwordCredential == null) {
+            throw MESSAGES.authenticationFailed(principal.getName());
+         }
+         TwoWayPassword recoveredTwoWayPassword = passwordCredential.getPassword(TwoWayPassword.class);
          if (recoveredTwoWayPassword == null) {
             SECURITY_LOGGER.plainTextPasswordMustBeRecoverable(principal.getName(), null);
             throw MESSAGES.authenticationFailed(principal.getName());
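Review bot: The new `passwordCredential == null` branch throws `MESSAGES.authenticationFailed(principal.getName())` without writing anything to the security log, whereas the sibling `recoveredTwoWayPassword == null` branch a few lines below first calls `SECURITY_LOGGER.plainTextPasswordMustBeRecoverable(principal.getName(), null)`. A realm that does not expose a `PasswordCredential` at all is precisely the custom-realm situation named in the subject line, so an operator who hits it now sees a bare authentication failure with no log entry explaining that digest verification was impossible because no recoverable password was available. Both branches fail for the same reason, so either add the same `SECURITY_LOGGER.plainTextPasswordMustBeRecoverable(principal.getName(), null);` call before the new `throw`, or fold the two checks into one: `TwoWayPassword recoveredTwoWayPassword = passwordCredential == null ? null : passwordCredential.getPassword(TwoWayPassword.class);` and keep the existing null check, log and throw. `createSubject` starts and ends outside the hunk.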