I created the Axis web service as a Java 6 application running on Tomcat 7. For security, the Spring Security 2.0.1 framework is integrated.
For security reasons, the service endpoint must be protected by basic authentication. However, the WSDL document must be publicly available.
I created the Spring Security Configuration as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <http>
        <intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
        <intercept-url pattern="/services/InitechAuthenticationService?wsdl" filters="none" />
        <http-basic />
    </http>

    <authentication-provider>
        <user-service>
            <user name="internal" password="${WS_USER_INTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
            <user name="external" password="${WS_USER_EXTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
        </user-service>
    </authentication-provider>

</beans:beans>
The problem is that regardless of the order of the intercept-url lines, the line
<intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
is always applied and the line
<intercept-url pattern="/services/InitechAuthenticationService?wsdl" filters="none" />
is ignored. I would suggest that you can somehow control the behavior, for example by defining the order (so that Spring Security chooses either the first or last matching rule) or the specificity of the rules, so that Spring Security chooses the most specific rule, that is, the one with "wsdl" at the end in this case. How can I exclude the WSDL document from authentication while still requiring authentication to actually use the WS?