Spring安全性:不要求WSDL文档需要身份验证

时间:2012-05-04 07:27:17

标签: java web-services spring-security basic-authentication

我创建了一个Axis Web服务作为在Tomcat 7上运行的Java 6应用程序。为了安全起见,Spring Security 2.0.1框架已经集成。

出于安全考虑,应使用基本身份验证来保护服务端点。但是,WSDL文档应该是公开的。

我已经创建了这样的Spring安全配置:


<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <http>
        <intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
        <intercept-url pattern="/services/InitechAuthenticationService?wsdl" filters="none" />
        <http-basic />
    </http>

    <authentication-provider>
        <user-service>
            <user name="internal" password="${WS_USER_INTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
            <user name="external" password="${WS_USER_EXTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
        </user-service>
    </authentication-provider>

</beans:beans>

问题在于无论拦截线的顺序如何,行


<intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
似乎总是应用


<intercept-url pattern="/services/InitechAuthenticationService?wsdl" filters="none" />

被忽略。我原以为人们可以以某种方式控制行为,例如:通过指定顺序(以便Spring Security选择第一个或最后一个匹配规则)或规则的特殊性,以便Spring Security选择最具体的规则,即在这种情况下最后使用“wsdl”的规则。如何排除WSDL文档的身份验证,同时启用身份验证以实际使用WS?

1 个答案:

答案 0 :(得分:4)

我通过更改配置的http部分来使用正则表达式而不是Ant Path Matcher来解决问题。完整的工作配置如下:


<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

    <http path-type="regex">
        <intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
        <intercept-url pattern="/services/InitechAuthenticationService\\?wsdl" filters="none" />
        <http-basic />
    </http>

    <authentication-provider>
        <user-service>
            <user name="internal" password="${WS_USER_INTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
            <user name="external" password="${WS_USER_EXTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
        </user-service>
    </authentication-provider>

</beans:beans>

变化:

  1. 将路径类型“regex”属性添加到http
  2. 改变了吗?至 \\?在wsdl的拦截网址
相关问题
最新问题