我创建了一个Axis Web服务作为在Tomcat 7上运行的Java 6应用程序。为了安全起见,Spring Security 2.0.1框架已经集成。
出于安全考虑,应使用基本身份验证来保护服务端点。但是,WSDL文档应该是公开的。
我已经创建了这样的Spring安全配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<http>
<intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
<intercept-url pattern="/services/InitechAuthenticationService?wsdl" filters="none" />
<http-basic />
</http>
<authentication-provider>
<user-service>
<user name="internal" password="${WS_USER_INTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
<user name="external" password="${WS_USER_EXTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
</user-service>
</authentication-provider>
</beans:beans>
问题在于无论拦截线的顺序如何,行
<intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
似乎总是应用行
<intercept-url pattern="/services/InitechAuthenticationService?wsdl" filters="none" />
被忽略。我原以为人们可以以某种方式控制行为,例如:通过指定顺序(以便Spring Security选择第一个或最后一个匹配规则)或规则的特殊性,以便Spring Security选择最具体的规则,即在这种情况下最后使用“wsdl”的规则。如何排除WSDL文档的身份验证,同时启用身份验证以实际使用WS?
答案 0 :(得分:4)
我通过更改配置的http部分来使用正则表达式而不是Ant Path Matcher来解决问题。完整的工作配置如下:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<http path-type="regex">
<intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
<intercept-url pattern="/services/InitechAuthenticationService\\?wsdl" filters="none" />
<http-basic />
</http>
<authentication-provider>
<user-service>
<user name="internal" password="${WS_USER_INTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
<user name="external" password="${WS_USER_EXTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
</user-service>
</authentication-provider>
</beans:beans>
变化: