InboundGateway: FilterSecurityInterceptor invoked before XwsSecurityInterceptor

I've exposed a webservice via an <int-ws:inbound-gateway> to which I've added security via the XwsSecurityInterceptor. The interceptor is registered on the UriEndpointMapping for the webservice (see code)

Code:

---


    @Bean
    public XwsSecurityInterceptor xwsSecurityInterceptor() {
            XwsSecurityInterceptor securityInterceptor = new XwsSecurityInterceptor();
            Resource policyConfiguration = new ClassPathResource("security-policy.xml");
            securityInterceptor.setPolicyConfiguration(policyConfiguration);
            securityInterceptor.setCallbackHandler(this.springPlainPasswordValidationCallbackHandler());
            return securityInterceptor;
    }

    @Bean
    public UriEndpointMapping uriEndpointMapping() {
            String urlContext = urlContext();
        UriEndpointMapping endpointMapping = new UriEndpointMapping();
        Map<String, Object> endpointMap = new HashMap<String, Object>();
        endpointMap.put(urlContext + "/ws/notification", notificationInboundGateway);
        endpointMap.put(urlContext + "/ws/attachment", attachmentInboundGateway);
        endpointMapping.setEndpointMap(endpointMap);
        EndpointInterceptor[] interceptors = {xwsSecurityInterceptor};
        endpointMapping.setInterceptors(interceptors);
        return endpointMapping;
    }

    private String urlContext() {
            StringBuilder builder = new StringBuilder();
            builder.append(environment.getProperty("ws.host"));
            builder.append(":");
            builder.append(environment.getProperty("ws.port"));
            builder.append("/");
            builder.append(environment.getProperty("ws.context.root"));
            return builder.toString();
    }

---

All of this is working fine. Now I'm trying to add authorization so that based on a set of roles I can configure permissions to my web-services. Reading the spring security reference manual I ended up in doing so via the FilterSecurityInterceptor that nicely allows me to define a matching URL plus some roles that are allowed for this.

The problem I currently encounter is that the FilterSecurityInterceptor, which is NOT an endpoint interceptor, is called BEFORE the XwsSecurityInterceptor. As the FilterSecurityInterceptor needs access to the Principle – which is set on the SecurityContextHolder by the XwsSecurityInterceptor – it throws an error as it can't find it yet.

So my question is how can I make sure that the FilterSecurityInterceptor is invoked AFTER the XwsSecurityInterceptor. Am I doing something conceptually wrong? Is it a question of specifying the URLs for each interceptor in a different way?

Any help/suggestion is highly appreciated.

Thanks,

Vincent

Hi!

Quote:

---

FilterSecurityInterceptor, which is NOT an endpoint interceptor, is called BEFORE the XwsSecurityInterceptor

---

Of course, it is. Because the first one is a responsibility of HTTP, but the other one is about SOAP.
So, HTTP protocol works first :).
Nevertheless, I recommend you to ask this question on the Spring-WS forum.
By the way, maybe this will be OK for your case: http://static.springsource.org/sprin...ngle/#security

Take care,
Artem

Hi Artem,

Thanks for you quick reply. I will post the question on the spring-ws forum in case your suggestion to define the interceptor on the channel doesn't work out. That being said, I feel that it will do the trick.

Thanks,

Vincent

Just tried the solution and it works perfect. That being said I found very little information on how to configure the access policy for the secured channel. For interest, the pattern refers to the ID of the channels that need to be intercepted.

Vincent

Code:

---

<int-security:secured-channels
    access-decision-manager="accessDecisionManager"
    authentication-manager="authenticationManager">
    <int-security:access-policy pattern="echo.*" receive-access="ROLE_USER" send-access="ROLE_ADMIN"/>
</int-security:secured-channels>

---

Vincent,

The reference manual includes a (brief) section covering secured channels:
http://static.springsource.org/sprin...uring-channels

If you think that could be enhanced, please feel free to open a JIRA request:
https://jira.springsource.org/browse/INT

Thanks,
Mark