Secure and Open Methods - How?

[akutz]

I have created as Spring web service, and I want there to be both secure (authenticated) and open methods, but I am not sure how to do this using WS-Security. Both interceptors seem to place the authn/authz boundaries around the entire web service. I could easily do this with my own login() and logout() methods in combination with JAAS, but I was hoping that I could achieve this in some declarative manner. I would think that authorization requirements would force the ability to have open methods since multiple roles would necessitate method/message-level security.

Am I missing something?

Thanks!

[akutz]

XWS allows for operation-level security, but since the Spring implementation of it requires that the SecurityConfiguration element be the root of the policy file, I don't see how to make use of the operation-level security since the Operation element is not a child of the SecurityConfiguration element.

Thoughts?