I'm trying to specify the Wss4JSecurityInterceptor on the different inbound gateways of my application. Initially I did this by specifying the interceptor on the UriEndpointMapping that maps the endpoints for each of my inbound gateways. Although it works well, it does imply that the interceptor is applied to all endpoints that are mapped. A more fine grained solution would be to specify a security interceptor on the level of each inbound gateway (allowing me to have different security scenarios for the webservices exposed). Unfortunately I didn't see an interceptor property on the inbound gateway.
I probably can get around this by adding the interceptor to the request channel the inbound gateway is connected to. Although I haven't tried this yet, it somehow feels wrong. With the UriEndpointMapping the interceptor becomes active before it reaches the gateway, whereas the solution where it gets added to the request-channel probably implies that it gets activated after it leaves the gateway. Am I missing something? Is there a better way to specify the (security) interceptor on my inbound gateways?