I am trying to add security to an existing web service. I currently have several functions that are unsecured and I want to have versions of those same functions that are secured to allow calling applications to migrate to the new versions over time. The only thing that will differentiate the two sets of functions will be namespace. I would like the original set of functions to not require a secured SOAP header and the new functions to require a secured SOAP header.
I have a logging interceptor and security interceptor configured in my spring-ws-servlet and I've implemented Spring security as standard for the versions that I'm using. What I'm seeing when trying to test my application from soapUI is that all of the functions are requiring a secured SOAP header. Is there a way to require a secured SOAP header for some functions but not for others? I've included the configuration included in the spring-ws-servlet below. I am aware of how to use the @Secured annotation but I don't think I'm even getting to that point. I am currently using spring-3.0.3, spring-security-2.0.4, and spring-ws-1.5.9.
Thanks in advance for your help!
<bean class="org.springframework.ws.server.endpoint.mapp ing.PayloadRootAnnotationMethodEndpointMapping">
<description>An endpoint mapping strategy that looks for @Endpoint and @PayloadRoot annotations.</description>
<!-- <ref local="validatingInterceptor"/> -->
<!-- <ref local="performanceLoggingInterceptor"/>-->
<ref bean="securityInterceptor"/> <!-- MAKE THIS ONE LAST, NOT NECESSARY, BUT NICE -->
<bean id="loggingInterceptor" class="org.springframework.ws.server.endpoint.inte rceptor.PayloadLoggingInterceptor" />
<!-- Web Service Security Intercepter -->
<bean id="securityInterceptor" class="org.springframework.ws.soap.security.wss4j. Wss4jSecurityInterceptor">
<property name="validationActions" value="UsernameToken"/>
<property name="validationCallbackHandler" ref="springSecurityHandler" />