Hi

I have an application that presents a Web UI and a SOAP service. My
SOAP service uses WS-Security to authenticate (i.e. NOT HTTP authentication), but must be restricted to only be accessed over HTTPS.

I was planning to use the Spring Security <http>/<intercept-url> elements to control access to both of these, but am running into problems locking down access to the web service.

I wanted to do something like

<http path-type="regex">
<intercept-url pattern="/myWebService" filters="none" requires-channel="https"/>
<intercept-url pattern="/.*" requires-channel="https"/>
<form-login />
</http>

to allow forms-based login (via basic-auth) to the web UI, but no HTTP-based auth to the web service, and also to ensure that all SOAP requests must come in on a secure channel.

Unfortunately this doesn't seem to work; it allows HTTP or HTTPS access to the web service.

My guess is this is because the filters="none" directive is removing all filters from the list for that URL, including the channel filter that would have been set up by requires-channel="https".

What I really want to say is that all filters are disabled with the exception of the channel filter, for the web service URL. How can I do that?

Thanks

Alan