Mar 12th, 2009, 05:49 PM
Mandating a secure channel for web services
I have an application that presents a Web UI and a SOAP service. My SOAP service uses WS-Security to authenticate (i.e. NOT HTTP authentication), but must be restricted to only be accessed over HTTPS.
I was planning to use the Spring Security <http>/<intercept-url> elements to control access to both of these, but am running into problems locking down access to the web service.
I wanted to do something like:
<intercept-url pattern="/myWebService" filters="none" requires-channel="https"/>
<intercept-url pattern="/.*" requires-channel="https"/>
to allow forms-based login (via basic-auth) to the web UI, but no HTTP-based auth to the web service, and also to ensure that all SOAP requests must come in on a secure channel.
Unfortunately this doesn't seem to work; it allows HTTP or HTTPS access to the web service.
My guess is this is because the filters="none" directive is removing all filters from the list for that URL, including the channel filter that would have been set up by requires-channel="https".
What I really want to say is that all filters are disabled with the exception of the channel filter, for the web service URL. How can I do that?