Redirecting to a secure channel
I have successfully implemented authentication/authorization security for SOAP requests using Spring Security with Spring WS and the Wss4jSecurityInterceptor which acts on the request during SOAP message processing.
Now I would like to use the intercept-url mechanism in Spring Security to redirect non-secure requests (port 80) to the secure channel (port 443). I have not found any documentation on doing this so I have tried what seemed to be the way it should be done based on the Spring Security documentation for a normal webapp. From what I am running into, it doesn't appear that this is supported, but I may be doing something wrong.
The first step in intercepting requests for Spring Security is to add a Spring DelegatingFilterProxy to the web.xml. The DelegatingFilterProxy is supposed to delegate to a springSecurityFilterChain bean that is implicitly created in the application context when the security namespace is used. However, when I add the filter to the web.xml the DelegatingFilterProxy throws an IllegalStateException because it is unable to find the WebApplicationContext:
My web.xml contains the standard Spring WS MessageDispatcherServlet declaration and the standard Spring Security filter declaration:Code:java.lang.IllegalStateException: No WebApplicationContext found: no ContextLoaderListener registered? at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:159) at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1148) at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:387)
My application context is provided in the WEB-INF directory as myapp-servlet.xml and everything works fine when the filter is not present.Code:<servlet> <servlet-name>myapp</servlet-name> <servlet-class>org.springframework.ws.transport.http.MessageDispatcherServlet</servlet-class> <init-param> <param-name>transformWsdlLocations</param-name> <param-value>true</param-value> </init-param> </servlet> <servlet-mapping> <servlet-name>myapp</servlet-name> <url-pattern>/*</url-pattern> </servlet-mapping> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Am I missing something (should I be explicitly adding a ContextLoaderListener to the web.xml), or is this just not supported? If not, should it be, or is there an alternative way I should be doing this. I will probably end up using a global redirect in my Tomcat configuration, but I would like to not have to rely on that.
Reply With Quote
Originally Posted by afborroy
