I have successfully implemented authentication/authorization security for SOAP requests using Spring Security with Spring WS and the Wss4jSecurityInterceptor which acts on the request during SOAP message processing.
Now I would like to use the intercept-url mechanism in Spring Security to redirect non-secure requests (port 80) to the secure channel (port 443). I have not found any documentation on doing this so I have tried what seemed to be the way it should be done based on the Spring Security documentation for a normal webapp. From what I am running into, it doesn't appear that this is supported, but I may be doing something wrong.
The first step in intercepting requests for Spring Security is to add a Spring DelegatingFilterProxy to the web.xml. The DelegatingFilterProxy is supposed to delegate to a springSecurityFilterChain bean that is implicitly created in the application context when the security namespace is used. However, when I add the filter to the web.xml the DelegatingFilterProxy throws an IllegalStateException because it is unable to find the WebApplicationContext:
My web.xml contains the standard Spring WS MessageDispatcherServlet declaration and the standard Spring Security filter declaration:
java.lang.IllegalStateException: No WebApplicationContext found: no ContextLoaderListener registered?
My application context is provided in the WEB-INF directory as myapp-servlet.xml and everything works fine when the filter is not present.
Am I missing something (should I be explicitly adding a ContextLoaderListener to the web.xml), or is this just not supported? If not, should it be, or is there an alternative way I should be doing this. I will probably end up using a global redirect in my Tomcat configuration, but I would like to not have to rely on that.