
  • InboundGateway: FilterSecurityInterceptor invoked before XwsSecurityInterceptor

    I've exposed a webservice via an <int-ws:inbound-gateway> to which I've added security via the XwsSecurityInterceptor. The interceptor is registered on the UriEndpointMapping for the webservice (see code).

    Code:
        // Excerpt from a @Configuration class; the fields environment, xwsSecurityInterceptor,
        // notificationInboundGateway and attachmentInboundGateway are injected elsewhere in it.

        // WS-Security (SOAP-level) authentication, run as a Spring-WS endpoint interceptor.
        @Bean
        public XwsSecurityInterceptor xwsSecurityInterceptor() {
            XwsSecurityInterceptor securityInterceptor = new XwsSecurityInterceptor();
            Resource policyConfiguration = new ClassPathResource("security-policy.xml");
            securityInterceptor.setPolicyConfiguration(policyConfiguration);
            securityInterceptor.setCallbackHandler(this.springPlainPasswordValidationCallbackHandler());
            return securityInterceptor;
        }

        // Maps each web-service URL to its inbound gateway and attaches the security interceptor.
        @Bean
        public UriEndpointMapping uriEndpointMapping() {
            String urlContext = urlContext();
            UriEndpointMapping endpointMapping = new UriEndpointMapping();
            Map<String, Object> endpointMap = new HashMap<String, Object>();
            endpointMap.put(urlContext + "/ws/notification", notificationInboundGateway);
            endpointMap.put(urlContext + "/ws/attachment", attachmentInboundGateway);
            endpointMapping.setEndpointMap(endpointMap);
            EndpointInterceptor[] interceptors = {xwsSecurityInterceptor};
            endpointMapping.setInterceptors(interceptors);
            return endpointMapping;
        }

        // Builds "<ws.host>:<ws.port>/<ws.context.root>" from the environment properties.
        private String urlContext() {
            StringBuilder builder = new StringBuilder();
            builder.append(environment.getProperty("ws.host"));
            builder.append(":");
            builder.append(environment.getProperty("ws.port"));
            builder.append("/");
            builder.append(environment.getProperty("ws.context.root"));
            return builder.toString();
        }

    All of this is working fine. Now I'm trying to add authorization so that based on a set of roles I can configure permissions to my web-services. Reading the Spring Security reference manual I ended up doing so via the FilterSecurityInterceptor that nicely allows me to define a matching URL plus some roles that are allowed for this.

    The problem I currently encounter is that the FilterSecurityInterceptor, which is NOT an endpoint interceptor, is called BEFORE the XwsSecurityInterceptor. As the FilterSecurityInterceptor needs access to the Principal which is set on the SecurityContextHolder by the XwsSecurityInterceptor, it throws an error as it can't find it yet.

    So my question is how can I make sure that the FilterSecurityInterceptor is invoked AFTER the XwsSecurityInterceptor. Am I doing something conceptually wrong? Is it a question of specifying the URLs for each interceptor in a different way?

    Any help/suggestion is highly appreciated.

    Thanks,

    Vincent

  • #2
    Hi!
    "FilterSecurityInterceptor, which is NOT an endpoint interceptor, is called BEFORE the XwsSecurityInterceptor"
    Of course, it is. Because the first one is a responsibility of HTTP, but the other one is about SOAP.
    So, HTTP protocol works first.
    Nevertheless, I recommend you to ask this question on the Spring-WS forum.
    By the way, maybe this will be OK for your case: http://static.springsource.org/sprin...ngle/#security

    Take care,
    Artem


    • #3
      Hi Artem,

      Thanks for your quick reply. I will post the question on the spring-ws forum in case your suggestion to define the interceptor on the channel doesn't work out. That being said, I feel that it will do the trick.

      Thanks,

      Vincent


      • #4
        Just tried the solution and it works perfectly. That being said, I found very little information on how to configure the access policy for the secured channel. For interest, the pattern refers to the ID of the channels that need to be intercepted.

        Vincent

        Code:
        <int-security:secured-channels
            access-decision-manager="accessDecisionManager"
            authentication-manager="authenticationManager">
            <int-security:access-policy pattern="echo.*" receive-access="ROLE_USER" send-access="ROLE_ADMIN"/>
        </int-security:secured-channels>


        • #5
          Vincent,

          The reference manual includes a (brief) section covering secured channels:
          http://static.springsource.org/sprin...uring-channels

          If you think that could be enhanced, please feel free to open a JIRA request:
          https://jira.springsource.org/browse/INT

          Thanks,
          Mark
