Spring WebServices with Spring Security

  • Spring WebServices with Spring Security

    I have a requirement to expose Spring beans to multiple users. They are local users and public users (public users access via a web service).
    I have roles defined for each user, as the Spring beans' method access should be role-based access.

    To achieve the above:
    1. Are Spring Security and Spring Web Services the better approach? And if yes,
    2. How can I integrate Spring Security with Spring Web Services (so that methods are accessed based on role)?
    3. How do I maintain user sessions while accessing the methods (for local users as well as web services clients)?
    4. Do we need to pass the user id and password for every method call (for web services)?

  • #2
    I am new to Spring as well as the Spring community.
    I would really appreciate it if someone could help me in this regard.


    • #3
      I don't know the answers to all of your questions. However, I've implemented a webservice with the spring-ws/spring-security combination. There are some evolving standards to maintain state for a (soap) webservice (for instance: WS-SecureConversation).

      Those aren't supported (yet?) by spring-ws, so you'll have to pass username and password with each request. You can easily do so with a SecurityInterceptor at the client side:
      <bean id="securityInterceptor" class="">
          <property name="policyConfiguration" value="classpath:xwss-config.xml"/>
          <property name="callbackHandler" ref="springSecurityHandler"/>
      </bean>
      <bean id="springSecurityHandler" class=""/>
      On the server side you'll have to have an interceptor in your endpointmapping which'll try to authenticate against the defined authentication bean.
      Last edited by evandongen; Jul 1st, 2010, 05:09 AM. Reason: forgot the springSecurityHandler definition


      • #4
        Could you please elaborate on how I specify the username and password from the SOAP message? Should the authentication details be from the header or within the body? And do I have to pass j_username and j_password?

        Please clarify.

        Thank you in advance for your help and time.
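
The per-request credentials described in #3 and the header-or-body question in #4, shown at the wire level as an added example that is not part of the thread and is not Spring-WS code. It is a language-neutral Python sketch of a client placing a WS-Security UsernameToken in the SOAP header and a stateless server authenticating and checking a role on every call. It assumes the policy in xwss-config.xml (not shown on the page) is a plain-text UsernameToken policy; the users, passwords, operation names and role names are constructed.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSSE = ("{http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd}")
# Constructed user store standing in for the server's authentication bean
# (a real store would hold password hashes, not plain text).
USERS = {"alice": ("s3cret", {"ROLE_PUBLIC"}), "bob": ("hunter2", {"ROLE_LOCAL"})}
# Constructed mapping: payload element (operation) -> role it requires.
REQUIRED_ROLE = {"getQuote": "ROLE_PUBLIC", "adjustPrice": "ROLE_LOCAL"}


def build_request(username, password, operation):
    """Client side: every request carries a UsernameToken in the SOAP header."""
    env = ET.Element(SOAP + "Envelope")
    security = ET.SubElement(ET.SubElement(env, SOAP + "Header"), WSSE + "Security")
    token = ET.SubElement(security, WSSE + "UsernameToken")
    ET.SubElement(token, WSSE + "Username").text = username
    # A plain-text password is readable on the wire, so the transport must be TLS.
    ET.SubElement(token, WSSE + "Password").text = password
    ET.SubElement(ET.SubElement(env, SOAP + "Body"), operation)
    return ET.tostring(env)


def authorize(raw_request):
    """Server side: authenticate from the header only, then check the role.

    No session is kept; each call stands on the credentials it carries.
    """
    if b"<!DOCTYPE" in raw_request:  # SOAP messages must not contain a DTD
        return "400 DTD not allowed"
    env = ET.fromstring(raw_request)
    token = env.find(f"{SOAP}Header/{WSSE}Security/{WSSE}UsernameToken")
    if token is None:  # credentials placed in the Body are never consulted
        return "401 no UsernameToken in header"
    username = token.findtext(WSSE + "Username", "")
    supplied = token.findtext(WSSE + "Password", "")
    expected, roles = USERS.get(username, ("", set()))
    matches = hmac.compare_digest(supplied.encode(), expected.encode())
    if not (expected and matches):
        return "401 bad credentials"
    body = env.find(SOAP + "Body")
    operation = body[0].tag if body is not None and len(body) else ""
    if REQUIRED_ROLE.get(operation) not in roles:  # unknown operations are denied
        return "403 role missing"
    return f"200 {operation} as {username}"
```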