I have created an Axis web service as a Java 6 application running on Tomcat 7. For security the Spring Security 2.0.1 framework is integrated.
For security purposes the service endpoint should be protected with basic authentication. However, the WSDL document should be publicly available.
I have created a Spring security configuration like this:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    <http>
        <intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
        <intercept-url pattern="/services/InitechAuthenticationService?wsdl" filters="none" />
        <http-basic />
    </http>
    <authentication-provider>
        <user-service>
            <user name="internal" password="${WS_USER_INTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
            <user name="external" password="${WS_USER_EXTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
        </user-service>
    </authentication-provider>
</beans:beans>
The problem is that regardless of the order of the intercept-url lines, the line
<intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
always seems to be applied and the line
<intercept-url pattern="/services/InitechAuthenticationService?wsdl" filters="none" />
is ignored. I would have expected that one can control the behaviour somehow, e.g. by specifying the order (so that Spring Security selects either the first or last matching rule) or by the specificity of the rules so that Spring Security selects the most specific rule, i.e. the one with "wsdl" at the end in this case. How can I exclude the WSDL document from being authenticated, while simultaneously enabling authentication for actually using the WS?
I solved the problem by changing the http part of the configuration to use regular expressions instead of the Ant Path Matcher. The complete working configuration is here:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    <http path-type="regex">
        <intercept-url pattern="/services/InitechAuthenticationService*" access="ROLE_WSUSER" />
        <intercept-url pattern="/services/InitechAuthenticationService\\?wsdl" filters="none" />
        <http-basic />
    </http>
    <authentication-provider>
        <user-service>
            <user name="internal" password="${WS_USER_INTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
            <user name="external" password="${WS_USER_EXTERNAL_PASSWORD}" authorities="ROLE_WSUSER" />
        </user-service>
    </authentication-provider>
</beans:beans>
The changes:
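An added example, not part of the original answer or of Spring Security itself: a stand-alone Java check that runs the posted regex patterns and a tightened pair through java.util.regex against constructed URLs, to show which rule each request falls under. It assumes rules are tried in declaration order with the first match winning, and that a pattern must match the entire URL including the query string; `firstMatch`, the rule labels and the tightened patterns are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: evaluates intercept-url style regex rules outside the container.
// Assumptions (not confirmed by the page): rules are tried in declaration order,
// the first match wins, and a pattern must match the whole URL incl. query string.
public class InterceptUrlRuleCheck {

    // Returns the label of the first rule whose pattern matches the entire URL.
    static String firstMatch(Map<String, String> rules, String url) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (Pattern.compile(rule.getKey()).matcher(url).matches()) {
                return rule.getValue();
            }
        }
        return "(no rule matched)";
    }

    public static void main(String[] args) {
        String base = "/services/InitechAuthenticationService";

        // Patterns as the regex engine receives them from the XML attributes:
        // a trailing "*" repeats the final "e", and "\\?" is an optional backslash.
        Map<String, String> asPosted = new LinkedHashMap<String, String>();
        asPosted.put(base + "*", "ROLE_WSUSER");
        asPosted.put(base + "\\\\?wsdl", "filters=none");

        // Tightened variant (hypothetical): specific WSDL rule first, "\?" for a
        // literal question mark, ".*" for "any suffix".
        Map<String, String> tightened = new LinkedHashMap<String, String>();
        tightened.put(base + "\\?wsdl", "filters=none");
        tightened.put(base + ".*", "ROLE_WSUSER");

        // Constructed sample request URLs.
        String[] urls = {
            base, base + "?wsdl", base + "?WSDL", base + "/extra", base + "?wsdl&x=1"
        };
        for (String url : urls) {
            System.out.printf("%-52s posted: %-18s tightened: %s%n",
                    url, firstMatch(asPosted, url), firstMatch(tightened, url));
        }
    }
}
```

Any URL reported as "(no rule matched)" is covered by neither rule, so confirm how the deployed Spring Security version treats requests with no matching intercept-url before relying on the rule set.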