@Secured service methods and spring ws

Question

I have the following project structure:

base project (service layer, model) web project webservice project

where both the web project and the web service project depend on the base project and use services provided by it.

I make heavy use of the Spring Framework which means the Services are Spring Beans with methods secured by the @Secured Annotation and Spring Security. I created an Voter extending the AbstractAclVoter that checks client permissions.

The web project uses Spring MVC and the web service project Spring WS with @Endpoint Annotations and the XwsSecurityInterceptor.

Here is my problem:

The permissions are checked if a call comes from a web project controller or in JUnit tests of the base project but requests from the web service project are not checked for the correct permission - my Voter is not called!

• Has this something to do with the XwsSecurityInterceptor?
• Do I need the DelegatingFilterProxy in the web service project too? (I have no ContextLoaderListener there because everything is configured by the MessageDispatcherServlet config)

Answer 1

Your user authentication object with populated Granted Authority is available only in the web context not in your web services project. When you make a call to your web service application, you don't have the same security context over there. So your security tags won't work over there.

Answer 2

Spring Security integrates as a servlet filter in the web application. So I would assume that the DelegatingFilterProxy will need to be added to web.xml for the web services project so that it can process the requests going to that application.