The airline sample uses different endpoint mappings (marshalling endpoint, payload endpoint and annotation endpoint).
I have one endpoint; PayloadRootAnnotationMethodEndpointMapping using JAXB2 Marshalling.
Configuring two different URLs results in two MessageDispatcher servlets, with a configuration file for each instance.
Thereby we have now created a fallback mechanism on one URL, because we have a lot of different clients (users).
Some users want to do SOAP authentication (WS-Security) and other users can only do BASIC authentication.
We use the MethodSecurityInterceptor from Acegi to handle the authentication and authorization.
So when there is no (authenticated) authentication object in the security context, this results in an AuthenticationException which maps to a SOAP fault. When configuring the application in this way there cannot be a security leak (I think).
I do not want to change the default behaviour of the XwsSecurityInterceptor, but is it possible to configure the interceptor to skip the validation?
The AcegiPlainTextPasswordValidationCallbackHandler can also be configured to ignore authentication failures; is this also a possible security leak then?
Well, let me know what you think.