Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.2.1
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None

      Description

      In the configuration of MessageDispatcherServlet there is no way to restrict the endpoint access.

      The problem is that I want to create a security-constraint for the actual service calls, but have my WSDLs open.

      I have this in web.xml:
      <servlet>
        <servlet-name>spring-ws</servlet-name>
        <servlet-class>org.springframework.ws.transport.http.MessageDispatcherServlet</servlet-class>
        ...
      </servlet>
      <servlet-mapping>
        <servlet-name>spring-ws</servlet-name>
        <url-pattern>/services/*</url-pattern>
      </servlet-mapping>

      <!--
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Unsecured</web-resource-name>
          <url-pattern>/services/test.wsdl</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>HttpAuth</web-resource-name>
          <url-pattern>/services/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>ws-user</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>INTEGRAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
      </login-config>
      <security-role>
        <role-name>ws-user</role-name>
      </security-role>

      But when I use my client with the endpoint http://myserver/myapp/services/test.wsdl, MessageDispatcher does not filter that it is a WSDL call, and still executes my endpoint method.

      I would expect this URL call to return only the WSDL.
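
Added example, not part of the original report and not Spring-WS project code: a container-level way to keep the WSDL URL open without leaving an unauthenticated path to the endpoint, by scoping the open constraint to GET. It assumes a Servlet 3.0+ container (for http-method-omission), that WSDL retrieval is an HTTP GET while SOAP calls are POST, and the reporter's URL layout and role name; the WsdlReadOnly and WsdlOtherMethods resource names are hypothetical.

```xml
<!-- Added example; assumes Servlet 3.0+ and the URL/role names from the report. -->

<!-- 1. Anonymous access to the WSDL, for GET only (no auth-constraint element). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>WsdlReadOnly</web-resource-name> <!-- hypothetical name -->
    <url-pattern>/services/test.wsdl</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. Every method except GET on the same URL requires the role.
        Without this block, the exact-match pattern above is the best match for
        /services/test.wsdl and leaves POST uncovered, so a SOAP request sent to
        the WSDL URL would reach the endpoint unauthenticated. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>WsdlOtherMethods</web-resource-name> <!-- hypothetical name -->
    <url-pattern>/services/test.wsdl</url-pattern>
    <http-method-omission>GET</http-method-omission>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ws-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>INTEGRAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 3. The reporter's existing constraint for all other service URLs, unchanged. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpAuth</web-resource-name>
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ws-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>INTEGRAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

To check the result, an unauthenticated GET of /services/test.wsdl should return the WSDL, and an unauthenticated POST to the same URL should be rejected by the container with 401 before the servlet sees it.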

            People

            • Assignee:
              Unassigned
              Reporter:
              ddiehl Daniel Conde Diehl