Spring PayloadValidatingInterceptor example
In this article we look at the implementation of WS-Security that Spring-WS provides. WS-Security is an OASIS specification [REF-7] that describes an abstract message security model to protect message content from being disclosed (confidentiality) or modified without detection (integrity), and to authenticate a username token embedded in the SOAP message.

We go over the security configuration using Spring's support for WS-Security, which provides message-level authentication and, optionally, message confidentiality and integrity; ORM (Object-Relational Mapping) to deal with persistence at the object level; and a DAO for access to the relational database holding the user-credential information. Next we look at how Spring generates the WSDL document automatically from the data contract created earlier and, lastly, at the client configuration required to invoke and consume the Web service.

A critical part of setting up the application for XWS-Security is the infrastructure for the kind of security to be used (XML Digital Signature, XML Encryption and/or Username Token verification): some combination of keystore files, truststore files and a username-password table. To keep things simple, we use only Username Token verification. This specifies a process for sending a username token embedded (and optionally encrypted) within the message, which the configured infrastructure then verifies against the user credentials held in the username-password table of an HSQL datastore before the request passes authentication.

Since we use only simple username-password authentication, our security policy, shown in Example 3, requires that every incoming SOAP message carry a username token with a password digest. The digest (WS-Security's PasswordDigest form: a Base64-encoded SHA-1 over the nonce, the creation timestamp and the password) keeps the cleartext password off the wire, but the server must recompute it from the stored credential, so the username-password table has to hold the password in recoverable form; the digest protects the password in transit, not at rest. The WS-Security interceptor validates incoming messages according to the policy defined in securityPolicy.xml.
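As an added example (not one of the article's own numbered examples), a minimal XWSS security policy of the kind the paragraph describes: it rejects any request whose WS-Security header lacks a UsernameToken carrying a password digest and a nonce. The file name securityPolicy.xml is the one the article uses; the namespace and element names follow the XWSS configuration schema that Spring-WS's XwsSecurityInterceptor reads.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- securityPolicy.xml: read by XwsSecurityInterceptor (Spring-WS, XWSS backend).
     Every inbound SOAP message must carry a wsse:UsernameToken whose password element
     is a PasswordDigest (Base64 of SHA-1 over nonce + created + password) rather than
     PasswordText, and the token must include a nonce; together with the created
     timestamp the nonce gives the server the material it needs to detect a replayed
     digest. A message without such a token is answered with a SOAP fault and never
     reaches the endpoint. -->
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="true"/>
</xwss:SecurityConfiguration>
```

Setting passwordDigestRequired to false would also accept PasswordText tokens, which send the cleartext password in the header; unless the transport is TLS, that is the weak setting to avoid.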
Example 2 shows the application's security context configuration file.
Since these bean wirings are relevant only to the Web service's endpoint configuration, message routing and exception handling (all within the scope of the Spring-WS module [REF-3]), they are stored within a configuration file aptly called application
In this article we secure the service by authenticating the incoming Web service request, which carries a username token, against user-credential information stored in a database, and by authorizing access to the secured endpoint only to users who hold a particular role.
Rizwan Ahmed

Biography: The author is an IT Systems Architect and has about 10 years of experience in the public and private sector architecting technology, systems and security solutions.
He holds a Bachelor's degree in engineering from the Indian Institute of Technology and a Master's degree from Florida State University.
The wsSecurityInterceptor bean is one such interceptor: it implements the Spring-WS EndpointInterceptor interface and provides message-level security on the SOAP message en route to the endpoint.
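The wiring just described, written out as an added example rather than the article's Example 2: the interceptor bean, the callback handler that checks the UsernameToken against the database, the DAO-backed lookup, and the endpoint mapping that runs the interceptor in front of the endpoint. Class names are the Spring-WS 2.x, Spring Security 3.x and Spring JDBC ones; the bean names, the HSQL URL, the table layout comment, the orders namespace, orderEndpoint and orders.xsd are assumptions made up for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Message-level security: enforce securityPolicy.xml on every inbound message. -->
    <bean id="wsSecurityInterceptor"
          class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
        <property name="policyConfiguration" value="classpath:securityPolicy.xml"/>
        <property name="callbackHandlers">
            <list>
                <ref bean="digestPasswordCallbackHandler"/>
            </list>
        </property>
    </bean>

    <!-- Resolves the UsernameToken: loads the user by name through the UserDetailsService,
         recomputes the digest from the stored password and compares it with the one in
         the header. Because the digest is computed over the cleartext password, the
         service must return the password in recoverable form; a one-way hashed password
         column cannot be used with PasswordDigest. -->
    <bean id="digestPasswordCallbackHandler"
          class="org.springframework.ws.soap.security.xwss.callback.SpringDigestPasswordValidationCallbackHandler">
        <property name="userDetailsService" ref="userDetailsService"/>
    </bean>

    <!-- DAO-backed credential lookup (assumed bean names). Spring Security's JdbcDaoImpl
         reads a users(username, password, enabled) table and an authorities(username,
         authority) table by default; the authorities it loads are what a role-based
         check on the secured endpoint consults. -->
    <bean id="userDetailsService"
          class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <property name="dataSource" ref="dataSource"/>
    </bean>

    <!-- In-memory HSQL datastore holding the username-password table (assumed URL). -->
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
        <property name="url" value="jdbc:hsqldb:mem:users"/>
        <property name="username" value="sa"/>
        <property name="password" value=""/>
    </bean>

    <!-- Interceptors run in list order: security first, so an unauthenticated request
         is faulted before schema validation and never reaches the endpoint. -->
    <bean class="org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping">
        <property name="interceptors">
            <list>
                <ref bean="wsSecurityInterceptor"/>
                <ref bean="payloadValidatingInterceptor"/>
            </list>
        </property>
        <property name="mappings">
            <props>
                <!-- orderEndpoint is the endpoint bean, assumed to be defined elsewhere. -->
                <prop key="{http://example.com/orders}OrderRequest">orderEndpoint</prop>
            </props>
        </property>
    </bean>

    <!-- Schema validation of request and response payloads (assumed orders.xsd). -->
    <bean id="payloadValidatingInterceptor"
          class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor">
        <property name="schema" value="classpath:orders.xsd"/>
        <property name="validateRequest" value="true"/>
        <property name="validateResponse" value="true"/>
    </bean>
</beans>
```

The order of the interceptors list is the security-relevant choice here: putting the validating interceptor first would let an unauthenticated caller probe the schema, and a fault from it would reveal which payloads the service accepts before any credential has been checked.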