Securing Web Services

Ryan Heaton edited this page Sep 17, 2015 · 1 revision

Note: The following applies mostly to Enunciate version 1.x

Security is a complicated matter. This is especially true with Web services. Enunciate's role in Web service security is to let you plug in an existing security framework and then get out of the way.

This document shows how to apply security to your Web service endpoints using Spring Security. It is not intended to be a reference for Spring Security; it only demonstrates how to apply Spring Security to your Web services using Enunciate.

Step 1: Configure the Servlet Filter

Spring Security works by passing each HTTP request through a servlet filter. Once you have gone through the Spring Security documentation, you'll understand how to create a minimal security configuration like this one:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:beans="http://www.springframework.org/schema/beans"
            xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                          http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

 <http auto-config='true'>
   <intercept-url pattern="/**" access="ROLE_USER" />
   <http-basic />
 </http>

 <authentication-manager>
   <authentication-provider>
     <user-service>
       <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
       <user name="bob" password="bobspassword" authorities="ROLE_USER" />
     </user-service>
   </authentication-provider>
 </authentication-manager>

 <!--hook up the spring security filter chain-->
 <beans:alias name="springSecurityFilterChain" alias="securityFilter"/>

</beans:beans>

This configures a security filter named securityFilter that will secure all requests with HTTP Basic Auth. There are two users configured, "jimi" and "bob".

Save this as a file called spring-security.xml at the root of your classpath.

Step 2: Configure Enunciate

From here, it's just a matter of configuring Enunciate to apply your security filter. This is done in the Enunciate configuration file:

<enunciate ...>

 <webapp>
   <globalServletFilter name="securityFilter" classname="org.springframework.web.filter.DelegatingFilterProxy"/>
 </webapp>

 <modules>
   <spring-app>
     <springImport uri="classpath:/spring-security.xml"/>
   </spring-app>
 </modules>
</enunciate>

Here we've made sure that Spring picks up our security configuration (by "importing" spring-security.xml) and then told Enunciate to apply the servlet filter to all of our Web service endpoints (using a global servlet filter).

The org.springframework.web.filter.DelegatingFilterProxy is a Spring filter that delegates its logic to a bean named "securityFilter" (the name of the filter).
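
Because the filter name in the Enunciate file and the alias in spring-security.xml must match for the proxy to find its bean, a build-time check of the two files catches a rename before it reaches deployment. The following Python sketch is an added example, not part of Enunciate or Spring Security; the function name check_wiring, the finding texts and the shortened sample files are constructed for illustration. It assumes TLS is expected to be enforced in the Spring configuration itself through the requires-channel attribute; if HTTPS is enforced elsewhere, treat that finding as a prompt to confirm it.

```python
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"
BEANS = "{http://www.springframework.org/schema/beans}"
PROXY = "org.springframework.web.filter.DelegatingFilterProxy"

# Constructed samples mirroring the two files on this page (shortened).
SPRING_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <http-basic/>
  </http>
  <authentication-manager><authentication-provider><user-service>
    <user name="bob" password="bobspassword" authorities="ROLE_USER"/>
  </user-service></authentication-provider></authentication-manager>
  <beans:alias name="springSecurityFilterChain" alias="securityFilter"/>
</beans:beans>"""

ENUNCIATE_XML = """<enunciate><webapp>
  <globalServletFilter name="securityFilter"
      classname="org.springframework.web.filter.DelegatingFilterProxy"/>
</webapp></enunciate>"""

def check_wiring(enunciate_xml, spring_xml):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    spring = ET.fromstring(spring_xml)
    enunciate = ET.fromstring(enunciate_xml)
    # Names the proxy can resolve: bean ids plus aliases in the imported file.
    beans = {b.get("id") for b in spring.iter(BEANS + "bean")}
    beans |= {a.get("alias") for a in spring.iter(BEANS + "alias")}
    proxies = [f for f in enunciate.iter("globalServletFilter")
               if f.get("classname") == PROXY]
    if not proxies:
        findings.append("no global DelegatingFilterProxy: endpoints are unfiltered")
    for f in proxies:
        if f.get("name") not in beans:
            findings.append("filter '%s' has no matching bean or alias" % f.get("name"))
    # The catch-all rule is what makes the filter protect every endpoint.
    if not any(u.get("pattern") == "/**" and u.get("access")
               for u in spring.iter(SEC + "intercept-url")):
        findings.append("no catch-all intercept-url with an access rule")
    # Basic Auth resends the password on every request; flag it if no rule forces HTTPS.
    if spring.find(".//" + SEC + "http-basic") is not None and not any(
            u.get("requires-channel") == "https" for u in spring.iter(SEC + "intercept-url")):
        findings.append('http-basic without requires-channel="https"')
    return findings
```

Run against the configuration shown on this page, the check reports only the missing HTTPS channel requirement; renaming the filter in one file but not the other produces the "no matching bean or alias" finding.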
