@Secured service methods and Spring WS
I have the following project structure:
- base project (service layer, model)
- web project
- web service project
where both the web project and the web service project depend on the base project and use services provided by it.
I make heavy use of the Spring Framework, which means the Services are Spring Beans with methods secured by the @Secured Annotation and Spring Security. I created a Voter extending the AbstractAclVoter that checks client permissions.
The web project uses Spring MVC and the web service project Spring WS with @Endpoint Annotations and the XwsSecurityInterceptor.
Here is my problem:
The permissions are checked if a call comes from a web project controller or in JUnit tests of the base project but requests from the web service project are not checked for the correct permission - my Voter is not called!
- Has this something to do with the XwsSecurityInterceptor?
- Do I need the DelegatingFilterProxy in the web service project too? (I have no ContextLoaderListener there because everything is configured by the MessageDispatcherServlet config)
Your user authentication object with populated Granted Authority is available only in the web context, not in your web services project. When you make a call to your web service application, you don't have the same security context over there. So your security tags won't work over there.
Spring Security integrates as a servlet filter in the web application. So I would assume that the DelegatingFilterProxy will need to be added to web.xml for the web services project so that it can process the requests going to that application.
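A `web.xml` for the web service project along the lines the last answer suggests, added here as an example and not taken from either poster's configuration. Because `DelegatingFilterProxy` resolves its target bean from the root application context by default, the example also registers a `ContextLoaderListener`, which the question says is currently absent. The context file path, servlet name and URL pattern are assumptions.

```xml
<!-- web.xml of the web service project (added example; path, servlet name and URL pattern are assumptions) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Root context: DelegatingFilterProxy looks up its target bean here by default,
       so the Spring Security configuration has to be loaded by a ContextLoaderListener. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <!-- hypothetical path to the security configuration -->
    <param-value>/WEB-INF/applicationContext-security.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- The filter name must match the bean name Spring Security registers: springSecurityFilterChain -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <!-- hypothetical pattern: the same one the Spring WS servlet is mapped to -->
    <url-pattern>/services/*</url-pattern>
  </filter-mapping>

  <!-- Spring WS dispatcher, still configured by its own servlet config file -->
  <servlet>
    <servlet-name>spring-ws</servlet-name>
    <servlet-class>org.springframework.ws.transport.http.MessageDispatcherServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>spring-ws</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>
</web-app>
```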