Posted to user@shiro.apache.org by scSynergy <ro...@scsynergy.de> on 2015/02/16 09:16:08 UTC

Securing a SOAP webservice but leaving wsdl open to anonymous

Hi,
I have been trying to secure my SOAP webservices with Apache Shiro but I am
stuck: I managed to either restrict everything or nothing, but what I want
is to have everything secured except for access to the wsdl which should be
open to unrestricted access.
/SoapService?wsdl should be open to anybody without requiring
authentication, while everything else should be restricted to authenticated
users.
Here is what I tried that did not work:
/SoapService?wsdl  = noSessionCreation, ssl[8443], anon
/SoapService/** = noSessionCreation, ssl[8443], authcBasic

or /SoapService\?wsdl  = noSessionCreation, ssl[8443], anon
or /SoapService\\?wsdl  = noSessionCreation, ssl[8443], anon
or /SoapService\\\?wsdl  = noSessionCreation, ssl[8443], anon
or /SoapService\\\\?wsdl  = noSessionCreation, ssl[8443], anon
or **wsdl = noSessionCreation, ssl[8443], anon
or /*wsdl = noSessionCreation, ssl[8443], anon
or /SoapService*/ = noSessionCreation, ssl[8443], anon
or /SoapService** = noSessionCreation, ssl[8443], authcBasic

And lots of other combinations which I do not quite remember. Trouble is:
The documentation states Apache Shiro uses Ant path expressions for the
[urls] section. But Ant itself does a horrific job at explaining how its
path expressions work, i.e. they do not explain how they match a literal
'?' but leave us guessing.

Has anybody managed to secure his / her webservice through Shiro but leave
the wsdl unrestricted and would kindly care to share?



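Added example, not part of the original post and not Shiro project code: Shiro matches [urls] patterns against the request path only, without the query string, and '?' in an Ant pattern is a one-character wildcard, so no pattern can select "?wsdl"; the decision has to be made inside a filter. The class name, package and filter name below are hypothetical, and the javax.servlet imports assume Shiro 1.x.

```java
package com.example.security; // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical filter: HTTP Basic for everything, except an anonymous
 * GET whose query string is exactly "wsdl".
 *
 * shiro.ini (the filter name wsdlOrAuthcBasic is an assumption):
 *   [main]
 *   wsdlOrAuthcBasic = com.example.security.WsdlAwareBasicAuthFilter
 *   [urls]
 *   /SoapService    = noSessionCreation, ssl[8443], wsdlOrAuthcBasic
 *   /SoapService/** = noSessionCreation, ssl[8443], wsdlOrAuthcBasic
 */
public class WsdlAwareBasicAuthFilter extends BasicHttpAuthenticationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
                                      ServletResponse response,
                                      Object mappedValue) {
        HttpServletRequest http = WebUtils.toHttp(request);
        if (isWsdlFetch(http)) {
            return true; // contract download only, no credentials needed
        }
        // Everything else falls through to the normal Basic auth check.
        return super.isAccessAllowed(request, response, mappedValue);
    }

    static boolean isWsdlFetch(HttpServletRequest http) {
        // GET only: a POST to ...?wsdl could still carry a SOAP envelope
        // and must go through Basic authentication.
        // Exact match: "wsdl&x=1" or other variants are not exempted.
        return "GET".equals(http.getMethod())
                && "wsdl".equals(http.getQueryString());
    }
}
```

Keeping the exemption to an exact GET query string means the anonymous path cannot be reused to reach the service operations themselves.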