1

I have the following Java configuration for my SOAP web service Spring Boot application:

WebSecurityConfiguration:

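    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class AgreementWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Value("${spring.application.name}")
        private String applicationName;

        private static final String ROLE = "agreement-service";

        /**
         * Defines which URL paths should be secured and which should not.
         * Specifically, the "/agreementservice-<version>/**" path is configured to require authentication.
         *
         * @param httpSecurity allows configuring web based security for specific http requests
         * @throws Exception if error is encountered when accessing the {@code httpSecurity}
         */
        @Override
        protected void configure(final HttpSecurity httpSecurity) throws Exception {
            // Pattern is built from the application name, e.g. "/agreementservice-1.0.0/**"
            final String pattern = "/" + applicationName + "/**";
            httpSecurity.csrf().disable()
                .authorizeRequests().antMatchers(pattern).hasRole(ROLE)
                .and().httpBasic();
        }

    }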

WebServiceConfiguration:

    import org.springframework.boot.web.servlet.ServletRegistrationBean;
    import org.springframework.context.ApplicationContext;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.io.ClassPathResource;
    import org.springframework.ws.config.annotation.EnableWs;
    import org.springframework.ws.config.annotation.WsConfigurerAdapter;
    import org.springframework.ws.transport.http.MessageDispatcherServlet;
    import org.springframework.ws.wsdl.wsdl11.DefaultWsdl11Definition;
    import org.springframework.xml.xsd.SimpleXsdSchema;
    import org.springframework.xml.xsd.XsdSchema;

    @EnableWs
    @Configuration
    public class AgreementWebServiceConfiguration extends WsConfigurerAdapter {

        private static final String NAMESPACE_URI = "http://markets.sample.com/credit/schemas/agreement/messages";
        private static final String URL_MAPPING = "/*";
        private static final String PORT_TYPE_NAME = "AgreementResource";
        private static final String LOCATION_URI = "/";
        private static final String AGREEMENT_XSD_PATH = "agreement.xsd";
        private static final String MASTER_AGREEMENT_XSD_PATH = "xsd/base/masterAgreement.xsd";

        // Registers the Spring-WS dispatcher servlet for every path under the context root
        @Bean
        public ServletRegistrationBean messageDispatcherServlet(final ApplicationContext applicationContext) {
            final MessageDispatcherServlet servlet = new MessageDispatcherServlet();
            servlet.setApplicationContext(applicationContext);
            servlet.setTransformWsdlLocations(true);
            return new ServletRegistrationBean(servlet, URL_MAPPING);
        }

        // The bean name determines the WSDL file name: agreement.wsdl
        @Bean(name = "agreement")
        public DefaultWsdl11Definition defaultWsdl11Definition(final XsdSchema agreementSchema) {
            return getWsdl11Definition(agreementSchema);
        }

        @Bean
        public XsdSchema agreementSchema() {
            return new SimpleXsdSchema(new ClassPathResource(AGREEMENT_XSD_PATH));
        }

        @Bean
        public XsdSchema masterAgreement() {
            return new SimpleXsdSchema(new ClassPathResource(MASTER_AGREEMENT_XSD_PATH));
        }

        private DefaultWsdl11Definition getWsdl11Definition(final XsdSchema agreementSchema) {
            final DefaultWsdl11Definition wsdl11Definition = new DefaultWsdl11Definition();
            wsdl11Definition.setPortTypeName(PORT_TYPE_NAME);
            wsdl11Definition.setLocationUri(LOCATION_URI);
            wsdl11Definition.setTargetNamespace(NAMESPACE_URI);
            wsdl11Definition.setSchema(agreementSchema);
            return wsdl11Definition;
        }

    }

My application is deployed on a Tomcat server under the context path

    /agreementservice-1.0.0

Having said that, I would like to authenticate any access to the above URL. However, the current configuration allows all requests to my URL. For example, I was able to access the application WSDL without being prompted for any authentication:

    http://localhost:8080/agreementservice-1.0.0/agreement.wsdl

The same is true when testing the web service using SOAP UI. I was able to execute requests even without providing Authorization in SOAP UI.

Jown
Jown, were you able to find a solution to this? Can you please look at the question below: https://stackoverflow.com/questions/72578781/soap-web-service-is-sending-response-even-when-the-request-does-not-have-okta-to – M S Kulkarni Jun 10 '22 at 23:52

1 Answer

-1
I think inside the configure() method of the AgreementWebSecurityConfiguration class you have to add

    formLogin().loginPage("/login")

and inside your LoginController or any Login class you have to add

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public ModelAndView loginPage() {
        return new ModelAndView("login");
    }

Dillip Kumar
I forgot to mention that I don't have any controller. Our client is only accessing the web service through SOAP UI. And Authorization is only supplied in the Auth tab of the SOAP UI. Thus, adding a formLogin() is not an option. – Jown Sep 29 '16 at 12:22
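
A corrected security configuration for the setup in the question, as an added example that is not code from the question or the answer. Spring Security's ant matchers are evaluated against the request path without the servlet context path, so a pattern that starts with /agreementservice-1.0.0 matches nothing once the application is deployed under that context path, and a request that matches no authorization rule is left unrestricted. The example assumes the user store (not shown on the page) grants ROLE_agreement-service to the account the SOAP client uses.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class AgreementWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // hasRole() prepends "ROLE_", so the account needs the authority
    // "ROLE_agreement-service" (assumption: granted by a user store not shown here).
    private static final String ROLE = "agreement-service";

    @Override
    protected void configure(final HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // Kept from the question: SOAP clients post XML and send no CSRF token.
            .csrf().disable()
            .authorizeRequests()
                // Before (from the question):
                //   .antMatchers("/" + applicationName + "/**").hasRole(ROLE)
                // That pattern contains the context path. Matchers see only the path
                // inside the application ("/agreement.wsdl", "/"), so it never matched
                // and every request passed through unauthenticated.
                //
                // After: no path pattern at all. Every request handled by this
                // application, including the WSDL and the SOAP endpoint served by
                // MessageDispatcherServlet on "/*", requires the role.
                .anyRequest().hasRole(ROLE)
            .and()
            // Credentials arrive in the Authorization header (SOAP UI "Auth" tab);
            // no login page or controller is involved.
            .httpBasic();
    }
}
```

With this in place, an unauthenticated GET for http://localhost:8080/agreementservice-1.0.0/agreement.wsdl is answered with 401 and a `WWW-Authenticate: Basic` challenge; a 403 after supplying valid credentials means the account lacks the role.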