3

I have a SOAP mock service with Spring WS. I'm trying to add basic HTTP auth. I use this configuration of the web service:

```java
@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {

    @Bean
    public ServletRegistrationBean messageDispatcherServlet(ApplicationContext applicationContext) {
        MessageDispatcherServlet servlet = new MessageDispatcherServlet();
        servlet.setApplicationContext(applicationContext);
        return new ServletRegistrationBean(servlet);
    }

    @Bean(name = "cards")
    public Wsdl11Definition wsdlDefinition() {
        SimpleWsdl11Definition wsdl11Definition = new SimpleWsdl11Definition();
        wsdl11Definition.setWsdl(new ClassPathResource("cards.wsdl"));
        return wsdl11Definition;
    }
}
```

and this configuration of spring-security:

```java
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
          .authorizeRequests().anyRequest().authenticated()
          .and().httpBasic()
          .and().authorizeRequests().antMatchers("*.wsdl").permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}
```

But when I run spring-boot and send requests to the service, it returns responses even without authentication. What have I configured wrong?

Upd: Also, if I run spring-boot with the following changes to the configuration:

```java
//@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {

    //@Bean
    //public ServletRegistrationBean messageDispatcherServlet(ApplicationContext applicationContext) {
    //    MessageDispatcherServlet servlet = new MessageDispatcherServlet();
    //    servlet.setApplicationContext(applicationContext);
    //    return new ServletRegistrationBean(servlet);
    //}

    @Bean(name = "cards")
    public Wsdl11Definition wsdlDefinition() {
        SimpleWsdl11Definition wsdl11Definition = new SimpleWsdl11Definition();
        wsdl11Definition.setWsdl(new ClassPathResource("cards.wsdl"));
        return wsdl11Definition;
    }
}
```

it works OK (requires auth for requests), but the URL mapping changes to [/services/*], which is not the mapping I want. Sorry, I'm a newbie with Spring.

ipatina
  • How is this a mock service? How are you using this... Also your security setup is wrong as your `*.wsdl` will be overridden by the previous statement that you need security for everything. (the ordering matters). – M. Deinum Oct 24 '16 at 07:38
  • I mean it's soap service like in [this example](https://spring.io/guides/gs/producing-web-service/). – ipatina Oct 24 '16 at 09:12
  • Also what isn't working, what are you testing (how are you testing) and how are things being loaded. You only dump some configuration and expect help but there is too little information in your question. – M. Deinum Oct 24 '16 at 09:20
  • I tested in Soap UI and postman. [Here is code](https://github.com/ipatina/mock-new) of project. – ipatina Oct 24 '16 at 09:42
  • In SoapUI I created a new SOAP project with my cards.wsdl. I send a request to the service without an auth header and, instead of an error saying that I'm not authenticated, it returns a correct response. – ipatina Oct 24 '16 at 09:52

4 Answers

3

Try this; as @denium pointed out, order matters:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
      .authorizeRequests()
      // The more specific matcher has to come before anyRequest()
      .antMatchers("*.wsdl").permitAll()
      .anyRequest().hasRole("USER")
      .and().httpBasic();
}
```
kuhajeyan
  • can you please look at my question. https://stackoverflow.com/questions/72578781/soap-web-service-is-sending-response-even-when-the-request-does-not-have-okta-to – M S Kulkarni Jun 12 '22 at 02:56
2

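I have just gone through the same problem and here is my solution. The `permitAll()` in your code is applied on already authenticated users; you need to add the URL to the ignore list using the method `configure(WebSecurity web)`. Also, I think that filtering for "*.wsdl" is not enough; I used "/**/*.wsdl".

Here is my working WebSecurityConfig class:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Enforce basic auth
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
          .httpBasic()
          .and().authorizeRequests().anyRequest().authenticated();
    }

    // Ignore basic auth for WSDL URL
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/**/*.wsdl");
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // TODO - move to a parameter
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }
}
```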
Nishu Tayal
Karlik_B
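A regression test for what the answer above configures, added here as an example and not part of the original answer: it sends real HTTP requests to the running application and checks that the SOAP endpoint answers 401 without valid credentials while the WSDL stays readable. The paths `/ws` and `/ws/cards.wsdl`, the class name and the use of JUnit 4 with `@SpringBootTest` are assumptions; the credentials are the in-memory user from the configuration.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotEquals;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
public class SoapEndpointAuthTest {
    // Assumed paths: adjust to the MessageDispatcherServlet mapping in use.
    private static final String ENDPOINT = "/ws";
    private static final String WSDL = "/ws/cards.wsdl";
    // Constructed sample request: an empty SOAP 1.1 envelope.
    private static final String ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<soapenv:Body/></soapenv:Envelope>";
    @Value("${local.server.port}")
    private int port;
    // Sends one request over real HTTP and returns only the status code.
    private int status(String method, String path, String credentials) throws Exception {
        URL url = new URL("http://localhost:" + port + path);
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod(method);
        if (credentials != null) {
            String token = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
            c.setRequestProperty("Authorization", "Basic " + token);
        }
        if ("POST".equals(method)) {
            c.setDoOutput(true);
            c.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
            c.getOutputStream().write(ENVELOPE.getBytes(StandardCharsets.UTF_8));
        }
        return c.getResponseCode();
    }

    @Test
    public void soapEndpointRequiresBasicAuthButWsdlDoesNot() throws Exception {
        assertEquals(401, status("POST", ENDPOINT, null));
        assertEquals(401, status("POST", ENDPOINT, "user:wrong"));
        assertNotEquals(401, status("POST", ENDPOINT, "user:password"));
        assertEquals(200, status("GET", WSDL, null));
    }
}
```

Because the requests go through the embedded server rather than a mock dispatcher, the test also fails if the servlet registration lets requests reach the endpoint without authentication, which is the symptom described in the question.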
0

Just copy and paste this code into your "WebServiceConfig" class:

```java
@Bean
public SimplePasswordValidationCallbackHandler securityCallbackHandler() {
    SimplePasswordValidationCallbackHandler callbackHandler = new SimplePasswordValidationCallbackHandler();
    // Username -> password pairs accepted by the interceptor
    Properties users = new Properties();
    users.setProperty("AAA", "BBB");
    callbackHandler.setUsers(users);
    return callbackHandler;
}

@Bean
public Wss4jSecurityInterceptor securityInterceptor() {
    Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
    // Require a WS-Security UsernameToken on incoming messages
    securityInterceptor.setValidationActions("UsernameToken");
    securityInterceptor.setSecurementMustUnderstand(true);
    securityInterceptor.setSecurementUsername("setusername");
    securityInterceptor.setSecurementPassword("setpassword");
    securityInterceptor.setValidationCallbackHandler(securityCallbackHandler());
    return securityInterceptor;
}

@Override
public void addInterceptors(List<EndpointInterceptor> interceptors) {
    interceptors.add(securityInterceptor());
}
```
  • Can we do something like this for a question I posted. Can you please look at the below. https://stackoverflow.com/questions/72578781/soap-web-service-is-sending-response-even-when-the-request-does-not-have-okta-to – M S Kulkarni Jun 10 '22 at 23:55
0

I had some problem. I changed ServletRegistrationBean to custom url.

```java
new ServletRegistrationBean(servlet, "/cusom_url_mapping/*");
```
Dmitrey