2

I have created an Apache CXF SOAP web service in Spring Boot as per the config below:

```java
@Bean
public ServletRegistrationBean wsDispatcherServlet() {
    return new ServletRegistrationBean(new CXFServlet(), "/service/*");
}

@Bean
public Endpoint pegaEndpoint() {
    EndpointImpl endpoint = new EndpointImpl(springBus, "/service/");
    endpoint.publish("ws");
    return endpoint;
}
```

Now I want to use httpBasic authentication to call the web service, but at the same time I want the WSDL to be publicly accessible. Is it possible to configure that with Spring Security? I have the code below in my Java configuration class for security, but it doesn't really work - basic authentication is enforced on both the web service calls and the WSDL accessed at http://localhost:8080/service/ws?WSDL

Can Spring Security differentiate based on the URL param? Or can I set a WSDL location to be different than the URL used to call the web service?

```java
@Autowired
private void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
}

@Override
public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/service/**").hasRole("USER")
        .and().httpBasic()
        .and().csrf().disable();
}

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/service/ws?wsdl");
}
```
Zyga

2 Answers

1

I ended up doing the below. Apparently Ant matchers don't recognize any URL parameters, so I used a regex one:

```java
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().regexMatchers("/service/ws\\?WSDL");
}
```
Zyga
  • can you please look at my question. https://stackoverflow.com/questions/72578781/soap-web-service-is-sending-response-even-when-the-request-does-not-have-okta-to – M S Kulkarni Jun 12 '22 at 02:55
0

Permit all on the wsdl should do it -

```java
http
    .authorizeRequests()
        .antMatchers("/service/ws?wsdl").permitAll()
        .antMatchers("/service/**").hasRole("USER")
    .and().httpBasic()
    .and().csrf().disable();
```
farrellmr
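
Added example, not code from the question or either answer: a variant of the regex approach that exempts only `GET` requests for the WSDL, accepts `?wsdl` in any letter case, and uses `permitAll()` so the request still passes through the Spring Security filter chain instead of skipping it with `web.ignoring()`. The class name `WsSecurityConfig` is an assumption, and the config assumes the `WebSecurityConfigurerAdapter` style used in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class WsSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    // RegexRequestMatcher tests servletPath + pathInfo + "?" + queryString as one
    // string (full match), so unlike an Ant pattern it can see the query string.
    // Arguments: pattern, HTTP method, caseInsensitive (covers ?wsdl and ?WSDL).
    private static final RequestMatcher WSDL_GET =
            new RegexRequestMatcher("/service/ws\\?wsdl", HttpMethod.GET.name(), true);

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Same demo user as in the question. On Spring Security 5 the password
        // needs an encoder id prefix, e.g. "{noop}password".
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Rules are evaluated in order, so the narrow exemption goes first.
                .requestMatchers(WSDL_GET).permitAll()
                // Everything else under /service/, including a POST to
                // /service/ws?WSDL, still requires the USER role.
                .antMatchers("/service/**").hasRole("USER")
                .and().httpBasic()
                .and().csrf().disable();
    }
}
```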