-3

I am working on a SOAP web service with Spring Boot and Spring Security with basic authentication. The authentication works, but I would like to authorize anonymous users to access many endpoints. I don't know how to do it. I am thinking of creating two WSDLs, one for endpoints with authentication and another for endpoints without authentication. Is it possible? Otherwise, is it possible to annotate an endpoint with something like @PreAuthorize(permitAll), or to customize Spring Security?

What is the proper way to do it, and how?

Thanks in advance.

I tried this:

    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "createAuthorRequest")
    @ResponsePayload
    @PreAuthorize("permitAll()")
    public CreateAuthorResponse createAuthor(
            @RequestPayload CreateAuthorRequest request
    ) throws WSException {
        return authorService.createAuthor(request);
    }

or customize Spring Security:

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .httpBasic()
                .and()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
                .antMatchers(HttpMethod.GET, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
                .antMatchers(HttpMethod.PUT, "/ws/createAuthor", "/ws/createAuthorRequest", "/ws/createAuthor**").permitAll()
                .anyRequest().authenticated()
                .and()
            .csrf().disable()
            .headers().frameOptions().disable();
    }

But it doesn't change anything. With SOAP, I don't know how to get the name of the endpoint called. Here is the Spring Security log:


    2019-05-29 22:49:39.060  INFO 8228 --- [io-8080-exec-10] Spring Security Debugger                 : 

    ************************************************************

    Request received for POST '/ws':

    org.apache.catalina.connector.RequestFacade@7445a104

    servletPath:/ws
    pathInfo:null
    headers: 
    accept-encoding: gzip,deflate
    content-type: text/xml;charset=UTF-8
    soapaction: ""
    content-length: 516
    host: localhost:8080
    connection: Keep-Alive
    user-agent: Apache-HttpClient/4.1.1 (java 1.5)
Bulan

1 Answer

-1

> is it possible to annotate an endpoint with something like @PreAuthorize(permitAll)

If you are using `@PreAuthorize` in your controllers, you can just add `@PreAuthorize("permitAll()")`.

> or customize spring security ?

In your custom security config, add all the endpoints that you want to be available publicly or without authorization to `antMatchers`, then set them to `permitAll`.

Sample:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                // permit all access to these endpoints (patterns must start with "/")
                .antMatchers("/endpoint1", "/endpoint2", "/endpoint3/**").permitAll()
                // any other request needs to be authenticated
                .anyRequest().authenticated()
                .and()
                // keep HTTP Basic as the authentication mechanism for the protected endpoints
                .httpBasic();
        }
    }

You may also specify the HTTP method that you want to permit by adding the method as a parameter before the list of endpoints:

    .antMatchers(HttpMethod.GET, "/endpoint1", "/endpoint2", "/endpoint3/**").permitAll()
    .antMatchers(HttpMethod.PUT, "/endpoint1", "/endpoint3/**").permitAll()
    .antMatchers(HttpMethod.POST, "/endpoint3/**").permitAll()
Royts
  • Thanks for your answer. – Bulan May 29 '19 at 20:22
  • I updated the post with your answer – Bulan May 29 '19 at 20:48
  • As you can see in your log, you accessed `servletPath:/ws`, which is not included in your `antMatchers`. Also, you can check the name of the endpoint that you are using in your `configuration class`, if I'm not wrong. You should have a method there that returns `ServletRegistrationBean` and `Endpoint`. – Royts May 30 '19 at 03:55
  • I tried with two WSDL files, one for endpoints with authentication and another for the others. I changed my `configuration class`: I wrote two `DefaultWsdl11Definition` methods, one per WSDL file, and in the `@Bean` method `messageDispatcherServlet` that returns a `ServletRegistrationBean` I return `return new ServletRegistrationBean(servlet, "/ws/*","/anonymous/*");`. It works. Thank you @Royts for your help, your answers helped me a lot. – Bulan May 30 '19 at 21:26
  • Congratulations. Glad to help. – Royts May 31 '19 at 06:26
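A worked configuration, added here as an example; it is not code from the question, the answer, or the project under discussion. It covers a point the thread leaves open: `MessageDispatcherServlet` chooses the endpoint method from the payload root element (`@PayloadRoot`), not from the request path, so one servlet mapped to both `/ws/*` and `/anonymous/*` will dispatch a `createAuthorRequest` posted to `/anonymous` to `createAuthor` just the same, and a second WSDL only changes what is advertised, not what is reachable. The example instead lets all of `/ws` through at the URL layer, keeps HTTP Basic active so credentials are still validated when present, and enforces per operation with `@PreAuthorize` on the endpoint methods, which is what the question tried first but only takes effect with `@EnableGlobalMethodSecurity` and a permissive URL rule in front of it. Assumed: Spring Boot 2.x with Spring Security 5 and Spring-WS 3 (Boot's default CGLIB proxies, which Spring-WS endpoint mapping needs); `CreateAuthorRequest`/`CreateAuthorResponse` and `GetAuthorRequest`/`GetAuthorResponse` are the JAXB classes generated from the WSDL as in the question; `AuthorService` and the namespace URI are placeholders.

```java
// ---- WsSecurityConfig.java (hypothetical file) ----
import java.util.Properties;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.ws.soap.server.endpoint.SoapFaultDefinition;
import org.springframework.ws.soap.server.endpoint.SoapFaultMappingExceptionResolver;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // activates @PreAuthorize on the endpoint beans
public class WsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Every SOAP operation arrives as POST /ws, so the URL layer cannot tell
                // createAuthorRequest from getAuthorRequest. Let /ws through here and
                // decide per operation inside the endpoint (see AuthorEndpoint below).
                .antMatchers("/ws/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // BasicAuthenticationFilter runs on permitAll URLs too: a present
            // Authorization: Basic header is validated and the SecurityContext is
            // populated, so isAuthenticated() in @PreAuthorize can succeed.
            .httpBasic()
                .and()
            // SOAP clients send no CSRF token; exempt only the SOAP path and rely on
            // stateless Basic auth there instead of disabling CSRF globally.
            .csrf().ignoringAntMatchers("/ws/**")
                .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    // An AccessDeniedException thrown by @PreAuthorize is caught by MessageDispatcher,
    // not by ExceptionTranslationFilter, so the client would otherwise receive a generic
    // Server fault with HTTP 500. Map it to a Client fault, and hide every other
    // exception message behind a fixed default fault.
    @Bean
    public SoapFaultMappingExceptionResolver soapFaultResolver() {
        SoapFaultMappingExceptionResolver resolver = new SoapFaultMappingExceptionResolver();
        Properties mappings = new Properties();
        mappings.setProperty(AccessDeniedException.class.getName(), "CLIENT,Authentication required");
        resolver.setExceptionMappings(mappings);
        SoapFaultDefinition defaultFault = new SoapFaultDefinition();
        defaultFault.setFaultCode(SoapFaultDefinition.SERVER);
        defaultFault.setFaultStringOrReason("Internal error");
        resolver.setDefaultFault(defaultFault);
        resolver.setOrder(1);
        return resolver;
    }
}

// ---- AuthorEndpoint.java (hypothetical file, same package assumed) ----
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.ws.server.endpoint.annotation.Endpoint;
import org.springframework.ws.server.endpoint.annotation.PayloadRoot;
import org.springframework.ws.server.endpoint.annotation.RequestPayload;
import org.springframework.ws.server.endpoint.annotation.ResponsePayload;

@Endpoint
public class AuthorEndpoint {

    // Placeholder namespace; the request/response types are the JAXB classes
    // generated from the WSDL, as in the question.
    private static final String NAMESPACE_URI = "http://example.com/authors";

    private final AuthorService authorService; // placeholder service

    public AuthorEndpoint(AuthorService authorService) {
        this.authorService = authorService;
    }

    // Anonymous operation: reachable by anyone because /ws/** is permitAll.
    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "getAuthorRequest")
    @ResponsePayload
    public GetAuthorResponse getAuthor(@RequestPayload GetAuthorRequest request) {
        return authorService.getAuthor(request);
    }

    // Protected operation: enforced on the method itself, so it holds no matter
    // which servlet path the request came in on.
    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "createAuthorRequest")
    @ResponsePayload
    @PreAuthorize("isAuthenticated()")
    public CreateAuthorResponse createAuthor(@RequestPayload CreateAuthorRequest request) {
        return authorService.createAuthor(request);
    }
}
```

Two things to check when adopting this. First, declaring any `EndpointExceptionResolver` bean replaces Spring-WS's default resolver chain, so if you rely on `@SoapFault`-annotated exceptions, register a `SoapFaultAnnotationExceptionResolver` bean as well. Second, the protection now lives in `@PreAuthorize`, so a new operation added without the annotation is anonymous by default; if most operations should require a login, invert the defaults by annotating the endpoint class with `@PreAuthorize("isAuthenticated()")` and marking only the public methods with `@PreAuthorize("permitAll()")`.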