I'm working on a demo application using spring boot. so the idea is to create a soap webservice and add a basic http authentication to it. I followed some tutorials on the net but it doesn't help me to solve the issue.

at first i created a simple soap webservice and i tested it using soapui. it works perfectly. when i added the spring security to the classpath i succeeded to open the wsdl provided by my app (using my browser and the login form provided by spring by default). but it failed to consume the webservice using soapui even after adding the authencation headers.

here is my app config.

<dependencies>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web-services</artifactId>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
  </dependency>
</dependencies>

application.yml

spring:
  security:
    basic:
      enabled: true
    user:
      name: client
      password: password

WebServiceConfig.java

@EnableWs
@Configuration
public class WebServiceConfig extends WsConfigurerAdapter {

@Bean
public ServletRegistrationBean<Servlet> messageDispatcherServlet(ApplicationContext applicationContext) {
    MessageDispatcherServlet servlet = new MessageDispatcherServlet();
    servlet.setApplicationContext(applicationContext);
    return new ServletRegistrationBean<>(servlet, "/ws/library/*");
}

@Bean(name = "books")
public Wsdl11Definition defaultWsdl11Definition() {
    SimpleWsdl11Definition wsdl11Definition = new SimpleWsdl11Definition();
    wsdl11Definition.setWsdl(new ClassPathResource("/book.wsdl"));
    return wsdl11Definition;
}
}

BookEndpoint.java

@Endpoint
public class BookEndpoint {

@PayloadRoot(
        namespace = "http://www.cleverbuilder.com/BookService/",
        localPart = "GetBook")
@ResponsePayload
public GetBookResponse getBook(@RequestPayload GetBook book) {

    ObjectFactory factory = new ObjectFactory();
    GetBookResponse response = factory.createGetBookResponse();
    response.setID("A"+book.getID());
    return response;
}
}

the request generated by soapui is as follows:

POST http://localhost:8080/ws/library/BookService HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://www.cleverbuilder.com/BookService/GetBook"
Authorization: Basic Y2xpZW50OnBhc3N3b3Jk
Content-Length: 280
Host: localhost:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Cookie: JSESSIONID=77EF4FFB2B5A52EC21A47C230624B6DE
Cookie2: $Version=1

<soapenv:Envelope     xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"     xmlns:book="http://www.cleverbuilder.com/BookService/">
<soapenv:Header/>
<soapenv:Body>
  <book:GetBook>
     <ID>85</ID>
  </book:GetBook>
</soapenv:Body>
</soapenv:Envelope>

and the server response :

HTTP/1.1 401 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
WWW-Authenticate: Basic realm="Realm"
Content-Length: 0
Date: Mon, 22 Apr 2019 09:08:43 GMT

and the logged error is :

Voter: org.sp[email protected]77114100, returned: -1
ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.1.5.RELEASE.jar:5.1.5.RELEASE]

can anyone help me please ?

1 Answers

0
Amdouni Mohamed Ali On Best Solutions

The problem was the crsf protection. I was able to resolve the problem by disabling it. Here's my the config that i added.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {


        http
            .csrf()
            .disable();
    }
}