Spring Security with SOAP web service is working in Tomcat, but not in WebLogic

I have created a sample SOAP web service project (Spring Boot) and am trying to integrate Okta as a resource server for authentication.

I am able to deploy the application to WebLogic, but when testing the service using SOAP UI, it gives the response even when there is no token included in the header.

When I access the WSDL from a browser using my WSDL URL, http://myhost:port/appservice/app.wsdl, I see the 401 error, so I think it is picking up the security config changes. But it is not working for SOAP requests; I get a response even without an Okta token.

Is it because, for SOAP requests, I need to include interceptors on top of the security config Java file? Or am I taking the wrong path for security with SOAP? Can someone let me know what I am missing or point me in the right direction? Is token validation part of WS-Security, or is the authentication manager in the Okta resource server enough for this?

I followed this documentation to create it.

I have read most of the SO questions related to this and the Spring documentation, but could not connect the missing dots. Please help me with this. After spending a lot of time, I felt like I was moving in circles.

UPDATE: I have enabled Spring Security debug logs by doing the below:

  1. @EnableWebSecurity(debug=true)
  2. logging.level.org.springframework.security.web.FilterChainProxy=DEBUG

UPDATE2: I haven't made any big changes to my configuration, but when I ran the project on embedded Tomcat locally, it started working. To run on Tomcat, I changed packaging from war to jar, excluded Tomcat in my POM and, in my Main class, I had to remove the SpringBootServletInitializer and WebApplicationInitializer. That's it. I tested with SOAP UI using the Okta bearer token and it gave me a response. Without the token it did not give me a response.

Spring Security is not working only in the case of WebLogic 12c. I don't know what I am missing for it to work in WebLogic. When deployed through Tomcat, the request is passed through all the beans in the Security Filter Chain { WebAsyncManagerIntegrationFilter, SecurityContextPersistenceFilter, HeaderWriterFilter, CsrfFilter, LogoutFilter, BearerTokenAuthenticationFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, FilterSecurityInterceptor }

But on WebLogic, the request is passed only through the first four beans in the Security Filter Chain { WebAsyncManagerIntegrationFilter, SecurityContextPersistenceFilter, HeaderWriterFilter, CsrfFilter }

Hendrickson answered 10/6, 2022 at 18:58 Comment(6)
Please learn to debug your Spring application. Enable Spring Security debug logs and post the logs IN FULL here, as it will explain exactly why it allows the request. - Eleen

@Toerktumlare, thanks for your suggestion. I just started working on the WebLogic environment; I will try to implement debug logs and get back with the logs. - Hendrickson

@Toerktumlare, I have added logs. But I can't figure out what's letting the SOAP request through without a token. Do I need to use something else for logs? I am thinking it might be because payloadroot and localpart are used in the endpoint class and my configuration is not picking up that request. - Hendrickson

The logs you have posted are not Spring Security logs, they are WebLogic logs. - Eleen

@Toerktumlare, sorry for my ignorance, but the logs looked similar in the case of Tomcat too. I updated the question; can you please advise me? I will try to implement better logs and get back to you on that. - Hendrickson

A simple Google search: #30855752 - Eleen

I just wanted to update with the alternate solution I found for this problem, for completeness. The Spring Security filter chain was not working on WebLogic, whereas the same was working in Tomcat, even for WebLogic version 12.2.1.4.

I had followed this example and implemented an Okta filter, as the Spring Boot version was not working in WebLogic 12.2.1.4.

Thanks to @Toerktumlare, I have implemented logging with logback-spring.xml.

Hendrickson answered 19/7, 2022 at 22:23 Comment(0)
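
One way the hand-written Okta filter mentioned in the answer can look, as an added example that is not the poster's code: a plain servlet filter that verifies the bearer token with the Okta JWT Verifier library (com.okta.jwt:okta-jwt-verifier) and answers 401 otherwise. The class name and the issuer and audience values are assumptions, and the javax.servlet API is assumed because the target is WebLogic 12.2.1.4.

```java
import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.JwtVerifiers;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/** Rejects every request that lacks a valid Okta access token (hypothetical class name). */
public class OktaBearerTokenFilter implements Filter {
    private static final String PREFIX = "Bearer ";
    private final AccessTokenVerifier verifier;

    // issuer and audience are supplied by the caller; placeholder values would be
    // "https://{yourOktaDomain}/oauth2/default" and "api://default".
    public OktaBearerTokenFilter(String issuer, String audience) {
        this.verifier = JwtVerifiers.accessTokenVerifierBuilder()
                .setIssuer(issuer)
                .setAudience(audience)
                .build();
    }

    // Servlet 3.1 has no default init/destroy, so both are implemented explicitly.
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        // Fail closed: a missing header or a non-Bearer scheme never reaches the endpoint.
        if (header == null || !header.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing bearer token");
            return;
        }
        try {
            // decode() checks signature, issuer, audience and expiry; it throws on any failure.
            verifier.decode(header.substring(PREFIX.length()).trim());
        } catch (JwtVerificationException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid bearer token");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter has to be mapped to the URL pattern that serves the SOAP endpoint (for example through a FilterRegistrationBean or web.xml). After deployment, confirm that a SOAP POST without an Authorization header gets a 401, since that is the case that slipped through in the question.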
