http
         .csrf().disable()
         .authorizeRequests()
          .antMatchers("/ws/**").hasRole("USER")
         .and()
          .httpBasic().authenticationEntryPoint(authEntryPoint)
         .and()
          .sessionManagement()
          .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
         ;

>curl --silent --verbose -u tom:123 http://localhost:18080/ws/info/info.wsdl
* Connected to localhost (::1) port 18080 (#0)
* Server auth using Basic with user 'tom'
> POST /ws/info HTTP/1.1
> Host: localhost:18080
> Authorization: Basic dG9tOjEyMw==
> User-Agent: curl/7.55.1
> Accept: */*
> content-type: text/xml;charset=utf-8
> Content-Length: 310
> 
} [310 bytes data]
* upload completely sent off: 310 out of 310 bytes
< HTTP/1.1 403 
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Sun, 21 Jun 2020 20:18:53 GMT
< 
{ [115 bytes data]
* Connection #0 to host localhost left intact
{"timestamp":"2020-06-21T20:18:53.466+00:00","status":403,"error":"Forbidden","message":"","path":"/ws/info"}

2020-06-21 23:18:53.465  INFO 19544 --- [io-18080-exec-4] r.r.ws.WebAuthenticationEntryPoint       : Authentication succeeded for tom, granted USER role

.antMatchers("/ws/**").hasRole("USER")

.anyRequest().authenticated()

@Component
public class WebAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {
  private static final Logger log = LoggerFactory.getLogger(WebAuthenticationEntryPoint.class);

  public WebAuthenticationEntryPoint() {
    log.info("Constructed");
  }
  
  @Override
  public void commence(HttpServletRequest request, HttpServletResponse response,
      AuthenticationException authException) throws IOException {
    super.commence(request, response, authException);
  }
  @Override
  public void afterPropertiesSet() {
        setRealmName("mydomain");
        super.afterPropertiesSet();
  }
}

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

  private static final Logger log = LoggerFactory.getLogger(WebAuthenticationEntryPoint.class);
  private static List<User> users = new ArrayList();

  public CustomAuthenticationProvider() {
    log.info("Constructed");
    users.add(new User("tom", "123", "USER"));
  }

  @Override
  public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    String name = authentication.getName();
    Object credentials = authentication.getCredentials();
    if (!(credentials instanceof String)) {
      // Возращаем null, если мы не можем выполнить аутентификация
      return null;
    }
    String password = credentials.toString();
    Optional<User> userOptional = users.stream().filter(u -> u.match(name, password)).findFirst();
    if (!userOptional.isPresent()) {
      log.error("Authentication failed for {}", name);
      throw new BadCredentialsException("Authentication failed for " + name);
    }
    String role = userOptional.get().role;
    log.info("Authentication succeeded for {}, granted {} role", name, role);
    return new UsernamePasswordAuthenticationToken(name, password,
        Arrays.asList(new SimpleGrantedAuthority(role)));
  }

  @Override
  public boolean supports(Class<?> authentication) {
    log.info("supports(Class<?> authentication)");
    return authentication.equals(UsernamePasswordAuthenticationToken.class);
  }

  private static class User {
    private String name;
    private String password;
    private String role;

    public User(String name, String password, String role) {
      this.name = name;
      this.password = password;
      this.role = role;
    }

    public boolean match(String name, String password) {
      return this.name.equals(name) && this.password.equals(password);
    }
  }
}