Chrisma Andhika

Reputation: 341

Spring Security Basic Authentication only happens once

I have recently been using Spring Security basic authentication for my REST services.

Below is the security xml configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http pattern="/rest/**" create-session="never" use-expressions="true">
        <security:http-basic />
        <security:intercept-url pattern="/rest/auth/**" access="isAuthenticated()"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:user-service>
                <security:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
        <security:authentication-provider user-service-ref="userDetailsService">
            <security:password-encoder hash="sha-256" />
        </security:authentication-provider>
    </security:authentication-manager>

    <security:global-method-security jsr250-annotations="enabled" pre-post-annotations="enabled"/>
</beans>

Spring framework and Spring Security that I use:

<springframework.version>4.1.0.RELEASE</springframework.version>
<spring.security.version>3.2.5.RELEASE</spring.security.version>

I map my REST services to URLs prefixed with "rest/", and when I access a URL for the first time, the browser prompts for the username and password of basic authentication. I fill in the right credentials and my controller is accessed successfully.

However, if I try to access the same URL with the browser again, it does not prompt me for the username and password again and directly accesses the URL.

I expect the browser to always prompt me for basic authentication because I set the create-session attribute to never.

So, am I missing something?

Upvotes: 3

Views: 3246
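To make the mechanics behind this question concrete, here is an added Python model (not code from the question and not Spring Security's own implementation) of what a stateless HTTP Basic endpoint and a browser do. The server side mirrors what a basic-auth filter does when no session is consulted: each request is authenticated only from its own Authorization header, a missing or malformed header gets a 401 challenge, and nothing is remembered between requests. The client side models the browser credential cache, which is what makes the prompt appear only once. The realm string and the function names are constructed for the example; the admin/admin user comes from the XML configuration above.

```python
"""Added model of HTTP Basic authentication between a browser and a stateless
server. Not the question's code and not Spring Security's code."""
import base64
import binascii
import hmac

REALM = "Spring Security Application"   # constructed realm name for the challenge
USERS = {"admin": "admin"}               # the user from the question's XML config


def parse_basic_credentials(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None
    when the header is absent, uses another scheme, is not valid base64, or
    lacks the ':' separator that RFC 7617 requires."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def handle_request(headers):
    """Stateless server: authenticate from this request's headers only.

    Returns (status, response_headers). No session is created or read, which
    is the guarantee create-session="stateless" gives; every request must
    carry its own credentials."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is not None:
        user, password = creds
        expected = USERS.get(user)
        # Constant-time comparison: an unknown user and a wrong password
        # should not be distinguishable by response time.
        if expected is not None and hmac.compare_digest(
            password.encode(), expected.encode()
        ):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


class Browser:
    """Minimal model of a browser's credential cache for one protection space."""

    def __init__(self):
        self.cached = None   # Authorization header value remembered after a prompt
        self.prompts = 0     # how many times the user was asked for credentials

    def get(self, answer_prompt):
        # Browsers resend cached credentials preemptively, so after the first
        # successful login the server never sees a request without the header.
        headers = {"Authorization": self.cached} if self.cached else {}
        status, resp = handle_request(headers)
        if status != 401:
            return status
        # Challenge received: prompt once, cache what the user typed, retry.
        self.prompts += 1
        user, password = answer_prompt()
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.cached = f"Basic {token}"
        status, _ = handle_request({"Authorization": self.cached})
        return status


def simulate(credentials=("admin", "admin"), requests=3):
    """Issue several requests from one browser; return (statuses, prompt_count)."""
    browser = Browser()
    statuses = [browser.get(lambda: credentials) for _ in range(requests)]
    return statuses, browser.prompts


if __name__ == "__main__":
    print(simulate())                      # three 200s, but only one prompt
    print(simulate(("admin", "wrong")))    # 401 every time, prompt every time
```

Running `simulate()` shows the behaviour in the question: three requests succeed but the user is prompted once, even though the server kept no state at all. The prompt is a client-side event, so a server setting such as create-session cannot force it to reappear; a client without a credential cache (a fresh private window, or a command-line HTTP client) is what exercises the 401 path again.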

Answers (2)

Jabir

Reputation: 2866

From the javadoc for create-session, I think your application is creating a session and that session is being used.

Attribute: create-session. Controls the eagerness with which an HTTP session is created by Spring Security classes. If not set, defaults to "ifRequired". If "stateless" is used, this implies that the application guarantees that it will not create a session. This differs from the use of "never", which means that Spring Security will not create a session, but will make use of one if the application does.

Data Type: string. Enumerated Values: ifRequired, always, never, stateless.

You should try using "stateless" instead of "never".

Upvotes: -1

luboskrnac

Reputation: 24561

The browser caches credentials. Sometimes clearing the cache doesn't help. The only reliable way to fake it is to use Chrome's incognito window (Ctrl+N). But you get one prompt per incognito window, so you need a new incognito window when you want to enter them again.

This is the only way I found to test basic authentication manually.

Upvotes: 2
