Farhan

Reputation: 431

Spring Boot - spring security authorization issues

I have secured my spring boot application with basic authentication. Below is my spring security configuration.

package com.exxonmobil.asr.backoffice.configuration;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String SPRING_SECURITY_PASSWORD = "spring.security.password";
    private static final String SPRING_SECURITY_USERNAME = "spring.security.username";
    @Autowired
    private AuthenticationEntryPoint authEntryPoint;

    @Autowired
    private Environment env;

    @Bean
    public PasswordEncoder bcryptPasswordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser(env.getProperty(SPRING_SECURITY_USERNAME))
                .password(bcryptPasswordEncoder().encode(env.getProperty(SPRING_SECURITY_PASSWORD))).roles("USER");
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests().antMatchers("/**").hasAnyRole("USER").anyRequest().authenticated()
                .and()
                .httpBasic().authenticationEntryPoint(authEntryPoint);
    }

}

I face issues when I try to access the application's REST URLs through Postman. When I do not give any authorization, or give wrong credentials, in Postman I am not able to access the resource and get an "Invalid credentials" error message. However, the problem is that when I first successfully access the resource using correct credentials and then change the credentials to invalid ones and try to access the resource again, I am still able to access it.

Is there any way I could prevent this?

Thanks in advance.

Regards, Farhan

Upvotes: 0

Views: 133

Answers (1)

Simon Martinelli

Reputation: 36103

Spring Security creates a session and sends back a cookie that Postman keeps and then you are logged in until this session becomes invalid.

You can disable the session with:

// requires: import org.springframework.security.config.http.SessionCreationPolicy;
http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

in the configure method of SpringSecurityConfiguration.

But keep in mind that you disable the whole session management. It may be fine if you only have a REST API but if you also have other web components you may need the HTTP session.

Upvotes: 2
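The complete configuration with the stateless policy applied, as an added example that is not part of the question or the answer above. It uses the same WebSecurityConfigurerAdapter API and the same property names (spring.security.username, spring.security.password) as the asker's class; the package name, class name, realm name and the BasicAuthenticationEntryPoint bean are assumptions, since the asker's authEntryPoint bean is not shown on the page.

```java
package com.example.backoffice.security; // assumed package, not the asker's

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class StatelessBasicAuthConfiguration extends WebSecurityConfigurerAdapter {

    private static final String SPRING_SECURITY_USERNAME = "spring.security.username";
    private static final String SPRING_SECURITY_PASSWORD = "spring.security.password";

    private final Environment env;

    // Constructor injection instead of field @Autowired; behaviour is the same.
    public StatelessBasicAuthConfiguration(Environment env) {
        this.env = env;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Assumed replacement for the asker's unseen authEntryPoint bean: the stock
    // entry point that answers 401 with a WWW-Authenticate: Basic challenge.
    @Bean
    public AuthenticationEntryPoint basicAuthEntryPoint() {
        BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("backoffice"); // constructed realm name
        return entryPoint;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Fail fast at startup if the properties are missing instead of
        // registering a user with a null name or password.
        auth.inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                .withUser(env.getRequiredProperty(SPRING_SECURITY_USERNAME))
                .password(passwordEncoder().encode(env.getRequiredProperty(SPRING_SECURITY_PASSWORD)))
                .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is session-based; with no session it has nothing to protect.
            .csrf().disable()
            // STATELESS: the SecurityContext is never stored in an HttpSession, so no
            // JSESSIONID cookie is issued and every request must carry its own
            // Authorization header, which is re-checked against the password encoder.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .anyRequest().hasRole("USER")
                .and()
            .httpBasic()
                .authenticationEntryPoint(basicAuthEntryPoint());
    }
}
```

With this configuration a second Postman request that carries wrong credentials gets a 401 regardless of what the first request did, because there is no server-side session for the client to reuse. A quick way to confirm the original behaviour before the change is to look for a `Set-Cookie: JSESSIONID=...` header on the first successful response in Postman; after the change that header no longer appears.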
