Spring Security that needs username and password on every request

Question

What I wanted to do is build a Rest backend application that needs the Authorization header on every request, validate and return the data or 401 Unauthorized if the user or password is wrong.

I have Spring Security in my classpath with this simple configuration:

@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .passwordEncoder(NoOpPasswordEncoder.getInstance())
                .withUser("user")
                .password("pass")
                .roles("USER");
    }
}

But one thing is not working correctly: when I make a request with valid username and password with Postman, the server responds the data correctly, but if I change the password to a wrong password and keep the correct username, the server stills responds with the data and OK status, as if it is using a JSESSIONID Cookie to check the further requests.

Is that a way of using spring security only for checking the header Authorization (with no cookies, sessions nor saving user informations or login and logout pages), or is better to just use Filters for doing that instead?

Thank you for any help !

Answer 1

Just add the following to your configuration:

 @Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
}

This will configure spring security to never create a cookie, every request must reauthenticate.