Disable browser authentication dialog in spring security

I am using Spring Security 4; for some reason, after I finish authentication with my login page, I get a browser authentication dialog which forces me to authenticate again.

This is my security configuration:

    http.antMatcher("/test")
            // httpBasic() installs BasicAuthenticationEntryPoint by default
            .httpBasic()
            .and()
            .authorizeRequests()
            // static resources and the login endpoints are public
            .antMatchers("/index.html", "/login.html", "/", "/scripts/**",
                    "/bower_components/**", "/styles/**", "/views/**",
                    "/login", "/api/user/*").permitAll().anyRequest()
            .authenticated().and().logout().logoutUrl("/api/logout").and()
            // CSRF token is exposed to the JavaScript client via a cookie/header filter
            .csrf().csrfTokenRepository(csrfTokenRepository()).and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
asked Jul 15 '15 by user2095956

2 Answers

The authentication popup is caused by the response header WWW-Authenticate: Basic, which is set by BasicAuthenticationEntryPoint.

Use a custom AuthenticationEntryPoint that doesn't set WWW-Authenticate: Basic:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.AuthenticationEntryPoint;

    // Answers 401 without a WWW-Authenticate header, so the browser shows no login dialog
    public class NoPopupBasicAuthenticationEntryPoint implements AuthenticationEntryPoint {

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) throws IOException, ServletException {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
        }
    }

Add the custom authentication entry point to the security configuration (order is important):

    http
        .httpBasic()
            // must follow httpBasic(): replaces the default BasicAuthenticationEntryPoint
            .authenticationEntryPoint(new NoPopupBasicAuthenticationEntryPoint())
answered Sep 22 '22 by Markus Pscheidt

In WebFlux it's not enough to just disable httpBasic. There is an ExceptionTranslationWebFilter that uses HttpBasicServerAuthenticationEntryPoint by default, causing such behavior. To disable it you should install another ServerAuthenticationEntryPoint, for example:

    http.exceptionHandling()
        // replaces the default HttpBasicServerAuthenticationEntryPoint
        .authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.FORBIDDEN));
answered Sep 19 '22 by Vlad Kudoyar