My WebSecurity config is like below:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request needs an authenticated user; credentials come via HTTP Basic.
        http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        // Single in-memory user for testing.
        builder.inMemoryAuthentication().withUser("hellouser")
                .password("hellopass").roles("USER");
    }
}
When I give a wrong username, authentication fails as expected. But once I succeed in authentication, all other requests after that with a wrong password but the correct username get authenticated successfully...
Is it getting cached somewhere?
Can I disable this feature?
Isn't it supposed to give an authentication failure with a wrong password?
NOTE: I am learning spring-security. I don't have any HTML pages in this app and am testing from Postman.
Use http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
in the configure method.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // HTTP Basic authentication
        .httpBasic()
        .and()
        ....
        .csrf().disable()
        .formLogin().disable();
    // to check password in each request
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
I was able to access the URL from the configuration below using basic auth from Postman even with wrong credentials. This was happening because once you provide the right credentials, they get stored in the session, and even if you repeat the same request, the same session will be used to access the URL.
http.httpBasic()
    .and()
    .authorizeRequests()
        .antMatchers("/secure/admin/**").hasRole("ADMIN")
        .antMatchers("/api/**", "/secure/getUserByName/**").hasAnyRole("USER", "ADMIN")
        .anyRequest().fullyAuthenticated();
Solution:
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
Just add the above code. This configuration assures that only a single instance of a user is authenticated at a time, and if the same user tries to access the URL, their previous session is terminated and the user has to provide login credentials again, for which a new session is created.
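Both answers point at the same mechanism. With the default session policy, a successful HTTP Basic authentication stores the SecurityContext in the HttpSession and the response carries a JSESSIONID cookie; Postman sends that cookie back automatically, so later requests are authenticated from the session and the Authorization header is never re-verified. SessionCreationPolicy.STATELESS stops Spring Security from creating or reading that session, so the header is checked against the user store on every request. The following is a complete configuration written for this page as an added example (not code from either answer or the question); the class name is mine, the user and password are the question's, and the PasswordEncoder is included because Spring Security 5 requires one (on Spring Security 4 the plain password in the question works as-is).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class name for this example.
@EnableWebSecurity
@Configuration
public class StatelessBasicAuthConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request must carry valid credentials.
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Clients send "Authorization: Basic base64(user:password)".
            .httpBasic()
                .and()
            // STATELESS: no HttpSession is created and none is consulted, so no
            // JSESSIONID is issued and the Authorization header is verified on
            // every request. A wrong password after a correct one now yields 401.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Same in-memory user as the question, stored as an encoded hash.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("hellouser")
            .password(passwordEncoder().encode("hellopass"))
            .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Delegating encoder: bcrypt by default, hashes prefixed with "{bcrypt}".
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

To confirm the change, compare the first successful response before and after: with the default policy it includes a Set-Cookie header for JSESSIONID, with STATELESS it does not, and repeating the request with the correct username and a wrong password returns 401 instead of 200. The answers above also disable CSRF for a Postman-only API; note that browsers cache and automatically resend Basic credentials, so for browser clients CSRF protection is still relevant even when no session cookie exists.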