I am using spring boot with basic auth (spring security). I am doing some testing, and it seems that if I send a single request to my REST endpoint with the correct username and password for basic auth (via postman), then I remove the username and password or set it to an incorrect one, all my requests are still authenticated?
I would like for spring security to do a check on every single request and if the auth headers are missing or changed, it should return HTTP 401. Can someone please help on why this is happening? Is there some sort of caching going on? I'm using inMemoryAuthentication(). I have also disabled CSRF.
I think I found the solution. You have to set the sessions to be stateless. Like this:
import org.springframework.security.config.http.SessionCreationPolicy;

http
    // Never create or reuse an HttpSession for the SecurityContext,
    // so every request must carry its own Authorization header
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
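The behaviour in the question is session persistence, not a bug in basic auth: after the first successful HTTP Basic login, Spring Security stores the authenticated SecurityContext in the HttpSession and sends a JSESSIONID cookie, which Postman stores and automatically resends, so later requests are authenticated from the session and the Authorization header is never re-checked. Setting the session policy to STATELESS stops both the creation and the reading of that session. Below is a full configuration showing where the setting belongs; it is an added example, not code from the question or the answer. It assumes the component-based Spring Security API (5.7+/6.x, a SecurityFilterChain bean instead of the older WebSecurityConfigurerAdapter that inMemoryAuthentication() belongs to), and the class name, user name, password and role are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name for this example.
@Configuration
@EnableWebSecurity
public class StatelessBasicAuthConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF protection disabled as in the question (acceptable only for
            // a pure token/credential-per-request API with no cookie-based auth)
            .csrf(csrf -> csrf.disable())
            // STATELESS: no HttpSession is created or consulted for the
            // SecurityContext, so a missing or wrong Authorization header on
            // any request yields 401 instead of riding on an earlier login
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Every endpoint requires an authenticated caller
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // HTTP Basic with default entry point (sends WWW-Authenticate + 401)
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Store only a hash of the in-memory password, never the plaintext
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Placeholder credentials for the example; replace with real
        // user provisioning in any deployed application
        UserDetails user = User.withUsername("api-user")
            .password(encoder.encode("change-me"))
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }
}
```

To confirm the fix without Postman's cookie jar interfering, send two requests with curl: the first with `-u api-user:change-me -i` should return 200 and no `Set-Cookie: JSESSIONID` header; the second to the same URL with no `-u` (curl keeps no cookies between invocations) should return 401 with a `WWW-Authenticate: Basic` header. If the first response still sets JSESSIONID, some other part of the application (for example a controller calling `request.getSession()`) is creating the session outside Spring Security's control.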