Spring Security caching my authentication

I've just added Spring Security in my Spring Boot project classpath. I did no Java Configuration or XML configuration.

The problem is that when I send a request to my resource localhost:8080/users, my first request gets authenticated (via Basic Authentication) normally, but the subsequent requests do not need any authentication header. Even if I restart my server, the requests are still being authenticated without entering any credentials.

I would like to turn this "cache" off.

I tried with lots of clients: Postman, SOAP-UI, browsers. Already read this, but it didn't work.

Matheus Cirillo asked Jun 13 '18 16:06



2 Answers

You have to set session creation policy to STATELESS. Otherwise Spring Security will use cookies.

(You can delete cookies in Postman in the cookies menu below the send button.)

Example configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // STATELESS: no HttpSession is created or consulted, so no JSESSIONID cookie
        // is issued and a replayed cookie cannot carry an earlier authentication.
        http.sessionManagement().sessionCreationPolicy(
                   SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic(); // credentials must therefore be sent on every request
    }

    ...

}
Matt Ke answered Nov 07 '22 13:11
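
The same stateless Basic-auth setup expressed as a SecurityFilterChain bean, the component-based style that replaced WebSecurityConfigurerAdapter from Spring Security 5.7 onwards. This is an added example, not code from the answer above; the class name StatelessBasicAuthConfig is assumed.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Assumed class name; any @Configuration class in the component scan works.
@Configuration
@EnableWebSecurity
public class StatelessBasicAuthConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // With the default policy (IF_REQUIRED) a successful Basic-auth request
            // stores the SecurityContext in an HttpSession and hands the client a
            // JSESSIONID cookie; every later request that replays the cookie is
            // treated as authenticated. STATELESS stops both the store and the lookup.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Every endpoint requires an authenticated principal.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Basic authentication: the Authorization header is checked on each request.
            .httpBasic(Customizer.withDefaults());
        // CSRF protection is left at its default (enabled); disable it only for a
        // pure API that browsers never call with an ambient session.
        return http.build();
    }
}
```

To check the effect, send one request with credentials and save the cookie jar (curl -u user:pass -c jar.txt http://localhost:8080/users), then replay the jar without credentials (curl -b jar.txt http://localhost:8080/users); with STATELESS the second call gets 401, with the default policy it succeeds.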


I had this issue with my out-of-the-box Spring Actuator.

I had to add .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); to my ActuatorSecurityConfig class.

package com.foo;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.context.ShutdownEndpoint;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Matchers are evaluated in declaration order: the first match wins,
        // so the most specific rules (shutdown endpoint) come first and the
        // catch-all "/**" rule comes last.
        http
                .csrf().disable()
                .authorizeRequests()
                .requestMatchers(EndpointRequest.to(ShutdownEndpoint.class))
                .denyAll()                                // nobody may hit /actuator/shutdown over HTTP
                .requestMatchers(EndpointRequest.toAnyEndpoint())
                .hasRole("ACTUATOR_ADMIN")                // remaining actuator endpoints need the admin role
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
                .permitAll()
                .antMatchers("/foo/**")
                .permitAll()
                .antMatchers("/**")
                .authenticated()
                .and()
                .httpBasic()
                .and()
                // No HttpSession: credentials are required on every request, so a
                // JSESSIONID left over from an earlier call no longer authenticates.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    }
}
javaPlease42 answered Nov 07 '22 15:11