I've just added Spring Security in my Spring Boot project classpath. I did no Java Configuration or XML configuration.
The problem is that when I send a request to my resource localhost:8080/users, my first request gets authenticated (via Basic Authentication) normally, but the subsequent requests do not need any authentication header. Even if I restart my server, the requests are still being authenticated without entering any credentials.
I would like to turn this "cache" off.
I tried with lots of clients: Postman, SOAP-UI, browsers. Already read this, but it didn't work.
The Spring Security Architecture
There are multiple filters in Spring Security, one of which is the Authentication Filter, which initiates the process of authentication. Once the request passes through the authentication filter, the credentials of the user are stored in the Authentication object.
From Spring Boot 2.7, WebSecurityConfigurerAdapter is deprecated.
You have to set the session creation policy to STATELESS. Otherwise Spring Security will use cookies.
(You can delete cookies in Postman in the cookies menu below the send button.)
Example configuration:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(
                // no HttpSession is created, so no JSESSIONID cookie carries the login over to later requests
                SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
    ...
}
I had this issue with my out-of-the-box Spring Actuator.
I had to add: .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
to my ActuatorSecurityConfig class.
package com.foo;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.context.ShutdownEndpoint;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                // the shutdown endpoint is never reachable over HTTP
                .requestMatchers(EndpointRequest.to(ShutdownEndpoint.class))
                    .denyAll()
                // every other actuator endpoint requires the ACTUATOR_ADMIN role
                .requestMatchers(EndpointRequest.toAnyEndpoint())
                    .hasRole("ACTUATOR_ADMIN")
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
                    .permitAll()
                .antMatchers("/foo/**")
                    .permitAll()
                .antMatchers("/**")
                    .authenticated()
            .and()
            .httpBasic()
            .and()
            // no HttpSession, so credentials must be sent on every request
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
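Both answers above fix the problem by setting the session creation policy to STATELESS, but both do it through WebSecurityConfigurerAdapter, which the first answer notes is deprecated from Spring Boot 2.7. The following is an added example, not code from either answer, showing the same Basic-authentication-without-session setup as a SecurityFilterChain bean using the lambda DSL available in Spring Security 5.7 and later. The package name and class name are assumptions; the Spring API calls are the standard ones.

```java
package com.example.security; // assumed package name, not from the page

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Hypothetical replacement for the WebSecurityConfigurerAdapter-based config:
 * same behaviour (every request needs HTTP Basic credentials), no deprecated API.
 */
@Configuration
@EnableWebSecurity
public class StatelessBasicAuthConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // STATELESS: Spring Security never creates an HttpSession and never stores
            // the SecurityContext in one, so no JSESSIONID cookie is issued and a second
            // request without an Authorization header is rejected with 401 instead of
            // being served from the "remembered" login the question describes.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // every URL requires an authenticated caller
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated())
            // credentials are taken from the Authorization: Basic header on each request
            .httpBasic(Customizer.withDefaults());
        // CSRF defaults are left untouched here; the actuator answer above disables them explicitly.
        return http.build();
    }
}
```

To confirm the change took effect, send one request with credentials (for example with curl using -i -u user:password against localhost:8080/users) and check that the response carries no Set-Cookie header; then repeat the request without credentials and expect a 401 rather than the resource.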