7
votes

My WebSecurity config is like below:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request must be authenticated and HTTP Basic is the only mechanism.
        // Session management is left at its default, so a successful login is
        // stored in the HTTP session and reused on later requests.
        http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        // Single in-memory user. A plain-text password works in Spring Security 4;
        // Spring Security 5 requires a PasswordEncoder or a "{noop}" prefix.
        builder.inMemoryAuthentication().withUser("hellouser")
                .password("hellopass").roles("USER");
    }
}

When I give a wrong username, authentication fails as expected. But if I succeed in authentication once, all other requests after that with a wrong password but the correct username get authenticated successfully.

Is it getting cached somewhere?

Can I disable this feature?

Isn't it supposed to give an authentication failure with a wrong password?

NOTE: I am learning spring-security. I don't have any HTML pages in this app and am testing from Postman.

2
That is how basic authentication works. As soon as you have logged in successfully, the valid credentials will always be posted. - M. Deinum
@M.Deinum: So what type of authentication do I need to achieve what I desire? - Rajkishan Swami
Use form based authentication. - M. Deinum

2 Answers

6
votes

Use http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); in the configure method.

2
votes

I was able to access the URL from the below configuration using basic auth from Postman even with wrong credentials, which was happening because once you provide the right credentials they get stored in the session, and even if you repeat the same request the same session will be used to access the URL.

http.httpBasic()
    .and()
    .authorizeRequests()
        .antMatchers("/secure/admin/**").hasRole("ADMIN")
        .antMatchers("/api/**", "/secure/getUserByName/**").hasAnyRole("USER", "ADMIN")
        .anyRequest().fullyAuthenticated();

Solution:

http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

Just add the above code. So this configuration assures that only a single instance of a user is authenticated at a time. And if the same user tries to access the URL, then its previous session is terminated and the user has to provide login credentials again, for which a new session is created.
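The STATELESS policy that both answers recommend, shown in one complete configuration that also explains why the question's setup behaves as it does. This is an added example, not code from the question or either answer. It assumes a Spring Boot 2.x application (Spring Security 5) with spring-boot-starter-security on the classpath, an API used only by non-browser clients (which is why CSRF protection is switched off), and a made-up class name, StatelessBasicAuthConfiguration. The comments describe the mechanism: BasicAuthenticationFilter skips the password check when the SecurityContext loaded from the session already holds an authenticated principal with the same username, which is exactly why a wrong username is rejected while a wrong password for the logged-in user is not.

```java
// Added example; not from the question or either answer. Assumes Spring Boot 2.x
// (Spring Security 5) with spring-boot-starter-security; class name is made up.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class StatelessBasicAuthConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Weak (the question's setup): the default session policy stores the
            // SecurityContext in the HTTP session after the first successful Basic
            // login. On later requests BasicAuthenticationFilter finds an
            // authenticated principal with the same username already in the context
            // and does not re-verify the password, so any client that echoes the
            // JSESSIONID cookie (Postman does by default) is accepted with a wrong
            // password until the session expires. A different username does not
            // match the stored principal, so it is re-authenticated and rejected.
            //
            // Fix (both answers): never create or read a session for authentication.
            // Every request must then carry a valid Authorization header, and the
            // password is checked against the encoder on every request.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Assumption: non-browser clients only. They hold no session cookie, so
            // the session-bound CSRF token has nothing to protect and would only
            // turn every POST from Postman into a 403.
            .csrf().disable()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        // Spring Security 5 rejects plain-text passwords; store a bcrypt hash.
        builder.inMemoryAuthentication()
            .withUser("hellouser")
            .password(passwordEncoder().encode("hellopass")) // demo credential only
            .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

To confirm the fix from Postman, send the same request twice, the second time with the wrong password: after this change the second request returns 401 even if Postman still presents an old JSESSIONID cookie, because with STATELESS no SecurityContext is read from the session and none is written to it.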