Issue
I created a very simple http basic security for a Springboot app, the app deploys and I put the user and password. The problem is that if I call again with a different password, the request still counts as correct, instead of rejecting it.But if I change the user, then the application rejects my request and waits for the correct username and password.
my code:
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
return http.build();
}
}
The result with good credentials: The json output is as expected
The result with bad credentials: The json output is still as if it was succesfull
The result with different user: The app behaves like expected
Solution
This is expected for httpBasic()
, see the BasicAuthenticationFilter
.
After the first request, you should have a JSESSIONID
cookie, which will be used to authenticate further requests. This behavior avoids doing the basic authentication flow every time a request comes in. The only reason to reauthenticate is if the HTTP Basic username
is different from the authenticated user's username.
Answered By - Marcus Hert da Coregio
Answer Checked By - Cary Denson (JavaFixing Admin)