Spring boot security passes bad credentials

Time:08-24

I created a very simple HTTP Basic security for a Spring Boot app. The app deploys and I put in the user and password. The problem is that if I call again with a different password, the request still counts as correct, instead of being rejected. But if I change the user, then the application rejects my request and waits for the correct username and password.

My code:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Every request must be authenticated; credentials arrive via HTTP Basic.
        // Session creation is left at its default, so a JSESSIONID is issued on the first success.
        http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
        return http.build();
    }
}

The result with good credentials: The json output is as expected

The result with bad credentials: The json output is still as if it was successful

The result with a different user: The app behaves as expected

CodePudding user response:

This is expected for httpBasic(); see BasicAuthenticationFilter.

After the first request, you should have a JSESSIONID cookie, which will be used to authenticate further requests. This behavior avoids doing the basic authentication flow every time a request comes in. The only reason to reauthenticate is if the HTTP Basic username is different from the authenticated user's username.
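The check a practitioner usually wants here is the opposite behaviour: credentials verified on every request, with no session to ride on. The configuration below is an added example, not code from the question or the answer above. It keeps the original filter chain but sets the session creation policy to STATELESS, so Spring Security never stores the SecurityContext in an HTTP session, no JSESSIONID is issued, and BasicAuthenticationFilter has to validate the Authorization header each time. It assumes Spring Security 5.7 or later (the lambda DSL and authorizeHttpRequests); the class name is my own.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Added example (assumed class name): HTTP Basic without session caching.
@Configuration
public class StatelessBasicSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF protection is only safe to drop because no session cookie
            // exists once the chain is stateless; a browser cannot ride an
            // ambient JSESSIONID to forge a request.
            .csrf(csrf -> csrf.disable())
            // Every endpoint requires an authenticated principal.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Credentials are read from the Authorization: Basic header.
            .httpBasic(Customizer.withDefaults())
            // STATELESS: the SecurityContext is never saved to an HttpSession,
            // so a request carrying a wrong password fails even if the client
            // also sends a cookie from an earlier successful login.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```

To reproduce the original symptom and confirm the fix, replay the cookie explicitly: call an endpoint with `curl -u user:correct -c jar.txt ...` to capture the JSESSIONID, then call again with `curl -u user:wrong -b jar.txt ...`. With the default session policy the second call still returns 200; with STATELESS no cookie is set in the first place and the second call returns 401.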
