1. 技术文章
  2. Spring Security caching my authentication

Spring Security caching my authentication

六眼飞鱼酱① 提交于 2020-05-27 04:58:10

问题


I've just added Spring Security in my Spring Boot project classpath. I did no Java Configuration or XML configuration.

The problem is that when I send a request to my resource localhost:8080/users, my first request gets authenticated (via Basic Authentication) normally, but the subsequent requests do not need any authentication header. Even if I restart my server, the requests are still being authenticated without entering any credentials.

I would like to turn this "cache" off.

I tried with lots of clients. Postman, SOAP-UI, browsers..Already read this, but didn't works


回答1:


You have to set session creation policy to STATELESS. Otherwise Spring security will use cookies.

(You can delete cookies in Postman in the cookies menu below the send button.)

Example configuration:

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(
                   SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    ...

}



回答2:


I had this issue with my out-of-the-box Spring Actuator.

I had to add: .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); to my ActuatorSecurityConfig Class.

package com.foo;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.context.ShutdownEndpoint;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeRequests()
                .requestMatchers(EndpointRequest.to(ShutdownEndpoint.class))
                .denyAll()
                .requestMatchers(EndpointRequest.toAnyEndpoint())
                .hasRole("ACTUATOR_ADMIN")
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
                .permitAll()
                .antMatchers("/foo/**")
                .permitAll()
                .antMatchers("/**")
                .authenticated()
                .and()
                .httpBasic()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    }
}


来源:https://stackoverflow.com/questions/50842258/spring-security-caching-my-authentication

标签
java
Spring
spring-security
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!