
I am trying to achieve the stateless authentication with Spring by following the document, http://static.springsource.org/spring-security/site/docs/3.1.x/reference/security-filter-chain.html#filter-chains-with-ns

So in my spring-security.xml, I have

<!-- Stateless RESTful service using Basic authentication -->  
<http pattern="/restful/**" create-session="stateless">  
  <intercept-url pattern='/**' access='ROLE_REMOTE' />  
  <http-basic />  
</http>

When I use a browser to test it, the first request is required to be authenticated, but the subsequent ones are not. From my understanding, I am supposed to see the user login prompt. Is there anything I am missing?

Grzegorz Rożniecki
Dino Tw

1 Answer


No. In the case of basic authentication, the browser remembers the credentials you entered and sends them with subsequent requests automatically.

In order to make sure that your configuration is really stateless you may try to issue some requests (with and without authentication) using command line tools (wget, curl).

axtavt
  • I tried to use curl to test the authentication function, `curl --user myname:mypswd http://localhost:8080/Spring-Http-Basic-Auth/restful/welcome` I had to provide username and password for each request even though I did not have create-session="stateless" in place. – Dino Tw Jul 11 '13 at 00:05
  • 3
    I think I found out how it works now. When create-session="stateless" is NOT used, I will be able to save the session in cookie with curl option --cookie-jar cookie.txt and then use the session saved in cookie with curl option --cookie cookies.txt to pass the authentication. But when create-session="stateless" is used, the session will not work and I will have to provide user name and password for each request. – Dino Tw Jul 11 '13 at 00:20
  • @DinoTw, not using create-session="stateless" is the way to create stateless configuration that actually stores authentication "session" info in browser cookies, but stateless on the server side, correct? – curious1 Nov 03 '13 at 15:29
  • 1
    @curious1, yes, the stateless is on the server side. You will have to use curl to verify the behavior. When the server is set to stateless, you will have to send the user name and password for each request. The server however will still generate session, but it will be invalid for the subsequent requests. – Dino Tw Nov 06 '13 at 01:51
  • @DinoTw, just wanted to double-check with you on the first part of my question. Not using create-session="stateless" creates a Spring security configuration that user info is stored browser cookies which are subsequently used (for authentication) in each visit to the website from the browser. Right? – curious1 Nov 06 '13 at 05:15
  • @curious1, I guess you are asking the browser behavior when session="stateless" is not set. If you test the HTTP basic authentication from a web browser (I use FireFox most time, you might want to try different browser), there is no difference session="stateless" is set or not. You can only see the effect by using curl. – Dino Tw Nov 06 '13 at 17:41