
I cannot understand one particular thing. I am using http-basic authentication on my server.

My code for that is:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            // registration endpoint is open; the rest of /user and /admin need a role
            .antMatchers("/user/save").permitAll()
            .antMatchers("/user/**").hasRole("USER")
            .antMatchers("/admin/**").hasRole("ADMIN")
        .and()
            // credentials arrive in the "Authorization: Basic ..." request header
            .httpBasic()
        .and()
            .logout()
            .permitAll()
        .and()
            // CSRF token is issued in a JavaScript-readable XSRF-TOKEN cookie
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}

And my request mapping for /user is:

import java.security.Principal;
import org.springframework.web.bind.annotation.GetMapping;
// the class-level request mapping supplies the /user path; the injected
// Principal is the authenticated user, or null if the request was anonymous
@GetMapping
public Principal user(Principal user) {
    return user;
}

When I query the endpoint /user with the username and password in the Postman app, I get the desired authenticated result.

However, when I update the headers with an intentional wrong password, I still get the authenticated result. I cannot understand why this is so.

Also, the POST request on the endpoint /logout fails with:

{
    "timestamp": "2018-07-30T07:42:48.172+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/logout"
}

I cannot understand. Any help is appreciated.

Debanik Dawn
  • Yes, that looks helpful but how can I configure it to check the password too? OR How can the logout functionality invalidate the session? The POST on the logout gives a `FORBIDDEN` response, and I don't get why. – Debanik Dawn Jul 30 '18 at 08:33
  • *how can I configure it to check the password too?* As mentioned in a comment in the other question, you could disable HTTP session. – dur Jul 30 '18 at 08:38
  • Okay I added a new question, it's here: https://stackoverflow.com/questions/51590877/logout-not-working-in-basic-auth-in-spring-security – Debanik Dawn Jul 30 '18 at 09:29
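Both symptoms in the question have the same root cause, and the comment above ("disable HTTP session") points at the fix. With `httpBasic()` and Spring Security's default session management, the first successful Basic request creates an `HttpSession`, stores the `SecurityContext` in it, and returns a `JSESSIONID` cookie, which Postman keeps and sends back automatically. On the next request `SecurityContextPersistenceFilter` restores the authenticated context from that session before `BasicAuthenticationFilter` runs, and `BasicAuthenticationFilter` skips re-authentication when the context already holds an authenticated principal with the same username, so the wrong password in the header is never checked. The 403 on `POST /logout` is separate from sessions: CSRF protection is enabled, `CsrfFilter` runs before `LogoutFilter`, and a POST that does not carry an `X-XSRF-TOKEN` header matching the `XSRF-TOKEN` cookie is rejected with 403 "Forbidden" before logout is attempted. The configuration below is an added example, not code from the original post: it keeps the same `WebSecurityConfigurerAdapter` API the question uses, makes the filter chain stateless so every request is authenticated from its own `Authorization` header, and keeps CSRF enabled. The class name and the trailing `anyRequest().authenticated()` rule (which the original did not have) are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example configuration (class name is an assumption, not from the question).
@Configuration
@EnableWebSecurity
public class StatelessBasicAuthConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // STATELESS: never create an HttpSession and never read a SecurityContext
            // from one. Nothing is cached between requests, so a request with a wrong
            // password is rejected with 401 even right after a successful request
            // from the same client, because BasicAuthenticationFilter has no existing
            // authentication to reuse and must verify the credentials every time.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/user/save").permitAll()
                .antMatchers("/user/**").hasRole("USER")
                .antMatchers("/admin/**").hasRole("ADMIN")
                // assumption: deny-by-default for any path not listed above
                .anyRequest().authenticated()
            .and()
            .httpBasic()
            .and()
            // CSRF stays on: browsers replay cached Basic credentials automatically,
            // so cross-site POSTs are still a risk for this API. The token is issued
            // in the XSRF-TOKEN cookie; a client sending a state-changing request
            // must copy its value into the X-XSRF-TOKEN header, otherwise CsrfFilter
            // answers 403 before the request reaches /logout or any controller.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this configuration there is no server-side session for `/logout` to invalidate; the default logout endpoint still exists, but for Basic authentication "logging out" means the client stops sending the `Authorization` header (and a browser has to drop its cached credentials). To confirm the diagnosis against the original configuration, look for `Set-Cookie: JSESSIONID=...` on the first successful response, then repeat the wrong-password request with cookies cleared: it will be refused. The same applies to the CSRF case: a `POST /logout` that carries `X-XSRF-TOKEN` equal to the `XSRF-TOKEN` cookie value passes `CsrfFilter`.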

0 Answers