Spring Security验证成功，密码错误 [英] Spring Security Authentication Success With Wrong Password

问题描述

我的WebSecurity Config如下所示；

My WebSecurity Config is like below;

@EnableWebSecurity
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder builder) throws Exception {
        builder.inMemoryAuthentication().withUser("hellouser")
                .password("hellopass").roles("USER");
    }
}

当我输入错误的用户名时，身份验证失败.但是，如果我一次通过身份验证成功，此后所有其他请求都将使用错误的密码但正确的用户名成功进行身份验证....

When i give wrong username, Authentication fails as expected. But, if i get success in authentication once, all other requests after that with wrong password but correct username gets authenticated successfully....

它被缓存在某个地方了吗?

Is it getting cached somewhere?

我可以禁用此功能吗?

不是应该使用错误的密码给出身份验证失败吗?

Isn't it suppose to give authentication failure with wrong password?

注意:我正在学习弹簧安全性.我没有此应用程序中的任何html页面，也没有PostMan进行的测试.

NOTE: I am learning spring-security. I dont have any html pages in this app and testing from PostMan.

推荐答案

使用http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);在配置方法中.

use http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); inthe configure method.

这篇关于Spring Security验证成功，密码错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！