Spring安全缓存基本身份验证?不验证后续请求 [英] Spring security caching basic auth? Not verifying subsequent requests

问题描述

我正在使用具有基本身份验证(弹簧安全性)的 Spring Boot.我正在做一些测试，似乎如果我使用正确的用户名和密码(通过邮递员)向我的 REST 端点发送单个请求，然后我删除用户名和密码或将其设置为不正确的用户名和密码，我的所有请求仍然经过身份验证?

I am using spring boot with basic auth (spring security). I am doing some testing, and it seems that if I send a single request to my REST endpoint with the correct username and password for basic auth (via postman), then I remove the the username and password or set it to an incorrect one, all my requests are still authenticated?

我希望 Spring Security 对每个请求进行检查，如果 auth 标头丢失或更改，它应该返回 HTTP 401.有人可以帮忙解释为什么会发生这种情况吗?是否有某种缓存正在进行?我正在使用 inMemoryAuthentication().我也禁用了 CSRF.

I would like for spring security to do a check on every single request and if the auth headers are missing or changed, it should return HTTP 401. Can someone please help on why this is happening? Is there some sort of caching going on? I'm using inMemoryAuthentication(). I have also disabled CSRF.

推荐答案

我想我找到了解决方案.您必须将会话设置为无状态.像这样:

I think I found the solution. You have to set the sessions to be stateless. Like this:

 http
     .sessionManagement()
     .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

这篇关于Spring安全缓存基本身份验证?不验证后续请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！