Different handling of basic authentication in rest client and web app in browser

Refresh

4 weeks ago

Views

6 time

1

I have angular frontend and spring backend. I'm using spring security to hande http basic authentication. I noticed strange difference in behaviour using advanced rest client(or any other) and angular web app.

For tests I disabled my httpInterceptor so it is not including "Authorisation: Basic foobardoofab==" header. So spring backend should response with Unauthorised error right? Well... Sometimes it does and sometimes in doesn't.

Flow is like this: I use my authenticate method to log in:

authenticate(credentials, callback) {

    const headers = new HttpHeaders(credentials ? {
        authorization : 'Basic ' + btoa(credentials.username + ':' + credentials.password)
    } : {});

    this.http.get('http://localhost:8080/login', {headers: headers}).subscribe(response => {
        if (response['name']) {
            let authString = 'Basic ' + btoa(credentials.username + ':' + credentials.password);
            sessionStorage.setItem('basicauth', authString);
            sessionStorage.setItem('username', response['name']);
            sessionStorage.setItem('role', response['authorities']);

        } else {
            // this.authenticated = false;
        }
        return callback && callback();
    });
  }

Those values are stored only for getting access inside angular app.

Now I go to http://localhost:4200/events

In this component I have GET request in ngOninit

ngOnInit() {
    this.http.get<Array<MyEvent>>('http://localhost:8080/events').subscribe((response) => {
      this.events = response;}); 
  }

Because my httpinterceptor is disabled i dont add this "basicauth" stored in session so spring should respond with unathorised. And it does:

{"timestamp":"2019-04-26T13:08:19.167+0000","status":401,"error":"Unauthorized","message":"Unauthorized","path":"/events"}

And I think it is good and expected behaviour.(Since i'm not sending basicauth Im not able to go through spring security.

But there is this second case when im testing it with some rest clients (advanced rest client)

I send GET request to http://localhost:8080/login with "Authorisation: Basic foobar" added to headers and I got 200 OK response from spring.

Now i send get request to http://localhost:8080/events WITHOUT any headers included and I still got 200 OK response and access to returned objects. (While through angular app it respondend with Unauthorised error) To get unathorised error i have to sent GET request to http://localhost:8080/logout (through angular app im not sending it anywhere)

So my question is why those two cases are different in behaviour?

I will also show my WebSecurityConifg:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().httpBasic()
        .and()
        .authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/index.html", "/", "/home", "/login").permitAll()
        .anyRequest().authenticated().and()
        .logout().invalidateHttpSession(true).deleteCookies("JSESSIONID").and()
        .csrf().disable();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new
                UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
        return source;
    }
}

0 answers