I am using Spring Security with the configuration below.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
            .securityContextRepository(securityContextRepository)
            .authorizeExchange()
                .anyExchange().authenticated()
            .and()
            .formLogin().disable()
            .httpBasic().disable()
            .csrf().disable()
            .logout().disable();
        return http.build();
    }
And the load method of my ShipxpressReactiveSecurityContextRepository looks like this.
    @Override
    public Mono<SecurityContext> load(ServerWebExchange serverWebExchange) {
        String authorization = CollectionToolkit.getFirstElement(
                serverWebExchange.getRequest().getHeaders().get(ShipxSecurityConstant.Header.AUTHORIZATION_HEADER));
        if (StringToolkit.isNotEmpty(authorization)) {
            return authenticate(authorization, serverWebExchange);
        } else {
            return Mono.empty();
        }
    }
My use case is working properly, but my issue is that when I try to access my API from the browser (e.g. localhost:8180/dmu), the browser prompts for authentication. In that situation, if I enter the wrong user / password, I can't change it with the next request, because there is an "Authorization" request header with invalid authentication.
I have two questions.
- How can we remove default request headers from the browser (when accessing GET methods from the browser URL)?
- How can I stop Spring from generating default request headers?
question from:
https://stackoverflow.com/questions/65599089/remove-default-authorization-header-spring-webflux-security
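An added example, not part of the original question: a browser shows its credential dialog, and then keeps resending the entered `Authorization` header, only after a 401 response that carries a `WWW-Authenticate: Basic` challenge. Assuming that challenge is what triggers the prompt here, the variant of the posted filter chain below answers unauthenticated requests with a bare 401 instead; the class name `ApiSecurityConfig` and the injected repository parameter are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;

@Configuration
@EnableWebFluxSecurity
public class ApiSecurityConfig { // hypothetical class name

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(
            ServerHttpSecurity http,
            // The custom repository from the question, injected as a bean (assumption).
            ServerSecurityContextRepository securityContextRepository) {
        http
            .securityContextRepository(securityContextRepository)
            .exceptionHandling()
                // Reply to unauthenticated requests with a plain 401 and no
                // WWW-Authenticate header, so the browser has no Basic challenge
                // to open a dialog for or to cache credentials against.
                .authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
            .and()
            .authorizeExchange()
                .anyExchange().authenticated()
            .and()
            .formLogin().disable()
            .httpBasic().disable()
            .csrf().disable()
            .logout().disable();
        return http.build();
    }
}
```

Credentials a browser has already cached for the origin are still sent until the browser session ends, so check the change in a fresh private window or with a client that sets headers explicitly.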