
Invalid password is accepted in spring security using custom Authentication Provider

I am using Spring Security with a custom AuthenticationProvider and basic auth.

When I try to hit the backend API GET call through Postman, it works fine only when I make changes to the username.

Here is the problem statement: the custom authentication provider only runs when I modify the username. Once I enter the correct username and password it works, but after that, when I make any change to the password (giving a wrong password), it always shows a 200 success response. If I make a change to the username (giving a wrong username), only then is the custom authentication provider called and I get a 401 response.

Java Spring code

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
@ComponentScan("com.authentication.service")
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthService authProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Register the custom provider so ProviderManager delegates to it
        auth.authenticationProvider(authProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
                .and()
            .logout()
                .clearAuthentication(true)
                .and()
            .authorizeRequests()
                .antMatchers("/index.html", "/", "/home", "/login", "/assets/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

import java.util.ArrayList;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Service;

@Service
public class AuthService implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String userName = authentication.getName();
        String userPassword = authentication.getCredentials().toString();

        if (authenticateUser(userName, userPassword)) {
            // Fully authenticated token (no authorities in this example)
            return new UsernamePasswordAuthenticationToken(userName, userPassword, new ArrayList<>());
        }
        // Throw instead of returning null: a null result means "this provider
        // cannot decide" and makes ProviderManager fall through to other providers
        throw new BadCredentialsException("Invalid username or password");
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }

    public boolean authenticateUser(String userName, String userPassword) {
        // Using some third party service
        // return true if user is authenticated else false
        throw new UnsupportedOperationException("third-party check goes here");
    }
}


This is occurring because Spring Security is creating a session that is returned as a cookie upon successful authentication (you can check this in the Cookies panel of Postman's response). For further requests, even if you provide invalid credentials, Postman will send this session cookie, which will be used for authentication.

To remove this effect, you can update your session management policy to SessionCreationPolicy.STATELESS; this will make sure no session is created by the application and the Basic Auth credentials sent in the request are used for authentication.

You can update the Session Management Policy like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Never create or consult an HttpSession; each request is authenticated on its own
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
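A complete configuration, added here as an example and not part of the question or the answer, that combines the asker's custom AuthenticationProvider with the STATELESS policy from the answer, so that no JSESSIONID cookie is ever issued and every request is judged on its own Authorization header. The BiPredicate<String, String> bean standing in for the asker's third-party service, and the class name StatelessSecurityConfig, are assumptions; all other calls are standard Spring Security 5.x (WebSecurityConfigurerAdapter) API.

```java
// Added example: stateless Basic Auth with a custom provider.
// Assumption: a BiPredicate<String, String> bean (username, password) -> boolean
// wraps the external credential service the asker mentions.
package com.authentication.service;

import java.util.Collections;
import java.util.function.BiPredicate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class StatelessSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed stand-in for the third-party credential check
    private final BiPredicate<String, String> thirdPartyCheck;

    public StatelessSecurityConfig(BiPredicate<String, String> thirdPartyCheck) {
        this.thirdPartyCheck = thirdPartyCheck;
    }

    @Bean
    public AuthenticationProvider externalServiceAuthProvider() {
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication authentication)
                    throws AuthenticationException {
                String userName = authentication.getName();
                String userPassword = String.valueOf(authentication.getCredentials());
                if (!thirdPartyCheck.test(userName, userPassword)) {
                    // Throwing (rather than returning null) makes the failure
                    // explicit; BasicAuthenticationFilter turns it into a 401.
                    throw new BadCredentialsException("Invalid username or password");
                }
                // The clear-text password is not copied into the result; there is
                // no reason to keep it on the SecurityContext after the check.
                return new UsernamePasswordAuthenticationToken(
                        userName, null, Collections.emptyList());
            }

            @Override
            public boolean supports(Class<?> authentication) {
                return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
            }
        };
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(externalServiceAuthProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No HttpSession is created or consulted, so a previously issued
            // JSESSIONID cookie can never stand in for the Authorization header.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .httpBasic()
                .and()
            .authorizeRequests()
                .antMatchers("/index.html", "/", "/home", "/login", "/assets/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // The cookie-based CSRF repository keeps the token in a cookie, not
            // in the session, so it still works with STATELESS. It is kept here
            // because browsers resend cached Basic Auth credentials automatically.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

To confirm the fix, send the same request twice from Postman or with `curl -i -u user:wrongpass http://localhost:8080/your-endpoint` after a successful call: with STATELESS the successful response carries no `Set-Cookie: JSESSIONID` header, and the request with the wrong password returns 401 instead of the 200 the asker saw.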
