Currently working on upgrading my web application from Spring Boot 2 to version 3. As Spring Boot 3 uses Spring Security 6, I needed to update my security configuration. After my changes I noticed that my custom authentication provider is getting called on every request, which leads to heavy database traffic. It's not happening if I use the Spring default login form, but it does with basic authentication.
Here is my sample security configuration:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public AuthenticationManager authenticationManager() {
        // Single custom provider; no fallback provider is registered.
        return new ProviderManager(new CustomAuthenticationProvider());
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authorize) -> authorize
                .anyRequest().authenticated()
            )
            .httpBasic();
        return http.build();
    }
}
```
My Provider looks like:
```java
import java.util.ArrayList;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;

public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String username = authentication.getName();
        String password = authentication.getCredentials().toString();
        // Hard-coded credentials stand in for the database lookup of the real application.
        if ("admin".equals(username) && "admin".equals(password)) {
            var user = User.withUsername("admin").password("admin").authorities(new ArrayList<>()).build();
            return new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), user.getAuthorities());
        } else {
            throw new BadCredentialsException("system authentication failed");
        }
    }

    @Override
    public boolean supports(Class<?> auth) {
        return auth.equals(UsernamePasswordAuthenticationToken.class);
    }
}
```
Behavior in short:
| SecurityConfig | Behavior |
|---|---|
| .formLogin() | 1x Login / Provider-Call |
| .httpBasic() | 1x Login per Session / 1x Provider-Call per request |
What can I do to get the old behavior back as it was with Spring 5 / Spring Boot 2?
For everyone having the same issue, you can restore the old session behavior by setting the session creation policy in your security filter chain:

```java
.httpBasic(withDefaults())
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
...
```
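The answer's snippet is cut off, so as an added example (not code from the question or the answer) here is the question's filter chain with that fix applied, written in the lambda DSL that Spring Security 6.1 and later expect (the chained `.sessionManagement().sessionCreationPolicy(...)` and no-arg `.httpBasic()` forms are deprecated there). The class name `SessionAwareBasicAuthConfig` is an assumption; `CustomAuthenticationProvider` is the provider class from the question.

```java
// Added example, not from the original post: the question's SecurityConfig
// plus the answer's session creation policy, in the Spring Security 6 lambda DSL.
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SessionAwareBasicAuthConfig {  // hypothetical class name

    @Bean
    public AuthenticationManager authenticationManager() {
        // CustomAuthenticationProvider is the provider class shown in the question.
        return new ProviderManager(new CustomAuthenticationProvider());
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           AuthenticationManager authenticationManager) throws Exception {
        http
            .authenticationManager(authenticationManager)
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated())
            .httpBasic(withDefaults())
            // IF_REQUIRED lets Spring Security create an HttpSession on the first
            // successful Basic authentication and store the SecurityContext in it.
            // On later requests carrying the session cookie, BasicAuthenticationFilter
            // sees an existing authentication for the same username and skips the
            // provider, so the database is hit once per session instead of once per request.
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED));
        return http.build();
    }
}
```

Two things worth checking after applying this: the saving only helps clients that keep and resend the session cookie (a client that sends only the `Authorization` header on every request and drops cookies will still trigger the provider each time), and the default session fixation protection (session id change on login) remains active, so the session-per-login count in the question's table is what you should see in the container's session store.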