http.requestCache().disable() not working #6102

Closed
beku8 opened this issue Nov 16, 2018 · 1 comment · Fixed by #6107
Labels
in: web An issue in web modules (web, webmvc) type: backport An issue that is a backport of another issue to a maintenance branch type: bug A general bug

beku8 commented Nov 16, 2018

Summary

http.requestCache().disable() is not working in Spring Security 5.0.8

Actual Behavior

http.requestCache().disable() is not disabling the cache. We can see that from the log:

2018-11-16 11:28:28.436 DEBUG 18378 --- [nio-8080-exec-3] o.s.s.w.s.HttpSessionRequestCache        : DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/actuator]
2018-11-16 11:28:28.436 DEBUG 18378 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.

Expected Behavior

I expect this config to be disabling the request cache.

Configuration

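I tried in a very simple Spring Boot app to confirm:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@SpringBootApplication
@EnableWebSecurity
public class BasicauthdemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(BasicauthdemoApplication.class, args);
    }

    @Configuration
    public static class HttpBasicSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // This filter chain applies to actuator endpoints only
                .requestMatchers()
                    .requestMatchers(EndpointRequest.toAnyEndpoint())
            .and()
                .authorizeRequests()
                    .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                    .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                    .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                    .antMatchers("/error").permitAll() // To give proper error on failed authentication, https://github.com/spring-projects/spring-security/issues/4467
                    .anyRequest().hasRole("ACTUATOR")
            .and()
                .httpBasic()
            .and()
                // Expected to turn the request cache off; in 5.0.8 it does not
                .requestCache().disable()
                .csrf().disable();
        }

    }
}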

Version

5.0.8

Sample

https://github.com/beku8/basicauthdemo

@rwinch rwinch added the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2018
@jzheaux jzheaux removed the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2018
@jzheaux jzheaux added this to the 5.0.10 milestone Nov 16, 2018
jzheaux added a commit to jzheaux/spring-security that referenced this issue Nov 16, 2018
rwinch (Member) commented Nov 19, 2018

Thanks for the report @beku8! You can work around this by explicitly setting the cache to be NullRequestCache. For example:

http
    ...
    .requestCache()
        .requestCache(new NullRequestCache());
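
A regression check for the workaround above, as an added example that is not part of the issue thread or the project's own code: it sends an anonymous request and asserts that nothing was stored under the session attribute HttpSessionRequestCache uses. It assumes Spring Boot 2.0.x with the web, security and test starters and JUnit 4; the class names RequestCacheWorkaroundTest and App are hypothetical, and the filter chain is reduced to HTTP Basic on every request.

```java
import javax.servlet.http.HttpSession;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.savedrequest.NullRequestCache;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import static org.junit.Assert.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@RunWith(SpringRunner.class)
@SpringBootTest(classes = RequestCacheWorkaroundTest.App.class)
@AutoConfigureMockMvc
public class RequestCacheWorkaroundTest {

    // Hypothetical minimal app: HTTP Basic everywhere, request cache replaced by a no-op
    @EnableAutoConfiguration
    @EnableWebSecurity
    static class App extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests().anyRequest().hasRole("ACTUATOR")
            .and()
                .httpBasic()
            .and()
                .requestCache().requestCache(new NullRequestCache());
        }
    }

    @Autowired private MockMvc mvc;

    @Test
    public void unauthenticatedRequestIsNotSaved() throws Exception {
        // Anonymous request is rejected by the Basic entry point with 401
        HttpSession session = mvc.perform(get("/actuator"))
            .andExpect(status().isUnauthorized())
            .andReturn().getRequest().getSession(false);
        // HttpSessionRequestCache would store the request under this attribute
        assertTrue(session == null
            || session.getAttribute("SPRING_SECURITY_SAVED_REQUEST") == null);
    }
}
```

Swapping the last line of `configure` for `.requestCache().disable()` turns the same test into a check for whether a given Spring Security version carries the fix.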

jzheaux added a commit that referenced this issue Nov 20, 2018
@jzheaux jzheaux modified the milestones: 5.0.10, 5.2.0.M1 Nov 20, 2018
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: bug A general bug type: backport An issue that is a backport of another issue to a maintenance branch labels Nov 20, 2018
jzheaux added a commit that referenced this issue Nov 20, 2018
jzheaux added a commit that referenced this issue Nov 20, 2018
jzheaux added a commit that referenced this issue Nov 20, 2018
jer051 pushed a commit to jer051/spring-security that referenced this issue Nov 21, 2018