Let me briefly describe what problem I am facing right now.

I have configured Spring Security for a WebFlux application, and I am getting a login form prompt when I try to access a route that doesn't require authentication. The route is `/swagger-ui/` and it should open without any login form or whatever.

Below is the code I have within the SecurityWebFilterChain:

```java
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    //@formatter:off
    return http
        .formLogin().disable()
        .httpBasic().disable()
        .authenticationManager(authenticationManager)
        .securityContextRepository(securityContextRepository)
        .authorizeExchange()
            .pathMatchers(HttpMethod.OPTIONS).permitAll()
            .pathMatchers("/v2/api-docs", "/v3/api-docs", "/configuration/ui", "/swagger-resources",
                          "/configuration/security", "/swagger-ui/", "/swagger-ui", "/webjars/**",
                          "/swagger-resources/configuration/ui",
                          "/swagger-resources/configuration/security").permitAll() // Allowed routes for swagger
            .pathMatchers("/api/auth", "/api/auth/**").permitAll() // Allowed routes for auth
        .and()
        .authorizeExchange()
            .anyExchange()
            .authenticated() // All other routes require authentication
        .and()
        .csrf().disable()
        .headers()
            .hsts()
                .includeSubdomains(true)
                .maxAge(Duration.ofSeconds(31536000))
            .and()
            .frameOptions().mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
        .and()
        .build();
    //@formatter:on
}
```

If anyone has any suggestions, please let me know, I will appreciate it. Here is the picture of what I got in the browser.

Comments:

Are you sure it is even loaded, and what does your debug output tell you, and the browser logs? - Toerktumlare, Aug 27, 2020 at 11:45

But the browser request log, what requests are performed and what requests are red, return statuses, etc. - Toerktumlare, Aug 27, 2020 at 12:18

That dialog box looks like "basic auth" and is given by the web browser and not Spring. The path "/" seems to still have basic auth and someone is requesting that path. - Toerktumlare, Aug 27, 2020 at 12:24

@ThomasAndolf I have fixed it accidentally: `.httpBasic() .and() .formLogin().disable()`. I have removed `.disable()` from the `httpBasic()` and apparently it's working, but let me check once again if I have modified something else also. - Milos, Aug 27, 2020 at 13:26

I was really annoyed by this issue too. The problem is that by putting `.httpBasic().disable()` in your code you would expect Spring to skip basic authentication (that browser window), but it doesn't.

Instead, try providing a `ServerAuthenticationEntryPoint` to the `.httpBasic()`.

The most simple one is the `HttpStatusServerEntryPoint`.

For example, in your code change to:

```java
return http
    .formLogin().disable()
    // Answer with a bare 401 status instead of the browser's Basic auth prompt
    .httpBasic().authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
    .authenticationManager(authenticationManager)
    // ... rest of the chain as in the question
```

By changing that your server will return a 401 UNAUTHORIZED HttpStatus instead of that browser window! Cheers!
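A regression check for the behaviour described above, added here as an example and not part of the original answer: the browser's login dialog is triggered by a 401 response carrying a `WWW-Authenticate` header, so the test asserts that this header is absent. It assumes a Spring Boot WebFlux application whose context contains the `SecurityWebFilterChain` from this page with the entry point change applied, JUnit 5 and `spring-boot-starter-test` on the classpath, and a hypothetical protected route `/api/private`.

```java
import static org.junit.jupiter.api.Assertions.assertNotEquals;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.test.web.reactive.server.WebTestClient;

// Added example: starts the application on a random port and sends
// unauthenticated requests through the real security filter chain.
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class NoBasicChallengeTest {

    // Hypothetical route covered by anyExchange().authenticated();
    // replace with any protected route of the application under test.
    private static final String PROTECTED_ROUTE = "/api/private";

    @Autowired
    private WebTestClient client;

    @Test
    void protectedRouteReturns401WithoutChallenge() {
        client.get().uri(PROTECTED_ROUTE)
              .exchange()
              .expectStatus().isUnauthorized()
              // No WWW-Authenticate header means the browser shows no login dialog.
              .expectHeader().doesNotExist(HttpHeaders.WWW_AUTHENTICATE);
    }

    @Test
    void swaggerUiIsNotChallenged() {
        client.get().uri("/swagger-ui/")
              .exchange()
              // permitAll(): the status depends on the Swagger setup
              // (200, a redirect or 404), but it must never be 401.
              .expectStatus().value(status -> assertNotEquals(401, status))
              .expectHeader().doesNotExist(HttpHeaders.WWW_AUTHENTICATE);
    }
}
```

Run against the configuration from the question, the same assertions show whether a protected or permitted path still answers with a `WWW-Authenticate` challenge.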
