apacahe shiro ,after 1 successful basic authentication it returns true for all wrong credentials
I'm using Apache Shiro for my Rest service project and I have troubles getting it to work as intended.
For rest service,I use basic authentication and as first,when I send wrong username,It returns 401 as expected.
Then I send correct user name and password,It returns 200 as expected. As 3th step,When I send again wrong username,It returns 200,should return 401.
I think after first successful login,It doesnt need any authentication process again.How can I force it to authenticate for every request? I couldnt find any reason or any parameter I should add in my shiro.ini.
This is my shiro.ini:
What you are seeing may be the result of your client. Before a client will send credentials to a server typically has to ask for them (responding with a 401), the client will the add the auth header. A client can work around this using "preemptive" auth, which will send the Authorization header on the initial request.
Your server is likely also configured to use cookies, which the server will process first and then return a 200 (and the client would never send the new credentials).
If this is just a REST server/client setup, you could disable session creation, using the noSessionCreation filter.
https://shiro.apache.org/web.html#default_filters
If you are still stuck take a look at your HTTP logs and watch for the headers (specifically Authorization and an Cookie headers).
- How to define the basic HTTP authentication using cURL correctly?
- How to clear basic authentication (HTTP Basic Auth) credentials in Chrome?
- How can I disable the secure by default model for plugins in Backstage ? Or how can I generate the token for my default guest user?
- GRPC TransportCredentials for Basic Authentication
- PostAsJsonAsync C# - How to set headers correctly for POST request - BAD REQUEST 400
- oauth2_proxy for basic auth login
- Laravel 11: Basic Auth to protect & showcase unfinished app to Client
- Multiple user details services for different endpoints
- why my postman basic auth not working correctly?
- HAProxy get username associated with Basic Auth
- Basic authentication with nginx does not work when transitioning pages on a static site created with SolidJS
- Why is the Lambda Target Group unsupported when modifying a Listener using ALB Ingress Controller on EKS?
- Blazor Hosted WebAssembly with Keycloak and Basic Authentication Issue
- YII 2 REST CORS issue on remote server
- What encoding should I use for HTTP Basic Authentication?
- How to do basic authentication over HTTPs in Ruby?
- How to access Twilio media with HTTP Basic Auth
- Apache2 Basic Auth on sub-directory not prompting for authentication
- Basic auth not being stored in storageState
- How do you use Basic Authentication with System.Net.Http.HttpClient?
- Expressjs with Connect basic auth won't set request user
- Django Rest Framework APIClient login is not working
- "Login information disallowed" error from google script
- Nestjs Authentication Project: "statusCode": 401, "message": "Unauthorized"
- No Basic Authentication choice available in IIS7
- Selenium - Basic Authentication via url
- Is basic access authentication secure?
- How to add Basic Auth to a Caddy config with TLS and auto renewal to Serve QuestDB via Docker
- What is the difference between basic authentication and cryptographic authentication?
- Basic Auth with Remote URL option