I'm working on a Java / Angular application using waffle authentication.
When I access it in the Chrome browser it opens directly.
But when I access it in the firefox browser it opens a browser basic authentication window asking for username and password.
How to remove this authentication window from Firefox? The expected behavior is to open it directly like Chrome.
Note: The issue only happens when I access the application installed in a remote server. When accessing in localhost dev environment, firefox doesn't display the basic authentication window.
SecurityConfig.java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private NegotiateSecurityFilter negotiateSecurityFilter;
@Autowired
private NegotiateSecurityFilterEntryPoint entryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(entryPoint)
.and()
.addFilterBefore(negotiateSecurityFilter, BasicAuthenticationFilter.class)
.headers()
.addHeaderWriter(new StaticHeadersWriter("Access-Control-Allow-Credentials", "true"));
http.cors();
}
@Override
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication();
}
}
WaffleConfig.java
@Configuration
public class WaffleConfig {
@Bean
public WindowsAuthProviderImpl waffleWindowsAuthProvider() {
return new WindowsAuthProviderImpl();
}
@Bean
public NegotiateSecurityFilterProvider negotiateSecurityFilterProvider(
WindowsAuthProviderImpl windowsAuthProvider) {
return new NegotiateSecurityFilterProvider(windowsAuthProvider);
}
@Bean
public BasicSecurityFilterProvider basicSecurityFilterProvider(
WindowsAuthProviderImpl windowsAuthProvider) {
return new BasicSecurityFilterProvider(windowsAuthProvider);
}
@Bean
public SecurityFilterProviderCollection waffleSecurityFilterProviderCollection(
NegotiateSecurityFilterProvider negotiateSecurityFilterProvider,
BasicSecurityFilterProvider basicSecurityFilterProvider) {
SecurityFilterProvider[] securityFilterProviders =
{negotiateSecurityFilterProvider, basicSecurityFilterProvider};
return new SecurityFilterProviderCollection(securityFilterProviders);
}
@Bean
public NegotiateSecurityFilterEntryPoint negotiateSecurityFilterEntryPoint(
SecurityFilterProviderCollection securityFilterProviderCollection) {
NegotiateSecurityFilterEntryPoint negotiateSecurityFilterEntryPoint =
new NegotiateSecurityFilterEntryPoint();
negotiateSecurityFilterEntryPoint.setProvider(securityFilterProviderCollection);
return negotiateSecurityFilterEntryPoint;
}
@Bean
public NegotiateSecurityFilter waffleNegotiateSecurityFilter(
SecurityFilterProviderCollection securityFilterProviderCollection) {
NegotiateSecurityFilter negotiateSecurityFilter = new NegotiateSecurityFilter();
negotiateSecurityFilter.setProvider(securityFilterProviderCollection);
return negotiateSecurityFilter;
}
@Bean
public FilterRegistrationBean waffleNegotiateSecurityFilterRegistration(
NegotiateSecurityFilter waffleNegotiateSecurityFilter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean();
registrationBean.setFilter(waffleNegotiateSecurityFilter);
registrationBean.setEnabled(false);
return registrationBean;
}
}
I noticed one thing.
When accessing via Firefox, the following message is added to the logs:
FilterSecurityInterceptor - Failed to authorize filter invocation [GET /myapiurl] with attributes [authenticated]
When accessing via Chrome, the message is this other:
FilterSecurityInterceptor - Authorized filter invocation [GET /myapiurl] with attributes [authenticated]