0

I'm creating a simple app with a Sign-In site. I used HTTP basic type of authorization, but the problem is I don't know how to disable the pop-up window which is showing every time when I pass wrong credentials or in case of writing secured endpoint site before authentication.

The frontend is written in pure JS, launched without any template engine. Just js + html files in static dir.

The authentication page uses the Fetch Api to send headers with credentials

Does someone knows how to disable this window, shown below:

Sign In Window

Here is my Security config class:



@Configuration
@EnableWebSecurity
public class CustomWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Resource
    private UserDetailsService userDetailsService;

    @Autowired
    private CustomLogoutHandler logoutHandler;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
                .antMatchers(HttpMethod.POST, "/demo/users/save").permitAll()
                .antMatchers(HttpMethod.POST, "/demo/users/**").permitAll()
                .antMatchers(HttpMethod.POST, "/users/*/save").permitAll()
                .antMatchers(HttpMethod.DELETE, "/users/**").permitAll()
                .antMatchers(HttpMethod.POST, "/users/*/verify").permitAll()
                .antMatchers(HttpMethod.GET,"/users/**").permitAll()
                .antMatchers(HttpMethod.PUT,"/users/**").permitAll()
                .antMatchers("/css/**", "/js/**", "/img/**").permitAll()
                .antMatchers("/signup-page.html").permitAll()
                .antMatchers("/landing-page.html").permitAll()
                .anyRequest().authenticated()
                .and()
                    .formLogin()
                    .disable()
                .logout()
                    .logoutUrl("/logout")
                    .addLogoutHandler(logoutHandler)
                    .logoutSuccessUrl("/landing-page.html")
                    .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
                    .permitAll()
                .and()
                .httpBasic();

    }

    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService);
        authProvider.setPasswordEncoder(passwordEncoder());
        return authProvider;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
Patryk Szymon Młyńczak
  • 99
  • 8
  • See also https://stackoverflow.com/questions/34296208/remove-www-authenticate-header-from-basic-authentication-in-spring-boot – dur Oct 19 '21 at 07:46

1 Answers1

2

I couldn't find the answer before, every response I found consisted of "disable httpBasic" and that wasn't a satisfying solution. Here is a Topic : Spring Boot security shows Http-Basic-Auth popup after failed login

and these lines solved my problem:

httpBasic()
                .authenticationEntryPoint(new AuthenticationEntryPoint(){ //<< implementing this interface
                    @Override
                    public void commence(HttpServletRequest request, HttpServletResponse response,
                        AuthenticationException authException) throws IOException, ServletException {
                            //>>> response.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\""); <<< (((REMOVED)))
                            response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
                    }
                });
Patryk Szymon Młyńczak
  • 99
  • 8