REST API with Waffle and Spring Security returning 401 Unauthorized in Postman


Juan OKeeffe

Apr 5, 2023, 11:25:06 PM4/5/23
to waffle
Hi,

I have a REST API built with Spring Security and Waffle.

When I call an endpoint in the browser (like the URL below), it correctly returns the endpoint result.
http://localhost:8080/hello

But if I go to Postman and call the same url in a GET request I get a 401 Unauthorized response.

The Eclipse console log shows this message:
BasicAuthenticationFilter - Did not process authentication request since failed to find username and password in Basic Authentication header.

Then, if I go to Postman, change the Authorization type to Basic Authentication, provide my Windows user and password, and submit the request again, it works.

But that defeats the whole purpose of using Waffle, which is to authenticate the user in the application based on Windows authentication without needing to supply a username and password in the API call.

How can I make Windows authentication work without needing to supply the user and password in the API call (like when accessing via the browser)?


Browser Header

Request URL: http://localhost:8080/hello
Request Method: GET
Status Code: 200
Remote Address: [::1]:8080
Referrer Policy: strict-origin-when-cross-origin
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Length: 17
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Apr 2023 14:42:07 GMT
Expires: 0
Keep-Alive: timeout=60
Pragma: no-cache
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Cookie: JSESSIONID=XXXXXXXXXXXXXXXXX
Host: localhost:8080
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36



Postman Interface Header (without providing user/pass)

Request headers:
Cookie: JSESSIONID=YYYYYYYYYYYYYYY
Postman-Token: <calculated when request is sent>
Host: <calculated when request is sent>
User-Agent: PostmanRuntime/7.31.3
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Response headers:
Set-Cookie: JSESSIONID=YYYYYYYYYYYYYYY; Path=/; HttpOnly
Connection: keep-alive, keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Transfer-Encoding: chunked
Date: Wed, 05 Apr 2023 15:02:32 GMT
Keep-Alive: timeout=60



Postman cURL (without providing user/pass)

curl --location 'http://localhost:8080/hello' \
--header 'Cookie: JSESSIONID=YYYYYYYYYYYYYYY' \
--data ''


Postman cURL (providing user/pass)

curl --location 'http://localhost:8080/hello' \
--header 'Authorization: Basic Og==' \
--header 'Cookie: JSESSIONID=YYYYYYYYYYYYYYY' \
--data ''
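Added example (not the poster's code and not part of Waffle or Spring Security): a small Python diagnostic that parses the WWW-Authenticate challenges from a 401 response and decodes what a Basic Authorization header actually carries. The sample 401 below is constructed from the response headers in the post. It makes two things visible that the post's logs only hint at: the server offers Negotiate and NTLM (which a browser on a Windows machine answers automatically with the logged-on user's token) alongside Basic, and the `Basic Og==` value in the second curl command decodes to a bare `:`, i.e. an empty username and an empty password, so a curl line copied out of Postman does not carry the credentials that were typed into the Postman UI.

```python
"""Inspect a 401 challenge and a Basic credential.

Sample data is constructed from the headers in the post; no network access.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the 401 response Postman received, as raw header lines.
SAMPLE_401_HEADERS = """\
HTTP/1.1 401
Set-Cookie: JSESSIONID=YYYYYYYYYYYYYYY; Path=/; HttpOnly
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
"""

# RFC 7235 auth-scheme token, then whatever follows (quoted or bare params).
_SCHEME_RE = re.compile(r"^([A-Za-z0-9!#$%&'*+\-.^_`|~]+)\s*(.*)$")
_PARAM_RE = re.compile(r'([A-Za-z0-9\-_]+)\s*=\s*("([^"]*)"|([^,\s]+))')


def parse_challenge(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one WWW-Authenticate value into (scheme, params)."""
    m = _SCHEME_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a challenge: {value!r}")
    scheme, rest = m.group(1), m.group(2)
    params: Dict[str, str] = {}
    for pm in _PARAM_RE.finditer(rest):
        params[pm.group(1).lower()] = pm.group(3) if pm.group(3) is not None else pm.group(4)
    return scheme, params


def offered_schemes(raw_headers: str) -> List[Tuple[str, Dict[str, str]]]:
    """Collect every challenge the response advertises, in server order.

    Waffle emits one challenge per WWW-Authenticate header line, which is
    what this handles; a single header carrying several comma-separated
    challenges is not split here.
    """
    challenges = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            challenges.append(parse_challenge(value))
    return challenges


def decode_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <base64>' value into (user, password).

    Returns None for any other scheme or for malformed input. Base64 is an
    encoding, not encryption: anyone who sees the header sees the password.
    """
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def explain(raw_headers: str, authorization: Optional[str] = None) -> dict:
    """Summarise a 401: which schemes the server offers and what the client sent."""
    schemes = [s.lower() for s, _ in offered_schemes(raw_headers)]
    result = {
        "offers_integrated_auth": "negotiate" in schemes or "ntlm" in schemes,
        "offers_basic": "basic" in schemes,
        "client_sent": None,
    }
    if authorization:
        basic = decode_basic(authorization)
        if basic is not None:
            user, password = basic
            result["client_sent"] = {
                "scheme": "Basic",
                "user": user,
                "password_empty": password == "",
            }
        else:
            result["client_sent"] = {"scheme": authorization.split(" ", 1)[0]}
    return result


if __name__ == "__main__":
    # The curl line from the post: "Og==" is base64 for ":" (empty user and password).
    print(explain(SAMPLE_401_HEADERS, "Basic Og=="))
```

The browser succeeds because it answers the Negotiate challenge with the current Windows logon on its own; Postman sends only what is configured in its Authorization tab, and with nothing configured the request carries no credential at all, which is exactly what the BasicAuthenticationFilter log line reports. A command-line client can answer the same challenge with the current logon rather than a password by running curl with `--negotiate -u :` (a standard curl option; it requires a curl build with SSPI or GSS-API support). Where Basic is kept enabled as a fallback, it should only be accepted over TLS, since the header above is plain base64.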