Summary
Hi guys. We have a dedicated authorization server application and a REST application. I've noticed that insecure methods return 401 in case of invalid credentials. Is this expected behavior?
Actual Behavior
- Add header: Authorization: Bearer <incorrect_token>
- URL http://localhost:8082/insecure/user returns 401
Expected Behavior
I'm not sure, but is such behavior possible?
For secure methods:
- Correct token: returns principal
- Invalid or without token: 401
For insecure methods:
- Correct token: returns principal
- Invalid or without token: anonymous user
Configuration
Version
Spring Security - 4.2.2.RELEASE
Sample
Repository with sample: link
Steps to reproduce:
- Start authorization server: gradlew bootRunSecurity
- Start application: gradlew bootRunApp
- Generate new token: POST http://foo:foosecret@localhost:8081/oauth/token?grant_type=password&username=my_user&password=pass
- Make requests with/without/incorrect HTTP header Authorization: Bearer <access_token> for URLs http://localhost:8082/secure/user and http://localhost:8082/insecure/user
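Added illustration (not code from the issue's sample repository, which is only linked above): a spring-security-oauth2 2.x resource-server configuration, as used with Spring Security 4.2.x, that declares the secure/insecure split from the expected-behavior table, plus a controller for the two endpoints. Class names, the controller and the response strings are assumptions made for this example. The comment in configure() records why the permitAll rule alone does not turn an invalid token into an anonymous user.

```java
// Added example, not the issue's repository code. Assumes spring-security-oauth2 2.x
// on Spring Security 4.2.x with Spring Boot auto-configuration of the resource server
// (token services pointing at the authorization server on port 8081).
import java.security.Principal;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // /insecure/** needs no authentication: authorization rule only.
            .antMatchers("/insecure/**").permitAll()
            // /secure/** requires an authenticated (valid bearer token) request.
            .antMatchers("/secure/**").authenticated()
            .anyRequest().authenticated();

        // Ordering caveat: the resource server's bearer-token filter
        // (OAuth2AuthenticationProcessingFilter) runs before these rules are
        // evaluated. Any request carrying "Authorization: Bearer ..." is
        // authenticated by that filter first; if the token is invalid the filter
        // hands the request to its AuthenticationEntryPoint, which writes 401,
        // and the permitAll rule above is never consulted. Only a request with
        // no Authorization header reaches /insecure/** as an anonymous user.
    }
}

// Hypothetical controller for the two endpoints named in the issue.
@RestController
class UserController {

    @GetMapping("/secure/user")
    public String secureUser(Principal principal) {
        // Reached only with a valid token, so the principal is never null here.
        return principal.getName();
    }

    @GetMapping("/insecure/user")
    public String insecureUser(Principal principal) {
        // Spring Security passes MVC a null Principal for anonymous requests.
        return principal == null ? "anonymous" : principal.getName();
    }
}
```

If the goal is only to stop invalid tokens from producing 401 on /insecure/**, the resource-server chain can be scoped with http.requestMatchers().antMatchers("/secure/**") so that /insecure/** is served by a separate chain that contains no bearer-token filter; the trade-off is that a valid token sent to /insecure/** then no longer populates the principal either, which gives up the "correct token: returns principal" row of the table above.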
Comment From: BigTows
Answer from Stack Overflow
Comment From: jzheaux
Thanks for getting in touch! It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.