1. I have very basic simple Spring Boot Rest application.

2. I needed to implement custom authentication in Spring Security: for every REST request I need to check username and password, that are in specific headers of every request ("username" and "password").

3. So I implemented custom AuthEntryPoint:

    @Service
   public class CustomAuthEntryPoint implements AuthenticationEntryPoint {
       @Override
       public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
           String username = httpServletRequest.getHeader("username");
           String password = httpServletRequest.getHeader("password");
           if (!username.equals("admin") || !password.equals("admin")) {
               throw new RuntimeException("", new BadCredentialsException("Wrong password"));
           }
       }
   }

4. So, I realized, that RequestCacheAwareFilter is caching first request and headers are also stored in cache. So if I make a request with wrong pass and then with right one, I will still get an exception.

So, how could I override the CacheAwareFilter or disable it? Or am I doing something totally wrong?

Use custom WebSecurityConfigurerAdapter to set request cache to NullRequestCache:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestCache()
            .requestCache(new NullRequestCache());
    }
}

I just made the app stateless like here: How can I use Spring Security without sessions?

And now everything is okay.

In Spring Security 6:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        .requestCache(RequestCacheConfigurer::disable)
        .build();
}