Spring Boot Security Basic Authentication (2024)
In Spring Security, there are many ways to authenticate RESTful web services. The basic one is Basic Authentication.
Q: What is Basic Authentication?
Basic Authentication authenticates a client by passing the username and password as part of the request, in the HTTP Authorization header, which allows the user to access the resource.
In this type of authentication, the credentials are only weakly encoded with the Base64 encoding algorithm, which is easily reversible and not secure.
Syntax of Basic Authentication:
Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value>
// Example: Authorization: Basic VGVzdFVzZXI6dGVzdDEyMw==
// Decoding it gives back the original username:password, TestUser:test123
Now, let's see the Basic Authentication Example.
Project Structure:
Maven Dependency:
Include the Spring Security starter in the pom.xml file to secure our REST API.
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.techgeeknext</groupId>
    <artifactId>basicsecurity</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>basicsecurity</name>
    <description>Basic Security project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
Default Basic Authentication:
If we add only the spring-boot-starter-security dependency in pom.xml, without a WebSecurityConfiguration class or security properties in application.yml, and run the application, a default password is generated and printed in the console. Test the application using the hello REST API (http://localhost:8083/hello?name=User): enter the user name user and the generated password given in the console.
Now, let's add WebSecurityConfiguration and configure our user.
Configure user and password:
Configure the user and password in application.yml.
spring:
  security:
    user:
      name: TestUser
      password: test123
server:
  port: 8083
Spring Security Configuration
Let's configure Spring Security by extending WebSecurityConfigurerAdapter to enable basic authentication for our REST API. Override the configure method to use HTTP basic authentication.
package com.techgeeknext.basicsecurity.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
// This class extends WebSecurityConfigurerAdapter
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                // httpBasic authentication
                .and().httpBasic();
    }
}
REST Controller:
This is a simple Hello REST controller, which returns hello with the username back to the REST client.
package com.techgeeknext.basicsecurity.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    @GetMapping("/hello")
    public String sayHello(@RequestParam(required = false, defaultValue = "TechGeekNext User") String name) {
        return "Hello " + name;
    }
}
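An automated check of the configuration and controller above, added here as an example and not part of the original project: it asserts that /hello answers 401 with a Basic challenge when credentials are missing or wrong, and 200 only for the user configured in application.yml. The class name BasicAuthIntegrationTest is hypothetical, and the test assumes the application's @SpringBootApplication class lives in com.techgeeknext.basicsecurity.

```java
package com.techgeeknext.basicsecurity;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;

// Hypothetical test class (not in the original project); starts the app on a random port.
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
class BasicAuthIntegrationTest {

    private static final String HELLO = "/hello?name=User";

    @Autowired
    private TestRestTemplate rest;

    @Test
    void requestWithoutCredentialsIsChallenged() {
        ResponseEntity<String> res = rest.getForEntity(HELLO, String.class);
        assertEquals(HttpStatus.UNAUTHORIZED, res.getStatusCode());
        // The 401 must carry a Basic challenge so clients know which scheme to use.
        String challenge = res.getHeaders().getFirst(HttpHeaders.WWW_AUTHENTICATE);
        assertNotNull(challenge);
        assertTrue(challenge.startsWith("Basic"));
    }

    @Test
    void wrongPasswordIsRejected() {
        ResponseEntity<String> res =
                rest.withBasicAuth("TestUser", "wrong-password").getForEntity(HELLO, String.class);
        assertEquals(HttpStatus.UNAUTHORIZED, res.getStatusCode());
    }

    @Test
    void validCredentialsReachTheController() {
        ResponseEntity<String> res =
                rest.withBasicAuth("TestUser", "test123").getForEntity(HELLO, String.class);
        assertEquals(HttpStatus.OK, res.getStatusCode());
        assertEquals("Hello User", res.getBody());
    }
}
```

TestRestTemplate comes from spring-boot-starter-test, which is already in the pom.xml above, so no extra dependency is needed.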
Testing Basic Authentication
- Case 1: Entering wrong credentials. Use the hello REST API http://localhost:8083/hello?name=User
- Case 2: Entering valid credentials (User: TestUser, Password: test123).
- Decode credentials: If we copy
Authorization: Basic VGVzdFVzZXI6dGVzdDEyMw==
from the above request, we can decode it, which gives the credentials back in the form user:password. This is not secure.
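The header syntax and the decode step described above, as an added example that is not part of the original article: it builds the Authorization value from a username and password and reverses it with nothing but a Base64 decoder. The class BasicAuthHeaderDemo and its method names are hypothetical, and the second credential pair is constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical demo class; uses only the JDK.
public class BasicAuthHeaderDemo {

    private static final String SCHEME = "Basic ";

    /** Builds the header value: "Basic " + base64(username:password). */
    static String encode(String username, String password) {
        byte[] value = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return SCHEME + Base64.getEncoder().encodeToString(value);
    }

    /** Returns {username, password}, or null if the value is not a well-formed Basic header. */
    static String[] decode(String headerValue) {
        // The scheme name is case-insensitive.
        if (headerValue == null
                || !headerValue.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(headerValue.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
        String value = new String(raw, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: the password may itself contain ':'.
        int colon = value.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { value.substring(0, colon), value.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // The credentials configured in application.yml on this page.
        System.out.println("Authorization: " + encode("TestUser", "test123"));

        // Anyone who can read the header recovers the password; no key is involved.
        String[] creds = decode("Basic VGVzdFVzZXI6dGVzdDEyMw==");
        System.out.println("user=" + creds[0] + " password=" + creds[1]);

        // Constructed edge cases: a password containing ':' and a malformed header.
        String[] tricky = decode(encode("TestUser", "te:st"));
        System.out.println("password with colon=" + tricky[1]);
        System.out.println("malformed header rejected=" + (decode("Basic %%%") == null));
    }
}
```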
Now that we have seen how basic authentication works in Spring Boot Security, you may notice there are a few challenges like:
So, next we will explore Digest Authentication to solve these challenges.
Download Source Code
The full source code for this article can be found below.
Download it here - Spring Boot Security - Basic Authentication