HTTP Basic Authentication With Spring Security

ashok mathan
Jul 13

How HTTP Basic Authentication Works

With HTTP Basic authentication the user does not log in through a form. The credentials travel in an HTTP request header, specifically the “Authorization” header, rather than in the request body as they do with form login. Because no login page or browser session is needed, this suits REST clients well.

When HTTP Basic authentication is enabled, the client sending the request (a browser, a REST client) joins the username and the password with a colon between them, Base64-encodes the resulting string, and sends it in the “Authorization” header of the request, prefixed with the scheme name “Basic”.

For example, if your REST client uses the username “userId” and the password “passwd”, it builds the string “userId:passwd”, Base64-encodes it to “dXNlcklkOnBhc3N3ZA==”, and sends the header Authorization: Basic dXNlcklkOnBhc3N3ZA==.

When the request reaches the server, the server reads the value of the Authorization header, Base64-decodes it to recover the username and password, and authenticates the user against its user store. (More on this in the Spring Boot RESTful web services example for API configuration.)

If a request carries no Authorization header, the server rejects it with a 401 response and adds the header WWW-Authenticate: Basic realm="..." to tell the client that it must send a username and password in the Authorization header to be authenticated.

A browser reads that challenge and presents a login dialog so you can enter the username and password. Be aware that this is not a safe way to send credentials on its own: Base64 is an encoding, not encryption, so anyone who can read the traffic can recover the password with one decode call, and the credentials are resent on every request. HTTP Basic should only ever be used over TLS (HTTPS).
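The whole exchange described above, written out as a small client and server in Python. This is an added illustration, not code from the original article or from Spring Security; the realm name, the in-memory user store and the header values are constructed for the demo. It shows the three pieces a practitioner actually needs to get right: building the header, parsing it defensively on the server (bad scheme, bad Base64, no colon, a colon inside the password), and issuing the 401 challenge. Note that parse_basic_header is also exactly what an eavesdropper runs on a captured header.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

REALM = "Your App"  # assumed realm name for the demo


def build_basic_header(username: str, password: str) -> str:
    """Client side: join user-id and password with ':' and Base64-encode (RFC 7617)."""
    if ":" in username:
        # RFC 7617 forbids a colon in the user-id, because the server splits on the first one.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side (or eavesdropper side): recover (username, password) from an
    Authorization header value. Returns None for anything that is not a well-formed
    Basic credential, so the caller can answer 400 instead of guessing."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)  # reject non-alphabet bytes
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password


def challenge() -> Dict[str, str]:
    """The header a server sends with a 401 to ask for Basic credentials."""
    return {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


def authenticate(headers: Dict[str, str], users: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Minimal server decision: returns (HTTP status, response headers).
    users maps username to clear-text password purely for the demo; a real store
    holds password hashes and verifies against them instead."""
    value = headers.get("Authorization")
    if value is None:
        return 401, challenge()
    creds = parse_basic_header(value)
    if creds is None:
        return 400, {}
    username, password = creds
    expected = users.get(username)
    # Constant-time comparison, run even for unknown users so that response timing
    # does not reveal which usernames exist.
    matched = hmac.compare_digest((expected or "").encode("utf-8"), password.encode("utf-8"))
    if expected is None or not matched:
        return 401, challenge()
    return 200, {}


if __name__ == "__main__":
    USERS = {"userId": "passwd"}  # constructed demo user store
    hdr = build_basic_header("userId", "passwd")
    print(hdr)                     # Basic dXNlcklkOnBhc3N3ZA==
    print(parse_basic_header(hdr))  # ('userId', 'passwd'): what a sniffer sees
    print(authenticate({}, USERS))                      # (401, {'WWW-Authenticate': ...})
    print(authenticate({"Authorization": hdr}, USERS))  # (200, {})
```

Run it as a script to see the header, the trivially recovered credentials, and the 401/200 decisions; the point of the parser returning None rather than raising is that a malformed header should produce a clean 400, not a stack trace.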

There are other ways to authenticate users, e.g. digest authentication, or OAuth 2.0, whose client and resource-server support was introduced in Spring Security 5. I’ll write more about those later, but if you are interested you can check out the Spring Security Certification Class by Baeldung to learn more about them.

How to enable Http Basic Authentication using Java Configuration in Spring Security

With Java configuration you define the security rules for your endpoints as shown below. Enabling HTTP Basic authentication is as simple as calling httpBasic() on the HttpSecurity object passed into the configure(HttpSecurity) method.

Here’s a typical Spring Security configuration that enables HTTP Basic authentication:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Spring Security 5.x style. WebSecurityConfigurerAdapter was deprecated in 5.7 and
// removed in 6.0 in favour of a SecurityFilterChain bean, but the builder calls are the same.
@Configuration
@EnableWebSecurity
public class HttpBasicAuthenticationAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Spring Security 5 requires a PasswordEncoder; without the "{noop}" prefix
        // (or a real encoder) authentication fails with "There is no PasswordEncoder
        // mapped for the id null". {noop} stores the password in clear text and is
        // acceptable only for a demo or test user.
        auth
            .inMemoryAuthentication()
            .withUser("userId").password("{noop}passwd")
            .authorities("ROLE_USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/securityNone").permitAll()   // open endpoint, no credentials needed
                .anyRequest().authenticated()               // everything else requires a login
                .and()
            .httpBasic()
                .realmName("Your App");                     // appears in the WWW-Authenticate challenge
    }
}

You can chain security constraints with joiner methods such as and(). If you want to turn HTTP Basic authentication off, just remove the call to httpBasic() and you are done.

Again, HTTP Basic authentication is not the safest way to authenticate: anyone who intercepts the traffic can Base64-decode the header and read the password. It works for common needs such as testing, and it is acceptable for production only when every request goes over TLS.
For a production or real-world RESTful web service there are other options, e.g. digest authentication, which avoids sending the password itself (though it relies on MD5 and is rarely recommended today), or token-based schemes such as OAuth 2.0 bearer tokens.
