Spring Security — Implementing Basic Authentication

Seyed Sahil
3 min read · Apr 24, 2020

Hello there and welcome back. This is the continuation of Spring Security — Basic Authentication for REST APIs. Today we will see how to use Spring Boot and Spring Security to configure Basic authentication.

Before We Start

  • I will be using the Maven dependency manager for this project.
  • For development, I am using Spring Tool Suite IDE.

Adding Spring Security Dependency

For the Basic authentication implementation, we have to enable spring-boot-starter-security by adding the dependency to our project. Open your ‘pom.xml’ and add the following dependency.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Once you save the project, the dependency is downloaded and added to your project. Once Spring Security support is added, we have to configure the security. This configuration includes several things, such as enabling Basic authentication, permitting resource access, etc.

Configuring Security

  1. Create a new class for security configuration
  2. Import WebSecurityConfigurerAdapter from org.springframework.security.config.annotation.web.configuration package
  3. Import EnableWebSecurity from org.springframework.security.config.annotation.web.configuration package
  4. Annotate security configuration class with EnableWebSecurity marker annotation
  5. Extend security configuration class with WebSecurityConfigurerAdapter

What is HTTP Security

Certain security constraints are applied to every request coming to the server. We need to customize or configure these based on our requirements. Spring provides a wrapper class, HttpSecurity, for web security configuration. As a first step, we have to override the configure(HttpSecurity) method of the WebSecurityConfigurerAdapter class. This is how we customize or override the default configuration. To see the default configuration, open the configure(HttpSecurity) method of WebSecurityConfigurerAdapter using resource lookup and search for

Enabling Basic Authentication

We need to tell Spring to perform an authentication check on every HTTP resource request, and to use Basic authentication for that check. Once we specify the authentication scheme to use for HTTP resource requests, Spring reads the credentials from the Authorization header. This happens internally.

With the above line of code we enforce the condition that any access to an HTTP resource must be authenticated for a given user with the Basic authentication scheme.
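The configuration class that the five steps above and this section describe, written out as an added example (it is not the article's own code, which was shown as a screenshot). The package and class names are assumptions; the imports are the real Spring Security ones, HttpSecurity living in the builders package rather than the configuration package used for the other two.

```java
package com.example.basicauth; // hypothetical package name

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Step 4: mark the class as the web security configuration.
@EnableWebSecurity
// Step 5: extend the adapter so we can override its defaults.
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Override the HttpSecurity configuration that the adapter applies by default.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request, whatever its path, must carry an authenticated principal.
            .authorizeRequests()
                .anyRequest().authenticated()
            // and() returns to the HttpSecurity builder so further features can be chained.
            .and()
            // Use the Basic scheme: credentials are taken from the Authorization header
            // by BasicAuthenticationFilter, and a missing or bad header yields a 401
            // with a WWW-Authenticate: Basic challenge.
            .httpBasic();
    }
}
```

Two things worth knowing when you run this. With spring-boot-starter-security on the classpath and no UserDetailsService of your own, Spring Boot auto-configures a single in-memory user named `user` whose random password is printed in the startup log (or set `spring.security.user.name` / `spring.security.user.password` in application.properties), so the configuration above is testable immediately. CSRF protection also stays enabled by default, so a non-browser client sending POST/PUT/DELETE without a CSRF token gets a 403 even with valid Basic credentials; the author covers CSRF in the next article. If you want to see which filters a request passes through, `@EnableWebSecurity(debug = true)` logs the applied security filter chain per request, in addition to the logging property set in the Enabling Security Debugging section below.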

What we saw above is called Filter Chaining. It is a complex mechanism, but it is very flexible. When the server receives a new request, it passes through all the security filters in turn, and these filters are what raise Error 401 Unauthorized, Error 403 Forbidden, etc. The screenshot of the stack trace below gives a high-level picture of this.

Enabling Security Debugging

Open the ‘application.properties’ file, add the property given below and restart the server.

logging.level.org.springframework.security=DEBUG

Adding Logout Support

This is going to be very simple. Chaining a logout() call onto the HttpSecurity configuration exposes the ‘/logout’ URL to the end user.

So to log out, the user has to hit the URL given below.

http://localhost:8080/logout

Once we hit the logout URL, the request is handled by the LogoutFilter present in the security filter chain. The LogoutFilter clears the security context and invalidates the active session. You can read about Filter Ordering here.
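A MockMvc test that checks the behaviour this article describes end to end: an anonymous request is challenged with 401, wrong credentials are rejected, valid credentials pass the filter chain, and POST /logout is handled by the LogoutFilter. This is an added example, not the article's own code. It assumes a Spring Boot application with a WebSecurityConfigurerAdapter configured with httpBasic() and logout() as described above, the spring-boot-starter-test and spring-security-test dependencies in test scope, and a @SpringBootApplication class in a parent package; the package name, the /api/hello endpoint and the credentials are constructed for the test.

```java
package com.example.basicauth; // hypothetical package name

import static org.hamcrest.Matchers.startsWith;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Constructed credentials: these feed Spring Boot's auto-configured in-memory user,
// which is what BasicAuthenticationFilter checks against in this setup.
@SpringBootTest(properties = {
        "spring.security.user.name=demo",
        "spring.security.user.password=demo-secret"
})
@AutoConfigureMockMvc
class BasicAuthSecurityTest {

    @Autowired
    MockMvc mvc;

    // A tiny protected endpoint registered only for this test (hypothetical path).
    @TestConfiguration
    static class HelloEndpoint {
        @Bean
        HelloController helloController() {
            return new HelloController();
        }
    }

    @RestController
    static class HelloController {
        @GetMapping("/api/hello")
        String hello() {
            return "hello";
        }
    }

    @Test
    void anonymousRequestGetsBasicChallenge() throws Exception {
        // No Authorization header: the entry point answers 401 with a Basic challenge.
        mvc.perform(get("/api/hello"))
           .andExpect(status().isUnauthorized())
           .andExpect(header().string("WWW-Authenticate", startsWith("Basic")));
    }

    @Test
    void wrongPasswordIsRejected() throws Exception {
        // httpBasic() builds the Authorization: Basic base64(user:password) header.
        mvc.perform(get("/api/hello").with(httpBasic("demo", "wrong")))
           .andExpect(status().isUnauthorized());
    }

    @Test
    void validCredentialsReachTheController() throws Exception {
        mvc.perform(get("/api/hello").with(httpBasic("demo", "demo-secret")))
           .andExpect(status().isOk());
    }

    @Test
    void logoutIsHandledByLogoutFilter() throws Exception {
        // With CSRF protection on (the default), logout is only accepted on POST and
        // needs a CSRF token; csrf() supplies one. LogoutFilter sits before the
        // authentication filters, clears the context, invalidates the session and
        // then redirects (by default to /login?logout).
        mvc.perform(post("/logout").with(csrf()))
           .andExpect(status().is3xxRedirection());
    }
}
```

One caveat the last test makes visible: logout here is a server-side action. It clears the SecurityContext and invalidates the session, but a browser that has cached Basic credentials will simply resend them on the next request and be authenticated again, so for browser clients "logout" under the Basic scheme is only as good as the client's willingness to forget the credentials.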

The basic authentication implementation is now complete. In the next article we will talk about some more topics like CSRF, Data representation, etc. Also I will show how you can configure a simple CRUD server with spring data rest.

Questions and Answers

Q: Where exactly are we checking the authenticity of the user? How do we do this?

A: Again, this is configured the same way we configure the HTTP security as mentioned above. This will be taken care of in the next article.

With that last question, we have completed the implementation of Basic authentication. Got some questions? Post them as a comment 🙂

Thank you for reading.

Seyed Sahil

Originally published at http://sydlabz.wordpress.com on April 24, 2020.

Seyed Sahil

Coding Since 2011, Software Engineer, Game Developer, Artist, Photographer. Passionate about Security and Web Technologies. Favourites — C, Java, Javascript.