Basic authentication for Springboot REST API application with HandlerInterceptor
This post will show you how to authenticate the Springboot REST API application using basic authentication. To do this process I’m going to use a HandlerInterceptor class provided by the spring framework.
To learn more about HandlerInterceptor behavior please visit my previous post from here. Also please visit here to get the full code example.
Overview
Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with the Authorization header that contains the word Basic word followed by a space and a base64-encoded string username: password. To explain this process I’m going to use 2 controllers called Create Employee and Retrieve Employee.
Example URL format:
http://testUser:CMbk5083@localhost:8080/employee-service/employees/add
This user name and password coming as a header value and its base64 encoded value (Ex: Basic dGVzdFVzZXI6Q01iazUwODM=). In the back end, we are validating the UN and PWD after decoding this value.
In the industry most of the time, we are using this authentication method for callback authentication.
Please refer to the following sequence diagrams to get a better idea of this process.
Technologies
Java 1.8
Maven 3.6.1
Springboot 2.2.7.RELEASE
spring-boot-starter-web
MongoDB
log4j
Project Structure
First, we have to double-check our controller endpoints are working fine. We can use Postman or any other third-party tool to execute endpoints.
STEP 1: Maven dependency (POM.xml).
Please visit pom.xml to see the completed version.
STEP 2: Add customized Interceptor class.
Here we are using HandlerInterceptorAdapter class to make our custom Interceptor class called EmployeeSecurityInterceptor.Since we are only going to validate application credentials, inside of the overridden preHandle() method. Also, we have overridden postHandle() method with some logs.
In this preHandle() method we are doing a couple of things like,
- Grab basic header value from the request header object.
- Call the AuthService module to validate the header value.
- Set response status according to validity.
Please go through EmployeeSecurityInterceptor class, I have explained each step in the comment section. To learn more about HandlerInterceptor behavior please visit my previous post from here.
STEP 3: Configuration.
Here we are going to add a configuration class for the Spring MVC configuration since we need to bind our custom Interceptor (EmployeeSecurityInterceptor) class with Spring MVC.
Here we have a class called SpringMVCConfig and it’s overridden by WebMvcConfigurer provided by the Spring framework.
STEP 4: Service layer changes.
Here I have introduced a couple of classes to act as an auth service module. Inside of this service layer, we are going to validating the base64 encoded header value with application credentials.
Please visit AuthServiceImpl to see the full implementation.
STEP 5: Testing
Once you are done with the changes you can test both endpoints using Postman.
If the validation method returns TRUE, then the request will redirect to the controller endpoint according to the URI with a 200 (OK ) status.
If it returns FALSE, then it will throw an error with 401(UN-AUTHORIZED) status.
Example :
Authentication Success Response
Authentication Failed Response
Note ***
Rather than using a user name and password like this http://testUser:CMbk5083@localhost:8080/employee-service/employees/add, you can use the following options in the Postman.
- Set as a User name and password in the Authorization tab.
2. Set ‘Authorization’ header value as Bas64 encoded value
First, you have to convert username:password into base64 encoded value and add a prefix called “Basic”.
Please visit a completed version from here and I have explained every possible step in the comment section. Please leave a comment if you have concerns or questions.
