How to set basic authentication for API endpoints in spring boot
When we are talking about logging in or authentication in general, the first thing we think about is logging into an application.
However, there is more to that.
If you are working as a backend developer, a lot of times you have to write API endpoints that are ready to be consumed.
Today, we will talk how to create a spring boot application that users have to authenticate against in order to access these API endpoints.
Why do we need to authenticate to access endpoints? I mean, if we create these endpoints without authentication, won’t it be less code to maintain? What can actually happen when these endpoints are not secured?
Let’s use the following example: imagine creating an API that handles bank account transactions. This API allows us to transfer to another account, to accept transfer, and as well as creating a bank account with some initial amount.
Now let’s also assume we created a banking UI application that allow us to transfer money to other external accounts. Sure, I can make a transaction to another trusted account. But what if a hacker get access to this piece of information?
In that case, the hacker would take advantage of this information and use it to make an API call to transfer money to himself. If we set up basic authentication, we can check to see if the person requesting the transfer is someone we trust. If it is, we allow the transfer to happen. If it is not, then the transaction does not happen.
Now let’s talk about how to set up spring boot APIs with a basic authentication setup.
Before starting on this tutorial, please complete the tutorial specified in Setting your own spring boot server via JDBC part 1 | by Michael Tong | Dev Genius in order to have a spring boot base application setup.
Step 1: In your pom.xml, ensure you have the following dependencies included in the file:
Afterward, load the dependencies by reloading the project in the pom.xml file:
Step 1: Under src/main/java/com.example.demo create three packages: config, controller, and service. The config package will store all the configurations needed to set up the basic authentication. The controller package will include a controller that returns hello world, using our hello world service.
Step 2: Under the controller package, create a class called HelloWorldController with the following content:
Here, we have two endpoints, that returns an age and name. For now, let’s not worry too much about the implementation of getAge and getName. All we know is these two functions return some dummy values, which we will see in a minute when we implement the service.
Step 3: Insider the service package, create a class called HelloWorldService.java:
Over here, we have two methods, getUserName and getAge. These two methods simply return some dummy data. These methods will be getting called when the application receives client request that trigger the getAge and getUserName endpoints in the controller level.
Step 4: Locate your config package and create a file called BasicAuthConfig.java:
Over here, we include @EnableWebSecurity annotation and @Configuration annotation, indicating this will be a configuration file that will override existing security functionality in the application.
There are three things that we need to always get in mind:
- configureGlobal: This is the part where we decide with what username and password would we allow the client request to be authorized to access the endpoints. Over here, we authorize client requests if they have username as “michaeluser” and password as “password”.
- configure: By overriding this method, we are essentially saying over here any client request will be prompted a username and password. If the credentials match whatever that was exacted in the configureGlobal method, then user is allowed to access the resource. Else, the user will be given the same prompt to enter the username and password.
- passwordEncoder: Behind the scene, this password encoder will encrypt the password that was provided by the client when it supplies a username and password.
Afterward, you can run the application and it will load the application in port:8080.
Here is how it will look like when we try to access an endpoint that is authorized:
What happens if I access an authorized endpoint with the wrong credentials?
In this case, after you type in a wrong username and password it will prompt you for new credentials again. Until that happens, you are not allowed to access the given resource in the server.
That’s it! You just learned to how to build a spring application with basic authentication supported.
What if you want to restrict certain API from external access regardless? We can cover that another time.
