Securing REST APIs with HTTP BASIC authentication

Security is no longer an afterthought; it is a must in any application these days.

Somnath Musib
Jan 3 · 3 min read

In the modern era, security is an essential feature of any application, and your REST services are no exception. In this short tutorial, we'll discuss how to secure your REST APIs with HTTP BASIC authentication. We'll use Spring Security to implement the security of the API.

Application Endpoints

We’ll use a fictitious application that lets us manage our favorite web URLs. Let us call this application Pocket. It has the following endpoints:

GET /pockets: Returns all available pockets

GET /pockets/{id}: Returns the pocket for the supplied id, or an error for an invalid id

POST /pockets: Create a new pocket

PUT /pockets: Update an existing pocket

DELETE /pockets/{id}: Delete a pocket by the supplied id

Application Development

Let us now generate a Spring Boot project with the web, lombok, data-jpa, and H2 dependencies.

Let us now create the Pocket model object:

Pocket Model POJO

Let us now create the PocketRepository that lets us manage the pockets in the H2 database:

Now that the repository is ready, let us create the PocketController class that provides the HTTP endpoints:

We've used a custom exception that is thrown if an invalid pocket id is supplied:

At this point, the API is ready to manage the pockets. However, the application is not secure at all: every pocket endpoint is accessible to everyone. Let us add the security aspect to the application. To begin with, add the spring-boot-starter-security dependency to the pom.xml. This dependency brings in the Spring Security infrastructure for the application. We now want to implement HTTP Basic authentication.

This security configuration class lets you customize the security settings of your application. Let us explain the changes:

  1. You have extended the WebSecurityConfigurerAdapter class, which lets you customize the Spring Security default configuration.
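As an added example (not the article's own gist), a security configuration of the shape described above, assuming Spring Boot 2.x with spring-boot-starter-security on the classpath; the user name and password are constructed sample values, not from the article:

```java
// Added example: protects the /pockets endpoints with HTTP Basic authentication.
// Assumes Spring Boot 2.x, where WebSecurityConfigurerAdapter is the customization point.
package com.example.pocket.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Passwords are stored hashed, never in plain text, even for the in-memory user.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed sample credentials for the tutorial; a real deployment reads
        // users from a database or identity provider instead of hard-coding them.
        auth.inMemoryAuthentication()
            .withUser("pocket-user")
            .password(passwordEncoder().encode("change-me"))
            .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Basic auth sends credentials on every request, so no server-side session is kept.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Only acceptable because the API is called by non-browser clients (curl, SDKs);
            // browsers cache Basic credentials, so a browser-facing API must keep CSRF on.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/pockets/**").authenticated()   // every pocket endpoint requires a login
                .anyRequest().authenticated()                 // nothing else is left open by accident
            .and()
            // Unauthenticated requests get HTTP 401 with a WWW-Authenticate: Basic challenge.
            .httpBasic();
    }
}
```

Basic authentication sends the user name and password base64-encoded on every request, so serve the API over HTTPS only; otherwise the credentials are readable on the wire.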

We’ve created a few sample pockets in the main class:

Testing the Application

If you access the endpoints without BASIC authentication, you'll get back an HTTP 401 status code, indicating that you are Unauthorized:

If you provide the BASIC authentication details, you can access the endpoints:

Source Code

The source code for this article is available in the GitHub repository at

Code Fountain

Blog and mini courses on Java and Spring
