Table of Contents
- What is Basic Authentication?
- How Basic Authentication Works in Spring Security
- Setting Up Basic Authentication in a Spring Boot Application
- Creating Custom User Details
- Configuring a Custom Security Filter Chain
- Testing Basic Authentication with Postman or curl
- Summary
1. What is Basic Authentication?
Basic Authentication is a simple authentication scheme built into the HTTP protocol. It transmits credentials (username and password) encoded in Base64 in the Authorization header. Though easy to implement, it should always be used over HTTPS to protect credentials from interception.
Example Authorization Header:
makefileCopyEditAuthorization: Basic dXNlcjpwYXNzd29yZA==
The encoded string is just username:password in Base64.
2. How Basic Authentication Works in Spring Security
Spring Security supports HTTP Basic Authentication out of the box. Once enabled, Spring Security:
- Intercepts all HTTP requests
- Checks for an
Authorization: Basicheader - Decodes the credentials
- Validates the user using a
UserDetailsService - Grants or denies access based on authentication and roles
3. Setting Up Basic Authentication in a Spring Boot Application
Step 1: Add Spring Security Dependency
For Maven:
xmlCopyEdit<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Step 2: Default Behavior
If you don’t configure anything, Spring Security auto-generates a default user (user) with a random password. You can test this immediately via browser or API tools.
To override this behavior and set custom credentials, configure the following in application.properties:
propertiesCopyEditspring.security.user.name=admin
spring.security.user.password=admin123
4. Creating Custom User Details
You can define your own users and roles using the UserDetailsService interface and InMemoryUserDetailsManager.
javaCopyEdit@Configuration
public class SecurityConfig {
@Bean
public InMemoryUserDetailsManager userDetailsService() {
UserDetails user = User.withUsername("john")
.password(passwordEncoder().encode("john123"))
.roles("USER")
.build();
UserDetails admin = User.withUsername("admin")
.password(passwordEncoder().encode("admin123"))
.roles("ADMIN")
.build();
return new InMemoryUserDetailsManager(user, admin);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
5. Configuring a Custom Security Filter Chain
Next, create a filter chain to specify security rules:
javaCopyEdit@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeHttpRequests()
.requestMatchers("/public/**").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic(); // Enables basic authentication
return http.build();
}
This config:
- Disables CSRF (not recommended for web apps, okay for REST APIs)
- Allows open access to
/public/** - Secures all other endpoints with basic authentication
6. Testing Basic Authentication with Postman or curl
Using curl:
bashCopyEditcurl -u john:john123 http://localhost:8080/api/secure-data
Using Postman:
- Open Postman and select your endpoint.
- Go to Authorization tab.
- Choose Basic Auth.
- Enter your username and password.
- Hit Send.
Spring Security will decode credentials and authorize based on roles and configuration.
7. Summary
Basic authentication is a fast and minimal way to protect your endpoints, ideal for internal tools or simple APIs. However, it sends credentials with every request, so it must be used with HTTPS to ensure security.
Key Points:
- Easy to set up with Spring Security and Spring Boot.
- Credentials are passed in Base64, not encrypted—SSL is essential.
- Works well with tools like Postman, curl, and simple API clients.
- Not recommended for public-facing applications without token-based enhancements.
In future modules, we’ll cover form-based login, JWT-based authentication, and integrating with external identity providers for more advanced and secure setups.
