In this post we will discuss Basic Authentication and how to use it with Spring Security.
BASIC Authentication
- It's the simplest of all techniques and probably the most used as well. If you use login/password forms, that is basic authentication: you enter your username and password and submit the form to the server, the application identifies you as a user, and you are allowed to use the system; otherwise you get an error.
- The main problem with this security implementation is that credentials travel from the client to the server in what is effectively plain text. Credentials are merely encoded with Base64 in transit, but not encrypted or hashed in any way. As a result, any sniffer could read the packets sent over the network.
- HTTPS is therefore typically preferred over, or used in conjunction with, Basic Authentication, which makes the conversation with the web server entirely encrypted. The best part is that nobody can even guess from the outside that Basic Auth is taking place.
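To make the Base64 point above concrete, here is an added example (not code from the original post or from Spring Security) that parses an `Authorization: Basic` header value the way a server-side filter must, and in doing so shows that anyone who sees the header recovers the password. The class name `BasicHeaderDemo` and the method `parseBasic` are hypothetical, the sample headers are constructed from the username and password used later in this post, and UTF-8 is assumed for the decoded bytes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicHeaderDemo {

    /** Returns {username, password}, or null if the value is not a well-formed Basic credential. */
    static String[] parseBasic(String headerValue) {
        // The scheme name is case-insensitive, so "basic " is accepted as well.
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(headerValue.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid Base64
        }
        // Assumption: the client encoded the credentials as UTF-8.
        String token = new String(decoded, StandardCharsets.UTF_8);
        // Split at the FIRST colon only: a password may itself contain ':'.
        int colon = token.indexOf(':');
        if (colon < 0) {
            return null; // no user/password separator
        }
        return new String[] { token.substring(0, colon), token.substring(colon + 1) };
    }

    static String b64(String s) {
        return Base64.getEncoder().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample: the header a client sends for user "gaurav" with password "bytes".
        String header = "Basic " + b64("gaurav:bytes");
        System.out.println("On the wire:  Authorization: " + header);

        // No key is needed to reverse Base64, so an observer on plain HTTP sees this.
        String[] creds = parseBasic(header);
        System.out.println("Recovered:    user=" + creds[0] + " password=" + creds[1]);

        // Edge cases a parser has to handle (all inputs constructed).
        System.out.println("Colon in password kept: " + parseBasic("basic " + b64("gaurav:by:tes"))[1]);
        System.out.println("Missing colon rejected: " + (parseBasic("Basic " + b64("nocolon")) == null));
        System.out.println("Bad Base64 rejected:    " + (parseBasic("Basic %%%") == null));
        System.out.println("Other scheme rejected:  " + (parseBasic("Bearer abc") == null));
    }
}
```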
Let's create a simple Spring Boot application with Basic Authentication enabled. If you are not familiar with it, you can read my previous post on how to create a simple Spring Boot application.
Add dependencies in pom.xml
We will add the spring-boot-starter-security dependency to the pom.xml:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
Configurations for Basic Authentication
We need to register BasicAuthenticationFilter and BasicAuthenticationEntryPoint as beans in the Spring context.

    // Declare both beans inside a @Configuration class.
    @Bean
    BasicAuthenticationFilter basicAuthFilter(AuthenticationManager authenticationManager,
                                              BasicAuthenticationEntryPoint basicAuthEntryPoint) {
        // Use the injected entry point bean, which issues the 401 challenge on failed logins.
        return new BasicAuthenticationFilter(authenticationManager, basicAuthEntryPoint);
    }

    @Bean
    BasicAuthenticationEntryPoint basicAuthEntryPoint() {
        BasicAuthenticationEntryPoint bauth = new BasicAuthenticationEntryPoint();
        // Realm name sent in the WWW-Authenticate header of the 401 response.
        bauth.setRealmName("GAURAVBYTES");
        return bauth;
    }
Enabling basic authentication and configuring properties
Basic Authentication is enabled by default when you add spring-security to your classpath. You need to configure the username and password for basic authentication. Here are some of the security properties. You can see SecurityProperties for other properties that you can configure, such as the realm name.

    security:
      basic:
        enabled: true
      user:
        name: gaurav
        password: bytes
XML based configuration for Basic Authentication
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans
                     http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                     http://www.springframework.org/schema/security
                     http://www.springframework.org/schema/security/spring-security-3.1.xsd">

        <http>
            <!-- /** protects nested paths too; /* would match only a single path level -->
            <intercept-url pattern="/**" access="ROLE_USER" />
            <!-- Adds support for basic authentication -->
            <http-basic/>
        </http>

        <authentication-manager>
            <authentication-provider>
                <user-service>
                    <user name="gaurav" password="bytes" authorities="ROLE_USER" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>
This is how to enable basic authentication in a Spring Boot application using Spring Security. You can get the full working example code for basic authentication on GitHub.