Securing Spring Boot REST API with Basic Auth

Learn to use basic authentication to secure the REST APIs created in a Spring boot application. The secured API will ask for user authentication credentials before giving access to the API response.

1. Maven Dependency

The simplest way to add all required jars is to add the latest version of spring-boot-starter-security dependency.


2. Configure Spring Security

To enable authentication and authorization support, we can configure the utility class WebSecurityConfigurerAdapter (deprecated). It helps in requiring the user to be authenticated prior to accessing any configured URL (or all URLs) within our application.

In the following configuration, we are using httpBasic() which enables basic authentication. We are also configuring the in-memory authentication manager to supply a username and password.

public class SecurityConfig extends WebSecurityConfigurerAdapter
    protected void configure(HttpSecurity http) throws Exception

    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception

Starting Spring Boot 2.7.0, WebSecurityConfigurerAdapter is deprecated. We can rewrite the above basic auth configuration in the latest versions as follows:

public class BasicAuthWebSecurityConfiguration
  private AppBasicAuthenticationEntryPoint authenticationEntryPoint;

  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

  public InMemoryUserDetailsManager userDetailsService() {
    UserDetails user = User
    return new InMemoryUserDetailsManager(user);

  public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(8);

See Also: Basic Auth with Spring Security

3. Basic Authentication Demo

For demo purposes, we can write a simple REST API given below.


@RequestMapping(path = "/employees")
public class EmployeeController
    private EmployeeDAO employeeDao;

    @GetMapping(path="/", produces = "application/json")
    public Employees getEmployees()
        return employeeDao.getAllEmployees();

3.2. Accessing the API without ‘authorization‘ Header

Access rest api at URL: HTTP GET http://localhost:8080/employees/

Require username and password
Require username and password

3.3. With ‘authorization‘ Header

Upon passing authorization request header with encoded basic-auth user name and password combination, we will be able to access the rest api response.

Access rest api at URL: HTTP GET http://localhost:8080/employees/

Successful api call
Successful api call

3.4. Generate Basic Auth Encoding

Browser apI testing tools are able to generate the base-64 encoded token by themselves using the plain username and password. But if we need to generate the encoded token ourselves to pass the token programmatically, then we can use the following code that uses the java.util.Base64 class.

String encoding = Base64.getEncoder().encodeToString((user + ":" + password).getBytes());
String authHeader = "Basic " + encoding;

For example, when making a call from Apache HttpClient, we can use the following code:

String encoding = Base64.getEncoder().encodeToString((user + ":" + password).getBytes());
HttpPost httpPost = new HttpPost("http://localhost:8080/api-url");
httpPost.setHeader(HttpHeaders.AUTHORIZATION, "Basic " + encoding);

HttpResponse response = httpClient.execute(httpPost);
HttpEntity entity = response.getEntity();

4. Conclusion

In this spring boot security basic authentication example, we learned to secure REST APIs with basic authentication. It is done in two steps.

  • The first step is to include required dependencies e.g. spring-boot-starter-security.
  • The second step is to configure WebSecurityConfigurerAdapter or SecurityFilterChain and add authentication details.

Happy Learning !!

Sourcecode on Github


Notify of

Most Voted
Newest Oldest
Inline Feedbacks
View all comments

About Us

HowToDoInJava provides tutorials and how-to guides on Java and related technologies.

It also shares the best practices, algorithms & solutions and frequently asked interview questions.