HowToDoInJava

Spring boot security rest basic authentication example

By Lokesh Gupta | Filed Under: Spring Boot 2

Learn to use basic authentication to secure rest apis created inside a Spring boot application. The secured rest api will ask for authentication details before giving access the data it secure.

1. Maven dependency

To secure rest apis, we must include spring security related jar files in project runtime. Simplest way to add all required jars is add spring-boot-starter-security dependency.

<parent>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-parent</artifactId>
	<version>2.0.5.RELEASE</version>
	<relativePath />
</parent>

<dependencies>
	<dependency>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-web</artifactId>
	</dependency>
	<dependency>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-security</artifactId>
	</dependency>
</dependencies>

2. Configure WebSecurityConfigurerAdapter

To enable authentication and authorization support in spring boot rest apis, we can configure a utility class WebSecurityConfigurerAdapter. It helps in requiring the user to be authenticated prior to accessing any configured URL (or all urls) within our application.

package com.howtodoinjava.rest.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity http) throws Exception 
    {
        http
         .csrf().disable()
         .authorizeRequests().anyRequest().authenticated()
         .and()
         .httpBasic();
    }
 
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) 
            throws Exception 
    {
        auth.inMemoryAuthentication()
        	.withUser("admin")
        	.password("{noop}password")
        	.roles("USER");
    }
}

3. Spring boot security rest basic authentication demo

For demo purpose, we can write a simple REST API given below.

3.1. REST API

@RestController
@RequestMapping(path = "/employees")
public class EmployeeController 
{
    @Autowired
    private EmployeeDAO employeeDao;
    
    @GetMapping(path="/", produces = "application/json")
    public Employees getEmployees() 
    {
        return employeeDao.getAllEmployees();
    }
}

3.2. Access rest api without ‘authorization’ header

Access rest api at URL : HTTP GET http://localhost:8080/employees/

Require username and password
Require username and password

3.3. Access rest api with ‘authorization’ header

Upon passing authorization request header with encoded basic-auth user name and password combination, we will be able to access the rest api response.

Access rest api at URL : HTTP GET http://localhost:8080/employees/

Successful api call
Successful api call

4. Conclusion

In this spring boot security rest basic authentication example, we learned to secure rest apis with basic authentication. It is done in two steps. First step is to include required dependencies e.g. spring-boot-starter-security. Second step is to configure WebSecurityConfigurerAdapter and add auth details.

Sourcecode download

References:

Spring security reference
HTTP Basic Auth

LinkedinRedditPocket

About Lokesh Gupta

Founded HowToDoInJava.com in late 2012. I love computers, programming and solving problems everyday. A family guy with fun loving nature. You can find me on Facebook, Twitter and Google Plus.

Feedback, Discussion and Comments

  1. vnod

    Its working for only localhost and not able to authenticate when calling the api from another server …can anyone pls help?

    Reply

  2. Poonkodi

    This example is good. I am working on microservices and few calls with token but how to bypass few internal urls (interservice calls) which will not carry token info in header.

    Reply

  3. Yogith Teegala

    Instead of going through the pain of encoding username and passwords, you could always select ‘auth’ as ‘Basic auth’ in the postman/Insomnia UI and add in username and password in plain text itself.

    Reply

  4. Rajat

    Make a tutorial on jwt spring boot authentication

    Reply

  5. anand

    What is “.pa” in the exaple above…

    auth.inMemoryAuthentication()
            .pa
            .withUser("admin")
            .password("{noop}password")
            .roles("USER");
    Reply

    • Lokesh Gupta

      Seems a typo error. Thanks for reporting it. Much appreciated.

      Reply

  6. Prasad Revanaki

    Good example for basic understanding of spring security.

    It would be better if you can add on more step on how to create authorization request header with encoded basic-auth user name and password combination. It will help.

    Reply

Ask Questions & Share Feedback

Please do not submit a comment only to say "Thank you".

*Want to Post Code Snippets or XML content? Please use [java] ... [/java] tags otherwise code may not appear partially or even fully. e.g.
[java] 
public static void main (String[] args) {
...
} 
[/java]