Basic Authentication is a simple and stateless authentication mechanism built into the HTTP protocol. It’s easy to implement and useful for:
- Securing internal APIs
- Prototyping or quick services
- Environments where TLS/SSL is enforced (important for securing credentials)
Lets learn how Securing REST APIs with Basic Authentication in Spring Boot can be done.
๐ฆ Project Setup
Maven Dependencies
In your pom.xml, include:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> |
๐งฉ Project Structure
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
src/ โโโ main/ โโโ java/ โโโ com/ โโโ kscodes/ โโโ springboot/ โโโ security/ โโโ SecurityConfig.java โโโ ApiController.java โโโ SpringBootSecurityApplication.java |
๐ Step 1: Create SecurityConfig for Basic Authentication
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
package com.kscodes.springboot.security; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; @Configuration public class SecurityConfig { @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeHttpRequests(auth -> auth .requestMatchers("/api/public").permitAll() .anyRequest().authenticated() ) .httpBasic(); // Enable Basic Authentication return http.build(); } @Bean public UserDetailsService users() { return new InMemoryUserDetailsManager( User.withUsername("user") .password(passwordEncoder().encode("password")) .roles("USER") .build(), User.withUsername("admin") .password(passwordEncoder().encode("adminpass")) .roles("ADMIN") .build() ); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } } |
๐ Step 2: Create a REST Controller
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
package com.kscodes.springboot.security; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; @RestController public class ApiController { @GetMapping("/api/public") public String publicApi() { return "This is a public endpoint."; } @GetMapping("/api/user") public String userApi() { return "Welcome, authenticated USER."; } @GetMapping("/api/admin") public String adminApi() { return "Welcome, authenticated ADMIN."; } } |
๐ Step 3: Main Spring Boot Application
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
package com.kscodes.springboot.security; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication public class SpringBootSecurityApplication { public static void main(String[] args) { SpringApplication.run(SpringBootSecurityApplication.class, args); } } |
๐งช Testing the Endpoints
1. Accessing the public endpoint
|
1 2 3 |
curl http://localhost:8080/api/public |
๐ข Output: "This is a public endpoint."
2. Accessing a protected endpoint without credentials
|
1 2 3 |
curl http://localhost:8080/api/user |
๐ด Output: HTTP/1.1 401 Unauthorized
3. Accessing with Basic Auth
|
1 2 3 |
curl -u user:password http://localhost:8080/api/user |
๐ข Output: "Welcome, authenticated USER."
|
1 2 3 4 |
curl -u admin:adminpass http://localhost:8080/api/admin |
๐ข Output: "Welcome, authenticated ADMIN."
โ ๏ธ Important Notes
- Always use HTTPS with Basic Auth to avoid sending credentials in clear text.
- Avoid Basic Auth in production unless used with secure environments or in internal microservices behind a gateway.
- Prefer OAuth2/JWT for public APIs.
๐ Best Practices
- Use
BCryptPasswordEncoderfor encoding passwords. - Separate roles clearly in
SecurityConfig. - Add rate-limiting and logging for security-sensitive endpoints.
- Keep credentials in secure secrets manager, not in plain code or config.
๐ References
๐ Conclusion
Securing REST APIs with Basic Authentication in Spring Boot is straightforward using Spring Security. With the new Spring Boot 3 and Spring Security 6, configuration is more streamlined using Java configuration with SecurityFilterChain.
Use this setup for quick authentication and secure your internal APIs effectively using Spring’s robust security model.