Securing REST APIs with Basic Authentication in Spring Boot

Basic Authentication is a simple, stateless authentication scheme defined for HTTP (RFC 7617): the client sends username:password, Base64-encoded, in an Authorization header on every request, and the server answers unauthenticated requests with 401 and a WWW-Authenticate challenge. It is easy to implement and useful for:

  • Securing internal APIs
  • Prototyping or quick services
  • Environments where TLS/SSL is enforced (essential, because the encoding is trivially reversible and the credentials are otherwise readable on the wire)

Let's walk through how securing REST APIs with Basic Authentication in Spring Boot is done.

📦 Project Setup

Maven Dependencies

In your pom.xml, include:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>


🧩 Project Structure

src/
└── main/
    └── java/
        └── com/
            └── kscodes/
                └── springboot/
                    └── security/
                        ├── SecurityConfig.java
                        ├── ApiController.java
                        └── SpringBootSecurityApplication.java

🔐 Step 1: Create SecurityConfig for Basic Authentication


package com.kscodes.springboot.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Spring Security 6 lambda DSL (the no-arg csrf()/httpBasic() forms are deprecated).
            // CSRF protection defends session cookies; this API issues none, so it is safe to turn off.
            .csrf(csrf -> csrf.disable())
            // Credentials arrive on every request, so never create an HTTP session for them.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public").permitAll()
                // Being authenticated is not enough for /api/admin: the ADMIN role is required.
                .requestMatchers("/api/admin").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .httpBasic(Customizer.withDefaults()); // Enable Basic Authentication

        return http.build();
    }

    @Bean
    public UserDetailsService users(PasswordEncoder passwordEncoder) {
        // Demo accounts only. Real credentials belong in a secrets manager, not in source code.
        return new InMemoryUserDetailsManager(
            User.withUsername("user")
                .password(passwordEncoder.encode("password"))
                .roles("USER")
                .build(),
            User.withUsername("admin")
                .password(passwordEncoder.encode("adminpass"))
                .roles("ADMIN")
                .build()
        );
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // BCrypt: salted, adaptive hash, so the stored value is never the plaintext password.
        return new BCryptPasswordEncoder();
    }
}

🌐 Step 2: Create a REST Controller


package com.kscodes.springboot.security;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ApiController {

    @GetMapping("/api/public")
    public String publicApi() {
        return "This is a public endpoint.";
    }

    @GetMapping("/api/user")
    public String userApi() {
        return "Welcome, authenticated USER.";
    }

    @GetMapping("/api/admin")
    public String adminApi() {
        return "Welcome, authenticated ADMIN.";
    }
}

🚀 Step 3: Main Spring Boot Application


package com.kscodes.springboot.security;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SpringBootSecurityApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringBootSecurityApplication.class, args);
    }
}

🧪 Testing the Endpoints

1. Accessing the public endpoint

curl http://localhost:8080/api/public

🟢 Output: "This is a public endpoint."

2. Accessing a protected endpoint without credentials

curl -i http://localhost:8080/api/user

🔴 Output: HTTP/1.1 401 Unauthorized, together with the challenge header WWW-Authenticate: Basic realm="Realm" (Spring Security's default realm name). The controller method is never invoked.

3. Accessing with Basic Auth

curl -u user:password http://localhost:8080/api/user

🟢 Output: "Welcome, authenticated USER."

curl -u builds the header Authorization: Basic dXNlcjpwYXNzd29yZA== for you; that value is nothing more than Base64 of user:password, which is why the HTTPS requirement below is not optional.

curl -u admin:adminpass http://localhost:8080/api/admin

🟢 Output: "Welcome, authenticated ADMIN."
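The same checks as an automated test, added here and not part of the original tutorial. It uses Spring's MockMvc with the httpBasic() request post-processor from spring-security-test, so it assumes spring-boot-starter-test and spring-security-test are on the test classpath; the class name ApiControllerSecurityTest is mine. The final test expects 403 for the USER account on /api/admin, which holds only when the filter chain restricts that path with hasRole("ADMIN"); a chain that merely requires authenticated() returns 200 there, and that silent over-grant is exactly what such a test exists to catch.

```java
package com.kscodes.springboot.security;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Import;
import org.springframework.test.web.servlet.MockMvc;

// Slice test: only the controller plus the imported SecurityConfig are loaded,
// and MockMvc runs the request through the real Spring Security filter chain.
@WebMvcTest(ApiController.class)
@Import(SecurityConfig.class)
class ApiControllerSecurityTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void publicEndpointNeedsNoCredentials() throws Exception {
        mockMvc.perform(get("/api/public"))
            .andExpect(status().isOk())
            .andExpect(content().string("This is a public endpoint."));
    }

    @Test
    void anonymousCallerGetsBasicChallenge() throws Exception {
        // 401 plus WWW-Authenticate: the entry point answers, the controller is never reached.
        mockMvc.perform(get("/api/user"))
            .andExpect(status().isUnauthorized())
            .andExpect(header().string("WWW-Authenticate", "Basic realm=\"Realm\""));
    }

    @Test
    void wrongPasswordIsRejected() throws Exception {
        mockMvc.perform(get("/api/user").with(httpBasic("user", "wrong-password")))
            .andExpect(status().isUnauthorized());
    }

    @Test
    void validUserCredentialsAreAccepted() throws Exception {
        mockMvc.perform(get("/api/user").with(httpBasic("user", "password")))
            .andExpect(status().isOk())
            .andExpect(content().string("Welcome, authenticated USER."));
    }

    @Test
    void adminEndpointRequiresAdminRole() throws Exception {
        mockMvc.perform(get("/api/admin").with(httpBasic("admin", "adminpass")))
            .andExpect(status().isOk())
            .andExpect(content().string("Welcome, authenticated ADMIN."));

        // Authenticated but not authorized: valid credentials, wrong role, so 403 not 401.
        // Assumes /api/admin is guarded by hasRole("ADMIN") in the SecurityFilterChain.
        mockMvc.perform(get("/api/admin").with(httpBasic("user", "password")))
            .andExpect(status().isForbidden());
    }
}
```

Run it with mvn test. Keep the 401-versus-403 distinction in mind when reading failures: 401 means the credentials were not accepted at all, 403 means they were accepted but the account lacks the role the path demands.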

⚠️ Important Notes

  • Always use HTTPS with Basic Auth. The Authorization header carries username:password in plain Base64, which is an encoding, not encryption: anyone who can read the traffic can recover the password, and it is resent on every request.
  • Avoid Basic Auth in production unless the environment is secured, for example internal microservices behind a gateway that terminates TLS and authenticates callers.
  • Prefer OAuth2/JWT for public APIs: a bearer token can be scoped and expires, whereas a Basic credential is the long-lived password itself.
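To make the first note concrete, here is a small Java class, added for this page and not part of the tutorial's project, that builds and parses the RFC 7617 header the way a server must: the scheme name is matched case-insensitively, the Base64 is decoded, and the user-id is separated from the password at the first colon, because the user-id may not contain a colon but the password may. The class name BasicCredentials and its method names are my own choice.

```java
package com.kscodes.springboot.security;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Builds and decodes RFC 7617 Basic credentials (illustrative, not part of the tutorial). */
public final class BasicCredentials {

    private BasicCredentials() {
    }

    /** Produces the exact Authorization header value that curl -u user:password would send. */
    public static String encode(String userId, String password) {
        if (userId.contains(":")) {
            // RFC 7617 forbids a colon in the user-id; otherwise the pair could not be split.
            throw new IllegalArgumentException("user-id must not contain ':'");
        }
        String pair = userId + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Recovers {user-id, password} from an Authorization header, or returns null when the
     * header is absent, uses another scheme, is not valid Base64, or lacks the separator.
     */
    public static String[] decode(String authorizationHeader) {
        if (authorizationHeader == null) {
            return null;
        }
        String header = authorizationHeader.trim();
        // Scheme names are case-insensitive: "basic", "BASIC" and "Basic" are all valid.
        if (header.length() < 6 || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        // Split at the FIRST colon only, so a password such as "pa:ss" survives intact.
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    public static void main(String[] args) {
        String header = encode("user", "pa:ss:word");
        System.out.println("Header on the wire : " + header);
        String[] creds = decode(header);
        // Anyone holding the header holds the password: this is why TLS is mandatory.
        System.out.println("Recovered user-id  : " + creds[0]);
        System.out.println("Recovered password : " + creds[1]);
        System.out.println("Lower-case scheme  : " + (decode(header.replace("Basic", "basic")) != null));
        System.out.println("Bearer token       : " + decode("Bearer abc.def.ghi"));
        System.out.println("Bad Base64         : " + decode("Basic !!not-base64!!"));
    }
}
```

The same header-parsing rules are what Spring Security's BasicAuthenticationFilter applies before handing the pair to your UserDetailsService, so this is also a useful mental model when a client "with a perfectly good password" keeps receiving 401: check the header it actually sends.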

🛠 Best Practices

  • Use BCryptPasswordEncoder (or another adaptive, salted hash) so that stored passwords are never plaintext and a leaked user store is not an immediate credential leak.
  • Separate roles clearly in SecurityConfig: guard sensitive paths with hasRole/hasAnyRole rather than relying on authenticated() alone, and verify the 403 case in tests.
  • Add rate limiting and logging for security-sensitive endpoints; Basic Auth has no built-in lockout, so a burst of 401s against one account is a brute-force signal worth alerting on.
  • Keep credentials in a secure secrets manager, not in plain code or config; the in-memory users above are for demonstration only.

🏁 Conclusion

Securing REST APIs with Basic Authentication in Spring Boot is straightforward with Spring Security. With Spring Boot 3 and Spring Security 6, configuration is a single SecurityFilterChain bean written with the lambda-style Java DSL, replacing the older WebSecurityConfigurerAdapter subclassing.

Use this setup for quick authentication over TLS and to secure your internal APIs effectively using Spring's robust security model; reach for OAuth2/JWT when the API faces the public internet.