
Basic Authentication in Spring Boot

Let’s learn how to implement Basic authentication in a Spring MVC application with an example.

Configure Basic Auth

To set up basic authentication, you need to provide your own HttpSecurity configuration. As with a custom login form, this means supplying a custom WebSecurityConfigurerAdapter, as shown below. (WebSecurityConfigurerAdapter was deprecated in Spring Security 5.7 in favour of a SecurityFilterChain bean; the examples on this page use the adapter, and the same HttpSecurity calls apply either way.)

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // every request must be authenticated ...
                .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                // ... and HTTP Basic is the mechanism used to authenticate it
                .httpBasic();
    }
}

This is the only change you have to make. After adding this configuration, restart the application and access http://localhost:8080/hello. This time the browser shows a username and password dialog. The dialog itself looks different from browser to browser (see image below), but they all take a username and password.

[Image: spring basic auth in action; browsers showing the basic authentication dialog]

After providing a valid username and password, you will be shown the "Hello World!" message.

Browser behaviour for Basic Auth

You may wonder how the browser knew when to ask for credentials. This is part of the HTTP specification (RFC 7235 for the authentication framework, RFC 7617 for the Basic scheme). When a request without valid credentials reaches a resource protected by Basic auth, the server must respond with a 401 Unauthorized status and a WWW-Authenticate header. This header names the authentication scheme the server accepts, in this case Basic, together with a realm, for example WWW-Authenticate: Basic realm="Realm". The browser recognises the challenge, prompts the user, and retries the request with an Authorization header of the form Authorization: Basic base64(username:password).

Session Handling with BasicAuth

By default, Spring Security enables session management. On successful authentication it creates an HTTP session and returns a JSESSIONID cookie to the browser, so strictly speaking later requests would not need an Authorization header. Browsers, however, cache the Basic credentials and keep sending the Authorization header on every request to that site anyway. That fits the design of the scheme: every request carries everything needed to authenticate it, so client and server can communicate statelessly. We will cover sessions and state in upcoming posts. For now, just remember that a session is nothing more than the server keeping track of a client across requests.

We can take full advantage of this property of basic authentication by disabling session management altogether, with a small change to our Spring configuration.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .httpBasic()
                .and()
                // never create a session and never use an existing one:
                // every request must authenticate itself with its Authorization header
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

With the session creation policy set to STATELESS, Spring Security neither creates a session nor reads an existing one, so no JSESSIONID cookie is sent to the browser and every request has to carry its own Authorization header. You can check this in the Chrome developer tools under Application > Storage > Cookies, or by watching the response headers of curl -v: there is no Set-Cookie header anymore.

This is helpful when more than one instance of the same application runs behind a load balancer or a gateway. Because no request depends on a session, the instances neither need sticky sessions nor a shared session store such as Redis.

Things to consider

  1. The credentials in a Basic Authorization header are only base64-encoded, not encrypted: anyone who can observe the request can decode the username and password. Only use Basic auth when the connection between client and server is encrypted, i.e. over TLS (HTTPS).
  2. With the stateless policy every request is authenticated from scratch, so the UserDetailsService lookup and the password-hash comparison run on every single request. That is cheap with in-memory users such as the default generated user, but it becomes a real cost when user details are fetched from a database or a third-party service.
  3. Complementing point 2, you can improve performance by serving the user details from a cache such as Redis; Spring Security's UserCache abstraction (for example SpringCacheBasedUserCache) exists for exactly this. Note that caching the user record still leaves the per-request hash verification in place, and that a cached entry delays the effect of a password change or account lock until it expires.
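The exchange described under "Browser behaviour for Basic Auth" and the two session policies from "Session Handling with BasicAuth", modelled end to end as an added example (this is not code from the original post or from Spring Security, and it needs no running server). A toy server issues the 401 challenge, decodes and verifies the Authorization header in constant time and, unless it is stateless, hands out a JSESSIONID cookie; a client function retries with credentials the way the browser does. The realm "hello", the single user "user"/"password", the salt and the PBKDF2 parameters are all constructed for the example. It also demonstrates point 1 of the list above: parse_basic_header recovers the clear-text password from any captured header.

```python
import base64
import hashlib
import hmac
import secrets

REALM = "hello"  # constructed realm name for the challenge

# Constructed user store: a salted PBKDF2 hash of the password "password",
# never the clear-text password itself.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 50_000


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)


USERS = {"user": _hash_password("password")}


def basic_header(username, password):
    """Build the header value a browser sends after the prompt: base64 of 'user:pass'."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(value):
    """Decode an Authorization header into (username, password), or None if malformed.

    Anyone who sees the header can do this: base64 is encoding, not encryption.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")  # the password itself may contain ':'
    return username, password


def check_password(username, password):
    """Verify against the stored hash in constant time.

    The hash is computed even for unknown users so that response time does not
    reveal which usernames exist. This is the per-request cost of stateless Basic auth.
    """
    candidate = _hash_password(password)
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)


class ToyServer:
    """Models Spring Security's Basic auth filter under either session creation policy."""

    def __init__(self, stateless):
        self.stateless = stateless
        self.sessions = {}  # JSESSIONID -> username, only used when not stateless

    def handle(self, headers):
        """Return (status, response_headers) for a request given as a dict of headers."""
        if not self.stateless:
            cookie = headers.get("Cookie", "")
            session_id = cookie.partition("JSESSIONID=")[2].split(";")[0]
            if session_id in self.sessions:
                return 200, {}  # already authenticated by the session, no header needed
        creds = parse_basic_header(headers.get("Authorization", ""))
        if creds is None or not check_password(*creds):
            # The 401 plus WWW-Authenticate challenge is what makes the browser prompt.
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
        response = {}
        if not self.stateless:
            session_id = secrets.token_hex(16)
            self.sessions[session_id] = creds[0]
            response["Set-Cookie"] = f"JSESSIONID={session_id}; Path=/; HttpOnly"
        return 200, response


def browser_flow(server, username, password):
    """First an unauthenticated request, then a retry with credentials after the challenge.

    Returns (first_status, challenge_header, second_status, second_response_headers).
    """
    status, resp = server.handle({})
    challenge = resp.get("WWW-Authenticate")
    if status != 401 or not challenge or not challenge.lower().startswith("basic"):
        return status, challenge, None, resp
    status2, resp2 = server.handle({"Authorization": basic_header(username, password)})
    return status, challenge, status2, resp2


if __name__ == "__main__":
    for stateless in (False, True):
        server = ToyServer(stateless=stateless)
        first, challenge, second, resp = browser_flow(server, "user", "password")
        print(f"stateless={stateless}: {first} {challenge!r} -> {second} {resp}")
        cookie = resp.get("Set-Cookie", "").split(";")[0]
        # A cookie-only request passes with sessions and is challenged again when stateless.
        print("  cookie-only request ->", server.handle({"Cookie": cookie})[0])
    print("recovered from the wire:", parse_basic_header(basic_header("user", "password")))
```

Run it once with each policy and compare the cookie-only request: with sessions enabled it returns 200, with the stateless policy it is challenged again, which is exactly why the browser keeps sending the Authorization header. Every authenticated request in stateless mode goes through check_password, i.e. a full hash computation, which is the cost behind points 2 and 3 above.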

You can find this example in our GitHub Repository.
