Bird
Raised Fist0
Spring Bootframework~5 mins

HTTP Basic authentication in Spring Boot

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

HTTP Basic authentication helps protect your web app by asking users for a username and password before they can access certain pages.

You want a simple way to secure admin pages in your Spring Boot app.
You need to quickly protect an API endpoint without complex login forms.
You want to test authentication in development without building a full login system.
Syntax
Spring Boot
http
  .authorizeHttpRequests(auth -> auth
    .anyRequest().authenticated()
  )
  .httpBasic();
This code goes inside your Spring Security configuration class.
It tells Spring Boot to require authentication for all requests and use HTTP Basic.
Examples
This example secures only URLs under /admin/, letting others be public.
Spring Boot
http
  .authorizeHttpRequests(auth -> auth
    .requestMatchers("/admin/**").authenticated()
    .anyRequest().permitAll()
  )
  .httpBasic();
Complete method to enable HTTP Basic authentication for all requests.
Spring Boot
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
  return http
    .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
    .httpBasic()
    .and()
    .build();
}
Sample Program

This Spring Boot app requires HTTP Basic authentication for all pages. When you visit any URL, the browser will ask for username and password.

Spring Boot
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@SpringBootApplication
public class DemoApplication {

  public static void main(String[] args) {
    SpringApplication.run(DemoApplication.class, args);
  }

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
      .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
      .httpBasic()
      .and()
      .build();
  }
}
OutputSuccess
Important Notes

HTTP Basic sends credentials encoded but not encrypted. Use it only over HTTPS to keep passwords safe.

Spring Boot by default creates a user with a generated password printed in the console when the app starts.

Summary

HTTP Basic authentication is a simple way to protect web resources with username and password.

Spring Boot makes it easy to enable with just a few lines in your security config.

Always use HTTPS with HTTP Basic to keep credentials secure.

Practice

(1/5)
1. What does HTTP Basic authentication do in a Spring Boot application?
easy
A. It protects web resources by requiring a username and password.
B. It encrypts all data sent between client and server automatically.
C. It allows users to log in without any credentials.
D. It disables security for all endpoints.

Solution

  1. Step 1: Understand HTTP Basic authentication purpose

    HTTP Basic authentication requires users to provide a username and password to access protected resources.

  2. Step 2: Identify what it does in Spring Boot

    Spring Boot uses HTTP Basic to prompt for credentials before allowing access to endpoints.

  3. Final Answer:

    It protects web resources by requiring a username and password. -> Option A

  4. Quick Check:

    HTTP Basic authentication = username and password protection [OK]
Hint: Remember HTTP Basic always asks for username and password [OK]
Common Mistakes:
  • Thinking HTTP Basic encrypts data by itself
  • Assuming it allows access without credentials
  • Confusing it with disabling security
2. Which of the following is the correct way to enable HTTP Basic authentication in a Spring Security configuration?
easy
A. http.authBasic();
B. http.enableBasicAuth();
C. http.httpBasic();
D. http.basicAuthentication();

Solution

  1. Step 1: Recall Spring Security method for HTTP Basic

    The correct method to enable HTTP Basic is httpBasic() on the HttpSecurity object.

  2. Step 2: Match the exact method name

    Only http.httpBasic(); matches the official Spring Security syntax.

  3. Final Answer:

    http.httpBasic(); -> Option C

  4. Quick Check:

    Enable HTTP Basic = http.httpBasic() [OK]
Hint: Look for exact method name: httpBasic() [OK]
Common Mistakes:
  • Using incorrect method names like enableBasicAuth()
  • Confusing method names with similar words
  • Missing parentheses in method call
3. Given this Spring Security configuration snippet, what happens when a user accesses a protected endpoint?
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpBasic();
medium
A. The user can access the endpoint without any credentials.
B. The user is redirected to a custom login page.
C. The server returns a 404 Not Found error.
D. The user is prompted to enter username and password via browser popup.

Solution

  1. Step 1: Analyze the configuration

    The configuration requires authentication for any request and enables HTTP Basic authentication.

  2. Step 2: Understand HTTP Basic behavior

    HTTP Basic triggers a browser popup asking for username and password when accessing protected resources.

  3. Final Answer:

    The user is prompted to enter username and password via browser popup. -> Option D

  4. Quick Check:

    httpBasic() = browser login popup [OK]
Hint: httpBasic() triggers browser popup for credentials [OK]
Common Mistakes:
  • Thinking it redirects to a login page
  • Assuming no credentials are needed
  • Confusing 404 error with authentication failure
4. Identify the error in this Spring Security configuration for HTTP Basic authentication:
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpbasic();
medium
A. Method name should be httpBasic() with capital B.
B. authorizeHttpRequests() should be authorizeRequests().
C. authenticated() should be permitAll().
D. No error, configuration is correct.

Solution

  1. Step 1: Check method names carefully

    The method to enable HTTP Basic is httpBasic() with a capital B, not httpbasic().

  2. Step 2: Verify other methods

    authorizeHttpRequests() is correct in Spring Security 6+, and authenticated() is appropriate to require login.

  3. Final Answer:

    Method name should be httpBasic() with capital B. -> Option A

  4. Quick Check:

    Method names are case-sensitive = httpBasic() [OK]
Hint: Check method capitalization carefully [OK]
Common Mistakes:
  • Using wrong method case like httpbasic()
  • Confusing authorizeHttpRequests with older authorizeRequests
  • Changing authenticated() to permitAll() incorrectly
5. You want to secure your Spring Boot REST API with HTTP Basic authentication but only for the endpoints under /admin/**. Which configuration snippet correctly applies HTTP Basic only to those endpoints?
hard
A. http.httpBasic().authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
B. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic();
C. http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll()).httpBasic();
D. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").permitAll()).httpBasic();

Solution

  1. Step 1: Understand the requirement

    Only endpoints matching /admin/** should require authentication; others should be open.

  2. Step 2: Analyze each option

    http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); correctly requires authentication for /admin/** and permits all other requests. Other options either require authentication for all requests, permit all requests, or incorrectly permit the /admin/** paths.

  3. Final Answer:

    http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); -> Option B

  4. Quick Check:

    Secure only /admin/** = authenticated() on matcher + permitAll() others [OK]
Hint: Use requestMatchers for specific paths, then set auth [OK]
Common Mistakes:
  • Applying authentication to all endpoints instead of specific ones
  • Permitting admin endpoints by mistake
  • Misordering authorizeHttpRequests and httpBasic calls