HTTP Basic authentication in Spring Boot - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What happens when a Spring Boot REST endpoint is accessed without credentials with HTTP Basic authentication enabled?

Consider a Spring Boot application with HTTP Basic authentication enabled on a REST endpoint. What is the response when a client tries to access the endpoint without sending any credentials?

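# application.properties
spring.security.user.name=user
spring.security.user.password=pass

// MyController.java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MyController {
  // Handles GET /data and returns the payload as the response body
  @GetMapping("/data")
  public String getData() {
    return "secret data";
  }
}
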
A. The server responds with HTTP status 200 OK and returns the data without authentication.
B. The server responds with HTTP status 403 Forbidden without any authentication prompt.
C. The server responds with HTTP status 401 Unauthorized and a WWW-Authenticate header prompting for credentials.
D. The server responds with HTTP status 500 Internal Server Error due to missing credentials.
💡 Hint

Think about how HTTP Basic authentication challenges clients when no credentials are provided.

📝 Syntax
intermediate
Which code snippet correctly configures HTTP Basic authentication in Spring Boot using Java configuration?

Choose the correct Java configuration snippet to enable HTTP Basic authentication in a Spring Boot application.

A.
http
  .authorizeRequests().anyRequest().permitAll()
  .httpBasic();
B.
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpBasic(withDefaults());
C.
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .formLogin();
D.
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .oauth2Login();
💡 Hint

Look for the method that enables HTTP Basic authentication and requires authentication for all requests.

state_output
advanced
What is the value of the 'Authorization' header sent by the client in HTTP Basic authentication for username 'admin' and password '1234'?

When a client sends credentials using HTTP Basic authentication with username 'admin' and password '1234', what is the exact value of the 'Authorization' header?

A. Basic YWRtaW46MTIzNA==
B. Bearer YWRtaW46MTIzNA==
C. Basic admin:1234
D. Token YWRtaW46MTIzNA==
💡 Hint

Remember HTTP Basic authentication encodes 'username:password' in Base64 and prefixes with 'Basic '.

🔧 Debug
advanced
Why does this Spring Boot HTTP Basic authentication configuration fail to protect the endpoint?

Given the following Spring Security configuration, why does the endpoint '/api/data' remain accessible without authentication?

http
  .authorizeHttpRequests(auth -> auth
    .requestMatchers("/public/**").permitAll()
    .anyRequest().permitAll())
  .httpBasic(withDefaults());
A. Because '.anyRequest().permitAll()' allows all requests without authentication, overriding the HTTP Basic setup.
B. Because '.requestMatchers("/public/**").permitAll()' blocks authentication for all endpoints.
C. Because HTTP Basic authentication requires '.formLogin()' to work properly.
D. Because the 'httpBasic()' method is missing in the configuration.
💡 Hint

Check the order and effect of authorization rules in the configuration.

🧠 Conceptual
expert
Which statement best describes the security limitation of HTTP Basic authentication in Spring Boot?

Consider the security model of HTTP Basic authentication in Spring Boot. Which statement correctly identifies a key limitation?

A. HTTP Basic authentication automatically encrypts credentials, so it is safe to use over plain HTTP.
B. HTTP Basic authentication requires OAuth tokens to function securely.
C. HTTP Basic authentication stores credentials in cookies, which can be vulnerable to cross-site scripting attacks.
D. HTTP Basic authentication sends credentials encoded but not encrypted, so it should only be used over HTTPS to protect credentials.
💡 Hint

Think about how HTTP Basic authentication transmits credentials over the network.