Bird
Raised Fist0
Spring Bootframework~20 mins

HTTP Basic authentication in Spring Boot - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
HTTP Basic Auth Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
component_behavior
intermediate
2:00remaining
What happens when a Spring Boot REST endpoint is accessed without credentials with HTTP Basic authentication enabled?

Consider a Spring Boot application with HTTP Basic authentication enabled on a REST endpoint. What is the response when a client tries to access the endpoint without sending any credentials?

Spring Boot
spring.security.user.name=user
spring.security.user.password=pass

@RestController
public class MyController {
  @GetMapping("/data")
  public String getData() {
    return "secret data";
  }
}
AThe server responds with HTTP status 200 OK and returns the data without authentication.
BThe server responds with HTTP status 403 Forbidden without any authentication prompt.
CThe server responds with HTTP status 401 Unauthorized and a WWW-Authenticate header prompting for credentials.
DThe server responds with HTTP status 500 Internal Server Error due to missing credentials.
Attempts:
2 left
💡 Hint

Think about how HTTP Basic authentication challenges clients when no credentials are provided.

📝 Syntax
intermediate
2:00remaining
Which code snippet correctly configures HTTP Basic authentication in Spring Boot using Java configuration?

Choose the correct Java configuration snippet to enable HTTP Basic authentication in a Spring Boot application.

A
http
  .authorizeRequests().anyRequest().permitAll()
  .httpBasic();
B
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpBasic(withDefaults());
C
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .formLogin();
D
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .oauth2Login();
Attempts:
2 left
💡 Hint

Look for the method that enables HTTP Basic authentication and requires authentication for all requests.

state_output
advanced
2:00remaining
What is the value of the 'Authorization' header sent by the client in HTTP Basic authentication for username 'admin' and password '1234'?

When a client sends credentials using HTTP Basic authentication with username 'admin' and password '1234', what is the exact value of the 'Authorization' header?

ABasic YWRtaW46MTIzNA==
BBearer YWRtaW46MTIzNA==
CBasic admin:1234
DToken YWRtaW46MTIzNA==
Attempts:
2 left
💡 Hint

Remember HTTP Basic authentication encodes 'username:password' in Base64 and prefixes with 'Basic '.

🔧 Debug
advanced
2:00remaining
Why does this Spring Boot HTTP Basic authentication configuration fail to protect the endpoint?

Given the following Spring Security configuration, why does the endpoint '/api/data' remain accessible without authentication?

Spring Boot
http
  .authorizeHttpRequests(auth -> auth
    .requestMatchers("/public/**").permitAll()
    .anyRequest().permitAll())
  .httpBasic(withDefaults());
ABecause '.anyRequest().permitAll()' allows all requests without authentication, overriding the HTTP Basic setup.
BBecause '.requestMatchers("/public/**").permitAll()' blocks authentication for all endpoints.
CBecause HTTP Basic authentication requires '.formLogin()' to work properly.
DBecause the 'httpBasic()' method is missing in the configuration.
Attempts:
2 left
💡 Hint

Check the order and effect of authorization rules in the configuration.

🧠 Conceptual
expert
2:00remaining
Which statement best describes the security limitation of HTTP Basic authentication in Spring Boot?

Consider the security model of HTTP Basic authentication in Spring Boot. Which statement correctly identifies a key limitation?

AHTTP Basic authentication automatically encrypts credentials, so it is safe to use over plain HTTP.
BHTTP Basic authentication requires OAuth tokens to function securely.
CHTTP Basic authentication stores credentials in cookies, which can be vulnerable to cross-site scripting attacks.
DHTTP Basic authentication sends credentials encoded but not encrypted, so it should only be used over HTTPS to protect credentials.
Attempts:
2 left
💡 Hint

Think about how HTTP Basic authentication transmits credentials over the network.

Practice

(1/5)
1. What does HTTP Basic authentication do in a Spring Boot application?
easy
A. It protects web resources by requiring a username and password.
B. It encrypts all data sent between client and server automatically.
C. It allows users to log in without any credentials.
D. It disables security for all endpoints.

Solution

  1. Step 1: Understand HTTP Basic authentication purpose

    HTTP Basic authentication requires users to provide a username and password to access protected resources.

  2. Step 2: Identify what it does in Spring Boot

    Spring Boot uses HTTP Basic to prompt for credentials before allowing access to endpoints.

  3. Final Answer:

    It protects web resources by requiring a username and password. -> Option A

  4. Quick Check:

    HTTP Basic authentication = username and password protection [OK]
Hint: Remember HTTP Basic always asks for username and password [OK]
Common Mistakes:
  • Thinking HTTP Basic encrypts data by itself
  • Assuming it allows access without credentials
  • Confusing it with disabling security
2. Which of the following is the correct way to enable HTTP Basic authentication in a Spring Security configuration?
easy
A. http.authBasic();
B. http.enableBasicAuth();
C. http.httpBasic();
D. http.basicAuthentication();

Solution

  1. Step 1: Recall Spring Security method for HTTP Basic

    The correct method to enable HTTP Basic is httpBasic() on the HttpSecurity object.

  2. Step 2: Match the exact method name

    Only http.httpBasic(); matches the official Spring Security syntax.

  3. Final Answer:

    http.httpBasic(); -> Option C

  4. Quick Check:

    Enable HTTP Basic = http.httpBasic() [OK]
Hint: Look for exact method name: httpBasic() [OK]
Common Mistakes:
  • Using incorrect method names like enableBasicAuth()
  • Confusing method names with similar words
  • Missing parentheses in method call
3. Given this Spring Security configuration snippet, what happens when a user accesses a protected endpoint?
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpBasic();
medium
A. The user can access the endpoint without any credentials.
B. The user is redirected to a custom login page.
C. The server returns a 404 Not Found error.
D. The user is prompted to enter username and password via browser popup.

Solution

  1. Step 1: Analyze the configuration

    The configuration requires authentication for any request and enables HTTP Basic authentication.

  2. Step 2: Understand HTTP Basic behavior

    HTTP Basic triggers a browser popup asking for username and password when accessing protected resources.

  3. Final Answer:

    The user is prompted to enter username and password via browser popup. -> Option D

  4. Quick Check:

    httpBasic() = browser login popup [OK]
Hint: httpBasic() triggers browser popup for credentials [OK]
Common Mistakes:
  • Thinking it redirects to a login page
  • Assuming no credentials are needed
  • Confusing 404 error with authentication failure
4. Identify the error in this Spring Security configuration for HTTP Basic authentication:
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpbasic();
medium
A. Method name should be httpBasic() with capital B.
B. authorizeHttpRequests() should be authorizeRequests().
C. authenticated() should be permitAll().
D. No error, configuration is correct.

Solution

  1. Step 1: Check method names carefully

    The method to enable HTTP Basic is httpBasic() with a capital B, not httpbasic().

  2. Step 2: Verify other methods

    authorizeHttpRequests() is correct in Spring Security 6+, and authenticated() is appropriate to require login.

  3. Final Answer:

    Method name should be httpBasic() with capital B. -> Option A

  4. Quick Check:

    Method names are case-sensitive = httpBasic() [OK]
Hint: Check method capitalization carefully [OK]
Common Mistakes:
  • Using wrong method case like httpbasic()
  • Confusing authorizeHttpRequests with older authorizeRequests
  • Changing authenticated() to permitAll() incorrectly
5. You want to secure your Spring Boot REST API with HTTP Basic authentication but only for the endpoints under /admin/**. Which configuration snippet correctly applies HTTP Basic only to those endpoints?
hard
A. http.httpBasic().authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
B. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic();
C. http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll()).httpBasic();
D. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").permitAll()).httpBasic();

Solution

  1. Step 1: Understand the requirement

    Only endpoints matching /admin/** should require authentication; others should be open.

  2. Step 2: Analyze each option

    http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); correctly requires authentication for /admin/** and permits all other requests. Other options either require authentication for all requests, permit all requests, or incorrectly permit the /admin/** paths.

  3. Final Answer:

    http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); -> Option B

  4. Quick Check:

    Secure only /admin/** = authenticated() on matcher + permitAll() others [OK]
Hint: Use requestMatchers for specific paths, then set auth [OK]
Common Mistakes:
  • Applying authentication to all endpoints instead of specific ones
  • Permitting admin endpoints by mistake
  • Misordering authorizeHttpRequests and httpBasic calls