Spring Boot framework, ~5 mins

HTTP Basic authentication in Spring Boot - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is HTTP Basic authentication?
HTTP Basic authentication is a simple way to protect web resources by requiring a username and password sent in the HTTP header encoded in Base64.
intermediate
How does Spring Boot enable HTTP Basic authentication?
Spring Boot enables HTTP Basic authentication by configuring security settings, often using the @EnableWebSecurity annotation and setting up an AuthenticationManager with user details.
beginner
What header does the client send for HTTP Basic authentication?
The client sends the 'Authorization' header with the value 'Basic ' followed by the Base64-encoded string 'username:password'.
intermediate
What happens if HTTP Basic authentication fails in Spring Boot?
If authentication fails, Spring Boot responds with HTTP status 401 Unauthorized and includes a 'WWW-Authenticate' header prompting the client to provide credentials.
beginner
Why is HTTP Basic authentication not recommended for production without HTTPS?
Because the credentials are only Base64-encoded, not encrypted, anyone who can observe plain HTTP traffic can decode and read them. HTTPS encrypts the entire connection, so the Authorization header is protected in transit.
Which HTTP header carries the credentials in HTTP Basic authentication?
A. Authentication
B. Authorization
C. WWW-Authenticate
D. Proxy-Authorization
In Spring Boot, which annotation is commonly used to enable web security including HTTP Basic?
A. @EnableWebSecurity
B. @SpringBootApplication
C. @RestController
D. @EnableAutoConfiguration
What status code does the server return when HTTP Basic authentication fails?
A. 400 Bad Request
B. 403 Forbidden
C. 401 Unauthorized
D. 500 Internal Server Error
How are credentials sent in HTTP Basic authentication?
A. Hashed password in a cookie
B. Encrypted username and password in the body
C. Plain text username and password in URL parameters
D. Base64 encoded username and password in the Authorization header
Why should HTTP Basic authentication be used with HTTPS?
A. To encrypt credentials and protect them from interception
B. To speed up authentication
C. To avoid using passwords
D. To allow anonymous access
Explain how HTTP Basic authentication works in a Spring Boot application.
Think about the request header and server response.
Describe why it is important to use HTTPS with HTTP Basic authentication.
Consider what happens if data is sent over an unprotected network.

Practice

      1. What does HTTP Basic authentication do in a Spring Boot application?
      easy
      A. It protects web resources by requiring a username and password.
      B. It encrypts all data sent between client and server automatically.
      C. It allows users to log in without any credentials.
      D. It disables security for all endpoints.

      Solution

      1. Step 1: Understand HTTP Basic authentication purpose

        HTTP Basic authentication requires users to provide a username and password to access protected resources.
      2. Step 2: Identify what it does in Spring Boot

        Spring Boot uses HTTP Basic to prompt for credentials before allowing access to endpoints.
      3. Final Answer:

        It protects web resources by requiring a username and password. -> Option A
      4. Quick Check:

        HTTP Basic authentication = username and password protection [OK]
      Hint: Remember HTTP Basic always asks for username and password [OK]
      Common Mistakes:
      • Thinking HTTP Basic encrypts data by itself
      • Assuming it allows access without credentials
      • Confusing it with disabling security
      2. Which of the following is the correct way to enable HTTP Basic authentication in a Spring Security configuration?
      easy
      A. http.authBasic();
      B. http.enableBasicAuth();
      C. http.httpBasic();
      D. http.basicAuthentication();

      Solution

      1. Step 1: Recall Spring Security method for HTTP Basic

        The correct method to enable HTTP Basic is httpBasic() on the HttpSecurity object.
      2. Step 2: Match the exact method name

        Only http.httpBasic(); matches the official Spring Security syntax.
      3. Final Answer:

        http.httpBasic(); -> Option C
      4. Quick Check:

        Enable HTTP Basic = http.httpBasic() [OK]
      Hint: Look for exact method name: httpBasic() [OK]
      Common Mistakes:
      • Using incorrect method names like enableBasicAuth()
      • Confusing method names with similar words
      • Missing parentheses in method call
      3. Given this Spring Security configuration snippet, what happens when a user accesses a protected endpoint?
      http
        .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
        .httpBasic();
      medium
      A. The user can access the endpoint without any credentials.
      B. The user is redirected to a custom login page.
      C. The server returns a 404 Not Found error.
      D. The user is prompted to enter username and password via browser popup.

      Solution

      1. Step 1: Analyze the configuration

        The configuration requires authentication for any request and enables HTTP Basic authentication.
      2. Step 2: Understand HTTP Basic behavior

        HTTP Basic triggers a browser popup asking for username and password when accessing protected resources.
      3. Final Answer:

        The user is prompted to enter username and password via browser popup. -> Option D
      4. Quick Check:

        httpBasic() = browser login popup [OK]
      Hint: httpBasic() triggers browser popup for credentials [OK]
      Common Mistakes:
      • Thinking it redirects to a login page
      • Assuming no credentials are needed
      • Confusing 404 error with authentication failure
      4. Identify the error in this Spring Security configuration for HTTP Basic authentication:
      http
        .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
        .httpbasic();
      medium
      A. Method name should be httpBasic() with capital B.
      B. authorizeHttpRequests() should be authorizeRequests().
      C. authenticated() should be permitAll().
      D. No error, configuration is correct.

      Solution

      1. Step 1: Check method names carefully

        The method to enable HTTP Basic is httpBasic() with a capital B, not httpbasic().
      2. Step 2: Verify other methods

        authorizeHttpRequests() is correct in Spring Security 6+, and authenticated() is appropriate to require login.
      3. Final Answer:

        Method name should be httpBasic() with capital B. -> Option A
      4. Quick Check:

        Method names are case-sensitive = httpBasic() [OK]
      Hint: Check method capitalization carefully [OK]
      Common Mistakes:
      • Using wrong method case like httpbasic()
      • Confusing authorizeHttpRequests with older authorizeRequests
      • Changing authenticated() to permitAll() incorrectly
      5. You want to secure your Spring Boot REST API with HTTP Basic authentication but only for the endpoints under /admin/**. Which configuration snippet correctly applies HTTP Basic only to those endpoints?
      hard
      A. http.httpBasic().authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
      B. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic();
      C. http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll()).httpBasic();
      D. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").permitAll()).httpBasic();

      Solution

      1. Step 1: Understand the requirement

        Only endpoints matching /admin/** should require authentication; others should be open.
      2. Step 2: Analyze each option

        http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); correctly requires authentication for /admin/** and permits all other requests. Other options either require authentication for all requests, permit all requests, or incorrectly permit the /admin/** paths.
      3. Final Answer:

        http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); -> Option B
      4. Quick Check:

        Secure only /admin/** = authenticated() on matcher + permitAll() others [OK]
      Hint: Use requestMatchers for specific paths, then set auth [OK]
      Common Mistakes:
      • Applying authentication to all endpoints instead of specific ones
      • Permitting admin endpoints by mistake
      • Misordering authorizeHttpRequests and httpBasic calls