
HTTP Basic authentication in Spring Boot - Interactive Code Practice

Practice - 5 Tasks
Answer the questions below
1. fill in blank
easy

Complete the code to enable HTTP Basic authentication in Spring Boot.

Spring Boot
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .[1]();
    }
}
A. httpBasic
B. formLogin
C. csrf
D. logout
Common Mistakes
Using formLogin() instead of httpBasic() will enable form-based login, not HTTP Basic.
Forgetting to call any authentication method will leave the app unsecured.
2. fill in blank
medium

Complete the code to configure an in-memory user with username 'user' and password 'password'.

Spring Boot
@Bean
public UserDetailsService userDetailsService() {
    UserDetails user = User.withDefaultPasswordEncoder()
        .username("user")
        .password("password")
        .roles("USER")
        .[1]();
    return new InMemoryUserDetailsManager(user);
}
A. make
B. create
C. get
D. build
Common Mistakes
Using create() or get() will cause compilation errors as these methods do not exist.
Forgetting to call build() will leave the user incomplete.
3. fill in blank
hard

Fix the error in the method signature to override the configure method for authentication manager.

Spring Boot
@Override
protected void configure(AuthenticationManagerBuilder [1]) throws Exception {
    [1].inMemoryAuthentication()
        .withUser("admin")
        .password("adminpass")
        .roles("ADMIN");
}
A. manager
B. auth
C. authentication
D. builder
Common Mistakes
Using a different parameter name than the one used inside the method causes errors.
Not matching the parameter name with its usage inside the method.
4. fill in blank
hard

Fill both blanks to disable CSRF protection and enable HTTP Basic authentication.

Spring Boot
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().[1]()
        .and()
        .[2]();
}
A. disable
B. enable
C. httpBasic
D. formLogin
Common Mistakes
Using 'enable()' instead of 'disable()' for CSRF disables nothing.
Using 'formLogin()' instead of 'httpBasic()' changes the authentication method.
5. fill in blank
hard

Fill all three blanks to create a user with username 'guest', password 'guestpass', and role 'GUEST'.

Spring Boot
UserDetails guest = User.withDefaultPasswordEncoder()
    .username("[1]")
    .password("[2]")
    .roles("[3]")
    .build();
A. guest
B. guestpass
C. GUEST
D. ADMIN
Common Mistakes
Mixing up roles or passwords causes authentication failures.
Using 'ADMIN' role instead of 'GUEST' changes user permissions.

Practice

1. What does HTTP Basic authentication do in a Spring Boot application?
easy
A. It protects web resources by requiring a username and password.
B. It encrypts all data sent between client and server automatically.
C. It allows users to log in without any credentials.
D. It disables security for all endpoints.

Solution

  1. Step 1: Understand HTTP Basic authentication purpose

    HTTP Basic authentication requires users to provide a username and password to access protected resources.
  2. Step 2: Identify what it does in Spring Boot

    Spring Boot uses HTTP Basic to prompt for credentials before allowing access to endpoints.
  3. Final Answer:

    It protects web resources by requiring a username and password. -> Option A
  4. Quick Check:

    HTTP Basic authentication = username and password protection [OK]
Hint: Remember HTTP Basic always asks for username and password [OK]
Common Mistakes:
  • Thinking HTTP Basic encrypts data by itself
  • Assuming it allows access without credentials
  • Confusing it with disabling security
2. Which of the following is the correct way to enable HTTP Basic authentication in a Spring Security configuration?
easy
A. http.authBasic();
B. http.enableBasicAuth();
C. http.httpBasic();
D. http.basicAuthentication();

Solution

  1. Step 1: Recall Spring Security method for HTTP Basic

    The correct method to enable HTTP Basic is httpBasic() on the HttpSecurity object.
  2. Step 2: Match the exact method name

    Only http.httpBasic(); matches the official Spring Security syntax.
  3. Final Answer:

    http.httpBasic(); -> Option C
  4. Quick Check:

    Enable HTTP Basic = http.httpBasic() [OK]
Hint: Look for exact method name: httpBasic() [OK]
Common Mistakes:
  • Using incorrect method names like enableBasicAuth()
  • Confusing method names with similar words
  • Missing parentheses in method call
3. Given this Spring Security configuration snippet, what happens when a user accesses a protected endpoint?
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpBasic();
medium
A. The user can access the endpoint without any credentials.
B. The user is redirected to a custom login page.
C. The server returns a 404 Not Found error.
D. The user is prompted to enter username and password via browser popup.

Solution

  1. Step 1: Analyze the configuration

    The configuration requires authentication for any request and enables HTTP Basic authentication.
  2. Step 2: Understand HTTP Basic behavior

    HTTP Basic triggers a browser popup asking for username and password when accessing protected resources.
  3. Final Answer:

    The user is prompted to enter username and password via browser popup. -> Option D
  4. Quick Check:

    httpBasic() = browser login popup [OK]
Hint: httpBasic() triggers browser popup for credentials [OK]
Common Mistakes:
  • Thinking it redirects to a login page
  • Assuming no credentials are needed
  • Confusing 404 error with authentication failure
4. Identify the error in this Spring Security configuration for HTTP Basic authentication:
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpbasic();
medium
A. Method name should be httpBasic() with capital B.
B. authorizeHttpRequests() should be authorizeRequests().
C. authenticated() should be permitAll().
D. No error, configuration is correct.

Solution

  1. Step 1: Check method names carefully

    The method to enable HTTP Basic is httpBasic() with a capital B, not httpbasic().
  2. Step 2: Verify other methods

    authorizeHttpRequests() is correct in Spring Security 6+, and authenticated() is appropriate to require login.
  3. Final Answer:

    Method name should be httpBasic() with capital B. -> Option A
  4. Quick Check:

    Method names are case-sensitive = httpBasic() [OK]
Hint: Check method capitalization carefully [OK]
Common Mistakes:
  • Using wrong method case like httpbasic()
  • Confusing authorizeHttpRequests with older authorizeRequests
  • Changing authenticated() to permitAll() incorrectly
5. You want to secure your Spring Boot REST API with HTTP Basic authentication but only for the endpoints under /admin/**. Which configuration snippet correctly applies HTTP Basic only to those endpoints?
hard
A. http.httpBasic().authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
B. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic();
C. http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll()).httpBasic();
D. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").permitAll()).httpBasic();

Solution

  1. Step 1: Understand the requirement

    Only endpoints matching /admin/** should require authentication; others should be open.
  2. Step 2: Analyze each option

    http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); correctly requires authentication for /admin/** and permits all other requests. Other options either require authentication for all requests, permit all requests, or incorrectly permit the /admin/** paths.
  3. Final Answer:

    http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); -> Option B
  4. Quick Check:

    Secure only /admin/** = authenticated() on matcher + permitAll() others [OK]
Hint: Use requestMatchers for specific paths, then set auth [OK]
Common Mistakes:
  • Applying authentication to all endpoints instead of specific ones
  • Permitting admin endpoints by mistake
  • Misordering authorizeHttpRequests and httpBasic calls