HTTP Basic authentication in Spring Boot - Step-by-Step Execution

Concept Flow - HTTP Basic authentication
Client sends HTTP request
Server checks Authorization header
Is header present?
  No: Respond 401 Unauthorized
  Yes: Decode Base64 credentials
Validate username and password
Are credentials valid?
  No: Respond 401 Unauthorized
  Yes: Grant access to requested resource
The client sends a request with credentials encoded in the Authorization header. The server decodes and validates them, then allows or denies access.
Execution Sample
Spring Boot
http.httpBasic();
// Client sends header: Authorization: Basic base64(user:pass)
// Server decodes and checks credentials
// If valid, request proceeds
// If invalid, server responds 401
This code enables HTTP Basic authentication in Spring Boot, where the server checks the Authorization header for valid credentials.
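The header check, Base64 decode and credential validation described above, written out as an added example (not code from this page and not Spring Security's implementation). The class name `BasicAuthCheck`, its helper methods and the demo account `user` / `pass` are assumptions for illustration; it needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
// Added illustration of the flow above; not Spring Security's own code.
public class BasicAuthCheck {
    record Credentials(String username, String password) {}

    // Steps 1-2: require "Basic <base64>" and decode it to username:password.
    static Optional<Credentials> parse(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();          // header missing or another scheme
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();          // payload is not valid Base64
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');     // split on the first colon only,
        if (colon < 0) {                      // because passwords may contain ':'
            return Optional.empty();
        }
        return Optional.of(new Credentials(decoded.substring(0, colon),
                                           decoded.substring(colon + 1)));
    }

    // Steps 3-5: check against one constructed demo account (user / pass).
    // A real application compares against a stored password hash instead.
    static int statusFor(String header) {
        Optional<Credentials> c = parse(header);
        if (c.isEmpty()) return 401;
        boolean userOk = sameBytes(c.get().username(), "user");
        boolean passOk = sameBytes(c.get().password(), "pass");
        return (userOk && passOk) ? 200 : 401; // both comparisons already ran
    }

    // Byte comparison with no early exit on the first differing byte.
    static boolean sameBytes(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed inputs: no header, user:pass, user:wrong, malformed Base64.
        String[] headers = { null, "Basic dXNlcjpwYXNz", "Basic dXNlcjp3cm9uZw==", "Basic !!!" };
        for (String h : headers) System.out.println(h + " -> " + statusFor(h));
    }
}
```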
Execution Table
| Step | Action | Input/Condition | Result | Server Response |
|------|--------|-----------------|--------|-----------------|
| 1 | Client sends HTTP request | No Authorization header | Server checks header | 401 Unauthorized |
| 2 | Client sends HTTP request | Authorization: Basic dXNlcjpwYXNz | Server decodes Base64 to 'user:pass' | Proceed to validation |
| 3 | Server validates credentials | Username='user', Password='pass' | Credentials valid? | If valid, grant access; else 401 |
| 4 | Credentials valid | Yes | Access granted to resource | 200 OK with resource |
| 5 | Credentials valid | No | Access denied | 401 Unauthorized |
💡 Execution stops when server either grants access (200 OK) or denies with 401 Unauthorized.
Variable Tracker
| Variable | Start | After Step 2 | After Step 3 | Final |
|----------|-------|--------------|--------------|-------|
| Authorization Header | None | Basic dXNlcjpwYXNz | Basic dXNlcjpwYXNz | Used for validation |
| Decoded Credentials | None | 'user:pass' | 'user:pass' | Checked for validity |
| Credentials Valid? | Unknown | Unknown | True or False | Determines access |
Key Moments - 3 Insights
Why does the server respond with 401 Unauthorized if the Authorization header is missing?
Because the server requires credentials to allow access. Without the header, it cannot authenticate the client, so it denies access as shown in execution_table step 1.
How does the server get the username and password from the Authorization header?
The server decodes the Base64 string in the header to get 'username:password', as shown in execution_table step 2.
What happens if the credentials are incorrect?
The server responds with 401 Unauthorized and denies access, as shown in execution_table step 5.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the server response when the Authorization header is missing?
A. 200 OK
B. 403 Forbidden
C. 401 Unauthorized
D. 500 Internal Server Error
💡 Hint
Check step 1 in the execution_table where no Authorization header is present.
At which step does the server decode the Base64 credentials?
A. Step 2
B. Step 1
C. Step 3
D. Step 4
💡 Hint
Look at the 'Action' and 'Result' columns in execution_table step 2.
If the credentials are invalid, what will the final server response be?
A. 200 OK
B. 401 Unauthorized
C. 404 Not Found
D. 302 Redirect
💡 Hint
See execution_table step 5 for invalid credentials.
Concept Snapshot
HTTP Basic authentication sends username and password encoded in the Authorization header.
Server decodes Base64 string to get credentials.
If credentials are valid, access is granted; otherwise, 401 Unauthorized is returned.
In Spring Boot, enable with http.httpBasic().
Always use HTTPS to protect credentials, because Base64 is an encoding, not encryption.
Full Transcript
HTTP Basic authentication works by the client sending an HTTP request with an Authorization header containing the username and password encoded in Base64. The server checks if this header is present. If missing, it responds with 401 Unauthorized. If present, the server decodes the Base64 string to extract the username and password. Then it validates these credentials. If valid, the server grants access to the requested resource and responds with 200 OK. If invalid, it responds again with 401 Unauthorized. In Spring Boot, this is enabled by calling http.httpBasic() in the security configuration. It is important to use HTTPS to keep credentials safe during transmission.

Practice

1. What does HTTP Basic authentication do in a Spring Boot application?
easy
A. It protects web resources by requiring a username and password.
B. It encrypts all data sent between client and server automatically.
C. It allows users to log in without any credentials.
D. It disables security for all endpoints.

Solution

  1. Step 1: Understand HTTP Basic authentication purpose

    HTTP Basic authentication requires users to provide a username and password to access protected resources.
  2. Step 2: Identify what it does in Spring Boot

    Spring Boot uses HTTP Basic to prompt for credentials before allowing access to endpoints.
  3. Final Answer:

    It protects web resources by requiring a username and password. -> Option A
  4. Quick Check:

    HTTP Basic authentication = username and password protection [OK]
Hint: Remember HTTP Basic always asks for username and password [OK]
Common Mistakes:
  • Thinking HTTP Basic encrypts data by itself
  • Assuming it allows access without credentials
  • Confusing it with disabling security
2. Which of the following is the correct way to enable HTTP Basic authentication in a Spring Security configuration?
easy
A. http.authBasic();
B. http.enableBasicAuth();
C. http.httpBasic();
D. http.basicAuthentication();

Solution

  1. Step 1: Recall Spring Security method for HTTP Basic

    The correct method to enable HTTP Basic is httpBasic() on the HttpSecurity object.
  2. Step 2: Match the exact method name

    Only http.httpBasic(); matches the official Spring Security syntax.
  3. Final Answer:

    http.httpBasic(); -> Option C
  4. Quick Check:

    Enable HTTP Basic = http.httpBasic() [OK]
Hint: Look for exact method name: httpBasic() [OK]
Common Mistakes:
  • Using incorrect method names like enableBasicAuth()
  • Confusing method names with similar words
  • Missing parentheses in method call
3. Given this Spring Security configuration snippet, what happens when a user accesses a protected endpoint?
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpBasic();
medium
A. The user can access the endpoint without any credentials.
B. The user is redirected to a custom login page.
C. The server returns a 404 Not Found error.
D. The user is prompted to enter username and password via browser popup.

Solution

  1. Step 1: Analyze the configuration

    The configuration requires authentication for any request and enables HTTP Basic authentication.
  2. Step 2: Understand HTTP Basic behavior

    HTTP Basic triggers a browser popup asking for username and password when accessing protected resources.
  3. Final Answer:

    The user is prompted to enter username and password via browser popup. -> Option D
  4. Quick Check:

    httpBasic() = browser login popup [OK]
Hint: httpBasic() triggers browser popup for credentials [OK]
Common Mistakes:
  • Thinking it redirects to a login page
  • Assuming no credentials are needed
  • Confusing 404 error with authentication failure
4. Identify the error in this Spring Security configuration for HTTP Basic authentication:
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .httpbasic();
medium
A. Method name should be httpBasic() with capital B.
B. authorizeHttpRequests() should be authorizeRequests().
C. authenticated() should be permitAll().
D. No error, configuration is correct.

Solution

  1. Step 1: Check method names carefully

    The method to enable HTTP Basic is httpBasic() with a capital B, not httpbasic().
  2. Step 2: Verify other methods

    authorizeHttpRequests() is correct in Spring Security 6+, and authenticated() is appropriate to require login.
  3. Final Answer:

    Method name should be httpBasic() with capital B. -> Option A
  4. Quick Check:

    Method names are case-sensitive = httpBasic() [OK]
Hint: Check method capitalization carefully [OK]
Common Mistakes:
  • Using wrong method case like httpbasic()
  • Confusing authorizeHttpRequests with older authorizeRequests
  • Changing authenticated() to permitAll() incorrectly
5. You want to secure your Spring Boot REST API with HTTP Basic authentication but only for the endpoints under /admin/**. Which configuration snippet correctly applies HTTP Basic only to those endpoints?
hard
A. http.httpBasic().authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
B. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic();
C. http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll()).httpBasic();
D. http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").permitAll()).httpBasic();

Solution

  1. Step 1: Understand the requirement

    Only endpoints matching /admin/** should require authentication; others should be open.
  2. Step 2: Analyze each option

    http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); correctly requires authentication for /admin/** and permits all other requests. Other options either require authentication for all requests, permit all requests, or incorrectly permit the /admin/** paths.
  3. Final Answer:

    http.authorizeHttpRequests(auth -> auth.requestMatchers("/admin/**").authenticated().anyRequest().permitAll()).httpBasic(); -> Option B
  4. Quick Check:

    Secure only /admin/** = authenticated() on matcher + permitAll() others [OK]
Hint: Use requestMatchers for specific paths, then set auth [OK]
Common Mistakes:
  • Applying authentication to all endpoints instead of specific ones
  • Permitting admin endpoints by mistake
  • Misordering authorizeHttpRequests and httpBasic calls