Spring Security — Basic Authentication for REST APIs

Seyed Sahil
3 min read · Apr 23, 2020

Hello there and welcome to my new article on Spring Security. I hope you are a beginner just like me, with good knowledge of Spring Boot development; if so, this article is for you.

Today I am going to talk about HTTP Basic authentication and how to use it with a REST-based Spring Boot application. This article covers Basic authentication at an intro level, with a quick demonstration of how the server behaves; the implementation follows in the next chapter.

About Basic Authentication

It is a very simple authentication scheme built into the HTTP protocol (specified in RFC 7617) in which the client passes the credentials with every request. The credentials are only Base64 encoded, not encrypted: anyone who can read the traffic can decode the header and recover the password, so Basic authentication must only be used over HTTPS.

Enabling Basic Authentication

On the client side, Basic authentication is used simply by including the Authorization header in the request. The header value has two parts:

  1. The scheme name ‘Basic’ followed by a single space character.
  2. The Base64 encoding of the username and password, joined together with a colon ‘:’ as separator. Because the first colon is the separator, the username itself must not contain a colon (a password may).
Authorization: Basic YWRtaW46dGVzdA==

Note: Here I used the username ‘admin’ and password ‘test’. So the actual input for Base64 encoding will be ‘admin:test’

About REST Endpoint

I have created two sample REST endpoints for the demonstration. They return a list of activities (or a single activity) from the server when authentication is successful, and 401 Unauthorized when authentication fails.

GET http://localhost:8080/api/v1/billing/activities
GET http://localhost:8080/api/v1/billing/activities/{id}

Testing without Authorization Header

As you can see from the above screenshot, the server responded with 401 Unauthorized when the Authorization header is missing from the request. Note the error message here. A server implementing the scheme correctly also sends a WWW-Authenticate: Basic challenge header with this response; that header is what tells a browser to prompt the user for credentials.

Testing with Invalid Credentials

As you can see from the HTTP request, it contains an Authorization header, but I added a random Base64 encoded value which is not ‘admin:test’. The server again responded with 401 Unauthorized; take a look at the message, it says Bad credentials. Spring Security gives this same response whether the username does not exist or the password is wrong, so an attacker cannot use the error to discover which usernames are valid.

Testing with Valid Credentials

This time I used the second REST endpoint to test with the right credentials. Now take a look at the server response. It contains the requested activity, identified by its id, with status 200 OK. The resource is represented in HATEOAS format.
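The header format from the Enabling Basic Authentication section and the three outcomes tested above (no header, bad credentials, valid credentials) as an added, stand-alone Java program. This is not code from the article or from the demo application: it builds the header the way a client does and checks it the way the server does. It assumes Java 11 or later; the USERS map is a hypothetical in-memory store standing in for the user details service and PasswordEncoder that Spring Security would use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

public class BasicAuthDemo {

    // Client side: build the Authorization header value for a username/password pair.
    static String buildHeader(String username, String password) {
        if (username.indexOf(':') >= 0) {
            // RFC 7617: the user-id must not contain ':' because the first ':' is the separator.
            throw new IllegalArgumentException("username must not contain ':'");
        }
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Server side: parse the header into {username, password}; empty if missing or malformed.
    static Optional<String[]> parseHeader(String header) {
        if (header == null) {
            return Optional.empty();
        }
        String value = header.trim();
        // The scheme name is case-insensitive: "basic" must be accepted as well as "Basic".
        if (!value.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(value.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return Optional.empty(); // no separator at all
        }
        // Split on the FIRST colon only, so a password containing ':' is preserved intact.
        return Optional.of(new String[] { pair.substring(0, colon), pair.substring(colon + 1) });
    }

    // Hypothetical in-memory user store holding the article's admin/test pair.
    // A real service stores password hashes and verifies them with a PasswordEncoder instead.
    static final Map<String, String> USERS = Map.of("admin", "test");

    // Returns the status code the server should answer with, mirroring the three tests.
    static int authenticate(String authorizationHeader) {
        Optional<String[]> creds = parseHeader(authorizationHeader);
        if (creds.isEmpty()) {
            return 401; // missing or malformed header: answer with a WWW-Authenticate: Basic challenge
        }
        String username = creds.get()[0];
        String password = creds.get()[1];
        String expected = USERS.get(username);
        if (expected == null) {
            return 401; // unknown user: same answer as a wrong password, so usernames cannot be enumerated
        }
        // Constant-time comparison; a plain equals() can leak through response timing
        // how many leading characters of the password were correct.
        boolean matches = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return matches ? 200 : 401;
    }

    public static void main(String[] args) {
        String valid = buildHeader("admin", "test");
        String wrongPassword = "Basic "
                + Base64.getEncoder().encodeToString("admin:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println("header for admin:test  -> " + valid);
        System.out.println("no Authorization header -> " + authenticate(null));
        System.out.println("garbage header value    -> " + authenticate("Basic !!!not-base64!!!"));
        System.out.println("wrong password          -> " + authenticate(wrongPassword));
        System.out.println("lowercase scheme name   -> " + authenticate("basic " + valid.substring(6)));
        System.out.println("valid credentials       -> " + authenticate(valid));
    }
}
```

Running the program prints the header value shown earlier in the article for the admin/test pair, followed by the status each request variant receives. Two details are worth copying into your own code: the header is split on the first colon only, and the password check is done with MessageDigest.isEqual rather than String.equals.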

The basic authentication demo is now complete. If you are comfortable, please proceed to the next chapter, where the implementation is explained.

Spring Security — Implementing Basic Authentication

Questions and Answers

Q: Do we have to include the authorization header and credentials with every request?
A: Yes. Basic authentication is stateless at the protocol level: the server expects the Authorization header on every request and answers 401 when it is missing. What makes it feel like logging in once is that a browser caches the credentials after the first successful response and silently attaches the header to every following request for the same realm. A REST client such as the one used here does not do that, so each request must carry the header explicitly. Spring Security may in addition create an HTTP session and set a JSESSIONID cookie, so a client that keeps cookies can be recognised without the header; for a pure REST API it is usual to switch that off with a stateless session policy.
Q: How to invalidate the previous authentication?
A: It is possible to invalidate the previous authentication. We will see how to do it using Spring Security: we can add logout support and Spring will do the rest. Once logout support is added, we can call the endpoint given below to invalidate the server-side session and then exit. Keep in mind that logout only clears what the server holds; it cannot make a browser forget the cached credentials, and the browser will keep sending the Basic header, which simply re-authenticates the next request. For a browser client the credentials are only really dropped when the browser is closed or the password is changed.

http://localhost:8080/logout

As you can see, once logout is called the server responds with status 204 No Content.

Q: Which tool is used for endpoint testing?
A: Here I am using Visual Studio Code with the REST Client extension. Alternatives are Postman or a web browser.

Now, with the last question, we have completed the introduction to Basic authentication. Got some questions? Post them as a comment 🙂

Next: Spring Security — Implementing Basic Authentication

Thank you for reading

Seyed Sahil

Originally published at http://sydlabz.wordpress.com on April 23, 2020.

Seyed Sahil

Coding Since 2011, Software Engineer, Game Developer, Artist, Photographer. Passionate about Security and Web Technologies. Favourites — C, Java, Javascript.