HTTP basic authentication (BA) is a simple authentication mechanism. When a web client requests a secured web resource, the server sends an HTTP response with status code 401 (Unauthorized) and a WWW-Authenticate HTTP header such as WWW-Authenticate: Basic realm="realm here". The browser then pops up a login dialog prompting for the user name and password for that realm.

This example shows how to configure HTTP basic authentication using Spring Security framework.

Tools and Technologies used in this article

  1. Spring Framework 3.1.4
  2. Spring Security 3.1.4
  3. Spring Tool Suite 3.2
  4. JDK 1.6
  5. Tomcat 7

We'll modify our previous post Spring Security 3 Hello World Example to configure HTTP Basic authentication.

Note:
The HTTP Basic authentication scheme is not a secure method of user authentication if the connection between the web client and the server is not secured. The user's credentials are Base64-encoded during transmission, but neither encrypted nor hashed. So wherever there is a possibility of credentials being intercepted, basic authentication should only be used over HTTPS.

1. Modify Spring Security Configuration

Just add the <http-basic/> element to the Spring Security configuration XML to configure HTTP basic authentication.
File: WEB-INF/spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd">
 
    <http>
        <intercept-url pattern="/secured/*" access="ROLE_USER" />
         
        <!-- Adds Support for basic authentication -->
        <http-basic/>
    </http>
 
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="srccodes" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
 
</beans:beans>

2. Overall Project Structure

3. Demo

Start the server and deploy the web application. Try to open the URL http://:/spring-security-http-basic-authentication/secured/mypage.

HTTP Response Header sent by the server

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="Spring Security Application"
Content-Type: text/html;charset=utf-8
Content-Length: 981
Date: Mon, 09 Sep 2013 10:47:14 GMT

The browser will open an authentication dialog prompting for username and password.
HTTP basic authentication dialog

For wrong credentials, the following authentication failure message will be displayed.
authentication failure message

For the correct username (srccodes) and password (password), you'll be able to view the secured page.
view the secured page

HTTP Request Header sent to the server

GET /spring-security-http-basic-authentication/secured/mypage HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=896331E26095C95449516FCBF2E0E93C; __atuvc=28%7C31%2C0%7C32%2C0%7C33%2C215%7C34%2C59%7C35
Authorization: Basic c3JjY29kZXM6cGFzc3dvcmQ=

Note: 'c3JjY29kZXM6cGFzc3dvcmQ=' is the Base64-encoded form of 'username:password', i.e. 'srccodes:password'. Anyone who can read this header on an unencrypted connection can decode it.
Note: Basic authentication does not provide any logout functionality. Close the browser to log out.
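The exchange shown above, written out in Python as an added example (not code from the original post or from Spring Security): it decodes the captured Authorization header to show that the credentials are recoverable from the Base64 token, and emulates the server side, i.e. the 401 challenge with the realm from the captured response and a constant-time password check. The USERS dictionary and the function names are my own assumptions; the realm and the header value come from the page. Python is used because the point is the HTTP-level exchange, not the Spring API.

```python
import base64
import binascii
import hmac

# Realm taken from the captured 401 response on the page
REALM = "Spring Security Application"
# Constructed credential store mirroring the single user in spring-security.xml
USERS = {"srccodes": "password"}


def make_basic_header(user, password):
    """Build the header value a browser sends after the login dialog."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(header):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None.

    Base64 is an encoding, not encryption: anyone who can read the header on a
    plain-HTTP connection recovers the credentials with exactly this code.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', the password may, so split once
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(request_headers):
    """Emulate the server: (401, challenge) without valid credentials, else (200, {})."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic_header(request_headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge
    user, password = creds
    expected = USERS.get(user)
    # Compare against a dummy for unknown users so timing does not reveal valid names
    reference = expected if expected is not None else "\0" * 16
    ok = hmac.compare_digest(password.encode("utf-8"), reference.encode("utf-8"))
    if ok and expected is not None:
        return 200, {}
    return 401, challenge
```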

Download

All code samples shown in this post are available on GitHub.