Spring Security HTTP Basic Authentication Example
HTTP basic authentication (BA) is a simple authentication mechanism. When a web client requests a secured web resource, the server sends an HTTP response with status code 401 (Unauthorized) and a WWW-Authenticate HTTP header such as WWW-Authenticate: Basic realm="realm here". The browser then pops up a login dialog prompting for the user name and password for that realm.
This example shows how to configure HTTP basic authentication using the Spring Security framework.
Tools and Technologies used in this article
We'll modify our previous post Spring Security 3 Hello World Example to configure HTTP Basic authentication.
**Note:**
The HTTP Basic authentication scheme is not a secure method for user authentication if the connection between the web client and the server is not secured. The user's credentials are Base64-encoded during transmission, but not encrypted or hashed. So if there is a possibility of credentials being intercepted, basic authentication should be used over HTTPS.
1. Modify Spring Security Configuration
Just add <http-basic/> inside the <http> element of the Spring Security configuration XML to configure HTTP basic authentication.
File: WEB-INF/spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http>
        <!-- /secured/* matches a single path level; nested paths need /secured/** -->
        <intercept-url pattern="/secured/*" access="ROLE_USER" />
        <!-- Adds Support for basic authentication -->
        <http-basic/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- In-memory demo user; the password is stored here in plain text -->
                <user name="srccodes" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
2. Overall Project Structure
3. Demo
Start the server and deploy the web application. Try to open the URL http://:/spring-security-http-basic-authentication/secured/mypage.
HTTP Response Header sent by the server
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="Spring Security Application"
Content-Type: text/html;charset=utf-8
Content-Length: 981
Date: Mon, 09 Sep 2013 10:47:14 GMT
The browser will open the authentication dialog prompting for username and password.
For wrong credentials, the following authentication failure message will also be displayed.
For correct username (srccodes) and password (password), you'll be able to view the secured page.
HTTP Request Header sent to the server
GET /spring-security-http-basic-authentication/secured/mypage HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=896331E26095C95449516FCBF2E0E93C; __atuvc=28%7C31%2C0%7C32%2C0%7C33%2C215%7C34%2C59%7C35
Authorization: Basic c3JjY29kZXM6cGFzc3dvcmQ=
Note: 'c3JjY29kZXM6cGFzc3dvcmQ=' is the Base64-encoded version of 'username:password', i.e. 'srccodes:password'.
Note: Basic authentication does not provide any logout functionality. Close the browser to log out.
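The Authorization header shown in the request above can be reversed with a plain Base64 decode, which is why the scheme needs HTTPS. The following is an added example, not code from the original post or from Spring Security: the class name BasicAuthHeaderDemo and the decode helper are hypothetical, it assumes Java 8+ for java.util.Base64, and it assumes the credentials are UTF-8 text.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: hypothetical helper, not part of Spring Security.
public class BasicAuthHeaderDemo {

    /** Decodes "Basic <base64>" into {username, password}; returns null if malformed. */
    static String[] decode(String headerValue) {
        // The scheme name is case-insensitive; reject a missing header or another scheme.
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid Base64
        }
        // Assumption: credentials are UTF-8 text.
        String pair = new String(raw, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: a password may itself contain ':'.
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null; // no username/password separator
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    static String describe(String headerValue) {
        String[] c = decode(headerValue);
        return c == null ? "rejected" : "user=" + c[0] + " password=" + c[1];
    }

    public static void main(String[] args) {
        // Header value copied from the request shown on this page.
        System.out.println(describe("Basic c3JjY29kZXM6cGFzc3dvcmQ="));

        // Constructed inputs: a password containing ':', bad Base64, and another scheme.
        String withColon = "Basic " + Base64.getEncoder()
                .encodeToString("alice:p:w".getBytes(StandardCharsets.UTF_8));
        System.out.println(describe(withColon));
        System.out.println(describe("Basic !!!not-base64!!!"));
        System.out.println(describe("Bearer abc.def.ghi"));
    }
}
```

No key or secret is involved in the decode, so anyone who can read the request on an unencrypted connection recovers the password directly.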
Download SrcCodes
All code samples shown in this post are available on GitHub.