---

By Marone: October 2019 | last update: December 2019

---

Secure Spring boot with basic authentication

Goal

in this article we are going to protect a spring boot rest api in a simple way using Spring securitywith basic authentication . This is part 1 of a series of articles on spring security topic

Used technologies

JDK 1.8
Maven 3.2 (Spring boot 2.x and Spring security 5.x)

Maven

Rest api

Configuration

• @EnableWebSecurity ist not necessary. Spring Security is on the classpath, hence EnableWebSecurity will be added automaticaly
• All urls are public except /protected and /admin
• The/protected url is protected by the USER role
• The/admin url is protected by the ADMIN role
• For testing purposes, the user credentials are stored in the memory
• After Spring Security 5.0 plain text passwords are not allowed anymore, so we us the prefix {noop}

Let's test

• Calling http://localhost:8080/protected without credentials returns "401, Unauthorized"
• The admin endpoint expect user with Role=Admin, passing a user with other Role will cause a "403, Forbidden"

References

• Spring Security Reference
• Spring boot hello world

• spring boot
• security
• spring-security