By Marone: October 2019 | last update: December 2019
Secure Spring boot with basic authentication
Goal
In this article we are going to protect a Spring Boot REST API in a simple way using Spring Security
with basic authentication. This is part 1 of a series of articles on Spring Security.
Used technologies
- JDK 1.8
- Maven 3.2 (Spring Boot 2.x and Spring Security 5.x)
Maven
Rest api
Configuration
- @EnableWebSecurity is not necessary. Spring Security is on the classpath, hence EnableWebSecurity will be added automatically
- All URLs are public except /protected and /admin
- The /protected URL is protected by the USER role
- The /admin URL is protected by the ADMIN role
- For testing purposes, the user credentials are stored in memory
- After Spring Security 5.0 plain text passwords are not allowed anymore, so we use the prefix {noop}
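The rules listed above could be expressed as the following configuration class. This is an added example, not the article's original listing: the class name, user names and passwords are assumptions, and it uses the WebSecurityConfigurerAdapter style of Spring Security 5.x.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: SecurityConfig, the user names and the passwords are assumptions.
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated in order; the first matching rule wins,
                // so the restricted paths come before the catch-all.
                .antMatchers("/protected").hasRole("USER")
                .antMatchers("/admin").hasRole("ADMIN")
                // Every other URL stays public.
                .anyRequest().permitAll()
                .and()
            // HTTP Basic: missing or wrong credentials -> 401,
            // valid credentials without the required role -> 403.
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            // {noop} selects NoOpPasswordEncoder, so the password is compared
            // as plain text. Suitable for a local test only; a deployed
            // service would store a hash, e.g. with the {bcrypt} prefix.
            // roles("USER") grants ROLE_USER, which is what hasRole("USER") checks.
            .withUser("user").password("{noop}user-pass").roles("USER")
            .and()
            .withUser("admin").password("{noop}admin-pass").roles("ADMIN");
    }
}
```

Basic authentication sends the credentials base64-encoded with every request, so outside a local test the API belongs behind HTTPS.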
Let's test
- Calling http://localhost:8080/protected without credentials returns "401, Unauthorized"
- The admin endpoint expects a user with Role=Admin; passing a user with another role will cause a "403, Forbidden"