By Marone: October 2019 | last update: December 2019


in this article we are going to protect a spring boot rest api in a simple way using Spring securitywith basic authentication . This is part 1 of a series of articles on spring security topic

Used technologies

JDK 1.8
Maven 3.2 (Spring boot 2.x and Spring security 5.x)


Rest api


  • @EnableWebSecurity ist not necessary. Spring Security is on the classpath, hence EnableWebSecurity will be added automaticaly
  • All urls are public except /protected and /admin
  • The/protectedurl is protected by the USER role
  • The/adminurl is protected by the ADMIN role
  • For testing purposes, the user credentials are stored in the memory
  • After Spring Security 5.0 plain text passwords are not allowed anymore, so we us the prefix{noop}

Let's test

  • Calling http://localhost:8080/protected without credentials returns "401, Unauthorized"
  • The admin endpoint expect user with Role=Admin, passing a user with other Role will cause a "403, Forbidden"