Spring Security 6 with basic authentication
In this tutorial, we are going to set up Spring Security in a Spring Boot servlet application and configure an in-memory user to test authentication.
Pre-requisites
- This tutorial uses Maven for dependency management.
- Spring Security 6 requires JDK 17
Step 1: Add the Spring Security dependency to the application's pom.xml if using Maven, or to build.gradle if using Gradle
The spring-boot-starter-security dependency is used to secure Spring applications that are reachable over the internet and therefore exposed to attack. Spring Security can be added to any Spring project in a flexible and extensible way.
pom.xml
    <dependencies>
        <!-- ... other dependency elements ... -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
    </dependencies>
build.gradle
    dependencies {
        implementation "org.springframework.boot:spring-boot-starter-security"
    }
Just by including the security dependency on the application's classpath, the application is placed behind an authentication filter that requires every incoming request to be authenticated before it can access application resources.
Step 2: Create a WebSecurityConfig class that customizes the filter chain so that requests to the application must be authenticated
Create a configuration class annotated with @Configuration and @EnableWebSecurity, and expose the security rules as a SecurityFilterChain bean.
    package security;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig {

        // Spring Security 6 no longer has WebSecurityConfigurerAdapter, so the
        // rules must be published as a SecurityFilterChain bean to take effect.
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            // Configure any request to the application to require HTTP Basic authentication
            http
                .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults());
            return http.build();
        }

        @Bean
        public UserDetailsService users() {
            // Create an in-memory user that will be able to authenticate to the application.
            // The password is stored as a bcrypt hash, marked by the {bcrypt} prefix.
            UserDetails user = User.builder()
                .username("user")
                .password("{bcrypt}$2a$10$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW")
                .roles("USER")
                .build();
            return new InMemoryUserDetailsManager(user);
        }
    }
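It is also possible to configure a user in the application.properties file instead of defining a UserDetailsService bean. A # only starts a comment at the beginning of a line in a properties file, so the comments go on their own lines and the bracketed values are placeholders to replace:
    # user name
    spring.security.user.name=<username>
    # password
    spring.security.user.password=<password>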
Step 3: Run the application. It should start up on http://localhost:{port}
(Note: the default port is 8080, but if you’ve configured a different port for your application to run on, use that instead.)
If no user is configured (no UserDetailsService bean and no spring.security.user.password property), a security password is generated on application startup and the default username is ‘user’.
$ ./mvnw spring-boot:run
...
INFO 23689 --- [ restartedMain] .s.s.UserDetailsServiceAutoConfiguration :
Using generated security password: 8e557245-73e2-4286-969a-ff57fe326336
...
Step 4: You will be prompted to log in or authenticate before you can access the application. Use the username configured in the UserDetailsService together with the plain-text password that its {bcrypt} hash was generated from. The hash itself is not the password, and quoting the credentials keeps the shell from expanding any $ characters in them.
    $ curl -i http://localhost:8080/some/path
    HTTP/1.1 401
    ...
    $ curl -i -u 'user:<password>' http://localhost:8080/some/path
HTTP/1.1 200
...
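How the {bcrypt} value stored in Step 2 relates to the password sent in Step 4, as an added example that is not part of the original tutorial. The class name PasswordHashDemo and the sample password are constructed for illustration; the encoder calls are Spring Security's own.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: needs spring-security-crypto on the classpath, which
// spring-boot-starter-security brings in.
public class PasswordHashDemo {

    public static void main(String[] args) {
        // Constructed sample password; in practice read it from a prompt
        // instead of hard-coding it.
        String rawPassword = "correct-horse-battery-staple";

        // The delegating encoder prefixes each hash with its algorithm id.
        // That prefixed string is what goes into User.builder().password(...).
        PasswordEncoder encoder =
                PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String stored = encoder.encode(rawPassword);
        System.out.println("stored value:            " + stored);

        // On login, Spring Security compares the raw password sent by the
        // client (curl -u user:<password>) against the stored hash.
        System.out.println("raw password matches:    "
                + encoder.matches(rawPassword, stored));

        // The hash string is not a credential: hashing it again produces a
        // different value, so presenting it as the password is checked
        // against the stored hash like any other wrong password.
        String hashOnly = stored.substring(stored.indexOf('}') + 1);
        System.out.println("hash sent as password:   "
                + encoder.matches(hashOnly, stored));

        // bcrypt uses a fresh random salt per call, so a second encoding of
        // the same password yields a different string that still verifies.
        String second = encoder.encode(rawPassword);
        System.out.println("second encoding differs: " + !second.equals(stored));
        System.out.println("second encoding matches: "
                + encoder.matches(rawPassword, second));
    }
}
```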


