Friday, January 19, 2018

How Http Basic Authentication works in Spring Security?

In the last article, you learned how to enable HTTP Basic authentication in a Spring Security based Java application; now we'll go one step further to understand how exactly HTTP Basic authentication works inside Spring Security. If you remember, when you use HTTP Basic for authentication, the client, e.g. a browser or a REST client, sends the login credentials in an HTTP request header. The header is aptly named "Authorization" and it contains a Base64 encoded string, created by concatenating the username and password with a colon in between. For example, if the username is "johnsmith" and the password is "JOHN3214", they are concatenated as "johnsmith:JOHN3214" before being encoded with the Base64 encoding algorithm.

When the server receives such a request, it extracts the value of the "Authorization" header and decodes it using the same Base64 algorithm to obtain the username and password for authenticating the user.
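To make the encoding step concrete, here is an added example (not code from the article or from Spring Security) that builds the Authorization header the way a client does and parses it the way the server does, using only java.util.Base64. The class name BasicAuthHeader and the method names are my own; the decoding side is deliberately strict about the points that trip up hand-written parsers: the scheme name is compared case-insensitively, malformed Base64 is treated as "no credentials" rather than an error, and the decoded string is split on the first colon only, so a password that itself contains a colon survives.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example (hypothetical class, not part of Spring Security): shows what
// the client puts into "Authorization: Basic ..." and how a server reads it back.
public class BasicAuthHeader {

    /** Client side: "username:password" -> Base64 -> "Basic <token>". */
    public static String build(String username, String password) {
        if (username.contains(":")) {
            // RFC 7617: the user-id must not contain a colon; the password may.
            throw new IllegalArgumentException("username must not contain ':'");
        }
        String credentials = username + ":" + password;
        String token = Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        return "Basic " + token;
    }

    /** Server side: returns {username, password}, or empty if the header is not usable Basic auth. */
    public static Optional<String[]> parse(String authorizationHeader) {
        if (authorizationHeader == null) {
            return Optional.empty();
        }
        String header = authorizationHeader.trim();
        // The scheme name is case-insensitive ("basic" and "Basic" are both valid).
        if (header.length() < 6 || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            // Malformed Base64: treat as "no credentials supplied", which makes the
            // server fall back to the 401 challenge instead of leaking a stack trace.
            return Optional.empty();
        }
        String credentials = new String(decoded, StandardCharsets.UTF_8);
        int colon = credentials.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        // Split on the FIRST colon only, so "johnsmith:pa:ss" yields password "pa:ss".
        return Optional.of(new String[] {
            credentials.substring(0, colon),
            credentials.substring(colon + 1)
        });
    }

    public static void main(String[] args) {
        String header = build("johnsmith", "JOHN3214");
        System.out.println("Client sends:  Authorization: " + header);

        String[] creds = parse(header).orElseThrow();
        System.out.println("Server reads:  user=" + creds[0] + " password=" + creds[1]);

        // A Bearer token or garbage is not Basic auth and must not be parsed as such.
        System.out.println("Bearer parsed? " + parse("Bearer abc").isPresent());
        System.out.println("Garbage parsed? " + parse("Basic !!notbase64!!").isPresent());
    }
}
```

Note that Base64 is an encoding, not encryption: anyone who can read the header can run the parse side of this example on it, which is the reason the article stresses transport protection later on.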

If you remember, we used the <http-basic/> element in XML configuration or the httpBasic() method on the HttpSecurity object to enable basic authentication.

Now, let's see how exactly Spring Security supports HTTP Basic authentication and what happens inside Spring Security when it receives a login request while HTTP Basic authentication is enabled at the server end.



How Spring Security Processes Http Basic Authentication Requests

When you use the <http-basic/> configuration element, Spring Security's BasicAuthenticationFilter comes into the picture. It checks whether the incoming HTTP request contains an "Authorization" header and whether its value starts with "Basic".

A BasicAuthenticationEntryPoint strategy is also configured into the ExceptionTranslationFilter on startup; it handles requests that do not contain an "Authorization" header.

When you make an HTTP request to a protected URL, e.g. /admin/users, from the browser without adding the "Authorization" header, Spring Security throws an access-denied exception that is handled by the ExceptionTranslationFilter.

This filter then delegates to a particular implementation of the AuthenticationEntryPoint interface, which is the BasicAuthenticationEntryPoint in our case.

This class adds the header WWW-Authenticate: Basic realm="Spring Security Application" to the response and then sends an HTTP status code of 401 (Unauthorized) to the client, e.g. your browser, which knows how to handle this code: it shows a dialog box prompting for username and password, like below:

How Http Basic Authentication works in Spring Security?


When you enter the username and password and submit the request, the request again travels down the filter chain until it reaches the BasicAuthenticationFilter.

This filter looks in the request headers for an Authorization header starting with "Basic", e.g. Authorization: Basic CDWhZGRpbjpvcGVuc2AzYW1l.

The BasicAuthenticationFilter then extracts the content of the "Authorization" header, Base64-decodes it, and splits the decoded String into the username and password.

Once it has that information, the filter creates a UsernamePasswordAuthenticationToken object and sends it to the authentication manager for authentication in the standard way.

If you don't know the role of the AuthenticationManager in Spring Security login, you can learn more about it in Eugen's Learn Spring Security Course.


The authentication manager will ask the authentication provider (e.g. in-memory, JDBC backed or LDAP based) to retrieve the user and then create an Authentication object from it. This part of the process is standard and independent of HTTP Basic; it applies to digest authentication as well.
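The whole workflow above wires together in one Java configuration class. The following is an added example, not configuration from the article: it assumes Spring Security 5.7 or later (the SecurityFilterChain bean style) and an in-memory user store; the class name BasicAuthConfig, the user "johnsmith"/"JOHN3214" and the /admin/** path are taken from the article's running example, while the realm name matches the WWW-Authenticate header shown earlier. Each bean is annotated with the role it plays in the filter chain described above.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

// Added example configuration (hypothetical class name); assumes Spring Security 5.7+.
@Configuration
@EnableWebSecurity
public class BasicAuthConfig {

    // The entry point the ExceptionTranslationFilter delegates to when a protected
    // URL is hit without an Authorization header. It writes
    // "WWW-Authenticate: Basic realm="Spring Security Application"" and returns 401.
    @Bean
    public BasicAuthenticationEntryPoint basicEntryPoint() {
        BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("Spring Security Application");
        return entryPoint;
    }

    // Builds the filter chain. httpBasic() is what registers the
    // BasicAuthenticationFilter that decodes the header on the second request.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           BasicAuthenticationEntryPoint entryPoint) throws Exception {
        http
            .authorizeRequests(auth -> auth
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(basic -> basic.authenticationEntryPoint(entryPoint))
            // Credentials travel on every request, so no HTTP session is needed.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF protection guards cookie-based sessions; a stateless Basic-auth
            // REST API has none, so it is switched off here.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Passwords are never stored in clear text; the delegating encoder prefixes
    // each hash with its algorithm id (e.g. {bcrypt}).
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // The authentication provider the AuthenticationManager consults once the
    // filter has built a UsernamePasswordAuthenticationToken. In-memory here;
    // a JDBC or LDAP backed UserDetailsService drops in without other changes.
    @Bean
    public UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("johnsmith")
                .password(encoder.encode("JOHN3214"))
                .roles("ADMIN")
                .build());
    }
}
```

With this in place, a request to /admin/users without credentials gets the 401 challenge from basicEntryPoint(), and the same request carrying a valid Authorization header is resolved by the BasicAuthenticationFilter, the AuthenticationManager and the in-memory UserDetailsService in that order. Sending the request with curl -u johnsmith:JOHN3214 produces exactly the header the article describes, which makes it a convenient way to exercise the chain from the command line.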

If you are working on RESTful web services, you can also use the curl command to send an HTTP request with an "Authorization" header for HTTP Basic authentication. I have found curl an easy way to test web services by sending various HTTP commands from the command line.

You can also see my post on how to test RESTful web services for some practical examples of curl, e.g. sending a POST request, sending a request with HTTP Basic and Digest authentication, etc.

Btw, as I have said before, basic authentication is not secure on its own: anyone who can intercept the request can decode the password, hence it is only used for testing purposes, while the more sophisticated digest authentication and OAuth are used in real-world applications, particularly if you want to secure your REST API.

I'll tell you more about securing REST APIs in coming articles, but if you can't wait, I suggest you check out the REST with Spring MasterClass, which was recently updated for Spring Framework 5 and Spring Security 5 as well.
How Http Basic Authentication works in Spring Security and REST API


That's all about how HTTP Basic authentication works inside Spring Security. You have seen the full workflow of what happens when an HTTP request hits a protected URL that requires basic authentication. It's basically the BasicAuthenticationFilter which does most of the job, along with the BasicAuthenticationEntryPoint.

Other Spring Security tutorials and Resources 

Thanks for reading this article. If you like my explanation of how Http Basic Authentication works in Spring Security then please share this article with your friends and colleagues. If you have any questions or feedback then please drop a note.
