Monday, December 21, 2020

How HTTP Basic Authentication works in Spring Security?

In the last article, you learned how to enable HTTP Basic authentication in a Spring Security-based Java application, and now we'll go one step further to understand how exactly HTTP Basic authentication works inside Spring Security. If you remember, when you use HTTP Basic for authentication, the client, like a browser or a REST client, sends the login credentials in an HTTP request header. The header is aptly named "Authorization", and it contains a Base64-encoded string, which is created by concatenating the username and password with a colon. For example, if the username is "johnsmith" and the password is "JOHN3214", then they are concatenated as "johnsmith:JOHN3214" before being Base64-encoded.

When the server receives such a request, it extracts the value of the "Authorization" header and decodes it using the same Base64 algorithm to obtain the credentials for authenticating the user.

If you remember, we used the <http-basic/> element in XML configuration or the httpBasic() method on the HttpSecurity object to enable basic authentication.

Now, let's see how exactly Spring Security supports HTTP Basic authentication and what happens inside Spring Security when it receives a login request, once HTTP Basic authentication is enabled on the server side.

Btw, good knowledge of the Spring framework is desirable for Spring Security, so if you are not familiar with Spring fundamentals, I suggest you first go through a beginner course like Spring Framework 5: Beginner to Guru on Udemy to learn the basics. This is also the most up-to-date Spring course and covers the Spring 5.0 version.




How Spring Security Processes HTTP Basic Authentication Requests

When you use the <http-basic/> configuration element, Spring Security's BasicAuthenticationFilter comes into the picture. It checks whether the incoming HTTP request contains an "Authorization" header and whether that header's value starts with "Basic".

A BasicAuthenticationEntryPoint strategy is also configured into the ExceptionTranslationFilter on startup; it is required to handle requests that do not contain an "Authorization" header.

When you make an HTTP request to a protected URL, like /admin/users, from the browser without adding the "Authorization" header, Spring Security throws an access-denied exception, which is handled by the ExceptionTranslationFilter.

This filter then delegates to a particular implementation of the AuthenticationEntryPoint interface, which is the BasicAuthenticationEntryPoint in our case.

Here is a nice diagram that shows the workflow of HTTP Basic authentication in a Spring Security application. It gives a good overview of the Spring Security filter chain and of how both successful and unsuccessful authentication are handled. If you want to learn more, I recommend a comprehensive Spring Security course like the Spring Security Certification Class by Eugen Paraschiv of Baeldung.


[Diagram: How HTTP Basic Authentication works in Spring Security]



This class adds the header WWW-Authenticate: Basic realm="Spring Security Application" to the response and then sends an HTTP status code of 401 (Unauthorized) to the client, like your browser, which knows how to handle this code and acts accordingly, i.e., it shows a dialog box prompting for a username and password, like below:

[Image: How HTTP Basic Authentication works in Spring Security - browser login prompt]


When you enter the username and password and submit the request, the request again follows the filter chain until it reaches the BasicAuthenticationFilter.

This filter checks the request headers, looking for an Authorization header whose value starts with "Basic", like this: "Authorization: Basic CDWhZGRpbjpvcGVuc2AzYW1l".

The BasicAuthenticationFilter then extracts the content of the "Authorization" header, decodes it using the Base64 algorithm, and extracts the username and password from the decoded string.

Once it has that information, the filter creates a UsernamePasswordAuthenticationToken object and sends it to the authentication manager for authentication in the standard way.

If you don't know the role of the AuthenticationManager in Spring Security login, you can learn more about it in John Thompson's Spring Security Core: Beginner to Guru course on Udemy.




The authentication manager will ask the authentication provider (like in-memory, JDBC-backed, or LDAP-based) to retrieve the user and then create an Authentication object with it. This process is standard and independent of HTTP Basic; it applies to digest authentication as well.
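To make the flow concrete, here is an added example (not Spring Security's own code) that re-implements both halves of the exchange described above in plain Python: the client building the "Authorization" header from "johnsmith:JOHN3214", and the server-side work that BasicAuthenticationFilter and BasicAuthenticationEntryPoint do, including the 401 challenge. The in-memory user store, the request header dictionary and the X-Authenticated-User response header are constructed for this example.

```python
import base64
import binascii
import hmac

# Realm quoted in the page's WWW-Authenticate challenge.
REALM = "Spring Security Application"
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}

# Constructed in-memory user store standing in for the authentication provider.
USERS = {"johnsmith": "JOHN3214"}


def build_basic_header(username, password):
    """Client side: "user:pass" -> Base64 -> 'Basic <token>'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_token(header_value):
    """Filter side: strip the scheme, Base64-decode, split on the FIRST colon
    (a password may itself contain ':'). Returns (user, password) or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # Spring raises BadCredentialsException at this point
    if ":" not in raw:
        return None
    username, _, password = raw.partition(":")
    return username, password


def handle_request(headers):
    """Server side in one function: entry-point challenge when the header is
    missing or unusable, filter decode, provider check. Returns (status, headers)."""
    auth = headers.get("Authorization")
    if auth is None or not auth.startswith("Basic"):
        return 401, CHALLENGE  # what BasicAuthenticationEntryPoint.commence() sends
    creds = decode_basic_token(auth)
    if creds is None:
        return 401, CHALLENGE
    username, password = creds
    expected = USERS.get(username)
    # compare_digest: constant-time, so a wrong password is not revealed by timing
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, CHALLENGE
    return 200, {"X-Authenticated-User": username}
```

Note that decode_basic_token is all it takes to recover the plaintext password from the header, which is why the author's warning below about sending it over an interceptable connection matters.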

If you are working on RESTful web services, you can also use the curl command to send an HTTP request with an "Authorization" header for HTTP Basic authentication. I have found curl an easy way to test web services by sending various HTTP commands from the command line.

You can also see my post on how to test RESTful web services for some practical examples of curl, e.g., sending a POST request, sending a request with HTTP Basic and Digest authentication, etc.

Btw, as I have said before, basic authentication is not secure, as anyone who can intercept the request can decode the password. Hence it is only used for testing purposes. In contrast, the more sophisticated digest authentication and OAuth are used in real-world applications, particularly if you want to secure your REST API.

If you want to learn more about how to use OAuth in your application, I suggest you join the Learn Spring Security OAuth online training course by Eugen, one of the most practical resources to learn OAuth from scratch.

[Image: How HTTP Basic Authentication works in Spring Security and REST API]



I'll tell you more about securing REST APIs in coming articles, but if you can't wait, I suggest you check out the REST with Spring MasterClass, which has recently been updated for Spring Framework 5 and Spring Security 5 as well. And if you love reading books, then Spring Security in Action is another great resource I recommend to an experienced Java developer who wants to master Spring Security in depth.


That's all about how HTTP Basic authentication works inside Spring Security. You have seen the full workflow of what happens when an HTTP request hits a protected URL that requires basic authentication. It's basically the BasicAuthenticationFilter that does most of the job, along with the BasicAuthenticationEntryPoint.

Other Spring Security tutorials and Resources 

Thanks for reading this article. If you like my explanation of how HTTP Basic authentication works in Spring Security, then please share it with your friends and colleagues. If you have any questions or feedback, then please drop a note.

P.S. - If you like to learn from free resources, you can also check out my list of free courses to learn Spring MVC and Spring Boot online. The list contains some free courses from Udemy, Pluralsight, Coursera, and other sites to learn the Spring framework.

4 comments:

Inego said...

BasicAuthenticationFitler -- Fitler -> Filter ;)

javin paul said...

Ah, Fitler :-) thanks

sshalem said...

How does Spring Security tell the browser to add the Authorization header to the request headers?

javin paul said...

Hello sshalem, Spring Security doesn't tell the browser to add the Authorization header; it modifies the HTTP request by itself and adds the Authorization header. You can check out the code of the Spring Security API for more details.
