
Basic and Digest Authentication

Basic and Digest authentication are methods used to protect web resources. Basic authentication is simpler but less secure, while Digest authentication provides better security by hashing credentials. This guide covers key concepts and steps for setting up both Basic and Digest authentication in your Spring Boot application, including adding dependencies, configuring security, and protecting endpoints.

Key Concepts of Basic and Digest Authentication

  • Basic Authentication: Sends the user's credentials (username and password) Base64-encoded in the Authorization request header. Base64 is an encoding, not encryption, so Basic authentication is only safe over HTTPS.
  • Digest Authentication: Proves possession of the password through a challenge-response mechanism (a server-issued nonce and an MD5 digest, RFC 2617) rather than sending it, providing better security. The server must still hold the cleartext password or the MD5 of username:realm:password to verify the response.
  • Security Configuration: Configuring Spring Security to use Basic or Digest authentication.
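To make the two mechanisms concrete, the following added example (not code from this page or from Spring Security) builds a Basic header and decodes it without any secret, then runs the Digest computation on both sides: the client derives the response from HA1, and the server verifies it from its stored HA1 against the nonce it issued. The realm, nonce and credentials are constructed sample values.

```python
"""Basic vs. Digest: what each Authorization header reveals and how a server checks it.
Added example with constructed realm, nonce and credentials; not from the page."""
import base64
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    # Basic is Base64 encoding only: whoever sees the header has the password.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header: str) -> tuple:
    # Reversing it needs no secret, which is why Basic is only safe under TLS.
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    # HA1 is what the server needs at verification time, so it must keep the
    # cleartext password or this MD5 value; a bcrypt hash cannot be used here.
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 with qop=auth: the password never leaves the client, only this digest.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, issued_nonces: set, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, response: str) -> bool:
    # Accept only nonces this server issued, then recompute the digest from the
    # stored HA1 and compare in constant time.
    if nonce not in issued_nonces:
        return False
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

A `curl --digest` client performs exactly the `digest_response` step after receiving the server's `WWW-Authenticate: Digest` challenge.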

Adding Dependencies

Include the Spring Security dependency in your pom.xml file:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Configuring Basic Authentication

Configure Basic authentication by extending WebSecurityConfigurerAdapter and overriding the configure(HttpSecurity http) method (this adapter is deprecated from Spring Security 5.7 and removed in 6.0, where a SecurityFilterChain bean takes its place):

Example: SecurityConfiguration.java (Basic Authentication)

// SecurityConfiguration.java
package com.example.myapp.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user")
            .password(passwordEncoder().encode("password"))
            .roles("USER")
            .and()
            .withUser("admin")
            .password(passwordEncoder().encode("admin"))
            .roles("ADMIN");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}

Configuring Digest Authentication

Configure Digest authentication by extending WebSecurityConfigurerAdapter, registering a DigestAuthenticationFilter with its DigestAuthenticationEntryPoint in the configure(HttpSecurity http) method, and storing passwords in a form the filter can use (cleartext, or the MD5 of username:realm:password with setPasswordAlreadyEncoded(true)):

Example: SecurityConfiguration.java (Digest Authentication)

// SecurityConfiguration.java
package com.example.myapp.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user")
            .password(passwordEncoder().encode("password"))
            .roles("USER")
            .and()
            .withUser("admin")
            .password(passwordEncoder().encode("admin"))
            .roles("ADMIN");
    }

    // DigestAuthenticationFilter recomputes MD5(username:realm:password) from the
    // stored password, so it must be cleartext (as here) or that MD5 value with
    // filter.setPasswordAlreadyEncoded(true). A BCrypt hash cannot be used.
    @Bean
    @SuppressWarnings("deprecation")
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }

    @Bean
    public DigestAuthenticationEntryPoint digestEntryPoint() {
        DigestAuthenticationEntryPoint entryPoint = new DigestAuthenticationEntryPoint();
        entryPoint.setRealmName("myapp");
        // Secret used to generate and validate nonces; use a long random value per deployment.
        entryPoint.setKey("change-me-to-a-random-key");
        return entryPoint;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Built here rather than as a @Bean so Spring Boot does not also register
        // the filter with the servlet container.
        DigestAuthenticationFilter digestFilter = new DigestAuthenticationFilter();
        digestFilter.setUserDetailsService(userDetailsServiceBean());
        digestFilter.setAuthenticationEntryPoint(digestEntryPoint());

        http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
            .and()
            // Unauthenticated requests receive a WWW-Authenticate: Digest challenge
            .exceptionHandling().authenticationEntryPoint(digestEntryPoint())
            .and()
            .addFilter(digestFilter);
    }
}

Securing Endpoints

Protect specific endpoints by specifying access rules. Rules are evaluated in the order they are declared, so list the more specific patterns before the catch-all anyRequest() rule:

Example: SecurityConfiguration.java

// SecurityConfiguration.java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        .authorizeRequests()
        .antMatchers("/public/**").permitAll()
        // Illustrative path: only users with ROLE_ADMIN (the "admin" user above) may reach it
        .antMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated()
        .and()
        // Authentication mechanism as configured earlier: httpBasic() here, or the
        // Digest filter registered with addFilter(...) in the Digest configuration
        .httpBasic();
}

Testing Authentication

Test Basic and Digest authentication using tools like Postman or curl to ensure they are configured correctly:

Example: Testing Basic Authentication with curl

$ curl -u user:password http://localhost:8080/protected

Example: Testing Digest Authentication with curl

$ curl --digest -u user:password http://localhost:8080/protected

Key Points

  • Basic Authentication: Sends the user's credentials (username and password) encoded with Base64 in the request header.
  • Digest Authentication: Hashes the user's credentials using a challenge-response mechanism, providing better security.
  • Security Configuration: Configuring Spring Security to use Basic or Digest authentication.
  • Include the Spring Security dependency in your pom.xml file.
  • Configure Basic authentication by extending WebSecurityConfigurerAdapter and overriding the configure(HttpSecurity http) method.
  • Configure Digest authentication by extending WebSecurityConfigurerAdapter and overriding the configure(HttpSecurity http) method.
  • Protect specific endpoints by specifying access rules.
  • Test Basic and Digest authentication using tools like Postman or curl to ensure they are configured correctly.

Conclusion

Basic and Digest authentication provide simple and effective ways to protect web resources. By understanding and configuring these authentication methods, you can secure your Spring Boot application and ensure only authorized users have access to protected endpoints. Happy coding!