I override the configure(HttpSecurity http) method in the SampleSecurityConfig class like this:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/delete/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
        .formLogin().and().httpBasic();
}
If I don't use the httpBasic method, it seems no problem occurs.
What does the httpBasic method exactly do?
Calling this method on HttpSecurity will enable Http Basic Authentication for your application with some "reasonable" defaults.
It will return a HttpBasicConfigurer for further customization.
You can test this by curl and passing a header like Authorization: Basic bzFbdGfmZrptWY30YQ== but base64 encoding a valid username/password combination.
Documentation for httpBasic
When httpBasic() is called, we are telling Spring to authenticate the request using the values passed by the Authorization request header. If the request is not authenticated you will get a returned status of 401 and an error message of Unauthorized.
When httpBasic() is called, an instance of the BasicAuthenticationFilter is added to the filter chain. The BasicAuthenticationFilter will then proceed with trying to authenticate the request in the typical Spring Security fashion. If authentication is successful, the resulting Authentication object will be placed into the SecurityContextHolder, which can then be used for future authentication purposes.
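What the Authorization: Basic header discussed in the answers above actually carries, as an added example that is not part of the original answers and is not Spring Security's own code: a simplified, JDK-only model of the decoding step. The class and method names are hypothetical and the credentials are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example (hypothetical names): simplified model of decoding an
// "Authorization: Basic ..." header value into username and password.
public class BasicHeaderDemo {

    // Returns {username, password}, or empty if the value is not usable Basic credentials.
    static Optional<String[]> parse(String header) {
        if (header == null) return Optional.empty();
        String h = header.trim();
        // The scheme name is compared case-insensitively.
        if (!h.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(h.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // token is not valid Base64
        }
        String token = new String(decoded, StandardCharsets.UTF_8);
        int colon = token.indexOf(':'); // split on the FIRST colon: passwords may contain ':'
        if (colon < 0) return Optional.empty();
        return Optional.of(new String[] { token.substring(0, colon), token.substring(colon + 1) });
    }

    // Builds the header value a client such as curl would send.
    static String encode(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        String good = encode("admin", "s3cr:et"); // constructed sample credentials
        String noColon = "Basic " + Base64.getEncoder()
                .encodeToString("nocolon".getBytes(StandardCharsets.UTF_8));
        String[] samples = { good, "basic " + good.substring(6), "Bearer abc",
                             "Basic !!!", noColon, null };
        for (String s : samples) {
            String result = parse(s)
                    .map(c -> "user=" + c[0] + " password=" + c[1])
                    .orElse("rejected (server would answer 401 Unauthorized)");
            System.out.println(s + " => " + result);
        }
    }
}
```

The header is only Base64-encoded, so anyone who can read the request recovers the password; Basic authentication should be served over HTTPS only.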