Understanding and Implementing HttpBasic Authentication in Spring Security
This article explains the classic HttpBasic authentication mode in Spring Security, its limited use cases, how to integrate it with a Spring Boot project by adding Maven dependencies and configuration code, and details the underlying Base64‑based mechanism with step‑by‑step illustrations.
Hello everyone, I am Chen. This is the 13th article in the "Spring Security Advanced" series.
Application Scenarios of HttpBasic
HttpBasic is the simplest and most primitive authentication method provided by Spring Security. It merely encodes the username:password pair with Base64, which is reversible, making it unsuitable for protecting important data.
It is only appropriate for low‑risk situations where a minimal barrier is needed for a small number of users.
Integrating HttpBasic with Spring Security
Although this authentication mode is not critical, understanding it is essential for later topics.
1. Add Maven Dependency
Add the Spring Security starter dependency:
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

2. Spring Security Configuration
For Spring Boot 2.x (Spring Security 5.x) the default is form‑login, so we need to enable HttpBasic:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    /**
     * @author WeChat official account: Code Ape Tech Column
     * @url www.java-family.cn
     * @description Spring Security configuration class
     */
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.httpBasic()        // enable HttpBasic authentication
                .and()
                .authorizeRequests()
                .anyRequest()
                .authenticated();   // all requests require authentication
        }
    }

Run the application; the console will print a generated password like:
    Using generated security password: 00af0f93-7103-4c8a-87a4-23a050a4285c

The default username is user. You can also set custom credentials in application.yml:

    spring:
      security:
        user:
          name: admin
          password: admin

Principle of HttpBasic
The flow is:
Encode username:password with Base64 (e.g., admin:admin → YWRtaW46YWRtaW4=).
Send the value in the HTTP Authorization header as Basic YWRtaW46YWRtaW4=.
The server’s BasicAuthenticationFilter extracts the header and decodes it using Base64.
If the decoded credentials match, the request proceeds; otherwise it is rejected.
Because Base64 is an encoding rather than encryption, anyone who obtains the header (for example by inspecting the request in a tool such as Postman) can decode it straight back to the plaintext credentials; the scheme provides no confidentiality of its own.
The core logic resides in the BasicAuthenticationFilter#doFilterInternal() method.
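As an added example (not code from the article or from Spring Security), the following Python models both ends of the exchange described above: the client building the Authorization header and the server-side decode step that BasicAuthenticationFilter performs, including the malformed-header cases the filter rejects. The in-memory credential store and the constant-time comparison are assumptions made for the demo; a real server would compare against stored password hashes.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed demo credential store (assumption: plaintext for illustration only).
USERS = {"admin": "admin"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: produce the header value a browser or Postman would send."""
    if ":" in username:
        raise ValueError("the user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: the decode step of BasicAuthenticationFilter.

    Returns (username, password), or None when the header is absent or malformed.
    """
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:  # scheme name is case-insensitive
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid Base64
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # "Invalid basic authentication token": no user:pass separator
    return username, password


def authenticate(header: Optional[str]) -> bool:
    """Decode the header and check the credentials against the demo store."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username)
    if expected is None:
        return False
    # Constant-time comparison so response timing does not leak match length.
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
```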
For further learning, the author also offers a Spring Cloud Alibaba video series covering middleware, OAuth2 micro‑service authentication, gray‑release, and distributed transactions.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn