Minimalistic Basic Auth configuration with Spring Boot Security

This post aims to address the minimal configuration required to set up basic auth for all the endpoints and a single static user. If you are looking for a bit more flexible solution such as protecting parts of the application or reading users from a database-backed store here is a great resource to get started. Here instead we will cover only the base setup by heavily relying on the spring boot autoconfiguration. A full list of features enabled in the autoconfiguration can be found on this link.

We will start with adding the spring boot security dependency to our project. If you are starting a new project here is a spring starter configuration link used for this post.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Without further configuration, all the application endpoints now require basic auth username/password pair to access. Also, spring boot doesn’t rely on the browser’s default basic auth username/password prompt but provides a custom HTML page on the /login path.

Default spring security Basic Auth login form

In the rest of the tutorial, we will use a command-line tool cURL to make it easier to follow the tutorial.

By default spring uses a predefined username of “user” and a new password is generated on every application start and displayed in the application logs.

2022-06-19 14:36:06.842 WARN 11765 --- [ main] .s.s.UserDetailsServiceAutoConfiguration :
Using generated security password: c30bea2b-0890-4e95-902e-db55d03b8a00
This generated password is for development use only. Your security configuration must be updated before running your application in production.

To test the setup we can use the following curl command. Remember to update the command password with one printed in your logs.

curl -u 'user:c30bea2b-0890-4e95-902e-db55d03b8a00' localhost:8080

My example application responds with 404 as I don’t have anything on the root path, depending on your setup the response might differ.

The dynamic nature of the password doesn’t make it inpractical for development where restarts are very often and expected. Luckily, the password can be easily set via the application.properties file. The application.properties files are usually located on the src/main/resources/application.propertiespath.

spring.security.user.password=password

To test it update the previously used curl command with the new password (the -u curl option will concatenate and base64 encode username/password as per basic auth requirements). :

curl -u 'user:password' localhost:8080

If however, you are planning to use this basic configuration outside of the development environment, storing passwords as plain text in the git repository might not be the best option. An alternative approach is setting the password value as an environment variable.

SPRING_SECURITY_USER_PASSWORD=password

or

spring_security_user_password=password

In spring, environment variables are case insensitive so it doesn’t matter which one you decide to use.

Besides the password being configurable via the application properties there are also options to overwrite the default username and assign a list of roles as shown here.