Today, let's talk about HttpBasic, a classic authentication mode in Spring Security. It was the default authentication mode of Spring Security before version 5.x, but since 5.x it is no longer the default; form login authentication is the default instead.
Application scenarios of HttpBasic mode
The HttpBasic login authentication mode is the easiest way to implement login authentication with Spring Security, and it can also be called the weakest.
Why the weakest? This mode is enough to keep ordinary users out, but anyone with a little technical knowledge can get past it in minutes, because the bottom layer has no security protection at all: the string username:password is simply Base64-encoded and passed to the server, and Base64 is a reversible encoding, not encryption.
Therefore, HttpBasic has very few application scenarios. You might consider it for unimportant data with few users, where you only want to put up a barrier.
Implementing it with Spring Security
Although this authentication mode is rarely used in practice, understanding it still matters for what follows. Let's build a project to demonstrate it.
1. Add maven dependencies
Add the dependencies of Spring Security directly, as follows:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
2. Add the Spring Security configuration
Since Chen is using Spring Boot 2.x, Spring Security is at version 5.x here, and the default authentication method is form authentication, so the HttpBasic authentication mode has to be configured explicitly. The code is as follows:
/**
 * @author WeChat official account: 码猿技术专栏
 * @url: www.java-family.cn
 * @description Spring Security configuration class
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic()          // enable HttpBasic authentication
            .and()
            .authorizeRequests()
            .anyRequest()
            .authenticated();     // every request requires login authentication
    }
}
Start the project; a line like the following appears in the project's startup log, and the default password is the value after the colon.
Using generated security password: 00af0f93-7103-4c8a-87a4-23a050a4285c
We can log in through the browser; the default username is user. (The login box that appears is not developed by us; it comes with HttpBasic mode.)
Of course, we can also specify the username and password in application.yml. The configuration is as follows:
spring:
  security:
    user:
      name: admin
      password: admin
The principle of HttpBasic
The whole process is as follows:
- First, HttpBasic mode requires that the transmitted username and password be Base64-encoded. If the username is admin and the password is admin, the string admin:admin is encoded with the Base64 algorithm, and the result is YWRtaW46YWRtaW4=.
- Then the client puts an Authorization header in the HTTP request with the value Basic YWRtaW46YWRtaW4= and sends it to the server. (Note the format used here: Basic, a space, then the encoded string.)
- When the server receives such a request, it reaches the BasicAuthenticationFilter, which extracts the value of the Authorization header and decodes it with the same Base64 algorithm to obtain the user's identity.
- The decoded result is matched against the username and password used for login verification. If the match succeeds, the request continues through the filter chain.
Therefore, HttpBasic is indeed a very simple verification mode. Base64 is reversible, so once you know the above principle, it can be cracked in minutes. We can use the Postman tool to send HTTP requests for login verification.
The whole process lives in BasicAuthenticationFilter#doFilterInternal(); take a look at that method if you are interested.
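To make the exchange concrete, here is an added example (not code from the article or from Spring Security) that builds the header a client sends and then does what BasicAuthenticationFilter does on the server side: extract, Base64-decode, and match against a credential store. The USERS map is a constructed stand-in for the application.yml user above; a real Spring setup would compare through a PasswordEncoder rather than against a plaintext password.

```python
import base64
import hmac

# Constructed credential store for the demo (plaintext only to keep the example
# short; Spring would store an encoded password and compare via PasswordEncoder).
USERS = {"admin": "admin"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: the Authorization value the browser login box or Postman sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header):
    """Server side: mirror the extraction/decoding step of BasicAuthenticationFilter.

    Returns (username, password), or None if the header is not a usable Basic credential.
    """
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:  # the scheme name is case-insensitive
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # malformed Base64 or non-UTF-8 bytes
        return None
    # Only the first colon separates user and password: a password may itself contain ':'
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header) -> bool:
    """Decode the header and match it against the credential store."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username)
    if expected is None:
        return False
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
```

Because the client-side step is plain Base64, parse_basic_header recovers the credentials from any captured header, which is why this mode only makes sense over TLS.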