Spring Security: Form Login & Basic Authentication

Spring Security offers two of the most commonly used authentication methods: Form-Based Login and HTTP Basic Authentication. Understanding their differences, setup, and best practices is essential for developers building secure Spring Boot web apps or REST APIs.

Form-Based Login

Form Login allows users to authenticate using a custom login page. It’s ideal for web applications with user interfaces.

How It Works

1. User requests a protected resource.
2. Spring Security redirects to the login page (/login by default).
3. User submits username and password.
4. AuthenticationManager validates credentials using:
   • UserDetailsService: Loads user info (from database, LDAP, or in-memory).
   • PasswordEncoder: Encrypts and verifies passwords securely (e.g., BCrypt).
5. If authentication succeeds → redirect to requested page or default page.
6. If authentication fails → redirect to an error page.

Key Features

• Supports custom login pages.
• Automatic CSRF protection.
• Integrates with session management (stateful authentication).
• Allows success and failure handlers.
• Works seamlessly with role-based access control.

Example: Form Login Configuration

@Configuration
@EnableWebSecurity
publicclassSecurityConfig {

@Bean
public SecurityFilterChainfilterChain(HttpSecurity http)throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")// Custom login page
                .defaultSuccessUrl("/home")// Redirect on success
                .failureUrl("/login?error")// Redirect on failure
                .permitAll())
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .permitAll());

return http.build();
    }
}

Advantages of Form Login

• User-friendly and customizable UI
• Stateful session management
• Can integrate with remember-me functionality

HTTP Basic Authentication

HTTP Basic Authentication is a stateless, header-based mechanism commonly used for REST APIs or microservices.

How It Works

1. Client requests a protected endpoint.
2. Server responds with 401 Unauthorized and WWW-Authenticate header.
3. Client sends username and password encoded in Base64 via the Authorization header.
4. AuthenticationManager validates credentials.
5. If valid → request proceeds; otherwise → access denied.

Key Features

• Stateless authentication → ideal for REST APIs
• Minimal configuration, no login page required
• Must use HTTPS to protect credentials

Example: Basic Authentication

@Configuration
@EnableWebSecurity
publicclassSecurityConfig {

@Bean
public SecurityFilterChainfilterChain(HttpSecurity http)throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())// Enable HTTP Basic
            .csrf(csrf -> csrf.disable());// Disable CSRF for APIs

return http.build();
    }
}

Advantages

• Lightweight and simple
• Ideal for APIs and microservices
• Stateless → highly scalable

Limitations

• Credentials sent on every request → must use HTTPS
• No UI support for user login

UserDetailsService – Custom User Retrieval

Spring Security uses UserDetailsService to load user-specific data (username, password, roles) from a chosen source.

Example:

@Service
publicclassCustomUserDetailsServiceimplementsUserDetailsService {
@Override
public UserDetailsloadUserByUsername(String username)throws UsernameNotFoundException {
// Load user from DB, LDAP, or in-memory
    }
}

Form Login vs HTTP Basic – Key Differences

Authentication Sources & Password Encoding

Spring Security provides flexible ways to authenticate users, supporting multiple sources depending on your application needs.

Authentication Sources

1. In-Memory Authentication
   • Ideal for testing, prototypes, or learning purposes.
   • Users are defined directly in the application configuration.
2. JDBC Authentication
   • Loads users and roles from a relational database (e.g., MySQL, PostgreSQL).
   • Supports custom queries for fetching user credentials and authorities.
3. LDAP Authentication
   • Integrates with enterprise directories.
   • Common in corporate environments for centralized user management.

Password Encoding

Storing passwords in plain text is unsafe. Spring Security requires strong password encoding.

Best Practices

1. Always use HTTPS to encrypt credentials.
2. Use strong password encoders (BCrypt or Argon2).
3. Form Login → web apps; Basic Authentication → APIs.
4. Avoid hardcoding credentials; use environment variables or properties.
5. Combine authentication with role-based access control.
6. For APIs, consider JWT or OAuth2 for scalable, stateless security.

Key Takeaways

• Form Login: Interactive, session-based, ideal for web applications.
• HTTP Basic: Stateless, simple, ideal for REST APIs and microservices.
• Both integrate with Spring Security’s AuthenticationManager, Security Filter Chain, and role-based access control.
• Always secure credentials using HTTPS and strong password encoding.

Conclusion

Form Login and HTTP Basic Authentication are foundational methods in Spring Security. By mastering them, developers can:

• Secure web applications with a login UI
• Protect REST APIs and microservices with stateless authentication
• Build scalable, secure, and maintainable Spring Boot applications