HTTP Basic authentication in Spring REST web services


Writing RESTful web services is not a huge task with the Spring framework. Spring exposes annotations that speed up development work. Follow this Spring REST tutorial to write your first REST web service using Spring. In this tutorial, we shall add HTTP basic authentication, which will ask for a username and password when the REST URLs are accessed using a web browser.

Username: Spring, Password: Spring

The security implementation is specific to web browsers. If you need to authenticate non-HTTP clients for your RESTful web service, you have to implement BASIC authentication, which I will discuss in the next tutorial. For now, let us get started with HTTP-based Spring security.

I am not going to teach how to create REST web service using Spring as there is a tutorial already present with working code and demo. I shall list the steps to enhance it and then will provide a link to download the zip archive of application.

1) Add spring-security.xml:

Add the following XML file to the WEB-INF folder. It defines the security-related parameters: the URLs to secure, the security mechanism to use, and the username and password are all configured in this file. This file has to be present in the classpath. We shall also need to add a reference to it in our web.xml.

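<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

	<!-- Every URL requires an authenticated user holding ROLE_USER -->
	<security:http auto-config="true" authentication-manager-ref="authManager">
		<security:intercept-url pattern="/**" access="ROLE_USER"/>
		<security:form-login />
		<security:logout />
	</security:http>
	<security:authentication-manager id="authManager">
		<security:authentication-provider>
			<security:user-service>
				<security:user name="spring" password="spring" authorities="ROLE_USER" />
			</security:user-service>
		</security:authentication-provider>
	</security:authentication-manager>
</beans>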


2) Modify web.xml:

Now add the Spring Security filter, which intercepts the HTTP requests we are interested in and presents a login form to the user. If you have worked with filters in a Java EE application, configuring the Spring Security filter will be very easy for you. The complete web.xml is reproduced here:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
	xmlns="" xmlns:xsi=""
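
The filter registration this step describes, written out as an added example (it is not the original post's web.xml). It assumes the file from step 1 is stored as /WEB-INF/spring-security.xml and leaves out the REST servlet declarations from the base tutorial.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: only the security-related entries of web.xml are shown. -->
<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
		http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

	<!-- Assumption: the security configuration lives at /WEB-INF/spring-security.xml -->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>/WEB-INF/spring-security.xml</param-value>
	</context-param>

	<!-- The filter name must be springSecurityFilterChain: DelegatingFilterProxy
	     looks up a bean of that name, which the <security:http> element creates. -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<!-- Map the filter to every request so no REST URL bypasses authentication. -->
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- Loads the root application context (and with it spring-security.xml) at startup. -->
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<!-- The REST servlet and its servlet-mapping from the base tutorial go here (omitted). -->
</web-app>
```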

That’s it: those are the only two changes required to add basic HTTP authentication to your REST web services using Spring. To repeat, this configuration adds security only for web-based clients.

Test the web service

A working demo is available at the following link:

To test the other REST operations, you need a REST client to access the following URL:

Add Employee :
HTTP header : Content-Type: application/xml
HTTP Authentication : user: spring, password: spring

<?xml version="1.0" encoding="UTF-8"?>

Remove Employee :

Update Employee :
HTTP header : Content-Type: application/xml
HTTP Authentication : user: spring, password: spring

<?xml version="1.0" encoding="UTF-8"?>

Download application WAR

The complete WAR archive of the Employee RS web service can be downloaded from the following link. This WAR file has been tested with Tomcat 7.0, JDK 1.6 and Spring 3.1.0. It contains a valid pom.xml as well as the Spring 3.1.0 dependencies: