Over a million developers have joined DZone.

Basic HTTP Authentication Sample Application

DZone's Guide to

Basic HTTP Authentication Sample Application

· Integration Zone ·
Free Resource

Discover how you can get APIs and microservices to work at true enterprise scale.

Basic HTTP authentication solve following security problems.

  • Get username and password from http request
  • Fetch the applicable method security details
  • Verify if user is authorized to access the API
  • Return valid error codes in case of invalid access

In this tutorial, we show you how to develop a simple RESTful web service application with HTTP basic authentication using Cuubez framwork.

Technologies and Tools used in this article:

  1. cuubez 1.1.0
  2. JDK 1.6
  3. Tomcat 6.0
  4. Maven 3.0.3
  5. Intellij IDEA 13.1.1

Note: If you want to know what and how REST works, just search on Google, ton of available resources.

1. Directory Structure

This is the final web project structure of this tutorial.

2. Standard Web Project

Create a standard Maven web project structure.

mvn archetype:generate -DgroupId=com.cuubez -DartifactId=basic_authentication -DarchetypeArtifactId=maven-archetype-webapp -DinteractiveMode=false

Note: To support IntelliJ IDEA, use Maven command :

mvn idea:idea

3. Project Dependencies

Cuubez is published in Maven repository. To develop cuubez REST application , just declares “cuubez-core” in Maven pom.xml.

File : pom.xml


4. REST Service

Simple REST service with basic HTTP authentication annotations.

  • @PermitAll?: Specifies that all security roles are allowed to invoke the specified method(s)
  • @RolesAllowed?: Specifies the list of roles permitted to access method(s)
  • @DenyAll?: Specifies that no security roles are allowed to invoke the specified method(s)


    privatestaticLog log =LogFactory.getLog(UserResource.class);

    publicResponse userGet(@HeaderParam(value ="name")String name,@PathParam(value ="userId")String id,@QueryParam(value ="age")Double age){

        User user =newUser(id, age, name);

    publicvoid userPost(User user){
        log.info("POST = ["+ user +"]");

    publicvoid userPut(User user){
        log.info("PUT = ["+ user +"]");


5. Authentication filter

The security interceptor is build by implementing com.cuubez.core.Interceptor.RequestInterceptor? interface. This interface has one method which need to implement.


    privatefinalInterceptorResponseContext ACCESS_FORBIDDEN =newInterceptorResponseContext("No access",HttpServletResponse.SC_FORBIDDEN);

    publicInterceptorResponseContext process(InterceptorRequestContext interceptorRequestContext){


            return ACCESS_FORBIDDEN;//Return access denied to user


            returnnull;//Return null to continue request processing


            //get encoded user name and password
            String encodedUserName = interceptorRequestContext.getHeader("userName");
            String encodedPassword = interceptorRequestContext.getHeader("password");

            //decode user name and password
            String decodedUserName =newString(Base64.decodeBase64(encodedUserName.getBytes()));
            String decodedPassword =newString(Base64.decodeBase64(encodedPassword.getBytes()));

            //get allowed user roles
            String[] allowedRoles =((RolesAllowed) interceptorRequestContext.getAnnotation(RolesAllowed.class)).value();

            //Access userAccessor to retrieve user details(UserAccessor is not providing by framework, developer need to implement it according their requirement)
            UserAccessor userAccessor =newUserAccessor();
            String role = userAccessor.getUserRole(decodedUserName, decodedPassword);

            if(isAllow(allowedRoles, role)){
                return ACCESS_FORBIDDEN;




    privateboolean isAllow(finalString[] allowedRoles,finalString userRole){

        for(String allRole : allowedRoles){



This interceptor mechanism provide full flexibility to developer.

6. web.xml

The ContextLoaderListner? context listener has to be deployed in order to create the registry for cuubez ,while the ServiceInitiator? servlet is used so that incoming requests are correctly routed to the appropriate services. We have configured the specific servlet, named “cuubez”, to intercept requests under the “/rest/” path.

File : web.xml

  <display-name>Employee Example</display-name>


6. Demo

In this example, web request from “projectURL/rest/users/{userId}” will match to “UserResource?, via @Path("/users/{userId}").

1. GET request

(GET resource annotated by @PermitAll? annotation. Specifies that all security roles are allowed to invoke the specified method(s))

2. POST request

(POST request annotated by @RolesAllowed? annotation. ADMIN role permitted to access method(s))

  • Forbidden request (Wrong encoded(Base64) user name and password passed as a header variables)

  • Successful request (Correct encoded(Base64) user name and password passed as a header variables)

3. PUT request

(PUT resource annotated by @DenyAll? annotation. Specifies that no security roles are allowed to invoke the specified method(s))

7. Download

Download Basic Authentication Sample Application - Basic-Authentication.zip

APIs and microservices are maturing, quickly. Learn what it takes to manage modern APIs and microservices at enterprise scale.


Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}