이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Basic authentication

Red Hat build of Quarkus 3.20

Red Hat Customer Content Services

Abstract

This guide introduces HTTP Basic authentication as a minimal-resource technique for securing Quarkus application endpoints. It details the use of the Authorization header for transmitting Base64-encoded credentials and highlights the need for HTTPS to protect these credentials during transmission. It discusses limitations such as lack of encryption for credentials, the need to send credentials with each request, and the increased complexity of managing credentials within the application. Implementation guidance and references to additional security resources, including enabling Basic authentication and role-based access control (RBAC), are also provided.

Providing feedback on Red Hat build of Quarkus documentation

To report an error or to improve our documentation, log in to your Red Hat Jira account and submit an issue. If you do not have a Red Hat Jira account, then you will be prompted to create an account.

Procedure

Click the following link to create a ticket.
Enter a brief description of the issue in the Summary.
Provide a detailed description of the issue or enhancement in the Description. Include a URL to where the issue occurs in the documentation.
Clicking Submit creates and routes the issue to the appropriate documentation team.

Chapter 1. Basic authentication

HTTP Basic authentication is one of the least resource-demanding techniques that enforce access controls to web resources. You can secure your Quarkus application endpoints by using HTTP Basic authentication. Quarkus includes a built-in authentication mechanism for Basic authentication.

Basic authentication uses fields in the HTTP header and does not rely on HTTP cookies, session identifiers, or login pages.

1.1. Authorization header

An HTTP user agent, like a web browser, uses an Authorization header to provide a username and password in each HTTP request. The header is specified as Authorization: Basic <credentials>, where credentials are the Base64 encoding of the user ID and password, joined by a colon.

Example:

If the user name is Alice and the password is secret, the HTTP authorization header would be Authorization: Basic QWxjZTpzZWNyZXQ=, where QWxjZTpzZWNyZXQ= is a Base64 encoded representation of the Alice:secret string.

The Basic authentication mechanism does not provide confidentiality protection for the transmitted credentials. The credentials are merely encoded with Base64 when in transit, and not encrypted or hashed in any way. Therefore, to provide confidentiality, use Basic authentication with HTTPS.

Basic authentication is a well-specified, simple challenge and response scheme that all web browsers and most web servers understand.

1.2. Limitations with using Basic authentication

The following table outlines some limitations of using HTTP Basic authentication to secure your Quarkus applications:

Table 1.1. Limitations of HTTP Basic authentication
Limitation	Description
Credentials are sent as plain text	Use HTTPS with Basic authentication to avoid exposing the credentials. The risk of exposing credentials as plain text increases if a load balancer terminates HTTPS because the request is forwarded to Quarkus over HTTP. Furthermore, in multi-hop deployments, the credentials can be exposed if HTTPS is used between the client and the first Quarkus endpoint only, and the credentials are propagated to the next Quarkus endpoint over HTTP.
Credentials are sent with each request	In Basic authentication, a username and password must be sent with each request, increasing the risk of exposing credentials.
Application complexity increases	The Quarkus application must validate that usernames, passwords, and roles are managed securely. This process, however, can introduce significant complexity to the application. Depending on the use case, other authentication mechanisms that delegate username, password, and role management to specialized services might be more secure.

1.3. Implementing Basic authentication in Quarkus

For more information about how you can secure your Quarkus applications by using Basic authentication, see the following resources:

1.4. Role-based access control

Red Hat build of Quarkus also includes built-in security to allow for role-based access control (RBAC) based on the common security annotations @RolesAllowed, @DenyAll, @PermitAll on REST endpoints and CDI beans. For more information, see the Quarkus Authorization of web endpoints guide.

1.5. References

Chapter 2. Enable Basic authentication

Enable Basic authentication for your Quarkus project and allow users to authenticate with a username and password.

2.1. Prerequisites

You have installed at least one extension that provides an IdentityProvider based on username and password. For example:

The following procedure outlines how you can enable Basic authentication for your application by using the elytron-security-properties-file extension.

2.2. Procedure

In the application.properties file, set the quarkus.http.auth.basic property to true.
```
quarkus.http.auth.basic=true
```
Optional: In a non-production environment only and purely for testing Quarkus Security in your applications:
1. To enable authentication for the embedded realm, set the quarkus.security.users.embedded.enabled property to true.
```
quarkus.security.users.embedded.enabled=true
```
2. You can also configure the required user credentials, user name, secret, and roles. For example:
```
quarkus.http.auth.basic=true
quarkus.security.users.embedded.enabled=true
quarkus.security.users.embedded.plain-text=true
quarkus.security.users.embedded.users.alice=alice 1
quarkus.security.users.embedded.users.bob=bob 2
quarkus.security.users.embedded.roles.alice=admin 3
quarkus.security.users.embedded.roles.bob=user 4
```
  1 3
  The user, alice, has alice as their password and admin as their role.
  2 4
  The user, bob, has bob as their password and user as their role.
  For information about other methods that you can use to configure the required user credentials, see the Configuring User Information section of the Quarkus "Security Testing" guide.
  Important
  Configuring user names, secrets, and roles in the application.properties file is appropriate only for testing scenarios. For securing a production application, it is crucial to use a database to store this information.

2.3. Next steps

For a more detailed walk-through that shows you how to configure Basic authentication together with Jakarta Persistence for storing user credentials in a database, see the Getting started with Security by using Basic authentication and Jakarta Persistence guide.

2.4. References

Legal Notice

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.