Spring Boot Starter security auto-configuration

Spring Boot Starter Security not only brings in the dependencies, it also provides the auto-configuration of the Spring Security framework.

If we try to access any of the services now, we get Access Denied.

When we send a request to http://localhost:8080/users/Jack/todos, an example of the response is shown in the following code snippet:

{
  "timestamp": "2019-05-03T11:49:29.464+0000",
  "status": 401,
  "error": "Unauthorized",
  "message": "Full authentication is required to access this resource",
  "path": "/users/Jack/todos"
}

The response status is 401 - Unauthorized.

The default authentication approach that is auto-configured is called basic authentication.

Basic authentication is one of the simplest authentication mechanisms available in the HTTP protocol. When an API is protected with basic authentication, you need to send a basic authentication header to access the API. The basic authentication header is a Base64-encoded combination of the user ID and password.

You might be wondering—where are the user ID and password?

The default auto-configured user ID is user, and the default password is printed in the log at the server startup.

An example from the log is as follows:

Using default security password: 3fb5564a-ce53-4138-9911-8ade17b2f478

Underlined in the preceding code snippet is the default security password that is printed in the log.

We can use Postman to fire a request with basic authentication. The default Username is user, and we can pick up the underlined Password from the log.

The following diagram shows how basic authentication details can be sent, along with a request:

As you can see, authentication succeeds, and we get a proper response back.
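
The same request can be sent from code. The following is an added example, not code from the book: it builds the basic authentication header by hand, decodes it again to show that Base64 is a reversible encoding rather than encryption (so the header should only travel over HTTPS), and calls the service once without and once with the header. The class and method names are hypothetical; it assumes Java 11 or later, the application running on localhost:8080, and the default password copied from your own startup log and passed as the first argument.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthClient {
    // Header value is "Basic " followed by Base64(userId ":" password).
    static String basicAuthHeader(String userId, String password) {
        if (userId.indexOf(':') >= 0) {
            throw new IllegalArgumentException("user ID must not contain ':'");
        }
        byte[] raw = (userId + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Reverses the header. No key is needed, so anyone who can read the
    // request recovers the credentials. Splits on the first colon only.
    static String[] decode(String header) {
        String b64 = header.substring("Basic ".length());
        String pair = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        int sep = pair.indexOf(':');
        return new String[] { pair.substring(0, sep), pair.substring(sep + 1) };
    }

    public static void main(String[] args) throws Exception {
        // Fallback is the sample password from the log line shown above, not a real one.
        String password = args.length > 0 ? args[0] : "3fb5564a-ce53-4138-9911-8ade17b2f478";
        String header = basicAuthHeader("user", password);
        System.out.println("Authorization: " + header);
        System.out.println("Decoded user ID: " + decode(header)[0]);

        URI todos = URI.create("http://localhost:8080/users/Jack/todos");
        HttpClient client = HttpClient.newHttpClient();
        // First request carries no credentials, second carries the header.
        for (boolean authenticated : new boolean[] { false, true }) {
            HttpRequest.Builder req = HttpRequest.newBuilder(todos).GET();
            if (authenticated) req.header("Authorization", header);
            HttpResponse<String> resp = client.send(req.build(), HttpResponse.BodyHandlers.ofString());
            System.out.println((authenticated ? "with" : "without") + " header -> " + resp.statusCode());
        }
    }
}
```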

We can configure the user ID and password of our choice in application.properties, as shown here:

spring.security.user.name=user-name
spring.security.user.password=user-password