1. Basic authentication

Client side

step-1) Base64 encode the string username:password
step-2) Add the encoded string to the HTTP header of every request:
name: “Authorization”, value = “Basic <base64EncodedCredentials>”
step-3) Make sure to use HTTPS, not HTTP. Base64 is reversible, so anyone who can read the header can read the password.

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.springframework.http.HttpHeaders;

String plainCredentials = "username:password";
// Base64 is an encoding, not encryption: the server (and any eavesdropper on plain HTTP) decodes it back to username:password
String base64EncodedCredentials = Base64.getEncoder().encodeToString(plainCredentials.getBytes(StandardCharsets.UTF_8));

HttpHeaders headers = new HttpHeaders();
headers.add(HttpHeaders.AUTHORIZATION, "Basic " + base64EncodedCredentials);


Server side (e.g. using Spring Security’s WebSecurityConfigurerAdapter; note that this adapter was deprecated in Spring Security 5.7 and removed in 6.0, where the same settings are expressed as a SecurityFilterChain bean)

Provide a class annotated with @EnableWebSecurity that extends WebSecurityConfigurerAdapter and implements the following two methods.
1) configure(HttpSecurity http) – to configure the BasicAuthenticationEntryPoint to be used when authentication fails or a request is made without credentials. It answers with 401 and a WWW-Authenticate: Basic realm="..." header. If we don’t provide this, Spring’s default configuration redirects the user to a login page which may or may not exist in your application.
2) configureGlobal(AuthenticationManagerBuilder auth), annotated with @Autowired – to configure inMemoryAuthentication (the list of users and their BCrypt-hashed passwords). Never store the passwords in plain text; register a PasswordEncoder bean so the stored hashes are compared using BCrypt.
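The two methods above, put together in one configuration class. This is an added example, not code from the original page or from the Spring project: the class name BasicAuthConfig, the realm name "api", the user "alice" and the password "s3cret" are assumptions, and it targets the Spring Security 5.x adapter API the page describes.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class BasicAuthConfig extends WebSecurityConfigurerAdapter {

    // Registering a PasswordEncoder bean makes Spring Security compare
    // submitted passwords against BCrypt hashes instead of plain text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Returned for unauthenticated requests: 401 plus WWW-Authenticate: Basic realm="api"
    // instead of the default redirect to a (possibly non-existent) login page.
    @Bean
    public BasicAuthenticationEntryPoint entryPoint() {
        BasicAuthenticationEntryPoint ep = new BasicAuthenticationEntryPoint();
        ep.setRealmName("api"); // assumed realm name
        return ep;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Basic-auth API clients carry no session cookie, so there is nothing for CSRF
            // tokens to protect; only disable this for a cookie-less, stateless API.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            // Refuse plain HTTP: the Authorization header is only Base64, not encrypted.
            .requiresChannel().anyRequest().requiresSecure().and()
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic().authenticationEntryPoint(entryPoint());
    }

    // In-memory user store; the password is hashed with BCrypt at startup.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("alice")                             // assumed user
            .password(passwordEncoder().encode("s3cret"))  // assumed password, stored only as a BCrypt hash
            .roles("USER");
    }
}
```

A request without credentials now gets 401 with WWW-Authenticate: Basic realm="api"; a request with a wrong password gets the same 401 from the entry point; and a request over plain HTTP is redirected to HTTPS before the header is ever evaluated.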

Basic authentication is often used with stateless clients which pass their credentials on each request. It’s quite common to use it in combination with form-based authentication where an application is used both through a browser-based user interface and as a web service. However, basic authentication transmits the password in the clear (Base64 is an encoding, not encryption), so it should only be used over an encrypted transport layer such as HTTPS.

2. Digest authentication

The client never sends the password itself. Instead it sends a hash (MD5 in RFC 2617; this is hashing, not encryption, and not just encoding as in basic authentication) computed over the following items:
username
realm (supplied by the server in the WWW-Authenticate challenge)
password
server supplied nonce (a nonce is an arbitrary value that is used just once, so a captured response cannot be replayed against a later challenge)
the HTTP method
the requested URI
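The computation described above, carried through for the qop=auth form of RFC 2617 (HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)). This is an added example, not code from the original page; the class name and the sample inputs are the worked-example values from RFC 2617 section 3.5, and the verify method assumes the server stores HA1, which is what digest verification needs (a BCrypt hash of the password is not enough, one of the trade-offs of this scheme).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestResponse {

    // Lower-case hex MD5, the default algorithm in RFC 2617
    static String md5Hex(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(s.getBytes(StandardCharsets.UTF_8))) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Client side: the password only ever enters the hash, it is never put on the wire
    static String response(String user, String realm, String password, String method, String uri,
                           String nonce, String nc, String cnonce, String qop) {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        return responseFromHa1(ha1, method, uri, nonce, nc, cnonce, qop);
    }

    // Shared by client and server: HA2 binds the response to this method and URI
    static String responseFromHa1(String ha1, String method, String uri,
                                  String nonce, String nc, String cnonce, String qop) {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // Server side: recompute from the stored HA1 and the nonce it issued, then compare in constant time
    static boolean verify(String storedHa1, String method, String uri, String nonce, String nc,
                          String cnonce, String qop, String presented) {
        String expected = responseFromHa1(storedHa1, method, uri, nonce, nc, cnonce, qop);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Sample values taken from the worked example in RFC 2617 section 3.5
        String user = "Mufasa", realm = "testrealm@host.com", password = "Circle Of Life";
        String uri = "/dir/index.html", nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String nc = "00000001", cnonce = "0a4f113b", qop = "auth";

        String resp = response(user, realm, password, "GET", uri, nonce, nc, cnonce, qop);
        System.out.println("Authorization: Digest username=\"" + user + "\", realm=\"" + realm
            + "\", nonce=\"" + nonce + "\", uri=\"" + uri + "\", qop=" + qop + ", nc=" + nc
            + ", cnonce=\"" + cnonce + "\", response=\"" + resp + "\"");

        // The server keeps HA1 (not the plaintext password) and checks the presented response
        String storedHa1 = md5Hex(user + ":" + realm + ":" + password);
        System.out.println("server accepts: " + verify(storedHa1, "GET", uri, nonce, nc, cnonce, qop, resp));

        // Replaying the captured response against a fresh nonce, or for another URI, fails
        System.out.println("replay with new nonce accepted: "
            + verify(storedHa1, "GET", uri, "fresh-nonce", nc, cnonce, qop, resp));
        System.out.println("reuse for other URI accepted: "
            + verify(storedHa1, "GET", "/dir/other.html", nonce, nc, cnonce, qop, resp));
    }
}
```

Because HA1 is a plain, unsalted MD5 of username:realm:password, a stolen server-side store of HA1 values is almost as bad as a store of passwords, and an eavesdropper who captures one response can run an offline dictionary attack against it; that is why the hash of the password protects it from direct disclosure but not from guessing.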

By contrast, Basic authentication uses reversible Base64 encoding, so it should only be used where transport layer security such as HTTPS is provided, whereas Digest keeps the password itself off the wire even without it.

Digest access authentication is intended as a security trade-off. It is intended to replace unencrypted HTTP basic access authentication. It is not, however, intended to replace strong authentication protocols, such as public-key or Kerberos authentication: the response is still an MD5 hash of the password, so a captured exchange can be attacked offline with a dictionary, and the server must keep the plaintext password or the equivalent HA1 hash rather than a slow salted hash like BCrypt. Use it, like Basic, over HTTPS.