RESTEasy Basic Authentication example

In this tutorial we will demonstrate how to use a BASIC authentication in your REST Services using RESTEasy on the backend and the DefaultHttpClient on the client side.

Please note: this tutorial uses WildFly legacy security framework (Picketbox). If you want to learn how to secure JAX-RS Services using Elytron Security Framework check this article: Securing JAX-RS Services in WildFly applications

Setting up users in Application Realm

Firstly, we will define one user on the application server that belongs to a Role. If you want to rely on the “other” Security domain (default) it’s enough to execute the /add-user.cmd script. This script is available in the JBOSS_HOME/bin folder.

What type of user do you wish to add? 
 a) Management User ( 
 b) Application User (
(a): b

Enter the details of the new user to add.
Using realm 'ApplicationRealm' as discovered from the existing property files.
Username : jboss
Password recommendations are listed below. To modify these restrictions edit the configuration file.
 - The password should be different from the username
 - The password should not be one of the following restricted values {root, admin, administrator}
 - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
Password : 
Re-enter Password : 
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: Manager
About to add user 'jboss' for realm 'ApplicationRealm'
Is this correct yes/no? yes
Added user 'jboss' to file '/home/francesco/jboss/wildfly-21.0.0.Final/standalone/configuration/'
Added user 'jboss' to file '/home/francesco/jboss/wildfly-21.0.0.Final/domain/configuration/'
Added user 'jboss' with groups Manager to file '/home/francesco/jboss/wildfly-21.0.0.Final/standalone/configuration/'
Added user 'jboss' with groups Manager to file '/home/francesco/jboss/wildfly-21.0.0.Final/domain/configuration/'
Is this new user going to be used for one AS process to connect to another AS process? 
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="amJvc3M=" />

In this example, we have created the “jboss” user that belongs to the “Manager” group.

Next, let’s define a simple REST Endpoint which exposes a single GET Resource:

public class SimpleRESTService {

	public String hello() {
		return "Hello ";

Then, we will add to our REST Web service application the Security Constraints so that all of our services will be available only to the Manager user:

		<description>application security constraints</description>
	<realm-name>UserRoles simple realm</realm-name>

Finally, we will specify that the web application uses the “other” Security Domain in the jboss-web.xml file:

Note: You can skip this test as the "other" Security Domain will be tested if you don't provide any. However, you need to add it if you are using another Security Domain.

That’s all. Now your REST Service will request a BASIC browser authentication when invoked.

Testing the Service

The simplest way to write a Client aware of Basic Authentication is by means of the org.apache.http.impl.client.DefaultHttpClient. This class includes a CredentialsProvider interface for setting Base64 username and password.

Here is the code:

String BASE_URL = "http://localhost:8080/security-legacy/rest/tutorial/hello";

DefaultHttpClient client = new DefaultHttpClient();

		new AuthScope("localhost", 8080),
		new UsernamePasswordCredentials("jboss", "Password1!"));

HttpGet httppost = new HttpGet(BASE_URL);

System.out.println("executing request " + httppost.getRequestLine());
HttpResponse response = null;
try {
	response = client.execute(httppost);
	BufferedReader br = new BufferedReader(new InputStreamReader(

	String output;
	System.out.println("Output from Server: \n");
	while ((output = br.readLine()) != null) {

} catch (ClientProtocolException e) {
	// TODO Auto-generated catch block
} catch (IOException e) {
	// TODO Auto-generated catch block

You should see as Response:

Output from Server:

As an alternative, you can use the plain cURL command to test the service, using the -u option to pass the authentication attributes:

curl -u jboss:Password1! http://localhost:8080/security-legacy/rest/tutorial/hello

Source code: The REST Service application is available on Github at: