Requires HTTP Basic credentials (the Authorization: Basic header) on each request and verifies them against the configured users or user data provider. On success the request continues and an HTTP Basic security scheme carrying the username is attached to the exchange; the Authorization header is removed before the request is forwarded. A missing or invalid credential is rejected with 401 and a WWW-Authenticate challenge. See the examples under examples/security/basic-auth and the tutorial tutorials/security/30-Basic-Authentication.yaml.
basicAuthentication:
[ removeAuthorizationHeader: true | false ] # default: true
users: # built-in store
- username: alice
password: secret
...
# or, instead of users, a pluggable provider:
[ staticUserDataProvider | htpasswdFileProvider | jdbcUserDataProvider | ldapUserDataProvider ]
Whether to strip the Authorization header after successful authentication so the credentials are not forwarded to the backend. Set to false when the backend also validates them.