Basic HttpClient Authentication

 
sam wootton
Hi,

Many thanks for any help or advice.

I have an HttpClient that sits inside a Swing desktop application, that communicates to a Servlet.

I need to provide authentication for the Servlet (hosted on my machine). I read:

http://hc.apache.org/httpclient-3.x/authentication.html

and


http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#d5e858



... but obviously it's a security risk, me providing those username/pwd in the client-side code.

Am I missing something obvious? I don't want to put my server's username and password into client / swing code.

Regards, Sam
 
William P O'Sullivan
Use a property file and hash the password.

Not un-hackable but would allow password to be changed in future.

You could also obfuscate the password String inside the class so as to prevent curious eyeballs from spotting it.

WP
 
sam wootton
Hi William,

Thanks for your response.

Wouldn't a property file be even worse? This is a client-side .exe / .appl / .jar file that is distributed.

Is hard-coding the username/pwd in the client really the only way? What if the authentication details change?

What's the best way to obfuscate / encrypt username/pwd from client -> server?

I guess I could set up a linux/server user per user who can use the client software? But that, again, is a huge security risk.

Regards, Sam
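
An added example, not part of the thread and not code from either poster: one way to keep any server credential out of the distributed jar is to have each user type their own account into the Swing client at runtime and hand it to HttpClient for that session only. It assumes Apache HttpClient 4.3+ on the classpath, a servlet that authenticates per-user application accounts over HTTPS, and a hypothetical URL and class name.

```java
import java.net.URI;
import javax.swing.JOptionPane;
import javax.swing.JPasswordField;
import javax.swing.JTextField;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class PromptedLogin {
    // Hypothetical servlet URL (assumption). HTTPS, because Basic auth is only base64-encoded.
    static final URI SERVLET = URI.create("https://localhost:8443/app/secure");

    // Ask the user for their own account; nothing is compiled in or read from a property file.
    static UsernamePasswordCredentials prompt() {
        JTextField user = new JTextField(20);
        JPasswordField pass = new JPasswordField(20);
        Object[] form = {"Username:", user, "Password:", pass};
        int choice = JOptionPane.showConfirmDialog(
                null, form, "Sign in", JOptionPane.OK_CANCEL_OPTION);
        if (choice != JOptionPane.OK_OPTION) {
            return null; // user cancelled
        }
        return new UsernamePasswordCredentials(user.getText(), new String(pass.getPassword()));
    }

    // Build a client whose credentials are offered only to the servlet's host and port.
    static CloseableHttpClient clientFor(UsernamePasswordCredentials creds) {
        if (!"https".equals(SERVLET.getScheme())) {
            throw new IllegalStateException("refusing to send credentials without TLS");
        }
        CredentialsProvider provider = new BasicCredentialsProvider();
        provider.setCredentials(new AuthScope(SERVLET.getHost(), SERVLET.getPort()), creds);
        return HttpClients.custom().setDefaultCredentialsProvider(provider).build();
    }

    public static void main(String[] args) throws Exception {
        UsernamePasswordCredentials creds = prompt();
        if (creds == null) return;
        try (CloseableHttpClient client = clientFor(creds);
             CloseableHttpResponse resp = client.execute(new HttpGet(SERVLET))) {
            int status = resp.getStatusLine().getStatusCode();
            System.out.println(status == 401 ? "Login rejected" : "Status " + status);
        }
    }
}
```

With this shape a password change or a revoked account is handled on the server, and decompiling the client yields no credential.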
 