Basic HttpClient Authentication
sam wootton
Ranch Hand
Joined: Apr 16, 2011
Posts: 48
|
|
Hi,
Many thanks for any help or advice.
I have an HttpClient that sits inside a Swing desktop application, that communicates to a Servlet.
I need to provide authentication for the Servlet (hosted on my machine). I read:
http://hc.apache.org/httpclient-3.x/authentication.html
and
http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#d5e858
... but obviously it's a security risk, me providing those username/pwd in the client-side code.
Am I missing something obvious? I don't want to put my server's username and password into client / swing code.
Regards, Sam
|
 |
William P O'Sullivan
Ranch Hand
Joined: Mar 28, 2012
Posts: 860
|
|
Use a property file and hash the password.
Not un-hackable but would allow the password to be changed in the future.
You could also obfuscate the password String inside the class so as to prevent curious eyeballs from spotting it.
WP
|
 |
sam wootton
Ranch Hand
Joined: Apr 16, 2011
Posts: 48
|
|
Hi William,
Thanks for your response.
Wouldn't a property file be even worse? This is a client-side .exe / .appl / .jar file that is distributed.
Is hard-coding the username/pwd in the client really the only way? What if the authentication details change?
What's the best way to obfuscate / encrypt username/pwd from client -> server?
I guess I could set up a linux/server user per user who can use the client software? But that, again, is a huge security risk.
Regards, Sam
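
One way to keep any credential out of the distributed client, as an added example that is not part of the thread: prompt each user for their own username and password at runtime and pass them to HttpClient 4.x's `CredentialsProvider`, scoped to the one server. The host, URL and class name are hypothetical, and it assumes the Servlet container authenticates per-user accounts over HTTPS.

```java
import java.awt.GridLayout;
import java.util.Arrays;
import javax.swing.*;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class PromptedBasicAuth {
    // Hypothetical endpoint. HTTPS matters: Basic auth only base64-encodes the password.
    private static final String HOST = "server.example.com";
    private static final int PORT = 443;
    private static final String URL = "https://" + HOST + "/app/servlet";

    public static void main(String[] args) throws Exception {
        // Ask the user at runtime; nothing secret is compiled into the jar or a property file.
        JTextField user = new JTextField(20);
        JPasswordField pass = new JPasswordField(20);
        JPanel panel = new JPanel(new GridLayout(2, 2));
        panel.add(new JLabel("User:"));
        panel.add(user);
        panel.add(new JLabel("Password:"));
        panel.add(pass);
        int choice = JOptionPane.showConfirmDialog(null, panel, "Sign in", JOptionPane.OK_CANCEL_OPTION);
        if (choice != JOptionPane.OK_OPTION) return;

        char[] pw = pass.getPassword();
        CredentialsProvider creds = new BasicCredentialsProvider();
        // Scope to one host and port so the credentials are never offered to another server.
        creds.setCredentials(new AuthScope(HOST, PORT),
                new UsernamePasswordCredentials(user.getText(), new String(pw)));
        Arrays.fill(pw, '\0'); // wipes the char[]; the String copy lives until garbage collection

        try (CloseableHttpClient client = HttpClients.custom()
                     .setDefaultCredentialsProvider(creds).build();
             CloseableHttpResponse resp = client.execute(new HttpGet(URL))) {
            int status = resp.getStatusLine().getStatusCode();
            EntityUtils.consume(resp.getEntity());
            // 401 after the challenge means the server rejected this user's credentials.
            String msg = (status == 401) ? "Login rejected" : "Server replied " + status;
            JOptionPane.showMessageDialog(null, msg);
        }
    }
}
```

Because every user has an individual account, a password change or revocation happens on the server and needs no new client build.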