JavaRanch » Java Forums » Java » Web Services
How safe is to pass username & password in HTTP header:REST

Amrit pandey
Greenhorn

Joined: Jun 28, 2010
Posts: 19
Hi,
I am new to web services and came across a scenario where user credentials are being proposed to be passed through the HTTP Accept header. The scenario is:

1> The consumer requests a resource.
2> The request comes to a facade layer of the application.
3> The layer validates whether the consumer is trusted or not. This is done through a config file which contains the information of a list of trusted users.
4> If the consumer is not trusted, the username & password are passed in an HTTP header; later an interceptor intercepts the request, fetches the information from the header and calls a further service to authenticate the consumer.

Waiting for some prompt reply.
Thanks in advance!!
Amrit Pandey


Thanks & Regards,
Amrit Pandey
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42919
That's not the correct HTTP header to use. What's wrong with using HTTP Authentication? Assuming that is secured via HTTPS, of course, but it sounds as if the scheme you're describing would need encryption as well.
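As an added example, not code from this thread or from any of the posters, here is what Ulf's suggestion looks like as a JAX-RS request filter (Apache CXF registers these as providers): it refuses to read credentials at all unless the request arrived over TLS, parses the standard Authorization: Basic header, and verifies the password against a stored PBKDF2 hash in constant time. The class name, the in-memory user store, the salt and the "alice" account are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
/** Rejects requests that are not over TLS or that lack valid HTTP Basic credentials. */
@Provider
public class BasicAuthFilter implements ContainerRequestFilter {
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final byte[] DUMMY = new byte[32]; // never equals a real PBKDF2 output
    // Hypothetical user store: username -> PBKDF2 hash of the password, never the password itself.
    private static final Map<String, byte[]> USERS = Map.of("alice", derive("correct horse"));
    @Override
    public void filter(ContainerRequestContext ctx) {
        // Basic auth is only Base64, not encryption: refuse to read credentials sent over plain HTTP.
        if (!ctx.getSecurityContext().isSecure()) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).entity("HTTPS required").build());
        } else if (!verify(ctx.getHeaderString(HttpHeaders.AUTHORIZATION))) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"api\"").build());
        }
    }
    /** Parses "Basic base64(user:password)" and checks it in constant time; malformed input fails. */
    static boolean verify(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return false; } // malformed Base64
        int colon = decoded.indexOf(':');
        if (colon < 0) return false;
        String user = decoded.substring(0, colon);
        // Hash even for unknown users (against DUMMY) so response timing does not reveal which usernames exist.
        boolean match = MessageDigest.isEqual(USERS.getOrDefault(user, DUMMY), derive(decoded.substring(colon + 1)));
        return match && USERS.containsKey(user);
    }
    private static byte[] derive(String password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), SALT, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

A production version would keep a per-user random salt next to each hash instead of the single constant salt used here, and would load the store from the application's own user database.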
Azahrudhin Mohammad
Greenhorn

Joined: Sep 04, 2012
Posts: 18

Hi Amrit,
For secure transactions (the URL will change from http to https), install SSL and host the application, if you are hosting a normal web application.
If you are hosting a web service, SSL is not a feasible solution; please refer to http://java.sun.com/developer/technicalArticles/WebServices/security/.
For web services you have to provide the security at the SOAP layer.

Make use of hashing mechanisms (Whirlpool is now powerful) to store the password.


Thanks and Regards,
azahrudhin.mohd@gmail.com
Amrit pandey
Greenhorn

Joined: Jun 28, 2010
Posts: 19
Hi Ulf/Muhammad,
Thanks for your prompt replies. First of all, sorry for mentioning the wrong header (Accept).

Yes, we are using a web service, but the assumption is to use REST instead of SOAP.

The idea is that if a consumer is not trusted, i.e. the application does not know what kind of consumer it is, then the user credentials will be passed in the HTTP header, which will be intercepted by an Apache CXF interceptor for the authentication.

Would like to hear from you guys on this.
Thanks
Amrit Pandey
Azahrudhin Mohammad
Greenhorn

Joined: Sep 04, 2012
Posts: 18

Hi,
Sorry for the delayed response. As per your latest update you have a web service which will be accessed by unknown users, and you want to know how to validate that; is that what you mean to say?

When you publish a web service you will choose an authentication mechanism, any one from below.

01. SSL (https), which is normal in any web application. This is used only for a secure transaction to happen.
02. Passing authentication parameters in the header; this will be published by the web service WSDL, and whoever wants to use the web service has to comply with the process.
03. Certificate authentication; here the client will generate the certificate, and using that certificate the user has to request; based on that, the response will be served.
You can achieve this through Axis2, CXF, JAX-WS, ...
