I am new to web services and came across a scenario where user credentials are being proposed to be passed through the HTTP Accept header. The scenario is:
1> The consumer requests a resource.
2> The request comes to a Facade layer of the application.
3> The layer validates whether the consumer is trusted or not. This is done through a config file which contains a list of trusted users.
4> If the consumer is not trusted, the username & password are passed in an HTTP header; later an interceptor intercepts the request, fetches the information from the header and calls a further service to authenticate the consumer.
Waiting for a prompt reply..
Thanks in advance!!
That's not the correct HTTP header to use. What's wrong with using HTTP Authentication? Assuming that is secured via HTTPS, of course, but it sounds as if the scheme you're describing would need encryption as well.
For secure transactions (the URL will change from http to https), install SSL and host the application, if you are hosting a normal web application.
If you are hosting a web service, SSL is not a feasible solution; please refer to http://java.sun.com/developer/technicalArticles/WebServices/security/.
For web services you have to provide the security at the SOAP layer.
Make use of hashing mechanisms (Whirlpool is now powerful) to store the password.
Thanks and Regards,
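As an added example (not code from any poster in this thread), here is what the standard HTTP Basic `Authorization` header looks like and how a server-side check can handle it: refusing it over plain HTTP, since base64 is encoding rather than encryption, and verifying the password against a salted PBKDF2 hash instead of a stored plaintext. The user name, password and header values are constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000

def make_record(password, salt=None):
    """Store only a salted PBKDF2 hash of the password, never the plaintext."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ROUNDS)}

# Constructed sample user store (the "list of trusted users" from the question).
TRUSTED_USERS = {"alice": make_record("correct horse")}

def basic_auth_header(user, password):
    """Build the RFC 7617 Authorization value a client sends: base64("user:pass")."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def verify_password(user, password):
    rec = TRUSTED_USERS.get(user)
    if rec is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["hash"])   # constant-time compare

def authenticate(headers, is_https):
    """Server-side check of the Authorization header; returns (HTTP status, reason)."""
    if not is_https:
        # Base64 is trivially reversible: over plain HTTP the credentials are
        # readable by anyone on the network path, so refuse them outright.
        return 403, "credentials only accepted over TLS"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, "missing or non-Basic Authorization header"
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return 400, "malformed credentials"
    if not sep:
        return 400, "malformed credentials"
    if not verify_password(user, password):
        return 401, "bad credentials"
    return 200, f"authenticated {user}"
```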
Hi Ulf /Muhammad,
Thanks for your prompt replies.. First of all, sorry for mentioning the wrong header (Accept).
Yes, we are using a web service, but the assumption is to use REST instead of SOAP.
The idea is that if a consumer is not trusted, i.e. the application does not know what kind of consumer it is, then the user credentials will be passed in the HTTP header, which will be intercepted by an Apache CXF interceptor for the authentication.
Would like to hear from you guys on this.
Sorry for the delayed response. As per your latest update, you have a web service which will be accessed by unknown users, and how to validate that is what you mean to say.
When you publish a web service you will choose the authentication mechanism, any one from below.
01. SSL (https), which is normal in any web application. This is used only for secure transactions to happen.
02. Passing authentication parameters in the header; this will be published by the web service WSDL, and whoever wants to use the web service has to comply with the process.
03. Certificate authentication: here the client will generate the certificate and, using that certificate, the user has to make the request; based on that, the response will be served.
You can achieve this through Axis2, CXF, JAX-WS......
subject: How safe is to pass username & password in HTTP header:REST