How safe is it to pass username & password in HTTP header: REST

Greenhorn
Posts: 19
Hi,
I am new to web services and came across a scenario where it is being proposed that user credentials be passed through the HTTP Accept header. The scenario is:

1> consumer requests a resource
2> the request comes to a Facade layer of the application
3> the layer validates whether the consumer is trusted or not. This is done through a config file which contains the information of a list of trusted users.
4> if the consumer is not trusted, the username & password are passed in an HTTP header; later an interceptor intercepts the request, fetches the information in the header and calls a further service to authenticate the consumer.

Waiting for a prompt reply.
Thanks in advance!
Amrit Pandey
Rancher
Posts: 43081
That's not the correct HTTP header to use. What's wrong with using HTTP Authentication? Assuming that is secured via HTTPS, of course, but it sounds as if the scheme you're describing would need encryption as well.
Greenhorn
Posts: 18
Hi Amrit,
For secure transactions (the URL will change from http to https), install SSL and host the application, if you are hosting a normal web application.
If you are hosting a web service, SSL is not a feasible solution; please refer to http://java.sun.com/developer/technicalArticles/WebServices/security/.
For web services you have to provide the security at the SOAP layer.

Make use of hashing mechanisms (Whirlpool is now powerful) to store the password.

Amrit Pandey
Greenhorn
Posts: 19
Hi Ulf / Muhammad,
Thanks for your prompt replies. First of all, sorry for mentioning the wrong header (Accept).

Yes, we are using a web service, but the assumption is to use REST instead of SOAP.

The idea is that if a consumer is not trusted, i.e. the application does not know what kind of consumer it is, then the user credentials will be passed in the HTTP header, which will be intercepted by an Apache CXF interceptor for authentication.

Would like to hear from you guys on this.
Thanks
Amrit Pandey
Azahrudhin Mohammad
Greenhorn
Posts: 18
Hi,
Sorry for the delayed response. As per your latest update, you have a web service which will be accessed by unknown users, and you want to know how to validate them; is that what you mean to say?

When you publish a web service you will choose an authentication mechanism, any one from below.

01. SSL (https), which is normal in any web application. This is used only for secure transactions.
02. Passing authentication parameters in the header; this will be published by the web service WSDL, and whoever wants to use the web service has to comply with the process.
03. Certificate authentication; here the client will generate the certificate and make requests using that certificate, and based on that the response will be served.
You can achieve this through Axis2, CXF, JAX-WS...
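The suggestion earlier in the thread to use standard HTTP Authentication over HTTPS and the Apache CXF interceptor Amrit describes fit together as follows. This is an added example, not code from this thread or from the CXF project: a CXF in-interceptor that validates a standard `Authorization: Basic` header against an assumed user store of salted PBKDF2 hashes (never plaintext passwords), compares in constant time, and rejects the request before the service method runs. It assumes the service is only reachable over HTTPS, since Basic auth merely base64-encodes the credentials.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/** Inbound CXF interceptor that checks "Authorization: Basic base64(user:password)". */
public class BasicAuthInterceptor extends AbstractPhaseInterceptor<Message> {
    private final Map<String, byte[][]> users; // assumed store: username -> {salt, PBKDF2 hash}
    public BasicAuthInterceptor(Map<String, byte[][]> users) {
        super(Phase.PRE_INVOKE); // after the transport has read headers, before the service method
        this.users = users;
    }
    @Override @SuppressWarnings("unchecked")
    public void handleMessage(Message msg) throws Fault {
        Map<String, List<String>> headers = (Map<String, List<String>>) msg.get(Message.PROTOCOL_HEADERS);
        List<String> auth = headers == null ? null : headers.get("Authorization");
        if (auth == null || auth.isEmpty() || !verify(auth.get(0), users)) {
            throw new Fault(new SecurityException("Unauthorized")); // stop before the service runs
        }
    }
    /** True only for a well-formed Basic header whose password matches the stored hash. */
    static boolean verify(String header, Map<String, byte[][]> users) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return false; } // malformed base64
        int colon = decoded.indexOf(':');                        // split at the FIRST colon only
        if (colon < 0) return false;                             // no "user:password" structure
        byte[][] rec = users.get(decoded.substring(0, colon));
        // Hash even for unknown users and compare in constant time, so timing reveals neither.
        byte[] probe = pbkdf2(decoded.substring(colon + 1), rec == null ? new byte[16] : rec[0]);
        return rec != null && MessageDigest.isEqual(probe, rec[1]);
    }
    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password.toCharArray(), salt, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

Register it with the server's in-interceptor chain; the same `verify` logic applies unchanged to a JAX-RS `ContainerRequestFilter` if you prefer that integration point over a CXF phase interceptor.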
