Reputation: 42050
Suppose I have a simple Java server application, which implements a few web (REST
) services. The application is deployed as war
in Tomcat
. Now I would like to add user authentication as follows:
Add a plain text file users
with user names and passwords on the server side. User is required to send both user name and password with each request and the server tests them against the file.
In order to prevent sending passwords as clear text I am considering one-way encryption just like one used in /etc/passwd
. So users will be required to encrypt their passwords before sending them in the requests.
Does this approach make any sense? Is there any "ready-to-use" implementation of this approach in Java?
Upvotes: 1
Views: 1066
Reputation: 15206
There are a ton of ways to skin this cat. First, you probably want to use digest authentication or SSL form-based authentication, since relying on a client-side hash can be subjected to replay attacks.
My recommendation would be to use Spring Security. Take a look at this example of HTTP digest authentication.
Another way might be to use the servlet container to accomplish this for you. Take a look here for both digest and form-based auth techniques.
Also, you should really read up on proper password storage techniques for web applications. Make sure you're using a sufficiently complex (aka slow) hashing algorithm like bcrypt and give each password a unique salt. Finally, make sure the transport of credentials is secure, either by using HTTP digest authentication (alright), or by using SSL form-based authentication (better).
Upvotes: 1
Reputation: 8896
Yes, there is a lot of existing good authentication solutions, from BASIC (via SSL), OAuth, Kerberos, Spring Security etc. I suggest making a research on WS-Security topic, as there are many layers (container, filters, application itself) where the authentication can take place.
Upvotes: 1
Reputation: 50
Use a RESTful framework like Jersey for example. But for authentication you must implement session management with request filters. As for users management you should use a database like MySQL.
Upvotes: 1
Reputation: 2739
Spring Security? This a non-intrusive way of securing web apps and very flexible in how the data can be stored - i.e. a plain text file, xml or a database of usernames and passwords.
Upvotes: 3