Carolina Ponce

Reputation: 43

Is it necessary to encrypt or hash passwords with Spring Security and LDAP?

I have a frontend where a user logs in. It makes a request to a backend which has Spring Security and it searches for the user in LDAP.

Here's the simple code of my frontend request with AJAX:

    function login() {
        $.ajax({
            url : 'http://localhost:8080/log',
            type : 'POST',
            contentType : 'application/json',
            // Username and password are sent as a JSON body
            data : JSON.stringify({
                "user" : $("#loginUser").val(),
                "password" : $("#loginPass").val()
            }),
            // jQuery calls success with (data, textStatus, jqXHR), in that order
            success : function(data, textStatus, jqXhr) {
                localStorage.setItem("user", $("#loginUser").val());
                window.open("../dashboard/home.html", "_self");

                console.log(data);
            },
            error : function(jqXhr, textStatus, errorThrown) {
                console.log(errorThrown);
            }
        });
    }

I need to know if it's necessary to add some security by hashing or encrypting because in some way I'm sending the plain password to the backend, and within the server that's getting the LDAP information.

Thanks in advance.

Upvotes: 0

Views: 91

Answers (1)

NatFar

Reputation: 2220

Use HTTPS (HTTP over TLS) if you're sending the username and password in the body of the POST request. You might need to configure your server to set this up. Doing so will ensure no one else can decipher the contents of your request.

By the time the request reaches your Spring web app, the username and password will be in "plaintext", which you can then use to authenticate by using your LDAP server. You can use LDAP over TLS for a secure connection to your server. If you're using Spring Security, check out the spring-ldap documentation for an overview of how Spring abstracts certain elements of an LDAP connection, and the Spring Security reference to see how you can configure the Spring Security framework to seamlessly authenticate a user by accessing an LDAP server.

Upvotes: 1
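
A client-side guard for the login request in the question, applying the HTTPS advice from the answer. This is an added example, not code from the question or the answer; the function names, the app.example.com host and the development-only exemption for loopback addresses are assumptions.

```javascript
// Added example, not code from the original post. Host names are constructed.

// Loopback hosts get a development-only exemption (an assumption of this example).
const LOOPBACK = /^(localhost|127(\.\d{1,3}){3}|\[::1\])$/;

// Decide whether a login endpoint is safe to send a username/password to.
function checkLoginEndpoint(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'invalid URL' };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  if (url.protocol === 'https:') return { ok: true, reason: 'TLS' };
  if (url.protocol === 'http:' && LOOPBACK.test(url.hostname)) {
    return { ok: true, reason: 'loopback, development only' };
  }
  return { ok: false, reason: 'cleartext transport' };
}

// Build the fetch() arguments for the login POST, or throw before anything is sent.
// The password goes in the body unmodified: the backend needs it to authenticate
// against LDAP, and TLS is what protects it on the wire.
function buildLoginRequest(rawUrl, user, password) {
  const verdict = checkLoginEndpoint(rawUrl);
  if (!verdict.ok) throw new Error('refusing to send credentials: ' + verdict.reason);
  return {
    url: rawUrl,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ user: user, password: password }),
      credentials: 'same-origin',
      cache: 'no-store',
    },
  };
}

// Browser usage: resolves to true when the backend accepts the login.
async function login(rawUrl, user, password) {
  const req = buildLoginRequest(rawUrl, user, password);
  const res = await fetch(req.url, req.init);
  return res.ok;
}
```

The guard only stops the browser from posting credentials to a cleartext endpoint; the server still has to serve the login route over HTTPS and connect to LDAP over TLS, as the answer describes.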
