Combine custom user provider with hashed passwords with http basic to backend api

Question

I have a REST API and a frontend for that API, both written in Symfony2.
In the frontend I have written a custom user provider to create a user object in the frontend, based on information from the backend like (hashed) password, salt, etc.
Per this documentation: http://symfony.com/doc/current/cookbook/security/custom_provider.html

However, for most of my API requests I require HTTP Basic authentication credentials. But as far as I know, for Basic I need the plaintext password. Which I don't have on the frontend side, I just have the hashed version of my custom user provider.

Can I somehow use HTTP basic with that hashed password version?
Or can I intercept the _username and _password fields of the login form on the frontend, and save them on the session (not sure if that's proper, but it would fix it for now)

I've tried the latter, by POSTing the login form to my own URL instead of to 'login_check', so I can see the _username and _password fields, but after that I need to forward it to '/login-check' to let Symfony2 do it's magic. This keeps failing though, because he 'can't find the controller' (when using normally, Sf2 intercepts login_check calls without me setting a controller, but I guess it doesn't when you start messing with it)

Any advice would be welcome,

Cheers,

Dieter

Answer 1

If you hashed the password prior to transmitting it to the server then this hashed password would become the new password.

HTTP Basic Auth is commonly used as a RESTful authentication method, however it must be over SSL. If you are using a cryptographic nonce as a session id, you still need to pass this value over SSL for all requests or you will be in violation of OWASP A9 and all users can be compromised.