Joost de Ruijter - 10 months ago

Question

Spring security REST api custom HTTP basic authentication

For my application I want to implement HTTP basic authentication in combination with symmetric encryption. The base64-encoded username and password get encrypted with an encryption key when sent, and decrypted with the same key when received by the REST API.

So far I have managed to implement HTTP basic authentication. I am not sure how I can add the extra layer of encryption.

I do have some kind of idea how I can make this work. What I've got so far is:

  1. Before authentication gets invoked by Spring, retrieve the encrypted string from the headers.

  2. Decrypt the string using the encryption key.

  3. Save the decrypted information in the headers.

  4. Invoke authentication with the new headers (now containing the base64-encoded username + password).

Am I on the right track, and if so, how do I go about implementing this in Spring?
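The four steps above, as an added example that is not code from the original post: a Spring Security pre-authentication filter that unwraps the encrypted credential and hands `BasicAuthenticationFilter` a plain `Basic` header. It assumes Spring Security 6 on the Jakarta servlet API, AES-GCM with a 96-bit nonce prepended to the ciphertext, a shared key provisioned out of band, and that the client sends `Authorization: Basic <base64(nonce || ciphertext)>`; all of those wire-format details are assumptions, not something the question specifies.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Enumeration;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.springframework.web.filter.OncePerRequestFilter;

/** Decrypts an AES-GCM wrapped Basic credential before BasicAuthenticationFilter sees it (assumed format). */
public class DecryptingBasicAuthFilter extends OncePerRequestFilter {

    private static final String PREFIX = "Basic ";
    private static final int NONCE_LEN = 12;   // 96-bit GCM nonce, prepended to the ciphertext (assumption)
    private static final int TAG_BITS = 128;   // GCM authentication tag length

    private final SecretKey key;               // shared symmetric key, provisioned out of band (assumption)

    public DecryptingBasicAuthFilter(SecretKey key) {
        this.key = key;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(PREFIX)) {
            chain.doFilter(request, response);   // nothing to unwrap; Spring handles the request as usual
            return;
        }
        final String plainBasic;
        try {
            // Step 1: take the encrypted blob out of the header.
            byte[] blob = Base64.getDecoder().decode(header.substring(PREFIX.length()).trim());
            // Step 2: decrypt and authenticate it with the shared key; yields "user:password" bytes.
            byte[] userPass = decrypt(blob);
            // Step 3: rebuild a standard Basic credential.
            plainBasic = PREFIX + Base64.getEncoder().encodeToString(userPass);
        } catch (Exception e) {
            // Malformed or tampered token: pass the request through unchanged so
            // BasicAuthenticationFilter rejects it with 401 instead of this filter leaking details.
            chain.doFilter(request, response);
            return;
        }
        // Step 4: present the rewritten header to the rest of the filter chain.
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override
            public String getHeader(String name) {
                return "Authorization".equalsIgnoreCase(name) ? plainBasic : super.getHeader(name);
            }

            @Override
            public Enumeration<String> getHeaders(String name) {
                return "Authorization".equalsIgnoreCase(name)
                        ? Collections.enumeration(Collections.singletonList(plainBasic))
                        : super.getHeaders(name);
            }
        }, response);
    }

    private byte[] decrypt(byte[] blob) throws Exception {
        if (blob.length <= NONCE_LEN) {
            throw new IllegalArgumentException("token too short");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key,
                    new GCMParameterSpec(TAG_BITS, Arrays.copyOf(blob, NONCE_LEN)));
        // GCM verifies the tag here, so a modified blob throws rather than decrypting to garbage.
        return cipher.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
    }
}
```

The filter is registered in the `HttpSecurity` configuration with `http.addFilterBefore(new DecryptingBasicAuthFilter(key), BasicAuthenticationFilter.class)`, which places it exactly where step 1 asks: before Spring's own Basic authentication runs. Overriding both `getHeader` and `getHeaders` on the wrapper matters because `BasicAuthenticationConverter` reads the header through the servlet API, not from a map you can mutate.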

Answer

Don't try to reinvent the wheel. Just use a standard SSL (HTTPS) secure connection instead of your proprietary symmetric encryption: A) it's far easier to achieve, B) it's far more secure than what you are trying to do. Please note though that there are better ways to authenticate to a REST API.

Some resources about securing Basic Authentication with SSL:

  - HTTPS and BASIC authentication
  - HTTP Basic Authentication Over SSL for REST API

As I wrote, there are better ways to secure a REST API in a stateless manner, for example digitally signed tokens. They can be combined with SSL. In fact it's become a standard to expose your API through HTTPS no matter what authentication method you choose.

It's a wide topic, but if you want to learn about some of the core REST authentication methods, have a look at JHipster. It's a cool web application generator (with the Spring Boot + Angular 1.5 stack). It's well documented and friendly even to inexperienced developers. It comes with a wizard where you can choose the authentication method. Have a look at JSON Web Token (JWT), which is an implementation of token-based authentication. I'd recommend having a look at other auth methods as well (OAuth is another one worth mentioning).