How to add authentication cookie to the Spring-REST api response?

 
Ranch Hand
I am securing my REST API using Basic-Auth. I came to know that for a stateless API, the backend should send a cookie (with the 'httpOnly' & 'secure' flags) for basic authentication, which then will be carried with each request. But I have a few doubts here:

1.  What should be the name of that cookie?
2.  How to set the cookie?
3.  How does the Spring security layer identify and extract the Base64-encoded credentials from that cookie?

As of now, this is my security config:

And since I have no idea where to set that authentication cookie, I am trying this:

http://localhost:8080/login is a URL which is basic auth protected, if the user provides correct credentials, then it sends the authentication cookie with the response.

But again, I have no idea where to get the username/password for this current user.
 
Bartender
If Spring is tapping into J2EE container security, the simple - but insecure - way to log in would be to send a URL in the form http://username:password@hostname:8080/myapp/....

It's insecure in that anyone can see the credentials by sniffing the net for stuff aimed at port 8080.

J2EE container security creates a cookie named jsessionid, and that points to the HttpSession for that user. Note, however, that a common reason for using ReST is to be scalable across multiple servers, in which case an HttpSession is not going to work unless you specially configure all the servers. So to be scalable, an alternative authentication and authorization system would be required. I've never studied Spring Security in depth enough to advise past this point, though.

When the server creates a cookie, the client and server trade that cookie back and forth automatically. At least when you're using popular clients and servers. You're on your own if you want to do it using brute-force socket communication.
 
Puspender Tanwar
JSESSIONID won't work for me, because I am using a RESTful, stateless API. So, no space for JSESSIONID.
However, creating an authentication cookie will maintain the statelessness of the application, because there will be no state maintained by the server, only the client would save a cookie which will be carried with each request.

Yes, sending credentials in URL is a terrible idea.
 
Sheriff
Basic authorization doesn't work with cookies (as far as I know, at least). I know two ways of sending it:
1) In the URL as Tim said.
2) In the "Authorization" header. The header value should be "Basic " followed by the result of base64-encoding "username:password". For instance, if your username is "puspender" and your password is "mypassword", you base64-encode "puspender:mypassword", and the entire header value would be "Basic cHVzcGVuZGVyOm15cGFzc3dvcmQ=".
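The header format described in this post, as an added example that is not code from the thread: a small Java class that builds the "Authorization" value with java.util.Base64 and parses it back, rejecting malformed input; the sample credentials are the constructed ones from the post.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example, not from the thread: build and parse an HTTP Basic
// "Authorization" header value as described above (the RFC 7617 scheme).
public final class BasicAuthHeader {

    /** Builds "Basic " + base64(username + ":" + password). */
    public static String build(String username, String password) {
        // The first ':' is the separator, so the user-id itself must not contain one.
        if (username.indexOf(':') >= 0) {
            throw new IllegalArgumentException("username must not contain ':'");
        }
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /**
     * Parses a header value back into {username, password}; empty if the value is
     * not a well-formed Basic credential (wrong scheme, bad base64, no ':').
     * Treat an empty result as "not authenticated" rather than reporting which part was malformed.
     */
    public static Optional<String[]> parse(String headerValue) {
        if (headerValue == null) return Optional.empty();
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return Optional.empty();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int sep = decoded.indexOf(':');
        if (sep < 0) return Optional.empty();
        // Split on the first ':' only; the password may itself contain ':'.
        return Optional.of(new String[] { decoded.substring(0, sep), decoded.substring(sep + 1) });
    }

    public static void main(String[] args) {
        // Constructed sample: the credentials used in the post above.
        String header = build("puspender", "mypassword");
        System.out.println(header);
        String[] creds = parse(header).orElseThrow();
        System.out.println(creds[0] + " / " + creds[1]);
        System.out.println(parse("Bearer abc").isPresent());
    }
}
```

Running main reproduces the header value quoted in the post; the client sends it on every request, which is what keeps the API stateless without any server-side session.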
 
Tim Holloway
Actually, "basic-auth" isn't authorization, it's basic authentication. And when you define it in web.xml, that means you're invoking the J2EE Container Managed Security system, which keeps your authenticated identity in an HttpSession, and HttpSession is something you don't want ---- oops.

The practice in this case would actually be to have a ReST service to authenticate, and that ReST service would then return a token, which I suppose could be carried in a cookie, but is often simply passed as a URL argument (we're assuming that this was all done via SSL, so no outsiders could see the token). Doing it this way avoids creating a Session, although, alas, it also loses the fine-grained URL protection that container-managed security would provide.

There's probably something in Spring Security to address this common situation, but I'm not well read on the topic, so the best place to inquire would be the Spring forum itself.
 