how to send password to spring boot restful webservice

Question

I am a beginner in the topic of web services and security. I want to write a Spring Boot RESTful web service for login. I can send it on the URL as a parameter, but it is not safe to send a password that way. So what is the way to pass a password to the web service?

As I read on the net, people mention hashing the password (but it is not safe enough, as I understand) and using md5 etc. As I am quite a beginner, it does not make a clear picture in my mind.

So which way should I follow to send a password to a RESTful web service?


Tags: rest, security, spring-boot, web-services. Asked 2017-01-07 23:01. 3 Answers

Answers ( 3 )

  1. 2017-01-07 23:01

    The most common way is to use a POST request, and include the username and encrypted password in the payload object. Thus, on the back end you would receive it with @RequestBody.

  2. 2017-01-08 05:01

    To quickly get it up and running, send the password in a POST request so that it's not visible in the URL.

    Typically during login, the password is sent to the server, not its hash. The site needs to be HTTPS to avoid attackers sniffing the password.

    Also, all subsequent requests to the server can use a token (given by the server) known as X-Auth-Token. This token is stored as a cookie on the user's machine and can have an expiry time for session invalidation.

    On the server side, passwords should be stored in an encrypted manner, for which Bcrypt is advised.

    There is a lot more to web security in addition to POST & hashing. I suggest watching the (first 2) excellent video presentations from Rob Winch. He is the lead on the Spring Security project.

    The good news is, Spring Boot makes a lot of these complicated solutions easily configurable. Check out the same site and this repo for other such features' implementations.
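Putting the first two answers together, here is an added example (not code from any of the answers above) of a Spring Boot login endpoint that takes the credentials in a POST body via `@RequestBody`, verifies the password against a stored BCrypt hash, and hands back an opaque session token for later requests. It assumes `spring-boot-starter-web` and `spring-security-crypto` on the classpath and Java 16+ (for records); the class name `LoginController`, the in-memory user store, the `DUMMY_HASH` constant and the token format are all constructed for this demonstration.

```java
// Added example: POST /login with the credentials in the JSON body, BCrypt check
// on the server, opaque token issued on success. Not from the original answers.
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

@RestController
public class LoginController {

    // Request body shape: {"username": "...", "password": "..."}. The password travels
    // in the body over HTTPS, never in the URL, so it does not land in access logs,
    // browser history or copied links.
    public record LoginRequest(String username, String password) {}

    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
    private final SecureRandom random = new SecureRandom();

    // Hash compared against when the username is unknown, so a missing user costs the
    // same BCrypt work as a wrong password (no username enumeration via timing).
    private static final String DUMMY_HASH = new BCryptPasswordEncoder().encode("dummy-value");

    // Constructed in-memory user store: username -> BCrypt hash. A real service reads
    // this from a database; only the hash is ever stored, never the plaintext.
    private final Map<String, String> users = Map.of(
            "alice", new BCryptPasswordEncoder().encode("correct horse battery staple"));

    // Issued tokens: token -> username. In practice this lives in a persistent store
    // with an expiry so sessions can be invalidated.
    private final Map<String, String> sessions = new ConcurrentHashMap<>();

    @PostMapping("/login")
    public ResponseEntity<Map<String, String>> login(@RequestBody LoginRequest req) {
        if (req.username() == null || req.password() == null) {
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).build();
        }
        String storedHash = users.get(req.username());
        String hashToCheck = storedHash != null ? storedHash : DUMMY_HASH;
        // matches() re-hashes the submitted password with the salt embedded in the
        // stored hash and compares; the plaintext is never written anywhere.
        boolean passwordOk = encoder.matches(req.password(), hashToCheck);
        if (storedHash == null || !passwordOk) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        // Exchange the credentials for a random, unguessable token; subsequent requests
        // present this token instead of the password.
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, req.username());
        return ResponseEntity.ok(Map.of("token", token));
    }
}
```

The client then calls `POST /login` with a JSON body and keeps the returned token for the `X-Auth-Token` header (or a cookie) on later requests; the server looks the token up in `sessions` and never sees the password again until the next login.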

  3. 2017-01-10 02:01

    As stated, basic hashing client-side doesn't really make sense, as the client would know the hashing algorithm anyway, so it's not really hiding anything. Using HTTPS ensures no one can read your wire data. You can read more about HTTPS and public/private keys on Wikipedia.

    You could put the password in the body or also as an Authorization header as "Authorization": "Basic username:password". (https://en.wikipedia.org/wiki/Basic_access_authentication). URLs are usually bad since people like to copy-paste URLs into emails, etc.

    The important thing is that this should be traded in for a token which doesn't contain the password. If this is a web app, then you are storing it in HTML5 local storage or as a cookie. If Android/iOS, they have ways to store it as "preferences".

    I wrote a little info a while back on the different tokens and ways to store them: https://www.moesif.com/blog/technical/restful-apis/Authorization-on-RESTful-APIs/
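For the Authorization header route in the answer above, here is an added example (not code from the answer) of the server-side parsing of an HTTP Basic credential. Per RFC 7617 the header value is `Basic ` followed by the Base64 encoding of `username:password`, and the split must happen at the first colon because a password may itself contain colons. The class name `BasicAuthHeader` and the sample header are constructed for this demonstration; the parsed credentials would then be verified against a BCrypt hash and exchanged for a token exactly as with a POST body.

```java
// Added example: parse an "Authorization: Basic ..." header safely. Not from the
// original answer. Plain JDK, no Spring dependency needed.
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public final class BasicAuthHeader {

    public record Credentials(String username, String password) {}

    /** Returns the decoded credentials, or empty if the header is absent or malformed. */
    public static Optional<Credentials> parse(String authorizationHeader) {
        if (authorizationHeader == null) {
            return Optional.empty();
        }
        String scheme = "Basic ";
        // Scheme names are case-insensitive in HTTP, so match "basic " as well.
        if (!authorizationHeader.regionMatches(true, 0, scheme, 0, scheme.length())) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorizationHeader.substring(scheme.length()).trim());
        } catch (IllegalArgumentException malformedBase64) {
            // Do not echo the header back in an error message: it carries a credential.
            return Optional.empty();
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return Optional.empty();   // "user-id:password" form is required
        }
        // Split at the FIRST colon only: user-ids cannot contain ':', passwords can.
        return Optional.of(new Credentials(pair.substring(0, colon), pair.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample: password deliberately contains colons.
        String encoded = Base64.getEncoder()
                .encodeToString("alice:s3cret:with:colons".getBytes(StandardCharsets.UTF_8));
        Optional<Credentials> creds = parse("Basic " + encoded);
        System.out.println(creds.map(Credentials::username).orElse("<invalid>"));   // alice
        System.out.println(parse("Basic not-base64!").isPresent());                  // false
        System.out.println(parse("Bearer abc").isPresent());                         // false
    }
}
```

Because the credential is only Base64-encoded, not encrypted, this header offers no protection on its own; the HTTPS requirement from the answers applies just as much here as to a POST body, and the answer's advice to trade the credential for a token still holds.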
