
I'm trying to implement a RESTful web service using Spring. I've set up Spring Security to work on the links that apply to the REST service. I make calls to this web service from an Android application. What I've done now is connect to it using Basic Authentication. What I'm struggling with is finding decent information about how secure this really is. I figure I should at least be making these calls through SSL or something, no?

My code on the Android client that calls the REST service:

    import java.util.Collections;

    import org.springframework.http.HttpAuthentication;
    import org.springframework.http.HttpBasicAuthentication;
    import org.springframework.http.HttpEntity;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.HttpMethod;
    import org.springframework.http.MediaType;
    import org.springframework.http.ResponseEntity;
    import org.springframework.http.converter.json.MappingJacksonHttpMessageConverter;
    import org.springframework.web.client.HttpClientErrorException;
    import org.springframework.web.client.RestTemplate;

    public MyClass callRest() {
        // Still plain http, while the server config below requires https for /rest/**
        final String url = "http://10.0.2.2:8080/myservice/rest/getSomething";

        // Basic Authentication header built from the stored credentials
        HttpAuthentication authHeader = new HttpBasicAuthentication(username, password);
        HttpHeaders requestHeaders = new HttpHeaders();
        requestHeaders.setAuthorization(authHeader);
        requestHeaders.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));

        RestTemplate restTemplate = new RestTemplate();
        // JSON (de)serialisation of the response body
        restTemplate.getMessageConverters().add(new MappingJacksonHttpMessageConverter());
        try {
            ResponseEntity<MyClass> response = restTemplate.exchange(url, HttpMethod.GET,
                    new HttpEntity<Object>(requestHeaders), MyClass.class);
            return response.getBody();
        } catch (HttpClientErrorException e) {
            // 4xx from the service (e.g. 401 Unauthorized): fall back to an empty object
            return new MyClass();
        }
    }

So what I've put in my Spring Security config right now:

<http auto-config='true'>
    <intercept-url pattern="/rest/**" access="ROLE_USER"
        requires-channel="https" />
</http>

I can't figure out where to go from there, because now the connection doesn't work anymore, of course, because of the HTTPS. I can't seem to find decent examples of how to figure this out using the RestTemplate.

Any help?

Eels
    What do you mean it doesn't work - are you getting any errors or is it just not returning a response? Did you try requesting "https" too because your request is still set to "http". – Tony Day Jan 04 '13 at 09:45
  • I know it's still set to http, but whether I change that or not: if I try to make a connection to the web service now I receive an SSLException. – Eels Jan 04 '13 at 10:18
  • What's the SSLException? Add it to your question, it will really help. – Tony Day Jan 04 '13 at 10:58
  • org.springframework.web.client.ResourceAccessException: I/O error: Connection closed by peer; nested exception is javax.net.ssl.SSLException: Connection closed by peer – Eels Jan 04 '13 at 11:01
  • Can you access the URL in the web browser over HTTPS? I don't think you have the certificates in place or configuration to use HTTPS. – Tony Day Jan 04 '13 at 12:07
  • Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have. – Eels Jan 04 '13 at 12:09
  • You're right, I don't, that's why I'm asking how to set this up using Spring – Eels Jan 04 '13 at 12:10

1 Answer

HTTP Basic Authentication is reasonably safe when used over HTTPS since the user and password fields are sent over an encrypted connection so they are much less vulnerable to man-in-the-middle attacks. There are some interesting points here: Securing an API: SSL & HTTP Basic Authentication vs Signature

In my opinion, if you are making an API with access to users' sensitive data (i.e. bank account details, credit card numbers, email addresses and passwords) then you may want a more secure approach because HTTP Basic Authentication is susceptible to brute force attacks as it is always available (unless you build in deterrents such as maximum retries etc.). If your API is for a game or basic business data then there should be less attraction for a hacker to spend the time on it.

Does your server support HTTPS? Often you need to pay extra for an HTTPS certificate, or you have to use a shared one which gives you a subdomain on a shared HTTPS domain, i.e. https://your-site.your-hosting-provider.com/. You need to check this perhaps.

UPDATE 1: Your problem appears to be with your server and not with your program. Check out this blog post for information about how to set up HTTPS on your Tomcat Server. You need to do this before you can use HTTPS from your Spring application - looking at your code, there doesn't seem to be a problem other than your server.

Also try this.

UPDATE 2: Once you have access, you will then need to trust the certificate on the Android device (or your Java installation if you were making a desktop/web application). It needs to be trusted because you created it yourself rather than a CA authority. See this answer: Trusting all certificates using HttpClient over HTTPS (not the part about trusting all certificates; this can be dangerous).

Tony Day
  • My server is a local Tomcat server – Eels Jan 04 '13 at 12:27
  • Ok, I followed those instructions and now I can access the https link through my browser. From the android client however, I get the following: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. – Eels Jan 04 '13 at 14:44
  • You now need to add the public part of your server certificate to your truststore in Java - this might have a special approach when it comes to Android though. Look at the answer provided by @elton here: http://stackoverflow.com/questions/6825226/trust-anchor-not-found-for-android-ssl-connection – Tony Day Jan 04 '13 at 14:54
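As an added example (this is not code from the question or from the answer), here is how the advice in the last two comments can be carried out on the client side: instead of trusting all certificates, the RestTemplate trusts exactly one trust anchor, the server's own self-signed certificate, so the "Trust anchor for certification path not found" error goes away without weakening verification. It assumes the certificate has been exported from the Tomcat keystore to a file (the `my-tomcat.crt` path is a placeholder; on Android it would normally be shipped in `res/raw` and opened from the resources instead), that the certificate's CN or subjectAltName matches the host in the URL (10.0.2.2 from the question), that Tomcat listens for HTTPS on its default port 8443, and that `HttpBasicAuthentication` from Spring Android is available as in the question's code.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.springframework.http.HttpBasicAuthentication;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public class PinnedRestClient {

    /** Builds an SSLContext whose only trust anchor is the given server certificate (PEM or DER). */
    public static SSLContext trustOnly(InputStream serverCert) throws Exception {
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(serverCert);

        // Fresh, empty trust store: the platform CAs are deliberately NOT included,
        // so this one certificate is the only thing that can authenticate the server.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("my-tomcat", cert);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** A RestTemplate whose HTTPS connections use the pinned SSLContext; hostname checking stays on. */
    public static RestTemplate restTemplateUsing(final SSLContext ctx) {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory() {
            @Override
            protected void prepareConnection(HttpURLConnection connection, String httpMethod)
                    throws IOException {
                if (connection instanceof HttpsURLConnection) {
                    // Only the trust store is replaced. The default HostnameVerifier is kept,
                    // so the certificate's CN/SAN must still match the host in the URL.
                    ((HttpsURLConnection) connection).setSSLSocketFactory(ctx.getSocketFactory());
                }
                super.prepareConnection(connection, httpMethod);
            }
        };
        return new RestTemplate(factory);
    }

    /** The same call as in the question, now over HTTPS with Basic Authentication on top of it. */
    public static String callRest(RestTemplate restTemplate, String username, String password) {
        // 8443 is Tomcat's default HTTPS connector port (assumption; adjust to your server.xml)
        final String url = "https://10.0.2.2:8443/myservice/rest/getSomething";

        HttpHeaders requestHeaders = new HttpHeaders();
        // Credentials travel Base64-encoded but inside the TLS tunnel, which is what makes
        // Basic Authentication acceptable here.
        requestHeaders.setAuthorization(new HttpBasicAuthentication(username, password));
        requestHeaders.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));

        // String body: the raw JSON, so no Jackson converter is needed for this example
        ResponseEntity<String> response = restTemplate.exchange(url, HttpMethod.GET,
                new HttpEntity<Object>(requestHeaders), String.class);
        return response.getBody();
    }

    public static void main(String[] args) throws Exception {
        // "my-tomcat.crt" is a placeholder: the server certificate exported from the Tomcat
        // keystore (keytool -exportcert). On Android, open it from res/raw instead of a file.
        InputStream in = new FileInputStream("my-tomcat.crt");
        try {
            RestTemplate rt = restTemplateUsing(trustOnly(in));
            System.out.println(callRest(rt, "user", "secret"));
        } finally {
            in.close();
        }
    }
}
```

Two design points: the trust store is built from scratch rather than by adding to the platform's CA list, so a compromised public CA cannot issue a certificate this client would accept for the service; and the hostname verifier is left at its default, because a trust manager that accepts the right certificate for any hostname is still only half a check. If the handshake fails after this, the usual culprits are a certificate whose CN/SAN does not match 10.0.2.2, or a connector that is not actually listening on the port in the URL.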