4

We are building a RESTful service using the Grails framework and are providing security for it using the Spring Security plugin. I wanted to check with you all on the best approach to take when you want to authenticate using a custom Authorization header. More on this approach can be read here: Custom HTTP Authorization Header

In my case, the client id and secret are stored in LDAP and the header comes with SHA1 encryption. What would be the best approach to implement this using Spring Security?

I have asked the same question in the Grails mailing list too.

Any insight would be helpful. Thanks.

~Abhi

Abhijith Prabhakar
  • It's not really clear from your question what you're asking or what you already have. Also, what is the SHA1 for? Hashing authentication data you send doesn't add any security. – Shaun the Sheep Mar 18 '13 at 02:36
  • Hi Luke, we wanted to extend the authorization header and not use plain base64 encoding. Hence we used SHA1 encryption. We store the client id and secret as plain text in LDAP. So, I was looking for an approach where I could write a filter which would first decrypt the header and then authenticate against LDAP. Hope this makes it clear. – Abhijith Prabhakar Mar 18 '13 at 15:25
  • Not really. If an attacker intercepts the SHA-hash in the header they can just send it themselves, as it is equivalent to the username/password. So it doesn't make your authentication more secure than basic authentication. You need to use HTTPS. Also, you shouldn't store passwords as plain text on the server side. – Shaun the Sheep Mar 18 '13 at 17:47
  • Thanks Luke, I understand your point; we are using HTTPS and also adding salt. With this post, I was looking for an approach using Spring Security when you have a custom authorization header. What exactly the header contains and how to decrypt it can be changed. – Abhijith Prabhakar Mar 18 '13 at 18:48
  • Salt won't make much difference either. Salting is used for storing hashed passwords, but you are storing them as plain text. – Shaun the Sheep Mar 19 '13 at 12:40
  • I am hitting the same wall. I want to create an encrypted client, and I imagine that using some crypto library I can send any encrypted data in the headers with a secret that is also known on the server, so the data in transit should be safe, given the fact that the client is also encrypted, but I think it's a little bit over my knowledge base. To protect items in localStorage I use the Stanford JavaScript Crypto Library. – Arthur Kovacs Mar 26 '14 at 22:14

2 Answers

11

You have to implement your own Filter, Authentication Provider and Authentication token (to pass data to your Provider).

See:

Igor Artamonov
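The three pieces this answer names, as an added Java example (not code from the question, this answer, or the Grails Spring Security plugin). It assumes a header scheme of the form "Authorization: X-Client <clientId>:<secret>", a hypothetical ClientSecretRepository standing in for the LDAP lookup, and that the stored secret is a Spring PasswordEncoder hash rather than plain text; it deliberately replaces the SHA-1-in-the-header idea from the question with a secret sent over HTTPS and checked against that hash, which is what the comments above argue for. The token carries the parsed header from the filter to the provider; the provider validates it; the filter is the only piece that touches the raw request.

```java
// Added example (not code from the question or the Grails Spring Security plugin):
// the token / provider / filter trio for a custom Authorization scheme. Assumptions not
// in the page: header "Authorization: X-Client <id>:<secret>", ClientSecretRepository
// stands in for the LDAP lookup, and the stored secret is a PasswordEncoder hash.
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Token: carries the parsed header from the filter to the provider. */
class ClientHeaderToken extends AbstractAuthenticationToken {
    private final String clientId;
    private final String secret;
    ClientHeaderToken(String clientId, String secret, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.clientId = clientId;
        this.secret = secret;
        setAuthenticated(authorities != null);   // filter passes null; provider passes roles
    }
    @Override public Object getPrincipal()   { return clientId; }
    @Override public Object getCredentials() { return secret; }
}

/** Hypothetical stand-in for the LDAP lookup: encoded secret for a client id, or null. */
interface ClientSecretRepository {
    String findEncodedSecret(String clientId);
}

/** Provider: checks the presented secret against the stored hash. */
class ClientHeaderAuthenticationProvider implements AuthenticationProvider {
    private final ClientSecretRepository repo;
    private final PasswordEncoder encoder;
    ClientHeaderAuthenticationProvider(ClientSecretRepository repo, PasswordEncoder encoder) {
        this.repo = repo;
        this.encoder = encoder;
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String clientId = (String) auth.getPrincipal();
        String stored = repo.findEncodedSecret(clientId);
        // Same error for unknown id and wrong secret: do not reveal which ids exist.
        if (stored == null || !encoder.matches((String) auth.getCredentials(), stored)) {
            throw new BadCredentialsException("Invalid client credentials");
        }
        return new ClientHeaderToken(clientId, null,   // secret dropped from the result
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_CLIENT")));
    }

    @Override
    public boolean supports(Class<?> type) { return ClientHeaderToken.class.isAssignableFrom(type); }
}

/** Filter: parses the custom scheme and asks the AuthenticationManager to validate it. */
class ClientHeaderAuthenticationFilter extends OncePerRequestFilter {
    private static final String SCHEME = "X-Client ";
    private final AuthenticationManager authenticationManager;
    ClientHeaderAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(SCHEME)) {
            chain.doFilter(request, response);   // not our scheme; let later filters decide
            return;
        }
        int sep = header.indexOf(':', SCHEME.length());
        if (sep < 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Malformed Authorization header");
            return;
        }
        try {
            Authentication result = authenticationManager.authenticate(new ClientHeaderToken(
                    header.substring(SCHEME.length(), sep), header.substring(sep + 1), null));
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

To use it, wire the provider into the AuthenticationManager and register the filter in the security filter chain (in the Grails plugin, via SpringSecurityUtils.clientRegisterFilter); with a Basic filter still active, keep the custom scheme prefix distinct so the two never both claim the same header. Because the secret travels in the clear inside the header, the endpoint must be served only over HTTPS, as the comment thread insists; the hash comparison on the server side is what protects the stored secret, not anything done to the header.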
0


If you are using the Basic authorization header, then the following configuration works for you in the context-security.xml file.

    <!-- Secured chain for the API; every POST must be fully authenticated over the configured channel -->
    <http auto-config="true" use-expressions="true" pattern="/project/api/**">
        <intercept-url pattern="/**" access="isFullyAuthenticated()"
                       requires-channel="${security.requires.channel}" method="POST"/>
        <custom-filter ref="basicAuthenticationFilter" position="PRE_AUTH_FILTER"/>
    </http>

    <!-- Filter that decodes the Basic 'Authorization' header and hands it to the authentication manager -->
    <beans:bean id="basicAuthenticationFilter"
                class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
    </beans:bean>

I have used the same approach for REST services, but you need to be careful that whatever scheme you use for encoding the username and password, you use the same scheme in the filter for decoding the 'Authorization' header information. If you are using some custom scheme for encoding the 'Authorization' header, then you need to extend 'BasicAuthenticationFilter' and provide appropriate decoding of the 'Authorization' header.

SkyWalker
Rajdeep