I have deployed Apache Solr 6.6.1 with basic authentication by following their reference guide. At the end they have discussed how to use curl with security. For my case, I am using the REST API to query Solr. Due to Basic Authentication I am using this query: https://user:pswd@serverhost/solr/... In this way my user & password will be exposed. I want to know the safest method to use basic authentication with the REST API that will not be exposed to the external world.

Usama Tahir

1 Answer

As you can see here:

The use of these URLs is deprecated. In Chrome, the username:password@ part in URLs is even stripped out for security reasons. In Firefox, it is checked if the site actually requires authentication and if not, Firefox will warn the user with a prompt "You are about to log in to the site “www.example.com” with the username “username”, but the website does not require authentication. This may be an attempt to trick you.".

You don't need to expose it in your URL; instead, add an "Authorization" header to your request. The value will have "username:password" encoded in Base64, which is not safe, but since you're using https, it will be protected.

The full value of the header will be something like "Basic dXNlcm5hbWU6cGFzc3dvcmQ=". It's formed by the type of authentication ("Basic") plus a space plus the value of "username:password" encoded in Base64.

Alessandro Hoss
  • Can you please provide me an example of this? How to form this ("Basic dXNlcm5hbWU6cGFzc3dvcmQ=") encoded value and use it in an https request? – Usama Tahir Oct 09 '17 at 11:29
  • It depends how you want it. A lot of REST clients (Postman, ARC, ...) will do this automatically when you set the authentication to basic and provide the credentials. In Java you can build an HTTP client with something like this: https://stackoverflow.com/a/3283496/4891223 – Alessandro Hoss Oct 09 '17 at 13:56
  • I want to use it as a URL which we provide to the browser address bar and it should return us data without prompting for login. I want a complete URL format having the basic authentication user & password in it, but in encoded form. – Usama Tahir Oct 10 '17 at 05:01
  • If you can't handle the request to add headers, you won't be able to make it protected. Headers will be protected by SSL encryption; the URL won't. Even if it were possible to use the base64 encoded form directly in the URL, it wouldn't be safer than the plain text version, because base64 can be easily decoded. – Alessandro Hoss Oct 10 '17 at 13:40
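The following is an added example, not code from the question or the answer above, that works through what the answer describes: it builds the "Basic ..." header value from username:password, decodes it again to show that Base64 hides nothing, moves the credentials out of a https://user:pswd@host URL into the header, and issues a Solr select query with the credentials read from environment variables rather than typed into the URL. The host name serverhost, the collection name, and the environment variable names SOLR_URL, SOLR_USER and SOLR_PASSWORD are assumptions for illustration; only the standard library is used.

```python
"""HTTP Basic auth for a Solr REST query: credentials in a header, not the URL.

Assumed for illustration: host "serverhost", env vars SOLR_URL / SOLR_USER /
SOLR_PASSWORD. Everything else follows RFC 7617 and the Solr select API.
"""
import base64
import os
import urllib.parse
import urllib.request
from typing import Optional, Tuple


def build_basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic auth.

    RFC 7617: the literal "Basic ", a single space, then
    base64("user-id:password"). Base64 is an encoding, not encryption:
    anyone who can read the header can recover the credentials, so the
    header must only ever be sent over TLS.
    """
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth_header(value: str) -> Tuple[str, str]:
    """Inverse of build_basic_auth_header, to show the value is reversible."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    # Split on the first ':' only: the password itself may contain colons.
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


def strip_url_credentials(url: str) -> Tuple[str, Optional[str]]:
    """Turn https://user:pswd@host/... into (credential-free URL, header).

    The header is None when the URL carried no credentials. Credentials in
    the URL end up in browser history, proxy logs and the server access log;
    in a header they stay inside the TLS-protected request body of the
    exchange and out of anything that records URLs.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.username is None:
        return url, None
    host_port = parts.netloc.rpartition("@")[2]  # keep host:port as typed
    clean = urllib.parse.urlunsplit(
        (parts.scheme, host_port, parts.path, parts.query, parts.fragment))
    header = build_basic_auth_header(
        urllib.parse.unquote(parts.username),
        urllib.parse.unquote(parts.password or ""))
    return clean, header


def solr_query(base_url: str, collection: str, q: str,
               username: str, password: str, timeout: float = 10.0) -> bytes:
    """Run a Solr select query with Basic auth carried in the header.

    Refuses plain http: Basic auth over cleartext exposes the password to
    every hop on the path, exactly like user:pswd in the URL would.
    """
    if not base_url.lower().startswith("https://"):
        raise ValueError("Basic auth must only be sent over https")
    params = urllib.parse.urlencode({"q": q, "wt": "json"})
    url = f"{base_url}/solr/{urllib.parse.quote(collection)}/select?{params}"
    req = urllib.request.Request(
        url, headers={"Authorization": build_basic_auth_header(username, password)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Read credentials from the environment (assumed variable names) so they
    # never appear on the command line or in the URL.
    base = os.environ.get("SOLR_URL", "https://serverhost")  # assumed host
    user = os.environ.get("SOLR_USER")
    pwd = os.environ.get("SOLR_PASSWORD")
    if user and pwd:
        print(solr_query(base, "gettingstarted", "*:*", user, pwd)[:200])
    else:
        print("set SOLR_USER and SOLR_PASSWORD to run a live query")
```

The same header value is what curl sends for `curl -u user:pswd` and what REST clients such as Postman generate when set to Basic auth; the point of the example is that the credentials travel inside the TLS-encrypted request rather than in the URL, which a browser address bar cannot do.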