I am creating a simple API database using an xAgent, Another application is requesting data by sending in a query in the request headers and I process the header and send back the requested data, so far so good.
I now need to add some sort of authentication to this request. but without using Domino authentication. if I use postman and send in a username and password as "basic authentication" that is not correct Domino sends back the following:
nHTTP: user [xxx.xxx.xxx.xxx] authentication failure using internet password
So if I send in username and password in a Basic Authentication request, Domino will try to login the user to Domino. However I do not want to do that.
I want to provide my own username and password that the request must match to get the data. (So if correct username/password is sent in I will send back the data anonymously to the user)
I am guessing that using Authenticated requests feature will somehow make it safer.
Can I set Domino to ignore the authenticated request for my application so that I can handle it in code?
or should I just let the external application send in username and password in the request header as base64?
advice needed
thanks
Thomas
Just use another header (it is YOUR Api), i.e. X-Auth and handle it by yourself.
But keep in mind that this lowers the security if you make a mistake...
Related
I created a node rest API using firebase to log in users. The body is a JSON with a username and password. How can I login users on my spring application and secure user passwords and not put it directly in the post request? This is how my API logs in a user I send it the JSON:
{
email: test#test.com,
password: 123456
}
In spring I can send that JSON to the API but I feel like saving a password in a model and sending it is not the proper way to go. How do I do this?
I've looked at spring security and I'm so confused. It encodes a password but my API doesn't know the encoded password? If someone can help me with this I would appreciate it.
You wouldn't use a POST for this. You would use the authorization header and HTTPS for encryption. In regards to your API not knowing the encrypted password, that is ideal. You could have your spring application generate a token that could be linked to the account. Then you could use that token on the API to perform validation for requests. You can validate by sending a request from the API to the spring server to check if the token is valid.
I'm building a REST service and right and have run into a problem. Right now the functionality is this: a user can post their username and password and if it's correct I return a JWT token for them.
What do I need to do in order to make a client use this token when they request something from a protected endpoint? I'm new to web in general and I don't know where to go from here.
First, you have to save the JWT somewhere. In a browser, the best options are in cookies or local storage (see where to store your jwts for an example on how).
Second, you need to pass the JWT back to the server with your next request. You will have to retrieve the JWT from wherever you stored it and include it in the request. How you do this depends on where the server expects your JWT to go and what framework you use for making requests. For example, if your JWT goes in one of the request headers, here is an example for setting request headers with a jquery ajax request.
I'm trying to create RestApi first time. Looking for assistance after reading text present online.
My requirement is, I want to create an rest api which will be having username and password. Password will be in encrypted format. So when this api client will request to a web server, that password will be decrypted first on server side and then if the user name and password authenticates then it will send back a temporary token with expiry date. Then again that token will be used in rest api to request data from the web server in xml format.
How can we achieve this ?
And I also want to understand if we encrypt a password in client server then how its get decrypts on web server side. Is the same instance travels from client to web server side while making request ?
Second, The data which I'm trying to consume from web server are the email ids of users which registers on website. My question, If user is getting registered on website then website must be storing those email ids somewhere like in database right ? And my restApi will be accessing the code on web-server side which is responsible to get email ids from database in xml format. Is my understanding correct ?
First, don't concern yourself directly with encrypting details client-side and decrypting them server-side. If you are using TLS/HTTPS (which you should be) then all is well, everything is already encrypted.
The token generation is slightly more difficult but still easy enough. A commonly used and simple to implement method is to use JWT tokens. The general idea is that you create a JSON object like the following:
{ "userID": "FC5A47CC", "expiry": "12/10/2017" }
And then run it through an HMAC using a key only your server knows. You append the result of the HMAC to the JSON object using base64 encoding and then send this to your client after they have logged in.
Using this method, authentication is very fast, as your web server won't need to make any requests to your database server to determine if the token is valid. You can read more about JWT here. I've answered a similar question in more detail here.
As your question asks, these userIDs will obviously need to be stored in your database.
Seems like you want client app to consume resources on behalf of user. I propose OAuth 2.0, which provides mechanism, which you have described to access protected resources without storing passwords. Client app requests a username and password from the user (for example by using a login form) and then send that credentials to the server. Upon receipt and validation server returns token to the client. Client stores token locally and discards username and password. All subsequent request are authorized by token, which can be accomplished using a custom HTTP header, for example X-Auth-Token. Server can optionally provide a refresh token along with the access token, which is used by client to obtain new access token, once current expires. HTTPS/SSL technology is required by OAuth 2.0, so data over wire will be encrypted.
There are 4 roles defined by OAuth 2.0 :
1) Authorization Server — does identity verification and grants token to the client app.
2) Resource Server — Server which hosts actual protected user resource.
3) Resource Owner — User willing to provide access to his protected resource.
4) Client — application that gets access to a user’s resources.
You can use Spring Security OAuth framework to implement this requirement.
I have a Java+Spring application.
Assuming the browser settings are all correct and site is allowed, is it possible to retrieve logged in AD user credentials from an http request? Which fields are they? AUTH_USER? Are they coming with every request (GET, POST, PUT, DELETE etc).
I've successfully integrated AD authentication, with the user manually typing in their AD user and password. Now i am wondering, can login be done more automatically, retrieving credential from a browser's request?
I don't think this is possible. If you want an elegant solution instead of checking each user/password in your filter for example, have an eye to JWT. You could encapsulate your AD user in it and send the token to the client, itself sending back to you in a header.
The counterpart is that you have to integrate all the jwt part, as long as JWT is not native in Spring. I'm currently working on a personal project to integrate jwt and that's not so easy for someone starting with Spring Security.
This link seems ok for Spring
I've been learning spring-ws for little over a week and I've set up a simple web service.
I'm testing it using soapui and specifying a username and password in the request properties.
My web service has no security layer nor do I want to add one. I just need to pull the username and password out of the request to make requests to another service. I don't want to have to specify a username or password in my request body itself.
All I want to do is retrieve the username and password from the request from soapui. Does anyone know where the username and password are in the request? Are they in a http header or the soap header. The soap header appears to be empty in soapui.
I have tried writing my own interceptor to my endpoint and getting the soap header but it appears to be empty.
I have also tried retrieving them using SecurityContextHolder.getContext().getAuthentication();
but this returns null.
I also tried to interrogate the HttpServletRequest from my endpoint to see if the user details were in there, sadly not.
Does anyone have any ideas or good knowledge of this area?
Since there is not authentication in your application, your server does not prompt for authentication and the parameters you specify in soapUI are never used (not included in the http request). Furthermore there is not point using
SecurityContextHolder.getContext().getAuthentication()
since you don't have authentication, there is no authenticated user and it returns null as you said.
If you need username/password to access another resource, you should specify them as configuration parameters in your web service.