Spring Security Basic Auth with digest over http for stateless APIs

2
votes

Some clients/customers would use web app for offline large scale purposes with user management system. In this regards, they provide a real pain deploying the app with HTTPS support. Let a lone the UN-trust warning by browsers for self signed certificates which makes customers complain.

  • In this use case, for sake of argument. What are the options to use secure user authentication over HTTP ?

I've been trying to use Spring Security with Spring Boot to secure stateless APIs using Basic Authentication but I'd like to control the base64 header encryption/decryption avoiding sending the credentials in very easy to decrypt base64 string.

@Override
    protected void configure(HttpSecurity http) throws Exception {
      http.csrf()
          .disable()
          .cors()
          .and()
          .authorizeRequests()
          .antMatchers("/login")
          .permitAll()
          .and()
          .httpBasic();
    }

This method configuration extending WebSecurityConfigurerAdapter. I've tried to take a look at the source code of BasicAuthenticationFilter and found out it uses BasicAuthenticationConverter creating new object so I can't provide custom converter as bean to control the base64 decryption with more strong alternative (or an extra one).

Also this breaks Basic Auth standard anyway. Digest Auth stores password as text and this is not an option for me .

So,

  • Is there anyway to use Basic Auth with HTTP controlling the base64 decryption trying to reach a bit to what HTTPS offers ?

  • Or using Digest Auth with encrypted stored passwords ?

2
javaspring-bootspring-securitybasic-authenticationdigest-authentication

2 Answers

2
votes

Is there anyway to use Basic Auth with HTTP controlling the base64 decryption trying to reach a bit to what HTTPS offers ?

Yes. Taking Basic Authentication as example to extend here. You'll need to create filter on your requests to do whatever you want with the base64 encoding in your header. You can encrypt your Authorizaion header which contains username:password value before encoding to base64.

username:password >> encryption >> encode to base64

Then in that filter, you do the decryption and recreate the base64 pure form

request header Authorization encrypted >> decode from base64 >> decryption >> encode username:password to base64 >> continue filter chaine to BasicAuthenticationFilter

You can add the filter before BasicAuthenticationFilter like

http.addFilterBefore(tokenFilter(), BasicAuthenticationFilter.class);

Note that this is customized workaround to extend basic authentication but it's not standard way of handling basic auth.

Or using Digest Auth with encrypted stored passwords ?

Digest Auth not that secured over HTTP but for better idea about how it works, you may take a look to this answer

Concept of Digest authentication - does it really work?

You will get more secure option using your first option than the second. But your best solution is to use HTTPs. Security is major concern and subject and you should spend some time trying to figure out what's best for your case.

1
votes

There is no alternative to use HTTPs but to answer your question, yes you can do your own control to send encrypted data and create a servlet filter for decryption of sent data on every request or sensitive requests.