I have a client that is POSTing an XML document to a server that requires basic authentication. Are the payload and basic authentication header included in the same request or does the authentication occur before the payload is sent? I'm trying to send sensitive information to the server? Is it possible that sensitive information could still be accessed by the server even though the authentication failed?
The request headers (which includes the Authorization header used by basic authentication) and the request message body (which is where your XML document would be copied) are conceptually part of the same message.
That message might be spread over multiple packets.
The request body will be sent separately from the body in some circumstances (for instance, in conjunction with the use of the Expect header.
The authorization header describes the client, not the server - if you send unencrypted data to the server, of course it can read it.
The usual answer is to encrypt the entire http request, so that it can only be read by a process that can access the other half of the encryption secret. In the most common use case, we use HTTPS to ensure that the request can only be read by a machine that can access the server's secret; client authorization still happens via the headers.
There are alternatives where the client proves its identify by using a specific secret in the encryption of the message (the server knows that the client is genuine by the fact that the correct matching piece successfully decrypted the message).
Related
I'm currently working on a small project where I need to create login and register functionalities for a web application. A colleague of mine had the opinion, that a login request should be done with a post request where the user credentials are stored in the body of the request. I was used to do login requests with a Get-Request where the login credentials are stored in the authentication header (e.g. with Basic-Authentication). So I've read some threads and most of them say, that a POST-Request is better than a GET-Request for login. But also some threads said, that it is better to store user credentials in a request header instead of the body. In case the credentials are stored in the header I don't understand why a GET-Request should be better than a POST-Request.
So I was wondering what you think. What are the benefits/disadvantages of Login with POST-Request and User Credentials stored in the Request-Body compared to storing them in the header via Base-Authentication (encrypted with Base64).
Thanks for any opinions.
A POST is preferable for login request, because the authentication information will be sent in the HTTP messages body rather than the URL. Although it will still be sent plain text, unless you're encrypting via HTTPS.
GET method data is sent to the server followed by the URL which will be seen to everyone.
Both GET and POST method are used to transfer data from client to server in HTTP protocol but main difference between POST and GET method is that GET carries request parameter appended in URL string, while POST carries request parameter in message body which makes it more secure way of transferring data from client to server in HTTP protocol.
In order to put some additional Information about the access- and refresh-token in a REST API response, I thought about creating a token object, that carries all the information which I want to append to the token and send it along with the usual JSON response.
Would this be less secure? If yes, why and how could I work around the security leak?
Well its possible to decrypt SSL traffic using Wireshark. You should encrypt your access token before sending it to the client in api response
I have configured my CAS server to activate REST authentication, as per these instructions. However, in order for it to work, I must submit my credentials in plain text (content type text/html or xml) and not application/x-www-form-urlencoded as per the instructions. The credentials are lost when sent in the latter format.
I am uncomfortable sending my login credentials in plain text. Is this a bug in CAS and how can it be fixed? I am assuming it is less secure to send login credentials as text content type vs application, as the latter (I assume) does hash (or somehow else obfuscates) the content sent.
I should also mention that I had to make a fix to a bug in CAS due to which credentials were being lost regardless of the content type, by implementing this solution in my maven overlay. After that, only text-based content types worked and CAS does authenticate (albeit I find it annoying that the service returns HTML and not XML/JSON or even plain text, for the ease of programmatic processing).
RELATED: REST API endpoint /v1/tickets appears to lose credential request parameters
Content-type has no effect on the confidentiality of data in the request. Sending it with application/x-www-form-urlencoded in a request is not more (nor less) secure than text/html or text/xml if only confidentiality is considered. There is no additional security value in using any of those in a request, somebody having access to the raw request source (a MitM attacker) will see request contents either way. HTTPS effectively mitigates this risk with regard to MitM attackers on the network inbetween nodes, but not on endpoints where SSL is terminated (the source and target computers, and also any node inbetween that terminates SSL, like for example a company proxy with a trusted root certificate on clients - a fairly common setup).
As for the possible security benefit of using text/plain instead of application/x-www-form-urlencoded, please see my answer to your other question. In short, using text/plain may prevent some CSRF attacks.
I have a REST service that is already secured with basic authentication using the Authorization header. This is used to access the service in general and is required for any request. i.e. "User1", "password1".
I have a "file" resource which can have an additional password associated with it (i.e a password protected Word document, PDF, etc), "docpassword". What is the best way to send sensitive information like this? I'm especially interested in how to send the password for a GET request, but I'd like to have a universal solution that will also work for POST requests.
Maybe a custom header?
The HTTP protocol defines the standard Authorization header for sending authentication data (credentials) to the server. This header is defined in the RFC 7235 (which makes the old RFC 2616 obsolete and updates the RFC 2617):
4.2. Authorization
The Authorization header field allows a user agent to authenticate
itself with an origin server -- usually, but not necessarily, after
receiving a 401 (Unauthorized) response. Its value consists of
credentials containing the authentication information of the user
agent for the realm of the resource being requested.
Authorization = credentials
[...]
Please note that the name of this HTTP header is unfortunate because it carries authentication data instead of authorization. Anyways, this is the standard headers for sending credentials in the HTTP protocol.
Once you are already using the HTTP Basic Authentication Scheme to authenticate the users in your application, I believe you are already using the standard Authorization header.
I usually do not recommend custom headers, especially when the standard headers can be used instead, but your scenario seems not so common: You need to perform two authentications on the same request.
So, maybe a custom header such as X-Auth-Document or Document-Authentication with the document's password will be fine for GET requests. If you decide not using GET and decide using POST to access this resource, you can consider sending the document's password in the request paylod.
Anyways, don't forget using HTTPS: is highly advisable once you are sending sensitive data, such as credentials, over the wire. And HTTPS will protect you against the man-in-the-middle attack.
HTTP already has an authentication method, see for example this RFC: https://www.rfc-editor.org/rfc/rfc2617
Edit after clarification of question: There is nothing preventing the server to make additional challenges, even based on single resource basis. I must admit I did not implement such a thing yet, but each authorization can have its own realm. You could specify different realms, even down to document level if you really want to. The server then can potentially make multiple challenges in each realm (first login, then document). Remember, you can cache successful authentications, either on the client (for a realm, like a browser does), or giving out cookies with a cached token.
This would have the advantage of avoiding a custom header, and be completely HTTP/REST conform. There may be some performance disadvantage, but it could be mitigated with some targeted caching.
Of course you can go with custom header if you want to, but normally REST would imply that the client goes in with no prior knowledge other than mime-types and the HTTP protocol. A custom header implies out-of-band prior knowledge.
I maybe missing an important piece of jwt concept but I'm having a hard time finding info on where the server is supposed to include the generated json web token in the response and where the client is supposed to include it in the subsequent requests. Are there any rules/guidelines/best practices on that?
The JWT should be sent to the client in the response body. In the subsequent requests you've got to include an header field called Authorization with the token.
Check this link for more details.