RESTful Authentication via Spring

醉话见心 2020-11-27 23:58

Problem:
We have a Spring MVC-based RESTful API which contains sensitive information. The API should be secured, however sending the user's credentials

4 answers
  •  孤街浪徒
    2020-11-28 00:32

    You might consider Digest Access Authentication. Essentially the protocol is as follows:

    1. Request is made from client
    2. Server responds with a unique nonce string
    3. Client supplies a username and password (and some other values) md5 hashed with the nonce; this hash is known as HA1
    4. Server is then able to verify client's identity and serve up the requested materials
    5. Communication with the nonce can continue until the server supplies a new nonce (a counter is used to eliminate replay attacks)

    All of this communication is made through headers, which, as jmort253 points out, is generally more secure than communicating sensitive material in the url parameters.

    Digest Access Authentication is supported by Spring Security. Notice that, although the docs say that you must have access to your client's plain-text password, you can successfully authenticate if you have the HA1 hash for your client.
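
The five-step exchange described in the answer, as an added example that is not part of the original post or of Spring Security: a client computes the RFC 2617 digest response, and a server that stores only each user's HA1 (never the plain-text password) verifies it and rejects a replayed nonce counter. The realm, user names and URIs are constructed sample values.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the only secret the server needs to keep."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: int, cnonce: str, qop: str = "auth") -> str:
    """Client side (step 3): response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: holds username -> HA1 and the highest nc seen per nonce."""

    def __init__(self, realm: str, users_ha1: dict):
        self.realm = realm
        self.users = users_ha1
        self.nonces = {}  # nonce -> last accepted nonce count

    def issue_nonce(self) -> str:
        """Step 2: answer an unauthenticated request with a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        """Step 4: recompute the response from stored HA1 and compare; step 5: nc must increase."""
        if nonce not in self.nonces or nc <= self.nonces[nonce]:
            return False  # unknown/stale nonce, or a replayed counter value
        stored_ha1 = self.users.get(username)
        if stored_ha1 is None:
            return False
        expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.nonces[nonce] = nc
        return True


def demo_exchange():
    """Constructed walk-through: first request accepted, exact replay rejected, next nc accepted."""
    realm = "api.example.test"  # constructed sample realm
    server = DigestVerifier(realm, {"alice": ha1("alice", realm, "s3cret")})
    nonce = server.issue_nonce()
    client_ha1 = ha1("alice", realm, "s3cret")  # the client hashes its own credentials
    resp = digest_response(client_ha1, "GET", "/accounts", nonce, 1, "cn0")
    first = server.verify("alice", "GET", "/accounts", nonce, 1, "cn0", resp)
    replay = server.verify("alice", "GET", "/accounts", nonce, 1, "cn0", resp)
    resp2 = digest_response(client_ha1, "GET", "/accounts", nonce, 2, "cn1")
    second = server.verify("alice", "GET", "/accounts", nonce, 2, "cn1", resp2)
    return first, replay, second
```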
