HISPACTA Hell

Monday, April 24, 2006

Encrypting passwords in a web service environment

If your various GUIs are planning on connecting to an AuthenticationManager over a web service, the decision on where to encrypt passwords becomes non-trivial (I think).

If you've got a straightforward application without web services, then just add a PasswordEncoder property to the daoAuthenticationProvider bean and you're done.
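Here is what that single-box wiring looks like, as an added example that is not part of the original post. It assumes Acegi 1.0-era class names (`org.acegisecurity.providers.dao.DaoAuthenticationProvider`, `org.acegisecurity.providers.encoding.Md5PasswordEncoder`, `org.acegisecurity.userdetails.memory.InMemoryDaoImpl`); the bean ids, the user `alice` and her hash are constructed sample values.

```xml
<!-- Added example (not from the original post). Acegi 1.0-era class names assumed.
     The provider hashes the submitted plaintext with MD5 on the server and compares
     the digest to what the UserDetailsService returns for that user. -->
<bean id="daoAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="userDetailsService"/>
  <!-- Without this property Acegi falls back to a plaintext encoder, i.e. a
       straight string-to-string comparison of whatever the client sent. -->
  <property name="passwordEncoder">
    <bean class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"/>
  </property>
</bean>

<!-- The stored credential must already be the MD5 hex digest, never the plaintext.
     Constructed sample: MD5("password") = 5f4dcc3b5aa765d61d8327deb882cf99 -->
<bean id="userDetailsService"
      class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap">
    <value>
      alice=5f4dcc3b5aa765d61d8327deb882cf99,ROLE_USER
    </value>
  </property>
</bean>
```

The form-login filter the post's `/j_acegi_security_check` refers to delegates to an AuthenticationManager that wraps this provider; only the `passwordEncoder` property decides which side of the wire does the hashing.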

However, if your daoAuthenticationProvider (or whatever) is running on a remote box that your client accesses through a GUI, then you have two options: (a) add the PasswordEncoder to the web service's bean, or (b) encrypt the password on the client side, send it over to the web service, and have the web service's bean do a straight string-to-string comparison.

After mulling it over a little bit, I decided that I'd go with option (b) and apply the Acegi MD5 encryption at each of the client sides. It's a little more work, sure, but it means that the password isn't sent over the network in plaintext (even if the network is secured with SSL), and it means the password doesn't show up in the GET headers that are posted as part of the /j_acegi_security_check that the client depends on.
