
I am trying to authenticate users with a REST service I built using Dropwizard. From previous questions I found a great example of authenticating with OpenID on GitHub: https://github.com/gary-rowe/DropwizardOpenID

However, I don't want to deal with OpenID at the moment and simply want users to 1. Sign up, 2. Sign in

My questions/confusions are:

  1. For Signup: I'm thinking about sending the user's username/password as a POST request with the credentials as either form parameters or part of the JSON body. However, isn't there a security risk here of sending the password in plain text?

  2. For Sign-in I'm thinking about using Authenticator in Dropwizard.

  3. I don't want to store passwords in plain text. What strategy should I follow after I get the users' password in the POST as plain text? I'm looking for some Java libraries that can assist with password salting and MD5.

brandonscript
birdy
    Have you read their [authentication](http://dropwizard.codahale.com/manual/auth/#oauth2) documentation? OAuth2 is going to be the most secure and RESTful approach; as for sending creds in plaintext, are you building a web front-end? If so, serve your site over https and it won't be a problem. – brandonscript Dec 17 '13 at 16:49
  • I don't envision any external apps using the API for data. My API will just be used by my app's mobile and web interface. Wouldn't OAuth2 be overkill for this? – birdy Dec 17 '13 at 18:55
  • OAuth2 is a great approach to ensure that each logged in user receives their own access token that you can track and manage. Short of dropping the API altogether (and using just session/cookies) it's still the best and most scalable approach. Do the work now, it'll last (forever?) – brandonscript Dec 17 '13 at 18:56
  • Maybe I'm not following correctly. If I go down OAuth2 route I have to register my app with one of the OAuth2 providers e.g. google, github, etc. right? And then I can use that token to authorize the user? ... – birdy Dec 17 '13 at 19:14
  • No no no... Dropwizard supports OAuth2 on the back end - so you would implement your own OAuth2 service, and then have the browser perform the auth handshake with it; completely independent from Google, et al. – brandonscript Dec 17 '13 at 19:16
  • Ah, roger that. Much better. I'll find more info on how to implement OAuth2 with Dropwizard. Users can "signup" with OAuth2 as well? – birdy Dec 17 '13 at 19:17
  • Yes they can. Looks like their docs are pretty good too, and being open source, you should find lots of examples. – brandonscript Dec 17 '13 at 19:20

2 Answers


Looking at the docs, we can see that Dropwizard supports a standalone OAuth2 implementation:

http://dropwizard.codahale.com/manual/auth/#oauth2

OAuth2 has several advantages, many of which can be read about here: OAuth 2.0: Benefits and use cases — why?

Things to note:

  • when dealing with authentication, you should always host over HTTPS to ensure transport encryption
  • Dropwizard claims their OAuth2 implementation isn't yet finalized, and may change in the future. As a fallback, they do support Basic auth as well, which, when used over HTTPS, would still be reasonably secure.
  • Implementing this does not involve using any third party "social" authentication services such as Google or Facebook.
brandonscript
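The example below is added here and is not code from the question, from either answer, or from the Dropwizard project. It covers point 3 of the question (what to do with the plaintext password that arrives in the signup POST) together with the Basic-auth fallback mentioned in this answer: passwords are stored as PBKDF2-HMAC-SHA256 hashes with a random per-user salt (substituted for the salted MD5 the question asks about, since MD5 is fast enough that a leaked table can be brute-forced offline), and a Dropwizard Authenticator verifies Basic credentials against that store for sign-in. Everything named here is an assumption: the classes PasswordAuth, PasswordStore, User and PasswordAuthenticator, the in-memory map standing in for a database table, the iteration count, and the io.dropwizard.auth package names, which follow the Dropwizard 1.x auth API rather than the com.yammer packages of the 2013-era release the question refers to.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Assumed Dropwizard 1.x auth API (not the 2013-era com.yammer packages).
import io.dropwizard.auth.Authenticator;
import io.dropwizard.auth.basic.BasicCredentials;

/** Signup/sign-in password handling for a Dropwizard service; hashing uses only the JDK. */
public final class PasswordAuth {

    /** Keeps salted, iterated hashes only; the plaintext password is never persisted. */
    public static final class PasswordStore {
        private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
        private static final int ITERATIONS = 100_000;   // assumed; tune to your hardware budget
        private static final int SALT_BYTES = 16;
        private static final int KEY_BITS = 256;
        private static final SecureRandom RNG = new SecureRandom();

        // username -> "iterations:base64(salt):base64(hash)". In-memory stand-in for a DB table.
        private final Map<String, String> records = new ConcurrentHashMap<>();

        /** Signup: hash the POSTed password with a fresh random salt and keep only the record. */
        public void signup(String username, char[] password) {
            byte[] salt = new byte[SALT_BYTES];
            RNG.nextBytes(salt);
            byte[] hash = derive(password, salt, ITERATIONS);
            records.put(username, ITERATIONS + ":" + b64(salt) + ":" + b64(hash));
        }

        /** Sign-in: re-derive with the stored salt and iteration count, then compare timing-safely. */
        public boolean verify(String username, char[] password) {
            String record = records.get(username);
            if (record == null) {
                // Unknown user: do the same work so response time does not reveal which usernames exist.
                derive(password, new byte[SALT_BYTES], ITERATIONS);
                return false;
            }
            String[] parts = record.split(":");
            byte[] salt = Base64.getDecoder().decode(parts[1]);
            byte[] expected = Base64.getDecoder().decode(parts[2]);
            byte[] actual = derive(password, salt, Integer.parseInt(parts[0]));
            return MessageDigest.isEqual(expected, actual);   // timing-safe comparison
        }

        private static byte[] derive(char[] password, byte[] salt, int iterations) {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            try {
                return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                throw new IllegalStateException("PBKDF2 is unavailable in this JVM", e);
            } finally {
                spec.clearPassword();   // PBEKeySpec copied the password; wipe that copy
            }
        }

        private static String b64(byte[] bytes) {
            return Base64.getEncoder().encodeToString(bytes);
        }
    }

    /** Principal handed to resources once Basic credentials have been verified. */
    public static final class User implements Principal {
        private final String name;
        public User(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** The sign-in half: a Dropwizard Authenticator checking Basic credentials against the store. */
    public static final class PasswordAuthenticator implements Authenticator<BasicCredentials, User> {
        private final PasswordStore store;
        public PasswordAuthenticator(PasswordStore store) { this.store = store; }

        @Override
        public Optional<User> authenticate(BasicCredentials credentials) {
            char[] password = credentials.getPassword().toCharArray();
            try {
                return store.verify(credentials.getUsername(), password)
                        ? Optional.of(new User(credentials.getUsername()))
                        : Optional.empty();
            } finally {
                Arrays.fill(password, '\0');   // don't keep the plaintext around longer than needed
            }
        }
    }

    /** Stand-alone check of the store; no running Dropwizard server is needed for this part. */
    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        store.signup("birdy", "correct horse battery staple".toCharArray());
        System.out.println(store.verify("birdy", "correct horse battery staple".toCharArray()));
        System.out.println(store.verify("birdy", "wrong".toCharArray()));
        System.out.println(store.verify("nobody", "anything".toCharArray()));
    }
}
```

Wiring it in follows the Dropwizard 1.x manual: build a BasicCredentialAuthFilter with this authenticator, register it through AuthDynamicFeature, and add an AuthValueFactoryProvider.Binder for User so resources can take an @Auth User parameter. Basic auth sends the password base64-encoded, not encrypted, on every request, so, as the answer says, the service has to be served over HTTPS only; the same holds for the signup POST body.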

Thanks for the shout out for the Dropwizard OpenID project. Glad it was able to get you started.

If you want a pure web form type approach, take a look at another of my projects, MultiBit Merchant, which provides multiple authentication methods (web form, HMAC, cookie).

You'll need to dig around to really see it working since this project is not designed as a demo as such and is very much a work in progress.

After loading the project, look for WebFormClientAuthenticator which will get you in the right area.

The general principles involved with Dropwizard authentication are discussed in this blog article. Although it targets HMAC you can easily adapt it for web form or cookie using the source code referenced earlier.

It's all MIT license so just use it as you need.

Gary Rowe
  • Thanks. I am looking through the code and implementing my simple service in parallel. I had one more question - http://stackoverflow.com/questions/20662871/how-to-do-basic-authentication-of-a-resource-in-dropwizard – birdy Dec 18 '13 at 16:04