Home/ Questions/Q 9084649
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T21:03:00+00:00

I’m trying to implement a RESTful web service using Spring. I’ve set up Spring

  • 0

I’m trying to implement a RESTful web service using Spring. I’ve set up Spring Security to work on the links that apply to the REST service. I make calls to this web service from an Android application. What I’ve done now is connect to it using Basic Authentication. What I’m struggling with is finding decent information about how secure this really is. I figure I should at least be making these calls through SSL or something no?

My code on the Android client that calls the REST client

  public MyClass callRest() {
    final String url = "http://10.0.2.2:8080/myservice/rest/getSomething";

    HttpAuthentication authHeader = new HttpBasicAuthentication(username,
            password);
    HttpHeaders requestHeaders = new HttpHeaders();
    requestHeaders.setAuthorization(authHeader);
    requestHeaders.setAccept(Collections
            .singletonList(MediaType.APPLICATION_JSON));

    RestTemplate restTemplate = new RestTemplate();
    restTemplate.getMessageConverters().add(
            new MappingJacksonHttpMessageConverter());
    try {
        ResponseEntity<MyClass> response = restTemplate.exchange(url,
                HttpMethod.GET, new HttpEntity<Object>(requestHeaders),
                MyClass.class);
        return response.getBody();
    } catch (HttpClientErrorException e) {
        return new MyClass();
    }

}

So what I’ve put in my Spring Security config right now:

<http auto-config='true'>
    <intercept-url pattern="/rest/**" access="ROLE_USER"
        requires-channel="https" />
</http>

I can’t figure out where to go from there, because now the connection doesn’t work anymore of course because of the https. I can’t seem to find decent examples of how to figure this out using the Resttemplate.

Any help?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    HTTP Basic Authentication is reasonably safe when used over HTTPS since the user and password fields are sent over an encrypted connection so they are much less vulnerable to man-in-the-middle attacks. There are some interesting points here: Securing an API: SSL & HTTP Basic Authentication vs Signature

    In my opinion, if you are making a API with access to user’s sensitive data (i.e. bank account details, credit card numbers, email addresses and passwords) then you may want a more secure approach because HTTP Basic Authentication is succeptible to brute force attacks as it is always available (unless you build in deterrents such as maximum retries etc.) If your API is for a game or basic business data then there should be less attraction for a hacker to spend the time on it.

    Does your server support HTTPS – often you need to pay extra for a HTTPS certificate or you have to use a shared once which give you a subdomain on a shared HTTPS domain – i.e. https//your-site.your-hosting-provider.com/. You need to check this perhaps.

    UPDATE 1: Your problem appears to be with your server and not with your program. Check out this blog post for information about how to set up HTTPS on your Tomcat Server. You need to do this before you can use HTTPS from your Spring application – looking at your code, there doesn’t seem to be a problem other than your server.

    Also try this.

    UPDATE 2 Once you have access, you will then need to trust the certificate on the Android device (or your Java installation if you were making a desktop/web application). It needs to be trusted because you created it yourself rather than a CA authority. See this answer: Trusting all certificates using HttpClient over HTTPS (Not the part about trusting all certificates – this can be dangerous).

    • 0