I’m using tomcat 6, spring mvc 3.0.0 and spring security 3.0.0, and since the passwords I store in the database are sha1 hashed, I can’t use digest authentication (section 9.2.1 of the documentation spells that out). For this reason, I need to make authentication happen through https.
Due to potential processing overhead, I want to keep as much of the traffic in regular http as possible. Is there a way I can make spring use https for unathenticated requests, then use http once authentication is done? I think this is done with a ChannelProcessingFilter of some sort, but I’m stumped as to the particulars.
Here’s my application-security.xml file as it currently stands:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()" />
<http-basic />
</http>
<authentication-manager>
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder hash="sha"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="myUserDetailsService"
class="path.to.myUserDetailsServiceImpl">
</beans:bean>
</beans:beans>
Thanks for the help.
If at any point you pass a session id over HTTP you are violating OWASP A9. An attacker doesn’t need the password if he has the session id. I would not implement this feature in your application, https is very light weight and I think you should look into saving resources in places that doesn’t mean that your clients will be hacked.