It has just occurred to me that when my Flex application does a ChannelSet.login, it is essentially sending the username and password over the wire in an unencrypted form to the BlazeDS server. While I use the binary AMF protocol over an AMFChannel, it would take nothing for somebody to sniff these passwords.
Most of my clients do not want to run their application on an https (SSL) protected site. So what is the best way to do this? I use Spring security on the backend to do authentication.
Should I encrypt the credentials myself before calling login? I guess then I would need to know the server-side encryption algorthym.
Thoughts?
Without SSL you can only resort to a shared encryption technique between client and server. In that case you can implement a custom LoginCommand in BlazeDS that will decrypt the incoming encrypted username/credentials for use on the server side.
There are other techniques (SSO, PreAuthentication, SessionKeys) but if your clients wont shell out for SSL or be prepared to force their users to use a self signed Selg Signed SSL certificate, then i doubt they will go for the alternatives.
If you are that worried about the username/password being comprpmised, then the minimum requirement is SSL when using ChannelSet.login with username/password.
A good solution in my humble opinion is a login via HTTPS with username/password, which the issues a session key, you can then use the username/sessionkey over HTTP to check that an oncoming non-secure request is from an authemticated user. The sessionkeys timeout after an arbitrary amount of time.