I am using Spring OAuth 2 to secure a web application and to implement a three-legged security system, and when it comes to using
grant_type=password
I've noticed that the URL used to get a token for a user is:
Method: POST + Basic-Authentication header for the client
http://host:port/api/oauth/token?grant_type=password&username=xxxxx&password=xxxx
And my question:
Is this approach secure enough, since it shares the user's credentials in the URL? If it is not, what are the alternatives or improvements?
Would adding an SSL certificate to the host be a solution to that?
Thanks
Plaintext authentication over an encrypted medium is not uncommon, so unencrypted passwords over an encrypted connection are fine.
However, I would not send credentials in the URL. It looks bad, and the same user might bookmark that URL.
You can put the credentials in the HTTP header instead, and as long as you're sending them over an encrypted connection it's OK.
The other option you have is:
tl;dr
The easiest solution is HTTPS and plaintext credentials in the HTTP headers.
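To make the answer's advice concrete, here is an added example (not code from the question or the answer, and not Spring's own client) of a password-grant token request built the recommended way: client credentials in an HTTP Basic header, the user's username and password in the form-encoded POST body, and a refusal to send anything unless the token URL is https. The hostname, port, client id and credentials are invented placeholders. The insecure builder next to it reproduces the query-string form from the question, so you can see the password land in the URL (and therefore in browser history, proxy and server access logs). No network connection is made; the functions only construct the request.

```python
import base64
from urllib.parse import urlencode, urlsplit
from urllib.request import Request


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credential for the OAuth2 client (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(token_url, client_id, client_secret, username, password):
    """Password-grant token request with no credentials in the URL.

    Client credentials go in the Authorization header, the resource owner's
    username/password go in the application/x-www-form-urlencoded body
    (RFC 6749 section 4.3.2). Raises if the URL is not https or carries a
    query string, so credentials never travel in the clear or in the URL.
    """
    parts = urlsplit(token_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send credentials over plaintext HTTP: {token_url}")
    if parts.query:
        raise ValueError("token URL must not carry a query string")

    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode("utf-8")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return Request(token_url, data=body, headers=headers, method="POST")


def build_insecure_query_url(token_url, username, password):
    """The form from the question: credentials appended to the URL (do not use)."""
    query = urlencode({"grant_type": "password", "username": username, "password": password})
    return f"{token_url}?{query}"


def url_leaks_secret(url, *secrets):
    """True if any secret value appears in the URL that would be logged/bookmarked."""
    return any(s in url for s in secrets)


if __name__ == "__main__":
    # Hypothetical endpoint and credentials, constructed for this example.
    good = build_token_request("https://host:8443/api/oauth/token", "app", "secret", "alice", "s3cret")
    bad = build_insecure_query_url("https://host:8443/api/oauth/token", "alice", "s3cret")
    print("secure request URL :", good.full_url)
    print("secure request body:", good.data.decode())
    print("insecure URL       :", bad)
    print("password in insecure URL:", url_leaks_secret(bad, "s3cret"))
```

The server side sees exactly the parameters it expects (Spring's token endpoint reads grant_type, username and password from the form body as well as from the query string), but only the path /api/oauth/token appears in any access log. Note that HTTPS only protects the credentials in transit; it does nothing about a URL that has already been bookmarked or logged, which is why moving them out of the URL matters even with a valid certificate.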