
Two way encryption of passwords



karltoffel
Jun 20th, 2012, 08:42 AM
Hi,

I want to discuss a design decision I have to make. I have a server application which is split into two parts, a domain service and a view service. The view service accesses the domain service using Spring's HttpInvoker. I have integrated Spring Security in both layers; the view service uses org.springframework.security.authentication.rcp.RemoteAuthenticationManager to perform a remote authentication. Since I want to protect service methods in the domain service, I use org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor to propagate the current authentication from the view service to the domain service. This works like a charm (after setting erase-credentials="false").

Problems arise when I use rememberme-cookies. The authentication is restored using a UserDetailsService, but since the password in the database is hashed, the authentication contains no usable credentials. But I need the raw password for AuthenticationSimpleHttpInvokerRequestExecutor to create a basic authentication.

Is this a use case where the change from a hash-based password digesting to a two way encryption-based password storage makes sense?

Or can I use some spring magic, which I just have overlooked?

Greetings,
Karl

Marten Deinum
Jun 20th, 2012, 09:43 AM
First law of distributed computing: Don't do it :). (Sorry, couldn't resist myself.)

2-way encryption-based passwords aren't secure and I would consider it a security hole if one would introduce something like that just for a remember-me function. Shouldn't the remember-me function also use the RemoteAuthenticationManager instead of a local provider-based one?

Either that or you might want to look at a SSO solution.
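The reason reversible ("two-way") password storage is treated as a hole rather than a trade-off is easiest to see by simulating the breach. The example below is added for illustration and is not Spring code or code from this thread: it stores the same constructed user set once under a toy reversible scheme (an HMAC-SHA256 keystream standing in for a real cipher, because the property that matters is shared by any cipher) and once under salted PBKDF2, then models an attacker who walks off with the database. The users, passwords and word list are made up.

```python
"""Reversible password storage versus one-way hashing under the same breach.

Constructed example (not from the original thread). The user records and the
attacker's word list are made up; the 'reversible' scheme is a toy stand-in
for whatever cipher a two-way store would use.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
SALT_LEN = 16
ITERATIONS = 20_000  # kept low so the demo runs quickly; use far more in practice


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Any real cipher has the property shown here:
    whoever holds the key can undo it."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_password(key: bytes, password: str) -> bytes:
    """Two-way store: the server can recover the raw password on demand."""
    nonce = os.urandom(NONCE_LEN)
    pw = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))


def decrypt_password(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def hash_password(password: str) -> bytes:
    """One-way store: random salt + PBKDF2-HMAC-SHA256; nothing can give the password back."""
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(stored: bytes, candidate: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(
        digest, hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    )


# Constructed data: one strong passphrase, two weak passwords, and a short word list.
USERS = {
    "karl": "correct horse battery staple",
    "student1": "password123",
    "student2": "letmein",
}
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]


def breach_two_way_store(key: bytes) -> dict[str, str]:
    """Attacker has the DB and the key the app needs to rebuild Basic-auth headers
    (the same key a remember-me flow would have to keep reachable). Every password
    comes back, strong or not."""
    db = {u: encrypt_password(key, p) for u, p in USERS.items()}
    return {u: decrypt_password(key, blob) for u, blob in db.items()}


def breach_hashed_store() -> dict[str, str]:
    """Attacker has the DB only. The best available attack is guessing, and it
    only recovers passwords that are in the word list."""
    db = {u: hash_password(p) for u, p in USERS.items()}
    cracked = {}
    for user, stored in db.items():
        for guess in WORDLIST:
            if verify_password(stored, guess):
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    key = os.urandom(32)
    print("two-way store, DB + key stolen:", breach_two_way_store(key))
    print("hashed store, DB stolen (cracked):", breach_hashed_store())
```

Run it and the two-way store hands back all three passwords, including the strong passphrase, while the hashed store gives up only the two passwords that were guessable in the first place. The convenience Karl is after (being able to rebuild a Basic-auth header from storage alone) is exactly the capability an attacker inherits along with the key.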

karltoffel
Jun 20th, 2012, 11:35 AM
First law of distributed computing: Don't do it :). (Sorry, couldn't resist myself.)

Not a chance ;-)
It's an educational project for my students, with a single domain service instance (from me) and about 30 view service instances (from my students). In my opinion, this approach is more manageable as opposed to clustering 30 JPA entity managers accessing a common database.


2-way encryption-based passwords aren't secure and I would consider it a security hole if one would introduce something like that just for a remember-me function. Shouldn't the remember-me function also use the RemoteAuthenticationManager instead of a local provider-based one?

You are right, it is probably not worth the hassle. But using the RemoteAuthenticationManager doesn't help, since the raw password (which is needed) is not available in remember-me scenarios.


Either that or you might want to look at a SSO solution.
I was afraid to get this answer ;-)

Thanks anyway!

Marten Deinum
Jun 20th, 2012, 01:36 PM
I was afraid to get this answer ;-)

Well you can go with two way encryption but IMHO that is a security risk which you don't want to introduce.