Security aspects of server authentication
by, 02-24-2012 at 08:04 PM (464 Views)
When communicating with non-trusted web applications or websites, extra care should be taken with default credentials. If preemptive authentication is enabled, or if a site requests authentication and no credentials have been given explicitly for that host, HttpClient will fall back to the default credentials to authenticate with the targeted site.
To avoid handing critical and sensitive credentials to a non-trustable website, narrow the scope of the credentials. The host should always be specified when it is known.
In production applications, setting the host or the realm to null is not recommended: the credentials would then be sent in response to any authentication challenge, from any site. This setting should be limited to debugging only.
Java Code:
    // Imports for the HttpClient 3.x classes used below
    import org.apache.commons.httpclient.UsernamePasswordCredentials;
    import org.apache.commons.httpclient.auth.AuthScope;

    // To be avoided unless in debug mode: AuthScope.ANY matches every host, port and realm
    Credentials defaultcreds = new UsernamePasswordCredentials("username", "password");
    client.getState().setCredentials(AuthScope.ANY, defaultcreds);
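The following is an added example, not code from the original post, showing the narrowed alternative to AuthScope.ANY using the same HttpClient 3.x API. It pins the credentials to a host, port and realm, disables preemptive authentication so nothing is sent before a challenge, and then checks what HttpState would hand out for a trusted host versus an unrelated one. The host names and realm are hypothetical values chosen for the example.

```java
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;

public class ScopedCredentialsDemo {

    // Hypothetical host and realm used only for this example.
    static final String TRUSTED_HOST = "intranet.example.com";
    static final int TRUSTED_PORT = 443;
    static final String TRUSTED_REALM = "Internal API";

    public static void main(String[] args) {
        HttpClient client = new HttpClient();

        // Only send credentials after a 401 challenge, never speculatively.
        client.getParams().setAuthenticationPreemptive(false);

        Credentials creds = new UsernamePasswordCredentials("username", "password");

        // Narrow scope: host, port and realm are all pinned, so the credentials
        // can only be selected for a challenge coming from this exact target.
        AuthScope scope = new AuthScope(TRUSTED_HOST, TRUSTED_PORT, TRUSTED_REALM);
        client.getState().setCredentials(scope, creds);

        HttpState state = client.getState();

        // A challenge from the trusted host/port/realm resolves to the credentials.
        Credentials hit = state.getCredentials(
                new AuthScope(TRUSTED_HOST, TRUSTED_PORT, TRUSTED_REALM));

        // A challenge from any other host finds nothing, so nothing is sent.
        Credentials miss = state.getCredentials(
                new AuthScope("untrusted.example.org", 443, "Some Realm"));

        System.out.println("trusted host match:   " + (hit != null));   // true
        System.out.println("untrusted host match: " + (miss != null));  // false
    }
}
```

If the realm is not known in advance, AuthScope.ANY_REALM can be used for the realm argument while the host and port stay pinned; that is still far narrower than AuthScope.ANY, which the post's debug-only snippet uses.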