users@jersey.java.net

[Jersey] Forwarding HTTP authentication credentials

From: Martynas Jusevičius <martynas_at_graphity.org>
Date: Fri, 28 Nov 2014 12:52:01 +0100

Hey,

I have a Jersey 1.x based platform, which in some cases has to work as
a proxy and forward HTTP requests. And in some of those cases, they
are authenticated using HTTP Basic.

I have to decode the Authorization header into username/password to
check credentials against the database -- no surprise there. I also
know I can use HTTPBasicAuthFilter to pass these credentials on to the
Client request.

But where do I store these credentials in the meanwhile? One obvious
choice would be to store username/password in my SecurityContext
implementation, where they would remain request-scoped.

I wonder, however, if this is normal practice, or whether there is a better way?
Storing credentials in memory is considered a security risk, to some extent:
http://www.oracle.com/technetwork/java/seccodeguide-139067.html#2


Martynas
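A sketch of the request-scoped approach described above, added here as an example rather than code from the original post. It assumes the Jersey 1.x server and client APIs (ContainerRequestFilter, ContainerRequest, HTTPBasicAuthFilter), Java 8's java.util.Base64, and leaves the database check as a placeholder; a resource would obtain the holder via `@Context SecurityContext` and call `forward(...)` on it.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;

public class BasicAuthForwardingFilter implements ContainerRequestFilter {

    /** Request-scoped holder: referenced only by the ContainerRequest, so it dies with the request. */
    public static final class Credentials implements SecurityContext {
        private final String username;
        private final char[] password; // char[] so it can be wiped once forwarded

        Credentials(String username, char[] password) { this.username = username; this.password = password; }
        public Principal getUserPrincipal() { return new Principal() { public String getName() { return username; } }; }
        public boolean isUserInRole(String role) { return false; } // role lookup is out of scope here
        public boolean isSecure() { return false; }
        public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }

        /** Forward to the upstream with the same Basic credentials, then wipe the password. */
        public ClientResponse forward(String upstreamUri) {
            try {
                Client client = Client.create();
                client.addFilter(new HTTPBasicAuthFilter(username, new String(password)));
                return client.resource(upstreamUri).get(ClientResponse.class);
            } finally {
                Arrays.fill(password, '\0'); // best effort: the String copy handed to the filter cannot be wiped
            }
        }
    }

    /** Parse "Basic base64(user:pass)"; anything malformed yields null (rejected with 401 below). */
    static Credentials decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try { raw = Base64.getDecoder().decode(header.substring(6).trim()); }
        catch (IllegalArgumentException e) { return null; }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 1) return null; // user-id must be non-empty and must not contain ':'
        return new Credentials(pair.substring(0, colon), pair.substring(colon + 1).toCharArray());
    }

    @Override
    public ContainerRequest filter(ContainerRequest request) {
        Credentials creds = decodeBasic(request.getHeaderValue(HttpHeaders.AUTHORIZATION));
        if (creds == null) {
            throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"proxy\"").build());
        }
        // Placeholder: check username/password against the database here before accepting them.
        request.setSecurityContext(creds);
        return request;
    }
}
```

The residual exposure the Oracle guideline refers to is the immutable String that HTTPBasicAuthFilter takes, which stays in the heap until garbage collected; the char[] is only wiped for the copy this holder owns.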