Hey guys. I'm using QNetworkAccessManager to fetch data from a REST server using GET requests and it works great. I would like to introduce some authentication; however, I have some security concerns, and since this is not my field of expertise I figured here would be a good place to double check what's going on :)
Firstly, I am aware that I can pack authentication credentials into the request header; however, if I understand correctly this is essentially going to expose them pretty much in plain text. Therefore the logical solution would be to secure the connection with SSL, i.e. use an HTTPS request instead. I'm led to believe that HTTPS headers are encrypted, so everything at this point should be nice and secure. QNetworkAccessManager is pretty transparent in terms of SSL, so here is a question. Is it sufficient to simply modify my query from "http://foobar" to "https://foobar" and to handle the possible QNetworkReply::sslError() signal?
If so, would my credentials be SSL encrypted in the following snippet, where I'm packing them into the initial request? Or do I need to wait for the QNetworkAccessManager::authenticationRequired() signal to be emitted before providing those credentials?
```cpp
// Create request
QNetworkRequest request;
request.setUrl( QUrl( "https://myRestServer.com/myQuery" ) );

// Pack in credentials
QString concatenatedCredentials = username + ":" + password;
QByteArray data = concatenatedCredentials.toLocal8Bit().toBase64();
QString headerData = "Basic " + data;
request.setRawHeader( "Authorization", headerData.toLocal8Bit() );

// Send request and connect all possible signals
QNetworkReply *reply = manager->get( request );
connect( reply, SIGNAL(readyRead()), this, SLOT(slotReadyRead()) );
connect( reply, SIGNAL(error(QNetworkReply::NetworkError)), this, SLOT(slotError(QNetworkReply::NetworkError)) );
connect( reply, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(slotSslErrors(QList<QSslError>)) );
```
Thanks in advance, Aaron.
I think you are right, but it's always good to double-check. Try looking at your packets with some sniffer (like Wireshark).
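An added example, not part of the posts above: the `Authorization: Basic` value from the question is base64, which is an encoding rather than encryption, so its confidentiality comes only from the TLS channel. The sketch uses standard C++ without Qt; the helper names `basicAuthHeader` and `recoverCredentials` and the sample credentials are hypothetical, chosen for illustration.

```cpp
#include <iostream>
#include <string>

static const std::string kB64 =  // standard base64 alphabet (RFC 4648)
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

std::string base64Encode(const std::string& in) {
    std::string out;
    unsigned buf = 0, bits = 0;
    for (unsigned char c : in) {
        buf = (buf << 8) | c;
        for (bits += 8; bits >= 6;) { bits -= 6; out += kB64[(buf >> bits) & 0x3F]; }
    }
    if (bits > 0) out += kB64[(buf << (6 - bits)) & 0x3F];
    while (out.size() % 4) out += '=';
    return out;
}

std::string base64Decode(const std::string& in) {
    std::string out;
    unsigned buf = 0, bits = 0;
    for (char c : in) {
        std::size_t v = kB64.find(c);
        if (v == std::string::npos) break;  // '=' padding (or junk) ends the data
        buf = (buf << 6) | static_cast<unsigned>(v);
        if ((bits += 6) >= 8) { bits -= 8; out += static_cast<char>((buf >> bits) & 0xFF); }
    }
    return out;
}

// Fail closed: credentials are only attached to a (lowercase) https:// URL.
bool basicAuthHeader(const std::string& url, const std::string& user,
                     const std::string& pass, std::string& header) {
    if (url.compare(0, 8, "https://") != 0) return false;
    header = "Basic " + base64Encode(user + ":" + pass);
    return true;
}

// What any reader of the header recovers, with no key needed: "user:pass".
std::string recoverCredentials(const std::string& header) {
    if (header.compare(0, 6, "Basic ") != 0) return "";
    return base64Decode(header.substr(6));
}

int main() {
    std::string h;  // constructed sample credentials (the RFC 7617 example pair)
    if (basicAuthHeader("https://myRestServer.com/myQuery", "Aladdin", "open sesame", h))
        std::cout << h << " decodes to " << recoverCredentials(h) << "\n";
}
```

The same scheme check can sit in front of `setRawHeader()` in the Qt snippet, and the `sslErrors` slot should let the request fail rather than ignore the errors, since an unverified certificate means the header may be readable by whoever terminated the connection.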