I know that this question is answered several times but i couldn't figure out how should i do this.
How should i send critical information like passwords etc. My Host provider grants SSL certification.
Should i do it with HttpPost or it needs to be more secured.
Here is my POST snippet.
HttpPost post = new HttpPost("http://example.com/");
NameValuePair[] data = {
new NameValuePair("a", "b"),
new NameValuePair("c", "d")
};
post.setRequestBody(data);
InputStream in = post.getResponseBodyAsStream();
Any help would be appreciated.
You are confusing the request type (POST, GET, etc) with the transport method (HTTP, HTTPS).
If you have been provided with an SSL cert you should set your server up to listen on a secure connection (usually 443 for HTTPS, but not necessarily for a server).
Your calls should then be routed to https://[your_server]/. They will then be secure.
And really, you should look into using a library for making requests. You are probably going to hit the 'network traffic on the main thread' warning quite soon. Look into 'Fast Android Networking' or 'Volley'.
Related
I'm trying to connect to a web server for my application that requires an SSL client certificate for authentication. From the standard documentation, I can't tell how to reuse an SSL session for multiple requests (I don't want to have to a full SSL handshake for every single request as this causes major overhead). Can someone point me in the right direction?
EDITI've seen in other posts that HttpClient might be a solution but as of Android 6.0 this has been deprecated in favor of HttpsUrlConnection. Using the following code:
SSLContext sslContext;
HttpsUrlConnection connection = url.openConnection();
connection.setSSLSocketFactory(sslContext.getSocketFactory());
Does a new FULL SSL handshake occur (probably right?) everytime I create a new connection. How do I reuse the session?
I can't tell how to reuse an SSL session for multiple requests
It's automatic.
(I don't want to have to a full SSL handshake for every single request as this causes major overhead)
It would cause major overhead, if it ever happened, but it doesn't.
Does a new FULL SSL handshake occur (probably right?) everytime I create a new connection?
No.
How do I reuse the session?
It should happen by default, subject to session timeouts at the server.
I'm trying to implement a RESTful web service using Spring. I've set up Spring Security to work on the links that apply to the REST service. I make calls to this web service from an Android application. What I've done now is connect to it using Basic Authentication. What I'm struggling with is finding decent information about how secure this really is. I figure I should at least be making these calls through SSL or something no?
My code on the Android client that calls the REST client
public MyClass callRest() {
final String url = "http://10.0.2.2:8080/myservice/rest/getSomething";
HttpAuthentication authHeader = new HttpBasicAuthentication(username,
password);
HttpHeaders requestHeaders = new HttpHeaders();
requestHeaders.setAuthorization(authHeader);
requestHeaders.setAccept(Collections
.singletonList(MediaType.APPLICATION_JSON));
RestTemplate restTemplate = new RestTemplate();
restTemplate.getMessageConverters().add(
new MappingJacksonHttpMessageConverter());
try {
ResponseEntity<MyClass> response = restTemplate.exchange(url,
HttpMethod.GET, new HttpEntity<Object>(requestHeaders),
MyClass.class);
return response.getBody();
} catch (HttpClientErrorException e) {
return new MyClass();
}
}
So what I've put in my Spring Security config right now:
<http auto-config='true'>
<intercept-url pattern="/rest/**" access="ROLE_USER"
requires-channel="https" />
</http>
I can't figure out where to go from there, because now the connection doesn't work anymore of course because of the https. I can't seem to find decent examples of how to figure this out using the Resttemplate.
Any help?
HTTP Basic Authentication is reasonably safe when used over HTTPS since the user and password fields are sent over an encrypted connection so they are much less vulnerable to man-in-the-middle attacks. There are some interesting points here: Securing an API: SSL & HTTP Basic Authentication vs Signature
In my opinion, if you are making a API with access to user's sensitive data (i.e. bank account details, credit card numbers, email addresses and passwords) then you may want a more secure approach because HTTP Basic Authentication is succeptible to brute force attacks as it is always available (unless you build in deterrents such as maximum retries etc.) If your API is for a game or basic business data then there should be less attraction for a hacker to spend the time on it.
Does your server support HTTPS - often you need to pay extra for a HTTPS certificate or you have to use a shared once which give you a subdomain on a shared HTTPS domain - i.e. https//your-site.your-hosting-provider.com/. You need to check this perhaps.
UPDATE 1: Your problem appears to be with your server and not with your program. Check out this blog post for information about how to set up HTTPS on your Tomcat Server. You need to do this before you can use HTTPS from your Spring application - looking at your code, there doesn't seem to be a problem other than your server.
Also try this.
UPDATE 2 Once you have access, you will then need to trust the certificate on the Android device (or your Java installation if you were making a desktop/web application). It needs to be trusted because you created it yourself rather than a CA authority. See this answer: Trusting all certificates using HttpClient over HTTPS (Not the part about trusting all certificates - this can be dangerous).
it is my second time asking a question on stackoverflow. I'm trying to access to my local apache server that I've set up on my desktop computer (ip that starts with ie. 192.168.1*.**)on my android phone. but somehow it does not allow me to access to the server at all! :( strangely, sometimes it does allow me to access to the server lol! but it's only one out of 20 for each attempts. Also, it doesn't allow me to access to the server on my laptop either.. I really need some help guys.. it was working fine when i was working locally within my desktop pc by using emulator. I've done quite a lot of research about it but i wasn't able to find any solutions.
Thank you guys
=====================================
ArrayList<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();
HttpClient client = new DefaultHttpClient(setHttpParams());
HttpPost request = new HttpPost(PATH + FILENAME);
if (json != null) {
request.setEntity(new ByteArrayEntity(json.toString().getBytes("UTF8")));
request.setHeader("json", json.toString());
} else {
request.setEntity(new UrlEncodedFormEntity(nameValuePairs));
}
HttpResponse response = client.execute(request);
so that is the code, error occurs when it tries to execute the request. request includes the apache server ip PATH (192.168.**) + FILE_NAME(ie. index.php). I know why it causes the error because i cannot access to the 192.168.* server and read the desired file. I need help with this =(
For the computer running the webserver:
Make sure that your personal firewall rules are not preventing access to the web server.
For your phone to access the webserver over the air the server needs to be accessible from the web. It could be that your machine is behind a corporate firewall which is preventing access to it from external sources.
If you simply want to access it from the phone, make sure that both the webserver and phone are on the same network i.e. they have IP addresses from the same address range. You can do that by connecting your machine to wireless AP (either via ethernet or wireless) and making sure that your phone is connected to the same wireless AP.
Moreover I just read your question again and noticed the line
it does not allow access to to the server on my laptop either
If you cannot access the webserver locally on the machine it is runnning on then there is something wrong in the way you configured your web server.
So first make sure that your web server is running and configured properly. Open a browser and go to http://localhost or http://192.168.x.x if everything is configured right you will be able to access your web pages.
Basically this is networking 101, if it is still giving you problem post some details such as what webserver, what port etc.
If you are new to networking concepts and don't know how to configure a web server say Apache just Google how to configure Apache or use something called XAMPP which is a developer friendly bundle containing Apache, MySQL, PHP, FileZilla etc. Note that XAMPP shall never be used in a production environment as its default configuration is done in a way to make it easier to install, configure and run above mentioned packages for new users.
I have a RESTful rails backend where http requests(GET, PUT, POST, etc.) have much to do with controller actions (index, new, create, etc.)
I am building an android app, and I built an api_key controller that assigns all users with an api_key where from the mobile app, every request sends this api_key for verification.
Every request from android to rails has params[:api_key] for verification and it works.
Up until now, I have used both HttpPost and HttpGet, but I know that GET is insecure because it sends the parameters in the header. I don't want someone to sniff the api_key in the header when I send HttpGet requests.
Then, is it possible to simply use HttpPost even in controller actions that generally require GET requests?
Thanks
Using the POST HTTP method does not make the data any more secure, if someone intercepts it then they can retrieve the API key whether it is attached to the URL or in a form.
If you are worried about security, then you may want to think about using HTTPS or some kind of secure authentication system.
With rails the method just determines where rails will route the request to. As long as the request ends up in the right action, in the correct controller then rails will provide the key in the params hash exactly the same whether it is attached to the URL as a paramater or in a form.
So basically i need my android app to connect to a web service using a url as such
"http://username:password#0.0.0.0" aka basic authentication.
obviously the username and password are checked by the web app before allowing access and otherwise doesn't allow the request.
my issue is that all the methods i try always say unauthorised (response code 401) regardless of what combination of classes and methods ive used to try and connect to the the url.
The web app in question is designed to return things only is un/pw clears otherwise it returns nothing, the web app and un/pw etc have all be checked and cleared.
so does anyone no the correct way to send a request to a url like that and have it work correctly?
android api8 btw
UPDATE
Turns out my issue is due to the web app using NTLM windows authentication which is not supported directly by androids/apache http library, investigating appropriate workarounds now
Here's some code form a really old project of mine. I used basic auth for some web service, and this worked at the time. I'm not sure if there are updated api's since then (this was Android 1.6), but it should still work.
HttpGet request = new HttpGet();
request.setURI(new URI(url));
UsernamePasswordCredentials credentials =
new UsernamePasswordCredentials(authUser, authPass);
BasicScheme scheme = new BasicScheme();
Header authorizationHeader = scheme.authenticate(credentials, request);
request.addHeader(authorizationHeader);
Basically, Basic HTTP auth is a simple hash of the user and password. The browser allows you to stuff these values in the url, but it actually does the work of adding the basic auth header to your request.