I'm newbie in development and I have to develop android sdk. It's going to wrap network API and provide OAuth 2.0 authentication functionality. Also web sockets for session ending and push notifications will be included in sdk. I'm planning to use Facade design pattern:
public interface SdkFacadeInterface {
AuthenticateRequest authenticate(); // http request
StartCallRequest starCall(); // http request with establishing websocket connection, push notification sending
SelectGatewayRequest selectGateway(); //http request
EndCall endCall(); // http request called after web sockets connection closes
HistoryRequest getHistory(); // http request
void setFirebaseToken(Context context, String firebaseToken);
interface Builder {
Builder setCliendId(String cliendId);
Builder setClientSecret(String clientSecret);
Builder enablePushNotifications(booleanenablePushNotifications);
Session build();
}
}
After authentication I need to save refresh token and access tocken to the phone storage, I'am planning to use SharedPrefs for it. I have the following questions:
What architecture should I use? Is there some architectural patterns for sdks which I can use
Maybe you know some sdk on github which I can use as reference for my project.
Can I use retrofit for http request or I rather use AsynTask with HttpUrlConnection so my sdk will have as little external dependencies as possible
Sdk development is different from applications development, what should I take in consideration for developing sdk(all suggestions and ideas a welcomed)
How should I handle bad input from clients, should I throw exception or just write error to logs (Log.e(..))
Thanks in advance
Related
I am developing Android native application integrated with IBM MobileFirst backend.
I have issue with some operations that required custom authentication with predefined realm for example ("testAuthRealm")
and when I call any operation that requires authentication and user is not authentication it is returning a response with some details:
WL version: 7.1
Anyway, I can detect from the response that the user is not authenticated
but I think this is not a good way to check authentication.
my inquiry:
is there any supported method from the MF SDK to check user authorization for realm?
is that good to check authorization from the response?
advise please
If you request a protected resource, the server response will contain the authorization status required ( based on your custom authenticator implementation). This server response would kick off the challenge handling procedure in your client application. This is by design. Refer to Custom Authentication documentation. This way you need not separately check for the authorization status yourselves and then try to login.
Is there any supported method from the MF SDK to check user authorization for realm?
You can consider one of the following APIs in the client SDK:
a) isAuthorizationRequired
b) getUserIdentity
c) getLoginName
d) getUserName
Is that good to check authorization from the response?
Challenge handling at the client will depend on the status of authorization(from the server response). Based on this status, you either handle the challenge or allow access. So, you need to check and verify the server response to complete the authentication flow.
I'm working on an android apps. I am using ionic framework. In some pages I need to get data from a web server and the result is an object json.
My problem is if some one arrives to GET the pages where I get the json data, one can fetch all my database data by changing the http request.
Is there any way that can improve security of my apps?
You should make some kind of authentication mechanism, for example, a token in the header, that way you know wether the user has access to that resource or not.
So when you make your request you can generate a configuration for that particular request.
Example:
var url = "http://yourserver.com/api/your/path";
var config = {
"headers": {
"Authorization": "Bearer someBearerFromTheServer"
}
};
$http.get(url, config);
The backend implementation for this to work depends on the language you use. Here google is your best friend.
A more advanced way to do this, is to use interceptors in the $http service and attach the token to the header in every request, but be careful, you should secure this so you won't send your credentials to every request you make (sometimes your app might need to request data from another server).
You can read more about $http services and its configurations in the $http service documentation.
Regards
Would like to use Retrofit for handling network requests between Android Client and GAE endpoints.
GAE endpoints give Client/Server endpoint libraries to handle all the networking and also Oauth2 authentication which is nice.
Retrofit helps well for asynchronous call, cancellation, parallel calls...so is better than android client asynctask.
So can this Retrofit lib be configured with Appengine GAE endpoints or need to go through normal GAE servlet?
Just to clarify my question and make answers clear for any who read this :
I had for my App :
Client side : cloud endpoint library generated by google plug in for eclipse
Back end side GAE : different API with methods coded in JPA such as :
#ApiMethod(name = "insertMyShareItem")
public ShareItemData insertMyShareItemData(ShareItemData shareitemdata) {
logger.log(Level.SEVERE, "insertMyShareItem");
}
Advantages of google cloud endpoint was endpoint libray , easy use of Auth2 and automatically use of secure connections via HTTPS
Now I want to give up Async task in order to implement Retrofit or Volley. I understood I cannot use google cloud endpoint anymore and need to transform my methods on GAE Back end side in methods which extends HttpServlet so I can access them by URL call with normal setup of Retrofit.
Which means now I need to care :
how I pass my object to Retrofit and how I retrieve them on back end
how I transform Retrofit HTTP call in a HTTPS call for secure connection
how I implement and manage Auth2 and tokens between Client and GAE back end to establish secure authentication.
This is what I understood from search and below answers.Thks
Use the Google Cloud API URL as the base URL and proceed with the normal setup of Retrofit. I don't think it is a big deal. Here is a link to a tutorial that could help you get started with Retrofit.
[source]
In my asp.net mvc4 project, I am using ApiControllers to serve both web clients and mobile clients. To secure the web services, I am using the [Authorize] annotation.
So for now, the web client is working fine. However, when I tend to invoke some Web API from a mobile application (e.g. Android), I got an error.
when I looked back at code snippet:
[Authorize]
public List<double> GetSomeInfo(int param1, string param2)
{
User user = SessionData.CurrentUser;
// do something using user.UserId
// ....
}
Session Data does hold user connected properties only when he is connected to the Web App. But in the case of mobile clients, Session Data is null. So, is there any appropriate method to resolve this problem.
In my opinion, I think that userId should be provided as a parameter for any Web API that may need it to do achieve some treatment.
What do you think ?
You are talking about two different things :
Session
As Darrel said, Web Api was not design to support Asp.net Session. HTTP and Rest Services are stateless – and as a result each HTTP request should carry enough information by itself for its recipient to process it to be in complete harmony with the stateless nature of HTTP.
So, do not rely on Session Variables, but add more paramters in your request.
Of course, there are a way to use session in Web Api, I suggest you to to use it.
Authentication
Because working with only paramaters ( such as UserId, AccountId, ...) is not very secure, you have to use Authentication and Authorization. I highly suggest you to read the security section in asp.net web api web site. Web Api support many authentications (Basic, OAuth, Windows, Custom, ...). You have to choose what is the best for you.
Web API was not designed to support sessions as they are a HTTP anti-pattern. You can get the currently authenticated user by accessing Thread.CurrentPrincipal if you have setup the necessary authentication mechanisms.
I'm trying to implement a RESTful web service using Spring. I've set up Spring Security to work on the links that apply to the REST service. I make calls to this web service from an Android application. What I've done now is connect to it using Basic Authentication. What I'm struggling with is finding decent information about how secure this really is. I figure I should at least be making these calls through SSL or something no?
My code on the Android client that calls the REST client
public MyClass callRest() {
final String url = "http://10.0.2.2:8080/myservice/rest/getSomething";
HttpAuthentication authHeader = new HttpBasicAuthentication(username,
password);
HttpHeaders requestHeaders = new HttpHeaders();
requestHeaders.setAuthorization(authHeader);
requestHeaders.setAccept(Collections
.singletonList(MediaType.APPLICATION_JSON));
RestTemplate restTemplate = new RestTemplate();
restTemplate.getMessageConverters().add(
new MappingJacksonHttpMessageConverter());
try {
ResponseEntity<MyClass> response = restTemplate.exchange(url,
HttpMethod.GET, new HttpEntity<Object>(requestHeaders),
MyClass.class);
return response.getBody();
} catch (HttpClientErrorException e) {
return new MyClass();
}
}
So what I've put in my Spring Security config right now:
<http auto-config='true'>
<intercept-url pattern="/rest/**" access="ROLE_USER"
requires-channel="https" />
</http>
I can't figure out where to go from there, because now the connection doesn't work anymore of course because of the https. I can't seem to find decent examples of how to figure this out using the Resttemplate.
Any help?
HTTP Basic Authentication is reasonably safe when used over HTTPS since the user and password fields are sent over an encrypted connection so they are much less vulnerable to man-in-the-middle attacks. There are some interesting points here: Securing an API: SSL & HTTP Basic Authentication vs Signature
In my opinion, if you are making a API with access to user's sensitive data (i.e. bank account details, credit card numbers, email addresses and passwords) then you may want a more secure approach because HTTP Basic Authentication is succeptible to brute force attacks as it is always available (unless you build in deterrents such as maximum retries etc.) If your API is for a game or basic business data then there should be less attraction for a hacker to spend the time on it.
Does your server support HTTPS - often you need to pay extra for a HTTPS certificate or you have to use a shared once which give you a subdomain on a shared HTTPS domain - i.e. https//your-site.your-hosting-provider.com/. You need to check this perhaps.
UPDATE 1: Your problem appears to be with your server and not with your program. Check out this blog post for information about how to set up HTTPS on your Tomcat Server. You need to do this before you can use HTTPS from your Spring application - looking at your code, there doesn't seem to be a problem other than your server.
Also try this.
UPDATE 2 Once you have access, you will then need to trust the certificate on the Android device (or your Java installation if you were making a desktop/web application). It needs to be trusted because you created it yourself rather than a CA authority. See this answer: Trusting all certificates using HttpClient over HTTPS (Not the part about trusting all certificates - this can be dangerous).