I thought I had read somewhere a while ago that Android apps send their id in HTTP requests made from within the app.
I seemed to remember that the id was sent as the HTTP referrer.
I cannot, however, find any mention of this anywhere now.
Did I dream it, or is the id sent somewhere else?
(I understand the unreliability and spoofability of the HTTP referrer header)
Is there any other way to identify which app is making a request to an HTTP server?
I am not sure if your question is generic or for all http requests.
I think following link can help you
https://cloud.google.com/appengine/docs/java/appidentity/
Related
I am new to web development. I had a web project with EJS templating. It redirects directly from the server. Using res.redirect() . I want to create a server for web and mobile both.
Question is... When i use res.json() it sends JSON data to client side. Can work for both.
It is possible to use res.redirect() for both. Web and mobile.
Pros and cons of res.rediret and res.json
Please explain. I appreciate your suggestions in adv. Thanks.
It is possible to use res.redirect() for both. Web and mobile.
If you mean can you use res.redirect() as an alternative to res.json() then the answer is NO. res.redirect() is not an alternative to res.json. res.redirect() only sends a code and a URL back to the client, there is no data in the response. You will still need to use res.json or res.send to get the data you need. Every time you use res.redirect() you are sending a response to the client telling them to make a brand new request to another location. You're not sending any real data. The android app will not get any content till you use res.json or res.send. Redirects just tell the client go get the data from somewhere else.
Below are example responses to an android app when the server uses res.json and res.redirect
res.redirect("/user")
//Response to Android app
302 /user
The response above means what you want is located at "/user" so the mobile app will need to make a request to
res.json(user)
//Response to Android app
{
name: "Arpit Yadav",
phone: 555-555
}
res.redirect sends status code 302 (if not specified), and location (route) to browser, after which browser redirects the request to the specified location, whereas res.json sets Content-Type: application/json and sends data to the browser.
Redirection is generally meant for browser only, but, you can use it for mobile. In that case, you have to handle the logic to re-request with updated location received from server that is not recommended.
In nutshell, both have different purpose. res.redirect to move clients to different route and res.json to actually sends the data.
I am confronting myself with a problem that I do not know how to interpret. I am doing a project using Android and Google App Engine. When I am trying to save information in Google App Engine's Big Table, directly from the servlet (hardcoded) - the save is performed with no problem. But when I am trying to save data from my Android device, the save is not performed and the log indicates Apache-HttpClient/UNAVAILABLE error. To be more specific:
405 55ms 0kb Apache-HttpClient/UNAVAILABLE (java 1.4)
82.155.246.249 - - [10/Jun/2013:05:20:59 -0700] "POST /servletnamehere HTTP/1.1" 405 306 - "Apache-HttpClient/UNAVAILABLE (java 1.4)" "appnamehere.appspot.com" ms=56 cpu_ms=21 cpm_usd=0.000034 app_engine_release=1.8.0 instance=00c61b117cede3f754aa1ece730dc88287a20199
I have seen that 405 HTTP error appears in the context of a POST method ( "405 errors often arise with the POST method. You may be trying to introduce some kind of input form on the Web site, but not all ISPs allow the POST method necessary to process the form." ) => indeed, I am trying to perform add (the object is a JPA Entity) in the database using a POST method. The data I am receiving from my Android device is serialized, through an input stream (in my case, working with JSON is not an option, these are the specifications).
Also, 306 HTTP error reffers to switch proxy. While the porevious error might be a bit intuitive, this one is beyond my student knowledge.
I have followed the instructions of this tutorial (http://trumpy.cs.elon.edu/joel/sigcse2011/), which is indeed what I need, but I really cannot figure out what I did wrong. I took again the procedure, stept by step, but I don't see the flaw.
Any help will be indeed appreciated. If I should post some code, I'll gladly do it.
Best wishes,
Cropcircles
LATER EDIT:
Now I get 417 HTTP error expectation failed. I have seen that I am supposed to set a certain parameter on false, but this workaround was available only for .NET. Is there anyone who knows what's the correspondent of the following, in Java? I am really really confused.
<system.net>
<settings>
<servicePointManager expect100Continue="false" />
</settings>
</system.net>
This is not an answer, but is too long for a comment and may be helpful, so here goes...
First, it's hard to tell what's going on here because there is limited info. Try to post more of the logging either on the client or on the server. Go to the server console and get more info, for instance, or add debugging in the client. I'd start by trying to make the POST from a debug/testing tool like hurl.it: http://www.hurl.it/ (hurl is a nice web front end to a command line HTTP client named curl, see curl itself if you want a more advanced peek). That way you can test and poke around and make SURE your server side works as you expect with a generic client. Then build other clients (like Android).
Second, "Apache-HttpClient/UNAVAILABLE" is not an error, it's just the user-agent String -- so ignore that part. (UNAVAILABLE is where the version typically is, but some impls don't have access to the version sometimes, it seems.)
Third, the 405 response code IS an error, it means POST is not allowed at the server you are trying to POST to. That can either be because POST is not allowed at all on said server, or you're violating some security policy (such as same origin).
If it's AppEngine, first check the APP you are using and make sure it supports POST (look for info on how to do POST at AppEngine to solve, for instance: google app engine: 405 method not allowed). When you say you can do it directly from a "servlet," do you mean that a POST from a different client works? (Servlet is a server side technology, so that's a little confusing.) If so then make sure your Android app is doing the client part the same way to the same host (multipart vs urlencoded, etc).
For a little more on the security stuff, which could be involved, see this post: Google App Engine + jQuery Ajax = 405 Method Not Allowed.
I've had the same trouble and in my case It was an error due to no write permission on server side area.
I was following an android test to write on a file a value transmitted in async way via POST method.
Apache received the POST request but was not able to write the data on the file due to security permission on it.
I'm trying to authenticate a mobile application for the Android platform to a custom node.js server api. I would like to use Google OAuth2 tokens for this rather than roll my own authentication, since Android devices with Google Play installed make this available to app developers. I'm using the GoogleAuthUtil.getToken call from the Google Play Services library, documented here. I'm trying to follow the advice outlinedin this android developers blogpost
The getToken method is returning in my case a long 857 byte string. If I try to pass this token to Google's TokenInfo endpoint, it returns:
{'error': 'invalid_token', 'error_description': 'Invalid Value'}
What am I doing wrong here? In the 'scope' of the getToken call, I am sending:
audience:server:client_id:**i_put_my_clientid_here**. I have a clientid generated for "installed applications". Using this client id, the call to getToken doesn't work at all. When I generated a client id for a "service account", the call succeeds, but I get an 857 byte token that fails when passed to the TokenInfo endpoint as described above.
EDIT:
I also created a client id for "web applications", as it appears that is the right client id to use when calling getToken. But the behavior is the same, I get back an 857 byte token that doesn't validate when calling Google's endpoint.
How can I properly get a valid auth token using Google Play services on Android? Once I have the right token, what is the right node.js library to validate it server side? Can I use passport-google-oauth ?
Hm, this is really a comment rather than an answer, but I can’t put newlines in those:
it has to be the web-side Clent ID that goes in the put_my_clientid_here spot
if GoogleAuthUtil.getToken() gives you a String withou throwing an Exception, it really ought to be valid. When you hit tokeninfo, did you use ...tokeninfo?id_token=<857-byte-value-here>
if you’re a rubyist, grab the google-id-token gem and see if it can validate your 857-byte token.
If you just want to read the contents of the data returned by GoogleAuthUtil.getToken then the process is very simple. The returned data is simply a JWT. So all you'd have to do is split the data by the . character, and then base64 (url) decode each piece.
It gets slightly more complicated if you want you want to verify the message's authenticity. Simply use your favorite crypto library to do the verification. The 3rd component of the JWT is the signature of the data and the Google certs are publicly available; that's all you need to verify the message.
For a week I have been looking into how to validate GoogleAuthUtil tokens received in Android Client application at Node.js server using passport.js
Finally I came across passport-google-token passport strategy which perfectly performs the task.
https://www.npmjs.com/package/passport-google-token
More details are present in the above link.
The official node SDK lets you do that now.
Here's the link: https://github.com/google/google-auth-library-nodejs/blob/master/lib/auth/oauth2client.js#L384
I'm not too familiar with the details of how Android works with respect to handing a token from the device to the server. My general impression, however, is that you don't go through the typical web-based OAuth dance. Instead, you directly call the "user info" endpoint, which will return the info corresponding to the user who holds the token, or reject the request if the token is invalid. There's some discussion on this related question:
validating Android's authToken on third party server
In effect, the token becomes a secret that is shared between both the device and your server, so its important to protect it.
There are a couple strategies for Facebook and Twitter that were developed to do similar things using tokens from iOS devices:
https://github.com/drudge/passport-twitter-token
https://github.com/drudge/passport-facebook-token
You can take some inspiration from them and tweak it to talk to Google's endpoints. Let me know how this turns out. I'd love to see a similar "passport-google-token" strategy, so if you implement one, let me know and I'll link to it!
I creating an application that can teather the wifi and act as like a firewall to manage the sessions to their clients .
for example:
If i manage the clients http requests and response..after i authenticated the request ,then only the url has to be visible for them.otherwise it has to say page blocked.
In an Example provided by the google https://developers.google.com/analytics/devguides/collection/android/v2/sessions
It says it can manage sessions But I cant able to integrate it my project .Can anyone worked projects similar to this or anyone used analystics-api, help me to work on this
And how can i get the request page url from the user..
Try this example in your activity ..From this code you able manage your http requests and responses..session-handling-Exampe
Hope will help you..
In my android app i keep getting timeouts in the messages between the app and my server.
In an attempt to see if the problem is in the app or my server,
i want to try and Send an HTTP request from my app to
some other server i am sure is up and reliable and then see if i get timeouts.
Is there any server address i can check against?
Thanks in advance!
BTW : i am using a glass Fish servlet for my server
We've successfully sent a simple HTTP GET to google.com -- with a couple of fall-backs (I've also seen internic.org used) in the past, in similar cases.