I'm trying to implement a RESTful web service using Spring. I've set up Spring Security to work on the links that apply to the REST service. I make calls to this web service from an Android application. What I've done now is connect to it using Basic Authentication. What I'm struggling with is finding decent information about how secure this really is. I figure I should at least be making these calls through SSL or something no?
My code on the Android client that calls the REST client
public MyClass callRest() {
final String url = "http://10.0.2.2:8080/myservice/rest/getSomething";
HttpAuthentication authHeader = new HttpBasicAuthentication(username,
password);
HttpHeaders requestHeaders = new HttpHeaders();
requestHeaders.setAuthorization(authHeader);
requestHeaders.setAccept(Collections
.singletonList(MediaType.APPLICATION_JSON));
RestTemplate restTemplate = new RestTemplate();
restTemplate.getMessageConverters().add(
new MappingJacksonHttpMessageConverter());
try {
ResponseEntity<MyClass> response = restTemplate.exchange(url,
HttpMethod.GET, new HttpEntity<Object>(requestHeaders),
MyClass.class);
return response.getBody();
} catch (HttpClientErrorException e) {
return new MyClass();
}
}
So what I've put in my Spring Security config right now:
<http auto-config='true'>
<intercept-url pattern="/rest/**" access="ROLE_USER"
requires-channel="https" />
</http>
I can't figure out where to go from there, because now the connection doesn't work anymore of course because of the https. I can't seem to find decent examples of how to figure this out using the Resttemplate.
Any help?
HTTP Basic Authentication is reasonably safe when used over HTTPS since the user and password fields are sent over an encrypted connection so they are much less vulnerable to man-in-the-middle attacks. There are some interesting points here: Securing an API: SSL & HTTP Basic Authentication vs Signature
In my opinion, if you are making a API with access to user's sensitive data (i.e. bank account details, credit card numbers, email addresses and passwords) then you may want a more secure approach because HTTP Basic Authentication is succeptible to brute force attacks as it is always available (unless you build in deterrents such as maximum retries etc.) If your API is for a game or basic business data then there should be less attraction for a hacker to spend the time on it.
Does your server support HTTPS - often you need to pay extra for a HTTPS certificate or you have to use a shared once which give you a subdomain on a shared HTTPS domain - i.e. https//your-site.your-hosting-provider.com/. You need to check this perhaps.
UPDATE 1: Your problem appears to be with your server and not with your program. Check out this blog post for information about how to set up HTTPS on your Tomcat Server. You need to do this before you can use HTTPS from your Spring application - looking at your code, there doesn't seem to be a problem other than your server.
Also try this.
UPDATE 2 Once you have access, you will then need to trust the certificate on the Android device (or your Java installation if you were making a desktop/web application). It needs to be trusted because you created it yourself rather than a CA authority. See this answer: Trusting all certificates using HttpClient over HTTPS (Not the part about trusting all certificates - this can be dangerous).
Related
I know that this question is answered several times but i couldn't figure out how should i do this.
How should i send critical information like passwords etc. My Host provider grants SSL certification.
Should i do it with HttpPost or it needs to be more secured.
Here is my POST snippet.
HttpPost post = new HttpPost("http://example.com/");
NameValuePair[] data = {
new NameValuePair("a", "b"),
new NameValuePair("c", "d")
};
post.setRequestBody(data);
InputStream in = post.getResponseBodyAsStream();
Any help would be appreciated.
You are confusing the request type (POST, GET, etc) with the transport method (HTTP, HTTPS).
If you have been provided with an SSL cert you should set your server up to listen on a secure connection (usually 443 for HTTPS, but not necessarily for a server).
Your calls should then be routed to https://[your_server]/. They will then be secure.
And really, you should look into using a library for making requests. You are probably going to hit the 'network traffic on the main thread' warning quite soon. Look into 'Fast Android Networking' or 'Volley'.
Hello every professional,
I'm a new in Android development, recently, I just get into Android area, now I encountered a problem when I tried to access server application with HTTPS request (Like https://DEVELOPMENT_SAMPLE.com/project), we use Spring for Android to handle request, and use ApacheHTTP Server + Tomcat + SSL` as a deployment environment. When I use HTTP request instead of HTTPS request and remove SSL from the deployement environment, the access can be successfully handled. I share the related code from here:
RestTemplate restTemplate = new RestTemplate();
restTemplate.getMessageConverters().add(new GsonHttpMessageConverter());
restTemplate.getMessageConverters().add(new StringHttpMessageConverter());
HttpComponentsClientHttpRequestFactory factory = new
HttpComponentsClientHttpRequestFactory();
factory.setConnectTimeout(1000 * 15);
restTemplate.setRequestFactory(factory);
I know There are two native HTTP clients available on Android, the standard J2SE facilities, and the HttpComponents HttpClient. The standard JS2SE facilities are made available through the SimpleClientHttpRequestFactory, while the HttpClient is made available through the HttpComponentsClientHttpRequestFactory. The default ClientHttpRequestFactory used when you create a new RestTemplate instance differs based on the version of Android on which your application is running.
But the question I want to ask is how to make my HTTPS is available for Android client? I guess some change should be made in getting Connection object.
Thanks so much.
Yes, Android can communicate with HTTPS. Read this link:
Accepting a certificate for HTTPS on Android
See also this excellent article:
Making Android SSL Work Correctly
In my asp.net mvc4 project, I am using ApiControllers to serve both web clients and mobile clients. To secure the web services, I am using the [Authorize] annotation.
So for now, the web client is working fine. However, when I tend to invoke some Web API from a mobile application (e.g. Android), I got an error.
when I looked back at code snippet:
[Authorize]
public List<double> GetSomeInfo(int param1, string param2)
{
User user = SessionData.CurrentUser;
// do something using user.UserId
// ....
}
Session Data does hold user connected properties only when he is connected to the Web App. But in the case of mobile clients, Session Data is null. So, is there any appropriate method to resolve this problem.
In my opinion, I think that userId should be provided as a parameter for any Web API that may need it to do achieve some treatment.
What do you think ?
You are talking about two different things :
Session
As Darrel said, Web Api was not design to support Asp.net Session. HTTP and Rest Services are stateless – and as a result each HTTP request should carry enough information by itself for its recipient to process it to be in complete harmony with the stateless nature of HTTP.
So, do not rely on Session Variables, but add more paramters in your request.
Of course, there are a way to use session in Web Api, I suggest you to to use it.
Authentication
Because working with only paramaters ( such as UserId, AccountId, ...) is not very secure, you have to use Authentication and Authorization. I highly suggest you to read the security section in asp.net web api web site. Web Api support many authentications (Basic, OAuth, Windows, Custom, ...). You have to choose what is the best for you.
Web API was not designed to support sessions as they are a HTTP anti-pattern. You can get the currently authenticated user by accessing Thread.CurrentPrincipal if you have setup the necessary authentication mechanisms.
I have a RESTful rails backend where http requests(GET, PUT, POST, etc.) have much to do with controller actions (index, new, create, etc.)
I am building an android app, and I built an api_key controller that assigns all users with an api_key where from the mobile app, every request sends this api_key for verification.
Every request from android to rails has params[:api_key] for verification and it works.
Up until now, I have used both HttpPost and HttpGet, but I know that GET is insecure because it sends the parameters in the header. I don't want someone to sniff the api_key in the header when I send HttpGet requests.
Then, is it possible to simply use HttpPost even in controller actions that generally require GET requests?
Thanks
Using the POST HTTP method does not make the data any more secure, if someone intercepts it then they can retrieve the API key whether it is attached to the URL or in a form.
If you are worried about security, then you may want to think about using HTTPS or some kind of secure authentication system.
With rails the method just determines where rails will route the request to. As long as the request ends up in the right action, in the correct controller then rails will provide the key in the params hash exactly the same whether it is attached to the URL as a paramater or in a form.
So basically i need my android app to connect to a web service using a url as such
"http://username:password#0.0.0.0" aka basic authentication.
obviously the username and password are checked by the web app before allowing access and otherwise doesn't allow the request.
my issue is that all the methods i try always say unauthorised (response code 401) regardless of what combination of classes and methods ive used to try and connect to the the url.
The web app in question is designed to return things only is un/pw clears otherwise it returns nothing, the web app and un/pw etc have all be checked and cleared.
so does anyone no the correct way to send a request to a url like that and have it work correctly?
android api8 btw
UPDATE
Turns out my issue is due to the web app using NTLM windows authentication which is not supported directly by androids/apache http library, investigating appropriate workarounds now
Here's some code form a really old project of mine. I used basic auth for some web service, and this worked at the time. I'm not sure if there are updated api's since then (this was Android 1.6), but it should still work.
HttpGet request = new HttpGet();
request.setURI(new URI(url));
UsernamePasswordCredentials credentials =
new UsernamePasswordCredentials(authUser, authPass);
BasicScheme scheme = new BasicScheme();
Header authorizationHeader = scheme.authenticate(credentials, request);
request.addHeader(authorizationHeader);
Basically, Basic HTTP auth is a simple hash of the user and password. The browser allows you to stuff these values in the url, but it actually does the work of adding the basic auth header to your request.