Do you know of a web server that I can install on Android (like i-jetty) that would allow hosting applications that are secured with Basic authentication and session cookies ? i-jetty seem to work but does not support session cookies (it seems).
Related
I am hoping this is a simple yes or no answer. I have search and there is never a clear answer, so I am hoping to gain this knowledge.
I have a web service running under https. The server has a SSL installed for the main url that the service runs under.
I have created a tablet Android app and a desktop Windows app that both talk to the web service. Since the web service is https, is all the data that passes between both apps and the web service encrypted? If so, is the username/password that gets passed initially to authenticate with the web service?
Thanks so much!
SSL and HTTPS only encrypts the data while it transits from the client to the server. once it comes to rest on your client or server it is unencrypted.
As for the username and password it depends on what type of Authentication you are using. if you are using Basic Auth, then yes the credentials are encrypted while in transit, but you can look around and see why HTTP Basic auth isnt a good idea for other reasons.
I am developing Cordova app communicating with some server API. I want authorize users with web tokens instead of cookies as I understood this is more secure.
I also understood that I need to encrypt users' info in the token and pass to server somehow (& decrypt?)... What is the correct & secure way to pass web tokens to server from Cordova app?
It is very essential for me to build high level security.
Then implement oauth2 flow over SSL connection.
I have a webapp that is built with Django. It works fine for use on the web, but now I am building a Android app. I am not sure how to go about authenticating the Android app the the Django backend, securely.
This webapp has user profiles. A user can register/login/logout using the web interface. The relevant part of urls.py looks like this:
urlpatterns += patterns('',
url(r'^accounts/login/$', 'django.contrib.auth.views.login', name='login'),
url(r'^accounts/logout/$', 'django.contrib.auth.views.logout', name="logout"),
)
My understanding is that after the user successfully completes accounts/login there is some cookie deposited on the browser which is used for the rest of the connections. Is this correct?
When on an Android device, given a username and password, what is the proper or best way authenticate the user to the Django backend? Do I need to get the cookie like in the browser or is there a better way?
There's a couple of ways you could do authentication, but using the existing Django session support and the cookies it uses is probably the best way.
When you connect to a Django page with the Session Middleware enabled (which you need for login) it'll set a session cookie (generally called 'sessionid', although you can customise that). The users (not) logged in state is stored server-side in a session linked by this session id (unless you're using the cookie-based sessions but's that's an item for another post).
So your Android app can just get the login page, fish out the sessionid (and csrftoken) cookies and then make a post with the username, password, sessionid and csrftoken.
That's the easy way. There's more complex options, which mostly involve making a custom view that spits back JSON and generally starts providing an API for your mobile apps as opposed to make them pretend they're browsers, but that's somewhat more complex on the Django side.
I'm currently developing a web application with Spring Social and Spring Security. In the web application, specific users can signin on Facebook with ProviderSignInController. When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too. This concept is adapted from the spring-social-showcase. Spring Social then enables authenticated users to create Events, which are also created on a facebook page.
Now i want to write a android app which enables users to post to my guestbook and view/create events via my web application. My question now is how to realize the signin from my andoid app. On my web application, a UsersConnectionRepository maps facebook accounts to local accounts. Can i simply reuse this data and signin from my android app in the exact same way as from the web application?
ProviderSignInController adds a path mapping for http://_webapp_/signin/facebook which redirects to a facebook signin page. Can this simply be done with a WebView on android?
Looking on the spring-android-facebook-client im confused. This example seems to manually manage the OAuth authentication. But i havent figured out yet, whether this is the way to go or just another possibility to implement it, when there is no other web application in the background that already manages the authentication.
Any feedback is welcome. Thanks.
Jeyp
Now i want to write a android app which enables users to post to my
guestbook and view/create events via my web application.
The Android client will need a method to sign in to your web application in order to post to a secured RESTful endpoint, and OAuth is a good method for doing this. Spring Security OAuth is an extension of Spring Security that can allow third party mobile or web clients to interact with your web site.
Once you have an OAuth server configured, you can create a custom provider using Spring Social within your Android client to establish an OAuth connection to your web site. Your users will authenticate to your web site with their local credentials in this case. Once connected, your Android app can then post events to RESTful endpoints within your web site, again using your custom Spring Social API bindings.
In this scenario, your users do not authenticate to Facebook from the Android application. This assumes they have already established an account and a connection to Facebook on your web site. And in fact, this is how the SpringSource Greenhouse reference application works.
This brings us back to a previous part of your question:
When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too.
If I understand correctly, you are asking to authorize your Android client to access your third-party web site, with Facebook credentials. While this is certainly possible, it is not currently supported through Spring Social and Spring for Android.
Another option is to consider a mobile version of your web site. That way Android and other mobile devices can then simply sign in to your site just like from a normal browser, using their Facebook credentials. The UI would be more appropriate for mobile devices, and it would eliminate the extra complexity of an additional OAuth server/client configuration.
And finally, to address the last part of your question. This is really a separate issue from the previous parts:
This example seems to manually manage the OAuth authentication.
The primary issue is that Spring Social does not yet support Resource Owner Credentials Grant (ROCG). The addition of this feature would simplify the process of obtaining an access token for Facebook on Android, because you would not have to deal with a browser redirection. See this Spring Social issue for more information.
Because of the lack of ROCG, the Spring for Android sample app is illustrating one method for obtaining the access token using Spring Social. In this case, it is a modified version of the client-side authentication flow. For reference, Facebook has a helpful page describing all the available authentication methods. The webview redirects to a url after successful authentication, at which point the app is able to retrieve the access token from this url.
SpringSource is discussing how to simplify authentication and improve this part of the integration between Spring Social and Spring for Android in future releases.
I'm helping build an Android application that is in synchronization with a Ruby on Rails application. We are working with Android 2.2 and Rails 3.x and Apache on Ubuntu.
This is something that is very new to me. You can register and login from the Android device. In both of these cases a username and password are sent to the server. In other cases where there is synchronization with the Rails application and Android, when a user is logged in, an authentication token is tagged to the end of the URLs. The creation and authentication of these tokens is handled with Devise.
My question is this:
What would be the best way to secure the passing of usernames, passwords, and tokens back and forth between Rails an the Android device?
What about using encrypted communication, for example SSL (HTTPS)?
It is fairly easy to configure Apache for HTTPS communication and it is also natively supported on Android devices.