So I am making an app for Android that needs a web backend. The website is being build in Ruby on Rails. It has a client facing side (pretty HTML pages) but I also want it to be able to serve information to my Android app via JSON. However, I don't want the whole world to be able to get this JSON as it contains some possibly dangerous information. How do I lock down the JSON-formatted pages and still make them accessible from the Android app?
For the record, I am using Rails 3.1 has_secure_password for on-site user authentication, and I'd like to have some routes that are open for HTML requests but locked for JSON (for example, the /users url should be accessible as HTML but as JSON it should only be accessible from my app with some security method).
Is there any way to do this, or does the API have to be a separate app (that would be hugely inconvenient with the DB setup, etc.)?
CLARIFICATION:
Basically what I want to do is create a secure token-based JSON API from my Rails app,and I don't want to use Devise or something that will force me to change how i am already storing my user/pass information.
Depending on which version of rails you are using, part of the work is already done with the respond_to method, which allows you to serve both JSON and HTML for the same url.
Now, to lock down JSON access, you could define a method that checks app access, and call it whenever serving up the JSON response
def with_access_check()
if allowed # Or any verification you want.
yield
else
# Raise a 403 maybe?
end
end
# Then in every method that needs a check:
respond_to :json { with_access_check { render :json => #stuff } }
Finally, unless you're serving very different data on the json and html views (which is weird if you're using the same url for both) consider that nothing can stop an attacker/malicious user from extracting that very same data from your HTML.
Related
One of the requirements for our native mobile apps is to retrieve a config JSON that can easily be changed during production. For example, in our apps, we will hit up a URL that returns a JSON response containing features that the business wants enable, disabled or list of base URLs:
GET https://ourwebsite.com/mobile_config/
RESPONSE
{
"enableFeatureA": true,
"enableFeatureB": false,
"baseUrls": [
"foo",
"bar"
]
}
To meet the requirement of it being configurable during runtime, we're planning to use a content management system, which has a publishing feature. We've recently been looking into AEM as our new publishing tool. My idea is to save a JSON file into the AEM content manager, and when a GET request is made to the URL, the backend will read the JSON file and return it as an 'application/json' content type. However, I can't find any obvious way to achieve the result of returning the contents of the JSON file when making a request using AEM.
Being fairly new to AEM, my guess is just create a jsp file to read the contents. But how do I return it? How do I manage the 'routes'? Do I need to set up a template? Is this the best approach?
Any guide is appreciated.
AEM reserves the use of .json as an extension; it uses it for RESTful views of content in a JSON format. You might have luck using a different file extension, such as filename.foo - but it'll probably give you the wrong mimetype unless you configure Dispatcher to fix this. This probably isn't the most considerate approach.
In short, if you upload a .json file into the DAM, you won't get what you expect. You'll end up with a path that looks something like /content/xyz/abc.json - but it'll render with the AEM JSON code, and give you the properties from the datastore instead of your file.
It is possible to turn off AEM JSON output, but it tends to break things as noted in the Security Checklist. Besides it tends to be blocked in Dispatcher configuration anyway most of the time (depending on local policy).
One approach, assuming that Dispatcher does allow JSON requests (or that you are able to permit this safely) is to create a JSON.jsp a page or component, and have the JSON data as a property. This also can have side effects in the authoring interface, as the JSON can interfere with the edit dialogues.
I think the best option might be to use static replication to publish the file onto a static webserver. This is done as a separate replication queue. There's a related question here that may help.
I have recently done something pretty much identical to what you are asking. I created a featureToggling AEM component to allow runtime authoring of specific features of standalone angular applications. The angular application looks to the JSON content stored for my featureToggle component as the app initialises and enables/disabled features based on the values stored.
The component itself is a multifield that allows me to add multiple feature types with a toggle switch to turn them on or off. The JSON for ALL AEM pages is actually exposed by appending .infinity.json to the end of the url. My angular app simply reads from and interprets the JSON on initialise then shows/hides features of the app.
EG: http://[mysite]/[featureTogglePagename].infinity.json
I am developing a native android application that will post data to a php page. The php page will then update, delete, insert records into a mysql database. Using the app should be the only time the php page is called from. I have been reading, and it seems that using tokens to validate each request is the way to go. I just really don't understand how to do this from a native android application. Authentication is something I don't have experience in. I want to ensure that using the application is the only way that the php backend can modify the database to prevent outside attacks. Can anyone point me in the right track? Any help would be greatly appreciated.
Simplest way to achieve that is to have some random string stored in the Android application. You have to make sure that this string cannot be easily extracted from the app after decompilation. This can be achieved by using proguard + not storing the entire string in one place in the app (for example you can create a set of methods that can be used to generate that random string). You need to make requests to the server using HTTPS. You can then make the app send this string in every request. Server should successfully respond to the requests that contain this string (for example sent in POST parameter) and return an error for all other requests (you need to implement a check on the server to achieve that).
Im building this app (using Unity3d) for a city hall and I need to split the content from the actual app since content must be easily changeable without having to update the app itself.
I want to host the content on a server and use http get/post messages to retrieve the data. I also need to have a web editor (kinda like a CMS) so that the client can change the content himself.
In the editor I would just have a list of "rooms", where each "room" would be one of three types (i.e. text screen, slideshow or audio). Depending on what type the room is, different parameters should be visible and editable.
What language you suggest I write the server in? (the server that the app would contact in order to obtain the up-to-date content) Python i'm guessing here?
What would be the easiest way to build the browser editor? Javascript and django?
If you know Python already and don't want to have to support maintaining a web server for your client it would probably be easy to host the web portion of your app on Google's App Engine. It's relatively easy to use App Engine to serve a simple a web form where the client could edit content and upload binaries. The form could be built using Jinja or Django-style templates, and the data would be written to App Engine's datastore. (also, it's easy to restrict access to the form to app administrators to prevent accidental/malicious edits)
Then the Unity app would query a page on the App Engine server to see if there's new content using the WWW object. The server would make a quick memcache/datastore query and return a JSON response telling Unity if there's more stuff to download or not.
I've done all of this in past projects, so I'm sure it's workable, and a lot of relevant code can be found in App Engine's tutorials and via some light Googling.
I would also look at Wordpress as a CMS. You can create custom forms for different post types. Each "room" type could also be a category type and have custom fields for data to be inputed.
There are loads of plugins to get up and running without too much coding. But you can also dig in and customize with some PHP coding.
The great thing about Wordpress is that media handling, Database interface, user management, privilege and editorial controls, to hand off to a client, are all there. There are loads of tutorials and documentation to get the platform to work for your needs.
Android get connected easily with cloud server.I don't know about others. You can connect using JSON and PHP for this.
You can use .net platform as an backend server.
You could also build Webservices. On my project we work with it. You could also do it with PHP. Try this link: Androidhive.info/how-to-connect-android-with-php
I have created an AppEngine connected Android application, and I'm trying to modify it to be able to store some user data on the server. I do not know what's the easiest way to do so, because I want it to be as simple as possible. I just want to store some basic data for every user. This data is: Name, Email, and some other Strings. I have created a form in the android side which will allow the user to type all the requested data, but I do not know how to send this information to the GAE server and store it in the datastore. I guess I will have to use a Servlet and some kind of RPC service to call the methods. I'm really lost because it is my first time doing this. I'm not experienced neither in android nor in web apps. I hope you can help me.
Update
Well, maybe I did not explain myself well. The system I've been asked to build consists on a web service that store your personal login credentials for most common sites (facebook, gmail, etc). Using a chrome extension, you ask the server for the credentials on the website you are navigating, and then the server asks to your phone for authorization. It will ask (do you give me permission to send your credentials to "some user"), and you have to ansewer yes or no and then the server will act in consequence. The point is that you have to store your credentials in the server in some way, maybe from the android app (which is what I was trying) or from somewhere else. I will also need authentication.
Pd: I use java for the server side.
Since you already started with AppEngine connected Android application, it makes sense to continue customizing it: App Engine Data Access: Adding Entities and RPC.
Update:
There are of course many ways to exchange data between client and server. The most simple would be a servlet handling GET and POST requests with some query parameters.
Also, most popoular lately is REST:
Android REST client: http://appfulcrum.com/2010/08/20/android-how-to-call-rest-service-using-asynctask/ (try using GSON instead to parse JSON)
Server: use a REST framework. My personal choice is RESTEasy. An example: http://ankiewsky.blogspot.com/2010/08/resteasy-on-googleappengine-corerest.html
Update 2:
The simplest possible way - making/handlin a simple POST request:
Android client - making POST request with parameters: http://www.androidsnippets.com/executing-a-http-post-request-with-httpclient
Server handling POST (or GET) and extracting parameters: http://www.exampledepot.com/egs/javax.servlet/GetReqParam.html
Find and follow thoroughly the Topic Index on this page. Gud luck
What are the best ways to connect site and show it's data on an android application ? Also does I have to create anything on server where the site is for using JSON ? I am new to programming web android application's, though I searched a lot I didn't find anything which would explain me straight to the point.
You're on the solid ground starting out using JSON as the interchange between the two.
Alot of popular mobile apps like Twitter and Foursquare have restful APIs set up to interact with their mobile clients by exchanging HTTP requests that contain data formatted as JSON. Most of the communication between the two can be accomplished with HTTP requests using the standard GET and POST methods.
A good place to start would be setting up some server endpoints that output this data and then setting up your android app to request and parse this data just like a browser would. You just need to set the appropriate mimetypes on your server end (application/json).
Most modern server-side languages have implemented modules/functions that can take their native data structures and approximate them in serialized JSON (PHP's json_encode(), python's json.dumps() etc) These can be used to output data from within the app or database to your mobile client where it can be interpreted and used in the Java environment there.
To pass back JSON you need to set the mime type (http://stackoverflow.com/questions/477816/the-right-json-content-type), which is application/json.
If you are passing back JSON or XML then the client just needs to make the appropriate http call, most likely GET, perhaps POST, to actually retrieve the information.
You can use something like this as a starting point:
http://lukencode.com/2010/04/27/calling-web-services-in-android-using-httpclient/