I searched similar question here. Couldn't found one, so please excuse if this is duplicate.
I am writing a RESTful webservice using Spring 3.0.5. There will be few REST services which requires user authentication to update few database tables. Our system has USER table, so the authentication should happen against this table. The client is Android devices. The REST request/responses will be XML (not JSON or HTML). Now I have to implement security for the requests. I did search in forums/mailing list, but not able to find a solution for this. Any guide/ideas would be greatly appreciated.
Thanks in advance.
I suspect you'll need to add username and pw to the payload of your rest methods and have the client collect and pass those along.
If you do, you'll need to consider security implications. Encrypting the pw collected from the user and decrypt in your service before passing along or maybe you'd consider simply requiring SSL connection to be sufficient.
Also, you want to make sure youre using POST and not GET to connect to the service as that would expose the username and pw stuff in the url.
Related
I have created an AppEngine connected Android application, and I'm trying to modify it to be able to store some user data on the server. I do not know what's the easiest way to do so, because I want it to be as simple as possible. I just want to store some basic data for every user. This data is: Name, Email, and some other Strings. I have created a form in the android side which will allow the user to type all the requested data, but I do not know how to send this information to the GAE server and store it in the datastore. I guess I will have to use a Servlet and some kind of RPC service to call the methods. I'm really lost because it is my first time doing this. I'm not experienced neither in android nor in web apps. I hope you can help me.
Update
Well, maybe I did not explain myself well. The system I've been asked to build consists on a web service that store your personal login credentials for most common sites (facebook, gmail, etc). Using a chrome extension, you ask the server for the credentials on the website you are navigating, and then the server asks to your phone for authorization. It will ask (do you give me permission to send your credentials to "some user"), and you have to ansewer yes or no and then the server will act in consequence. The point is that you have to store your credentials in the server in some way, maybe from the android app (which is what I was trying) or from somewhere else. I will also need authentication.
Pd: I use java for the server side.
Since you already started with AppEngine connected Android application, it makes sense to continue customizing it: App Engine Data Access: Adding Entities and RPC.
Update:
There are of course many ways to exchange data between client and server. The most simple would be a servlet handling GET and POST requests with some query parameters.
Also, most popoular lately is REST:
Android REST client: http://appfulcrum.com/2010/08/20/android-how-to-call-rest-service-using-asynctask/ (try using GSON instead to parse JSON)
Server: use a REST framework. My personal choice is RESTEasy. An example: http://ankiewsky.blogspot.com/2010/08/resteasy-on-googleappengine-corerest.html
Update 2:
The simplest possible way - making/handlin a simple POST request:
Android client - making POST request with parameters: http://www.androidsnippets.com/executing-a-http-post-request-with-httpclient
Server handling POST (or GET) and extracting parameters: http://www.exampledepot.com/egs/javax.servlet/GetReqParam.html
Find and follow thoroughly the Topic Index on this page. Gud luck
I am trying to make an android app that requires a user to login against a MS SQL Database.
Having read around the most popular way seems to be to use JSON to do this however I'm not sure how secure this would be (especially if there is no SSL being used).
My question is what are the alternatives available and if JSON is the best/easiest way to achieve this how can I make it more secure? Is this also how big companies (such as dropbox etc) do this?
When I first started Android programming I was told that making a direct connection to the database is considered bad practice, and that an interface (JSP, PHP, .NET) should always be used. I don't know if this is a security thing or not but it would probably be the best for you.
If possible, create a .NET (or whatever server-side language you are comfortable with; .NET would probably be the easiest if you're working with a MS SQL server) page and talk to it over HTTPS (there's your security) and pass it the login info using POST. You could use JSON but name value parameters would accomplish the same thing. Have your page connect to the DB and test the information you pass it against whatever is in it. Then pass back a value that says whether it is correct or not in the response.
EDIT:
This looks like a decent guide to getting HTTPS set up on Android (just browsed through it quickly so I can't vouch for it 100%).
JSON is just the form you pass data in.
Noone stops you from using SSL for the connection. Or encrypting the JSON data in your own way.
I have created an Android app that communicates with a PHP web server. They both send JSON to each other. My app is almost finished, however there is one thing left to do: authentication.
Since the user's username and password will be stored in Android SharedPreferences, is there any need to use PHP sessions, given that the user won't need to enter the username/password at every request?
Since I can just send the username and password in the HTTP POST header for every request, and that I will be using SSL, is this sufficient? I guess I could add an extra field in the header called 'random' that just adds a random value, just to use as a salt so that the encrypted SSL payload will be different every time.
The reason why I don't want to use sessions is that my Android App would either have to handle cookies, or managed the storage of the session ID.
If there are some serious cons to using my method above, then I'm more than happy to use sessions.
Personally, I'm against sending the username and password in the request each time. One thing you could do is generate a unique ID when they log in, and store that in a database on your server, then just pass that instead of the username and password.
I think Google have given this a lot of thought, so doing something similar to what they do wouldn't be a bad idea. If you look at the way they do their
login process, i.e. https://accounts.google.com/o/oauth2/auth
and especially their
token freshining, i.e. https://accounts.google.com/o/oauth2/token
it might feel like overkill, but you might come away with some ideas that could be valuable to your own implementation.
EDIT: oops, almost forgot the documentation link: https://developers.google.com/accounts/docs/OAuth2
I believe that you will be fine with what you have now. As long as you make sure that the user info is securely transfered. The salt is a good idea. It really just depends on how secure you want it.
It is very bad practice to send account credentials in every request.
I think the better way to use Google OAuth2 API - it is VERY simple and safer than local accounts database. Have you considered that option?
I am very new to writing apps so please bear with me!
I am writing an app that needs to communicate securely with a java server (under my control).
Firstly to login to the server, and then send data back and forth. What is the best way of doing this?
My first thoughts was to communicate to a webpage via ssl with the username and password. e.g. login.php with user=xxx and pass=zzz as posted variable. The site returns a random string and saves it in the database.
If the user then stays logged in, this string is saved on the app. This is then sent with every communication. e.g. set_temp.php with string=123456 and temp=20
This seemed easiest to complete, and I have done most of this.
Alternatively, my other thoughts was to go through a sockets approach and commumicate with the Java server directly. Would this be more secure? Is this even possible?
Or are there any other suggestions? How do the big apps like facebook and gmail secure data?
Thanks
Matt
Use SSL protocol. You can create API services on the server and communicate with them. To keep the user logged in use SessionID. Take a look at DefaultHttpClient() class.
I hope this is useful :)
I would use a webservice on your java machine to communicate with. All requests are via HTTPS and you can login the user via the webservice. Also I would add a time limit to the users loggedin session to ensure that he is logged out properly after some time limit.
I'm trying to get json data from a django view (login required)
into a new android app I'm working on.
I would like to authenticate the user against the django login
and keep the cookie/session for all the django view calls to
get data from the server.
I did some googling but nothing helped me,
even if I guess it should be a quite common task.
Maybe I'm facing the problem from a wrong point of view..
So I'll switch the question to:
how can I do some user authenticated json request/response to a django server?
Any clue?
You have to do as the website expects, and you need to persist the session cookie.
What I did is using XML-RPC to do all the transfers.
Not exactly sure if it's the best way, considering django's xml-rpc support is some kind of a hack.
Here's a very detailed XML-RPC handler for django:
https://code.djangoproject.com/wiki/XML-RPC
then, setup ur client end on android.
When communication is okay. Start writing server end API.
from django.contrib.auth import authenticate
and use this function to do authentication.
Then for sessionId stuff, you need to go to backend db to manually do them: https://docs.djangoproject.com/en/dev/topics/http/sessions/
as u can see, this is why I don't think it's the best way. You can't send httprequest, hence most django build-in functions doesn't work.