Re: [android-developers] Android Client Authentication with Spring Security 3
Kevin, You are right - pure REST service should be stateless. But as usual, life is not just black or white and there is lots of room for 'less pure' services. Technically cookie is a part of each request, so you are authenticating with every call, but using session token instead of user credentials. Without using cookies in this example, you would be storing username and password to send with each request anyway. One could argue that keeping disposable session token that expires is safer than keeping username and password, which by their nature have longer life expectancies, therefore security around them should be tighter and cookies offer exactly that. I understand that from service scalability point of view, session-less solution would be easier to scale up. As usual it is a judgement call and that's it. Daniel On 4 August 2011 20:25, Kevin Duffey andjar...@gmail.com wrote: I am wondering why you are making a call to a rest service and trying to keep state? Rest calls typically are stateless. You should pass the credentials each time and the rest service should validate those credentials each time. By storing a cookie you end up having to keep track of timeouts.. what happens in your android app when the cookie expires and you make a request again and it fails due to the cookie being bad? Are you going to ask the user to enter their credentials again? You might be better off storing the entered credentials and sending them on every request. Also, did you write the service? If so, why are you issuing a cookie? Why not just have the service check for credentials every time? On Thu, Aug 4, 2011 at 5:45 AM, Daniel Drozdzewski daniel.drozdzew...@gmail.com wrote: On 4 August 2011 13:27, Asuka c.bau...@gmx.de wrote: Hi Android Developers, I try to connect to a webapplication via my android client. In the webapplication we use spring security 3 to login. The relevant part of the login configuration looks like this: security:http auto-config='true' access-denied-page=/ accessDenied.html security:intercept-url pattern=/** access=ROLE_STANDARD / security:form-login login-page=/login.html authentication-failure-url=/login_error.html default-target-url=/ pages/start/start.html always-use-default-target=true / security:remember-me key=xxx token-validity-seconds=3 data- source-ref=dataSource/ security:logout logout-success-url=/login.html invalidate-session=false / security:session-management security:concurrency-control max-sessions=1 / /security:session-management /security:http So that means, the webapp is able to remember the user. From the android client I call a webservice: public void onLogin(final View v) { EditText username = (EditText) findViewById(R.id.editusername); EditText password = (EditText) findViewById(R.id.editpassword); client = new DefaultHttpClient(); String getToken = ; // Call Webservice HttpPost loginRequest = new HttpPost(PathContainer.baseWebservice +login?); ResponseHandlerString respstring = new BasicResponseHandler(); try { JSONObject credentials = new JSONObject(); try { credentials.put(name,username.getEditableText().toString()); credentials.put(password,password.getEditableText().toString()); } catch (JSONException e1) { e1.printStackTrace(); } StringEntity seUser = new StringEntity(credentials.toString(), UTF-8); loginRequest.setEntity(seUser); getToken = client.execute(loginRequest, respstring); if (getToken != null) { if (getToken.startsWith(token)) { String[]t= getToken.split(:); securtiytoken=t[1]; Cursor token= getContentResolver().query(URI, null, null, null, null); if(token.getCount()==0){ insertTokenIntoDB(this, securtiytoken,username.getEditableText().toString()); }else{ updateToken(this, securtiytoken,username.getEditableText().toString()); } token.close(); this.startMain();
[android-developers] Android Client Authentication with Spring Security 3
Hi Android Developers, I try to connect to a webapplication via my android client. In the webapplication we use spring security 3 to login. The relevant part of the login configuration looks like this: security:http auto-config='true' access-denied-page=/ accessDenied.html security:intercept-url pattern=/** access=ROLE_STANDARD / security:form-login login-page=/login.html authentication-failure-url=/login_error.html default-target-url=/ pages/start/start.html always-use-default-target=true / security:remember-me key=xxx token-validity-seconds=3 data- source-ref=dataSource/ security:logout logout-success-url=/login.html invalidate-session=false / security:session-management security:concurrency-control max-sessions=1 / /security:session-management /security:http So that means, the webapp is able to remember the user. From the android client I call a webservice: public void onLogin(final View v) { EditText username = (EditText) findViewById(R.id.editusername); EditText password = (EditText) findViewById(R.id.editpassword); client = new DefaultHttpClient(); String getToken = ; // Call Webservice HttpPost loginRequest = new HttpPost(PathContainer.baseWebservice +login?); ResponseHandlerString respstring = new BasicResponseHandler(); try { JSONObject credentials = new JSONObject(); try { credentials.put(name,username.getEditableText().toString()); credentials.put(password,password.getEditableText().toString()); } catch (JSONException e1) { e1.printStackTrace(); } StringEntity seUser = new StringEntity(credentials.toString(), UTF-8); loginRequest.setEntity(seUser); getToken = client.execute(loginRequest, respstring); if (getToken != null) { if (getToken.startsWith(token)) { String[]t= getToken.split(:); securtiytoken=t[1]; Cursor token= getContentResolver().query(URI, null, null, null, null); if(token.getCount()==0){ insertTokenIntoDB(this, securtiytoken,username.getEditableText().toString()); }else{ updateToken(this, securtiytoken,username.getEditableText().toString()); } token.close(); this.startMain(); }else{ Toast.makeText(this,Anmeldung fehlgeschlagen ... ,Toast.LENGTH_LONG).show(); this.loginAgain(); } } } catch (ClientProtocolException e1) { e1.printStackTrace(); } catch (IOException e1) { e1.printStackTrace(); } } The webservice looks like this @POST @Produces(MediaType.TEXT_PLAIN) @Path(/login) public String login(String credentials) { JSONObject jo = null; String name = ; String password = ; try { jo = new JSONObject(credentials); name = jo.getString(name); password = jo.getString(password); } catch (JSONException e) { e.printStackTrace(); } HttpResponse r = springSecurityCheck(name, password); for (Header h : r.getAllHeaders()) { System.out.println(h.getName() + + + h.getValue() + ); } String s = r.getFirstHeader(Location).toString(); boolean isError = s.contains(login_error); if (!isError) { Header[] cookies = r.getHeaders(Set-Cookie); for (int i = 0; i cookies.length; i++) { if (cookies[i].toString().contains( SPRING_SECURITY_REMEMBER_ME_COOKIE)) { String[] cookie = cookies[i].toString().split(=); String token = cookie[1].substring(0, cookie[1].indexOf(;)); if (token != null) { return token: + token; } } } } System.out.println( - Login from + name + failed- ); return newLogin; } After the login, a
Re: [android-developers] Android Client Authentication with Spring Security 3
On 4 August 2011 13:27, Asuka c.bau...@gmx.de wrote: Hi Android Developers, I try to connect to a webapplication via my android client. In the webapplication we use spring security 3 to login. The relevant part of the login configuration looks like this: security:http auto-config='true' access-denied-page=/ accessDenied.html security:intercept-url pattern=/** access=ROLE_STANDARD / security:form-login login-page=/login.html authentication-failure-url=/login_error.html default-target-url=/ pages/start/start.html always-use-default-target=true / security:remember-me key=xxx token-validity-seconds=3 data- source-ref=dataSource/ security:logout logout-success-url=/login.html invalidate-session=false / security:session-management security:concurrency-control max-sessions=1 / /security:session-management /security:http So that means, the webapp is able to remember the user. From the android client I call a webservice: public void onLogin(final View v) { EditText username = (EditText) findViewById(R.id.editusername); EditText password = (EditText) findViewById(R.id.editpassword); client = new DefaultHttpClient(); String getToken = ; // Call Webservice HttpPost loginRequest = new HttpPost(PathContainer.baseWebservice +login?); ResponseHandlerString respstring = new BasicResponseHandler(); try { JSONObject credentials = new JSONObject(); try { credentials.put(name,username.getEditableText().toString()); credentials.put(password,password.getEditableText().toString()); } catch (JSONException e1) { e1.printStackTrace(); } StringEntity seUser = new StringEntity(credentials.toString(), UTF-8); loginRequest.setEntity(seUser); getToken = client.execute(loginRequest, respstring); if (getToken != null) { if (getToken.startsWith(token)) { String[]t= getToken.split(:); securtiytoken=t[1]; Cursor token= getContentResolver().query(URI, null, null, null, null); if(token.getCount()==0){ insertTokenIntoDB(this, securtiytoken,username.getEditableText().toString()); }else{ updateToken(this, securtiytoken,username.getEditableText().toString()); } token.close(); this.startMain(); }else{ Toast.makeText(this,Anmeldung fehlgeschlagen ... ,Toast.LENGTH_LONG).show(); this.loginAgain(); } } } catch (ClientProtocolException e1) { e1.printStackTrace(); } catch (IOException e1) { e1.printStackTrace(); } } The webservice looks like this @POST @Produces(MediaType.TEXT_PLAIN) @Path(/login) public String login(String credentials) { JSONObject jo = null; String name = ; String password = ; try { jo = new JSONObject(credentials); name = jo.getString(name); password = jo.getString(password); } catch (JSONException e) { e.printStackTrace(); } HttpResponse r = springSecurityCheck(name, password); for (Header h : r.getAllHeaders()) { System.out.println(h.getName() + + + h.getValue() + ); } String s = r.getFirstHeader(Location).toString(); boolean isError = s.contains(login_error); if (!isError) { Header[] cookies = r.getHeaders(Set-Cookie); for (int i = 0; i cookies.length; i++) { if (cookies[i].toString().contains( SPRING_SECURITY_REMEMBER_ME_COOKIE)) { String[] cookie = cookies[i].toString().split(=); String token = cookie[1].substring(0, cookie[1].indexOf(;)); if (token != null) { return token: + token; } } } } System.out.println( - Login from + name
Re: [android-developers] Android Client Authentication with Spring Security 3
I am wondering why you are making a call to a rest service and trying to keep state? Rest calls typically are stateless. You should pass the credentials each time and the rest service should validate those credentials each time. By storing a cookie you end up having to keep track of timeouts.. what happens in your android app when the cookie expires and you make a request again and it fails due to the cookie being bad? Are you going to ask the user to enter their credentials again? You might be better off storing the entered credentials and sending them on every request. Also, did you write the service? If so, why are you issuing a cookie? Why not just have the service check for credentials every time? On Thu, Aug 4, 2011 at 5:45 AM, Daniel Drozdzewski daniel.drozdzew...@gmail.com wrote: On 4 August 2011 13:27, Asuka c.bau...@gmx.de wrote: Hi Android Developers, I try to connect to a webapplication via my android client. In the webapplication we use spring security 3 to login. The relevant part of the login configuration looks like this: security:http auto-config='true' access-denied-page=/ accessDenied.html security:intercept-url pattern=/** access=ROLE_STANDARD / security:form-login login-page=/login.html authentication-failure-url=/login_error.html default-target-url=/ pages/start/start.html always-use-default-target=true / security:remember-me key=xxx token-validity-seconds=3 data- source-ref=dataSource/ security:logout logout-success-url=/login.html invalidate-session=false / security:session-management security:concurrency-control max-sessions=1 / /security:session-management /security:http So that means, the webapp is able to remember the user. From the android client I call a webservice: public void onLogin(final View v) { EditText username = (EditText) findViewById(R.id.editusername); EditText password = (EditText) findViewById(R.id.editpassword); client = new DefaultHttpClient(); String getToken = ; // Call Webservice HttpPost loginRequest = new HttpPost(PathContainer.baseWebservice +login?); ResponseHandlerString respstring = new BasicResponseHandler(); try { JSONObject credentials = new JSONObject(); try { credentials.put(name,username.getEditableText().toString()); credentials.put(password,password.getEditableText().toString()); } catch (JSONException e1) { e1.printStackTrace(); } StringEntity seUser = new StringEntity(credentials.toString(), UTF-8); loginRequest.setEntity(seUser); getToken = client.execute(loginRequest, respstring); if (getToken != null) { if (getToken.startsWith(token)) { String[]t= getToken.split(:); securtiytoken=t[1]; Cursor token= getContentResolver().query(URI, null, null, null, null); if(token.getCount()==0){ insertTokenIntoDB(this, securtiytoken,username.getEditableText().toString()); }else{ updateToken(this, securtiytoken,username.getEditableText().toString()); } token.close(); this.startMain(); }else{ Toast.makeText(this,Anmeldung fehlgeschlagen ... ,Toast.LENGTH_LONG).show(); this.loginAgain(); } } } catch (ClientProtocolException e1) { e1.printStackTrace(); } catch (IOException e1) { e1.printStackTrace(); } } The webservice looks like this @POST @Produces(MediaType.TEXT_PLAIN) @Path(/login) public String login(String credentials) { JSONObject jo = null; String name = ; String password = ; try { jo = new JSONObject(credentials); name = jo.getString(name); password = jo.getString(password); } catch (JSONException e) { e.printStackTrace(); }