Android Authentication with Spring Security 3
I have a webapplication and an android client. I would like to implement a secure login method. From the client I send a request to a webservice method:
@POST
@Produces(MediaType.TEXT_PLAIN)
@Path("/login")
public String login(String credentials) {
JSONObject jo = null;
String name = "";
String password = "";
try {
jo = new JSONObject(credentials);
name = jo.getString("name");
password = jo.getString("password");
} catch (JSONException e) {
e.printStackTrace();
}
HttpResponse r = springSecurityCheck(name, password);
for (Header h : r.getAllHeaders()) {
System.out.println(h.getName() + " " + " " + h.getValue() + "");
}
String s = r.getFirstHeader("Location").toString();
boolean isError = s.contains("login_error");
if (!isError) {
Header[] cookies = r.getHeaders("Set-Cookie");
for (int i = 0; i < cookies.length; i++) {
if (cookies[i].toString().contains(
"SPRING_SECURITY_REMEMBER_ME_COOKIE")) {
String[] cookie = cookies[i].toString().split("=");
String token = cookie[1].substring(0,
cookie[1].indexOf(";"));
if (token != null) {
return "token:" + token;
}
}
}
}
System.out.println(" ----- Login from" + name
+ " failed----- ");
return "newLogin";
}
The springsecuritycheck does the following:
public HttpResponse springSecurityCheck(String name, String password) {
DefaultHttpClient client = new DefaultHttpClient();
HttpPost requestLogin = new HttpPost(
"http://mywebapp.com/j_spring_security_check?");
HttpResponse response = null;
List<NameValuePair> params = new ArrayList<NameValuePair>();
params.add(new BasicNameValuePair("j_username", name));
params.add(new BasicNameValuePair("j_password", password));
params.add(new BasicNameValuePair("_spring_security_remember_me","true"));
try {
requestLogin
.setEntity(new UrlEncodedFormEntity(params, HTTP.UTF_8));
response = client.execute(requestLogin);
return response;
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return null;
}
So everything works fine. The token is stored in the persitent_logins table of the serverdata base and the loginmethod gives the token back to the client. But how do I use token for further requests to other webservice methods?
For example, the springsecurity login url is j_spring_security_check?j_username="abc"&j_password="xyz". Are there any urls lik开发者_如何转开发e j_token="1d3ds"?
Thanks for your help greetings
I thought that the username and password in the URL aren't even used in locating the resource, rather just for validation. For example, www.hello.com/index.html?user="bob" won't take you to index.html?user="bob", rather it will just direct you to index.html. The server at hello.com uses the user="bob" as mere validation.
I am very newbie but it just seems like whatever machine receives the HTTP request with those credentials in the GET request will just parse it out.
Let me try to explain to you what's happening here:
When you do the request, the cookies that stores the token and such are stored in a cookiestore (in memory) inside your http client. As you are not using the same httpclient on later calls those cookies are being lost and whenever you create a new httpclient it comes with an empty cookiestore.
YOu have several options here:
- Reusing the already authenticated httpclient
- Saving the cookies for later use using any method of persistence in your application
- Saving the cookiestore itself with all it's containing cookie, so anytime you create a new httpclient you set the saved cookiestore to it.
加载中,请稍侯......
精彩评论