Thread: Android Client Authentication with Spring Security 3

  1. #1 (Join Date: Nov 2010, Posts: 12)

    Android Client Authentication with Spring Security 3

    Hi Spring Community,

    I have a web application and an Android client. I would like to implement a secure login method. From the client I send a request to a web service method:

    Code:
    // imports the method relies on (org.json assumed for JSONObject)
    import javax.ws.rs.POST;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.MediaType;
    import org.apache.http.Header;
    import org.apache.http.HttpResponse;
    import org.json.JSONException;
    import org.json.JSONObject;

    @POST
    @Produces(MediaType.TEXT_PLAIN)
    @Path("/login")
    public String login(String credentials) {
        String name = "";
        String password = "";
        try {
            JSONObject jo = new JSONObject(credentials);
            name = jo.getString("name");
            password = jo.getString("password");
        } catch (JSONException e) {
            e.printStackTrace();
            return "newLogin"; // malformed request body: do not attempt the login
        }
        HttpResponse r = springSecurityCheck(name, password);
        if (r == null) { // springSecurityCheck returns null when the HTTP call failed
            return "newLogin";
        }
        for (Header h : r.getAllHeaders()) {
            System.out.println(h.getName() + " " + h.getValue());
        }
    
        // Spring Security answers the form login with a redirect; on failure the
        // Location header points at the failure URL (login_error)
        Header location = r.getFirstHeader("Location");
        boolean isError = location == null
                || location.getValue().contains("login_error");
    
        if (!isError) {
            for (Header cookie : r.getHeaders("Set-Cookie")) {
                // header value looks like NAME=value; Path=/; ...
                String value = cookie.getValue();
                if (value.startsWith("SPRING_SECURITY_REMEMBER_ME_COOKIE=")) {
                    String token = value.substring(value.indexOf('=') + 1);
                    int end = token.indexOf(';');
                    if (end >= 0) {
                        token = token.substring(0, end);
                    }
                    if (token.length() > 0) {
                        return "token:" + token;
                    }
                }
            }
        }
        System.out.println(" ----- Login from " + name + " failed ----- ");
        return "newLogin";
    }
    The springSecurityCheck method does the following:

    Code:
    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;
    import org.apache.http.HttpResponse;
    import org.apache.http.NameValuePair;
    import org.apache.http.client.entity.UrlEncodedFormEntity;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.message.BasicNameValuePair;
    import org.apache.http.protocol.HTTP;

    public HttpResponse springSecurityCheck(String name, String password) {
        DefaultHttpClient client = new DefaultHttpClient();
        // the login endpoint should be served over https: j_username and
        // j_password travel in the request body
        HttpPost requestLogin = new HttpPost(
                "http://mywebapp.com/j_spring_security_check");
        List<NameValuePair> params = new ArrayList<NameValuePair>();
        params.add(new BasicNameValuePair("j_username", name));
        params.add(new BasicNameValuePair("j_password", password));
        params.add(new BasicNameValuePair("_spring_security_remember_me", "true"));
        try {
            requestLogin
                    .setEntity(new UrlEncodedFormEntity(params, HTTP.UTF_8));
            // HttpClient does not follow the 302 of a POST, so the caller sees
            // the Location and Set-Cookie headers of the login response
            return client.execute(requestLogin);
        } catch (IOException e) {
            // covers UnsupportedEncodingException and ClientProtocolException
            e.printStackTrace();
            return null;
        }
    }
    So everything works fine. The token is stored in the persistent_logins table of the server database and the login method gives the token back to the client. But how do I use the token for further requests to other web service methods?

    For example, the Spring Security login URL is j_spring_security_check?j_username="abc"&j_password="xyz". Are there any URLs like j_token="1d3ds"?

    Thanks for your help

    Greetings

  2. #2 (Join Date: Jan 2008, Posts: 1,826)

    A web browser will typically keep track of the JSESSIONID cookie, so one option would be to keep track of this cookie in your client and populate it in the request to the application.

    Another option would be to use basic authentication and have your client include this in every request. This would likely not perform as well since you need to authenticate every time.

    You could also investigate some of the current methods for dealing with these types of scenarios, like looking into using OAuth. If you are using Spring/Spring Security and want to use OAuth, a few good places to start are the Spring Security OAuth Extension and the Spring Social projects. Of particular interest would probably be the Greenhouse project, which demos the Spring Social code leveraging OAuth very nicely. Note that these are web applications using OAuth, but similar concepts would apply to an Android application.

    > Originally Posted by Asuka:
    > For example, the Spring Security login URL is j_spring_security_check?j_username="abc"&j_password="xyz". Are there any URLs like j_token="1d3ds"?

    PS: Just to make sure...you should not include private information like credentials (especially long lived credentials) in URLs. You should use POST when submitting sensitive information.

    Cheers,
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
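    The first option above (let the client keep the JSESSIONID and remember-me cookies and replay them on later requests) written out as an added example; this is not code from the thread or from the Spring projects. The base URL, the /j_spring_security_check path and the login_error failure URL are assumed from the first post; the HttpClient 4.0 API shipped with Android is used, with the cookie jar attached through an HttpContext so every request executed with that context carries the cookies issued at login.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HTTP;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;

public class SessionClient {
    // Hypothetical base URL; use https so credentials and the session cookie are not sent in clear.
    private static final String BASE = "https://mywebapp.com";
    private final DefaultHttpClient client = new DefaultHttpClient();
    private final BasicCookieStore cookieStore = new BasicCookieStore();
    private final HttpContext context = new BasicHttpContext();

    public SessionClient() {
        // one cookie jar for all requests: JSESSIONID and the remember-me cookie set at login are replayed
        context.setAttribute(ClientContext.COOKIE_STORE, cookieStore);
    }

    /** Form login; credentials go in the POST body, never in the URL. Returns true on success. */
    public boolean login(String user, String password) throws IOException {
        HttpPost post = new HttpPost(BASE + "/j_spring_security_check");
        List<NameValuePair> form = new ArrayList<NameValuePair>();
        form.add(new BasicNameValuePair("j_username", user));
        form.add(new BasicNameValuePair("j_password", password));
        form.add(new BasicNameValuePair("_spring_security_remember_me", "true"));
        post.setEntity(new UrlEncodedFormEntity(form, HTTP.UTF_8));
        HttpResponse r = client.execute(post, context);
        if (r.getEntity() != null) r.getEntity().consumeContent(); // release the connection
        // Spring Security answers the form login with a redirect: a failed login goes to the
        // failure URL (login_error here), a successful one to the original target.
        Header loc = r.getFirstHeader("Location");
        int code = r.getStatusLine().getStatusCode();
        return code / 100 == 3 && loc != null && !loc.getValue().contains("login_error");
    }

    // calls a protected resource; the cookie store attaches the session cookie for us
    public String get(String path) throws IOException {
        HttpResponse r = client.execute(new HttpGet(BASE + path), context);
        return EntityUtils.toString(r.getEntity());
    }
}
```

    A later get() that comes back as a redirect to the login page means the session (or remember-me cookie) has expired and login() must be repeated.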

  3. #3 (Join Date: Nov 2010, Posts: 174)

    We are using Spring Security OAuth in Greenhouse as the OAuth provider for connecting the Greenhouse Android client. We are using Spring Social on the Android client as the OAuth consumer. Spring Android Auth and Spring Social on the Android client will handle storing the access token in a local SQLite database on the device. To @rwinch's point, it is very important to not send user credentials in requests, and a protocol like OAuth helps to avoid that.
    Roy Clarkson
    Spring Mobile Projects Lead

  4. #4 (Join Date: Nov 2010, Posts: 12)

    Thank you so much.

    After a first look at the Greenhouse project I would say it doesn't seem to be so easy. Could you maybe explain in short words (if possible) the general steps I have to do to use a web app as OAuth provider and an Android client as a consumer?
