Ziad

Reputation: 13

How to use security (Authentication & Authorization) in ASP.NET Web Api

I am developing an Android application which will use a SQL Server database to store the application's data. In addition, the application will use the ASP.NET Web API to send and receive XML or JSON between the client and the server.

I am currently confused about how to make the application do the authentication securely and how to keep the user logged in without the need to keep sending the user's credentials in the HTTP requests.

Therefore, I need your recommendation about how to secure my application, and tutorial links if possible.

Upvotes: 1

Views: 3478

Answers (2)

BNK

Reputation: 24114

  1. Login (username and password stored in BasicNameValuePair) from your client (here Android) by accessing a Web API controller (perhaps /Token if you use some samples from the ASP.NET Web API website). On success, the access token will be returned in the response and you save it in your client (SharedPreferences or database).
  2. Then you just need to send the access token (no need for username and password anymore) to request other API controllers.

Of course, HTTPS should be used here for better security.

Sample code for getting the access token (login phase):

import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
import org.apache.http.NameValuePair;
import org.apache.http.message.BasicNameValuePair;
import org.json.JSONObject;

// Fields shared with the helper methods makeHTTPRequest() and getJSONFromInputStream()
private static HttpResponse httpResponse;
private static int statusCode;
private static String jsonString;
private static JSONObject jObj;

public static Object getAccessToken(String address, String grant_type, String username, String password) throws Exception {
    // Form fields expected by the /Token endpoint (OAuth2 resource-owner password grant)
    List<NameValuePair> params = new ArrayList<>();
    params.add(new BasicNameValuePair("grant_type", grant_type));
    params.add(new BasicNameValuePair("username", username));
    params.add(new BasicNameValuePair("password", password));

    // Making HTTP request (POST of the form body over HTTPS, see makeHTTPRequest)
    jObj = null;
    httpResponse = makeHTTPRequest(address, params);
    if (httpResponse != null) {
        statusCode = httpResponse.getStatusLine().getStatusCode();
        // 200 carries the token, 400 carries an OAuth error object; anything else is reported as text
        if (statusCode != HttpStatus.SC_OK && statusCode != HttpStatus.SC_BAD_REQUEST) {
            return httpResponse.getStatusLine().toString();
        }

        // Get JSON String (jsonString) from the response body Input Stream (is)
        getJSONFromInputStream();
        if (jsonString == null || jsonString.isEmpty()) {
            return null;
        }
        // Parse the JSON String to a JSON Object (access_token, token_type, expires_in)
        jObj = new JSONObject(jsonString);
    }
    // Return JSON Object (null when no response was received)
    return jObj;
}

Inside makeHTTPRequest, for requesting the access token:

HttpPost httpPost = new HttpPost(address);
httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded");
httpPost.setEntity(new UrlEncodedFormEntity(parameters));

Upvotes: 1
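The server side of the flow described in this answer, as an added example (not code from the answer or from the ASP.NET templates): an OWIN OAuth authorization server that issues the bearer token at /Token for the password grant, enforces HTTPS and a short token lifetime, and a controller that accepts only the token. It assumes the Microsoft.Owin.Security.OAuth package; `UserStore.CheckCredentialsAsync` is a hypothetical method standing in for your own password check against the database.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Issues bearer tokens for the resource-owner password grant the Android client posts to /Token
public class ApiAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // public mobile client has no secret; the user credentials are what is checked
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Hypothetical helper: verifies the password against the salted hash stored in the database
        bool valid = await UserStore.CheckCredentialsAsync(context.UserName, context.Password);
        if (!valid)
        {
            // One generic message: do not reveal whether the user name or the password was wrong
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(identity); // token is signed and returned as access_token
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var options = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApiAuthorizationServerProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(1), // short-lived: a leaked token is usable only briefly
            AllowInsecureHttp = false                          // /Token refuses plain HTTP; credentials travel only over TLS
        };
        app.UseOAuthAuthorizationServer(options);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); // validates "Authorization: Bearer ..." per request
    }
}

[Authorize] // every action needs a valid bearer token; the client never resends the password
public class OrdersController : ApiController
{
    public IHttpActionResult Get() => Ok(new { user = User.Identity.Name });
}
```

A request without a valid token gets 401 from the bearer middleware before the controller runs, which is the signal for the client to call /Token again.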

Abdullah Tellioglu

Reputation: 1474

Can your clients access from multiple devices with the same account?
---- First case (can access from multiple devices):
1. If the username or id exists in internal storage, just send it to the server.
2. If not, ask the client for username and password (or just a phone number) and send it to the server.
3. Check the user information in the database on the server.
4. If authentication succeeds, save the user id or username into internal storage.
5. If it fails, ask again.
---- Second case (can't access from multiple devices):
You need to send the user's device id to the server to detect which device your user logged in from. If the device id matches, authentication succeeds; otherwise it fails and the user is asked to log in again. But in this case you need to be careful, because if a user logs in and then logs in from another device, the first device must be disconnected. Therefore you should send the user id and device id with every request, or the server sends the client a disconnect query.

Upvotes: 0
