I am wondering why you are making a call to a REST service and trying to
keep state? REST calls typically are stateless. You should pass the
credentials each time and the REST service should validate those credentials
each time. By storing a cookie you end up having to keep track of timeouts.
What happens in your Android app when the cookie expires and you make a
request again and it fails due to the cookie being bad? Are you going to ask
the user to enter their credentials again? You might be better off storing
the entered credentials and sending them on every request. Also, did you
write the service? If so, why are you issuing a cookie? Why not just have
the service check for credentials every time?

On Thu, Aug 4, 2011 at 5:45 AM, Daniel Drozdzewski <[email protected]> wrote:

> On 4 August 2011 13:27, Asuka <[email protected]> wrote:
> > Hi Android Developers,
> >
> > I am trying to connect to a web application via my Android client. In the
> > web application we use Spring Security 3 to log in. The relevant part of
> > the login configuration looks like this:
> >
> > <security:http auto-config='true' access-denied-page="/accessDenied.html">
> >     <security:intercept-url pattern="/**" access="ROLE_STANDARD" />
> >     <security:form-login login-page="/login.html"
> >         authentication-failure-url="/login_error.html"
> >         default-target-url="/pages/start/start.html"
> >         always-use-default-target="true" />
> >     <security:remember-me key="xxx" token-validity-seconds="30000"
> >         data-source-ref="dataSource" />
> >     <security:logout logout-success-url="/login.html"
> >         invalidate-session="false" />
> >     <security:session-management>
> >         <security:concurrency-control max-sessions="1" />
> >     </security:session-management>
> > </security:http>
> >
> > So that means, the webapp is able to remember the user. From the
> > android client I call a webservice:
> >
> > public void onLogin(final View v) {
> >
> >     EditText username = (EditText) findViewById(R.id.editusername);
> >     EditText password = (EditText) findViewById(R.id.editpassword);
> >     client = new DefaultHttpClient();
> >     String getToken = "";
> >
> >     // Call Webservice
> >     HttpPost loginRequest = new HttpPost(PathContainer.baseWebservice + "login?");
> >     ResponseHandler<String> respstring = new BasicResponseHandler();
> >
> >     try {
> >         JSONObject credentials = new JSONObject();
> >         try {
> >             credentials.put("name", username.getEditableText().toString());
> >             credentials.put("password", password.getEditableText().toString());
> >         } catch (JSONException e1) {
> >             e1.printStackTrace();
> >         }
> >         StringEntity seUser = new StringEntity(credentials.toString(), "UTF-8");
> >         loginRequest.setEntity(seUser);
> >         getToken = client.execute(loginRequest, respstring);
> >         if (getToken != null) {
> >             if (getToken.startsWith("token")) {
> >                 String[] t = getToken.split(":");
> >                 securtiytoken = t[1];
> >                 Cursor token = getContentResolver().query(URI, null, null, null, null);
> >                 if (token.getCount() == 0) {
> >                     insertTokenIntoDB(this, securtiytoken, username.getEditableText().toString());
> >                 } else {
> >                     updateToken(this, securtiytoken, username.getEditableText().toString());
> >                 }
> >                 token.close();
> >                 this.startMain();
> >             } else {
> >                 Toast.makeText(this, "Anmeldung fehlgeschlagen ... ", Toast.LENGTH_LONG).show();
> >                 this.loginAgain();
> >             }
> >         }
> >     } catch (ClientProtocolException e1) {
> >         e1.printStackTrace();
> >     } catch (IOException e1) {
> >         e1.printStackTrace();
> >     }
> > }
> >
> > The webservice looks like this
> >
> > @POST
> > @Produces(MediaType.TEXT_PLAIN)
> > @Path("/login")
> > public String login(String credentials) {
> >    JSONObject jo = null;
> >    String name = "";
> >    String password = "";
> >    try {
> >        jo = new JSONObject(credentials);
> >        name = jo.getString("name");
> >        password = jo.getString("password");
> >    } catch (JSONException e) {
> >        e.printStackTrace();
> >    }
> >    HttpResponse r = springSecurityCheck(name, password);
> >    for (Header h : r.getAllHeaders()) {
> >        System.out.println(h.getName() + " " + " " + h.getValue() + "");
> >    }
> >
> >    String s = r.getFirstHeader("Location").toString();
> >    boolean isError = s.contains("login_error");
> >
> >    if (!isError) {
> >        Header[] cookies = r.getHeaders("Set-Cookie");
> >        for (int i = 0; i < cookies.length; i++) {
> >            if (cookies[i].toString().contains(
> >                    "SPRING_SECURITY_REMEMBER_ME_COOKIE")) {
> >                String[] cookie = cookies[i].toString().split("=");
> >                String token = cookie[1].substring(0,
> >                        cookie[1].indexOf(";"));
> >                if (token != null) {
> >                    return "token:" + token;
> >                }
> >            }
> >        }
> >    }
> >    System.out.println(" ----- Login from" + name
> >            + " failed----- ");
> >    return "newLogin";
> >
> > }
> >
> > After the login, a SPRING_SECURITY_REMEMBER_ME_COOKIE is generated and
> > sent back to the client. But how can I use this cookie in the client for
> > further requests to other webservice methods? While using the
> > web application everything works fine. But in the client I haven't got
> > a browser, I have just the DefaultHttpClient. So how can I use the
> > DefaultHttpClient like a browser from my Android client?
> >
> > Greetings
>
> As long as you are using the same instance of DefaultHttpClient in
> subsequent requests and all those requests will be to the same host,
> cookies will get attached to requests.
>
> You can verify your cookies like so:
>
> List<Cookie> cookies = httpClient.getCookieStore().getCookies();
>
>
> Daniel
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Android Developers" group.
> > To post to this group, send email to [email protected]
> > To unsubscribe from this group, send email to
> > [email protected]
> > For more options, visit this group at
> > http://groups.google.com/group/android-developers?hl=en
>
>
>
> --
> Daniel Drozdzewski

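Added example, not part of the thread and not any poster's code: in the quoted web service the remember-me token reaches the client in the response body rather than in a Set-Cookie header, so the client has to place it in the cookie store itself, detect the redirect to the login page when the token is no longer accepted, and persist whatever value the store holds after each call. The class name, the HTTPS host and the "/" cookie path are assumptions; the cookie name and login page come from the quoted code and configuration.

```java
import java.io.IOException;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.params.HttpClientParams;
import org.apache.http.cookie.Cookie;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.cookie.BasicClientCookie;

/** Hypothetical helper: one client per app whose cookie store carries the remember-me token. */
public final class RememberMeClient {
    // Cookie name and login page are taken from the code and configuration quoted in the thread.
    private static final String COOKIE_NAME = "SPRING_SECURITY_REMEMBER_ME_COOKIE";
    private static final String LOGIN_PAGE = "login.html";

    private final DefaultHttpClient client = new DefaultHttpClient();
    private final String host; // assumption, e.g. "app.example.com"

    public RememberMeClient(String host, String storedToken) {
        this.host = host;
        // Keep redirects visible so a bounce to the login page can be detected.
        HttpClientParams.setRedirecting(client.getParams(), false);
        if (storedToken != null) {
            BasicClientCookie c = new BasicClientCookie(COOKIE_NAME, storedToken);
            c.setDomain(host);  // must match the request host, or the cookie is never sent
            c.setPath("/");     // assumption: adjust to the web application's context path
            c.setSecure(true);  // attach only to HTTPS requests
            client.getCookieStore().addCookie(c);
        }
    }

    /** True if the request was served; false if the server sent us to the login page. */
    public boolean get(String path) throws IOException {
        HttpResponse r = client.execute(new HttpGet("https://" + host + path));
        if (r.getEntity() != null) r.getEntity().consumeContent(); // release the connection
        Header location = r.getFirstHeader("Location");
        int status = r.getStatusLine().getStatusCode();
        return !(status == 302 && location != null && location.getValue().contains(LOGIN_PAGE));
    }

    /** Latest token in the store; persist it, since the server may replace the value. */
    public String currentToken() {
        for (Cookie c : client.getCookieStore().getCookies()) {
            if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

When `get` returns false the stored token should be deleted and the user sent back through `onLogin`, which is the expiry case raised in the reply at the top of the thread.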