All geek questions in one place

How to use security (authentication and authorization) in ASP.NET Web Api

I am developing an Android application that will use an SQL server (database) to store application data. In addition, the application will use the ASP web API to send and receive XML or JSON between the client and server.

Currently, I am confused about how to make the application safe for authentication and how to keep the user logged in without having to continue sending user credentials in http requests.

Therefore, I need your recommendation on how to protect my application and provide me with links to training materials, if possible.

+1
source share
2 answers
  • Login (username, password stored in BasicNameValuePair) from your client (here Android) using the web API controller (possibly / Token if you use some samples from the Asp.Net web interface website). If successful, the access token will respond and you will save it to your client (SharedPreference or database).
  • Then you just need to send the access token (no username, password anymore) to request other API controllers.

Of course, https should be used here for better security.

Examples of codes for obtaining an access token (input phase):

public static Object getAccessToken(String address, String grant_type, String username, String password) throws Exception { List<NameValuePair> params = new ArrayList<>(); params.add(new BasicNameValuePair("grant_type", grant_type)); params.add(new BasicNameValuePair("username", username)); params.add(new BasicNameValuePair("password", password)); // Making HTTP request httpResponse = makeHTTPRequest(address, params); if (httpResponse != null) { statusCode = httpResponse.getStatusLine().getStatusCode(); if (statusCode != HttpStatus.SC_OK && statusCode != HttpStatus.SC_BAD_REQUEST) { return httpResponse.getStatusLine().toString(); } // Get JSON String (jsonString) from Input Stream (is) getJSONFromInputStream(); if (jsonString.isEmpty()) { return null; } // Parse the JSON String to a JSON Object jObj = new JSONObject(jsonString); } // Return JSON Object return jObj; }

Inside makeHTTPRequest, for an access token:

 httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded"); httpPost.setEntity(new UrlEncodedFormEntity(parameters));
+1
source

Can your customers access multiple devices with the same account?
---- The first case (you can access from multiple devices):
1. If the username or identifier exists in the internal, just send them to the server.
2. If you do not ask for the username and password from the client, send it to the server (or just a phone number)
3. Check the user information on the database on the server
4. If the authentication success saves the username or username in the internal storage 5. If it fails, ask him again.
---- The second case (it is impossible to access from multiple devices):
You need to send the device ID of the user to the server to determine which devices are logged into your user. If the device ID matches successful authentication, otherwise it does not work and asks the user to log in again. But in this case, you need to be careful, because if the user enters the login after entering from another device, the first user must be disconnected. Therefore, you should send a user ID and device identifier for each request or server that sends a disconnect request to the client.

0
source

Source: https://habr.com/ru/post/1238372/

More articles:


All Articles