rails Devise http authenticating mobile


Question

I'm trying to authenticate an Android client app to my server, a Ruby on Rails app which uses the Devise gem. But I've tried HTTP authentication, and POST requests to authenticate, and the server just responds 200 for any given username/password.

I've already set up config.http_authenticatable = true and :database_authenticatable in the User model...

I'll post my authenticate method so you guys can have a look at it...

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.json.JSONException;

public static boolean authenticate(User user, String verb) throws IOException, JSONException
{
    // "verb" is actually the URL of the endpoint being POSTed to.
    DefaultHttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost(verb);

    // Credentials for HTTP-level (Basic) authentication. DefaultHttpClient only
    // sends them after the server answers 401 with a WWW-Authenticate challenge;
    // nothing is attached to the first request.
    CredentialsProvider credProvider = new BasicCredentialsProvider();
    credProvider.setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT),
            new UsernamePasswordCredentials(user.getMail(), user.getPassword()));
    httpClient.setCredentialsProvider(credProvider);

    // The same credentials again as form fields. This is application-level
    // authentication that the HTTP layer knows nothing about, and over plain
    // HTTP both copies travel in clear text.
    List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();
    nameValuePairs.add(new BasicNameValuePair("email", user.getMail()));
    nameValuePairs.add(new BasicNameValuePair("password", user.getPassword()));
    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairs));

    HttpResponse httpResponse = httpClient.execute(httpPost);

    int statusCode = httpResponse.getStatusLine().getStatusCode();
    //JSONObject resp = null;

    // Anything outside 2xx is treated as failure; a 401 here means the
    // server's challenge was not satisfied.
    if (statusCode < 200 || statusCode >= 300){
        throw new IOException("Error");
    }

    return true;
}

Solution

If the server is responding 200, it really sounds like server-side configuration, so you should double-check that your URLs are actually secured, using a desktop web browser and a tool like Fiddler so you can see everything. Pay particular attention to the authentication headers and the status codes; at the least you should see a 401 from the server to start things off.

You can also turn on diagnostics for Apache HTTP on your device, and it will also dump headers and content to logcat, so you can make sure everything is proceeding.

Check the WWW-Authenticate header's contents; it will specify which schemes are accepted. The client side will re-request the URL, but it will put the Authorization header into its request.

In short, make sure your server side works outside of your application, in an environment that's easier to troubleshoot.

Client side, it looks like you are only activating BASIC authentication (everyone stop using it!), and your endpoint may only want DIGEST or NTLM or KERBEROS or any other authentication scheme than BASIC. Since it looks like you didn't set up for SSL, certainly use at least DIGEST or you have clear-text issues!

Using form variables (for authentication) only works at the application level, and not at the HTTP protocol level, which uses HTTP headers (WWW-Authenticate, Authorization) and status codes (401, 403) for the authentication process. And again, if you aren't configuring your server (and client) for SSL-only, there will be clear-text problems.
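The 401 / WWW-Authenticate / Authorization exchange the answer describes, as an added example that is not part of the original question or answer and is not Devise's own code: a minimal Rack-style handler that does HTTP Basic authentication at the protocol level, plus a client that performs the challenge-then-retry sequence against it. The user store, the realm "Application", and the `guarded:` switch (which models whether the URL is actually protected on the server) are assumptions made for the demo; form fields in the request body are deliberately ignored, because the HTTP layer never looks at them.

```ruby
# Added example (not from the original page or from Devise): HTTP Basic
# authentication done at the protocol level, so the 401 -> WWW-Authenticate ->
# Authorization exchange can be exercised offline.

# Constructed credential store for the demo (email => password).
# A real application stores password hashes, never plaintext.
USERS = { "alice@example.com" => "correct horse battery staple" }.freeze
REALM = "Application" # assumed realm name for the challenge

# Constant-time comparison so a wrong password takes the same time to reject
# as a right one (removes the timing side channel of a plain ==).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Parse "Authorization: Basic <base64(email:password)>".
# Returns [email, password], or nil when the header is missing, is another
# scheme, is not valid base64, or carries no "user:password" pair.
def parse_basic(header)
  return nil unless header && header.start_with?("Basic ")
  decoded = (header[6..].strip.unpack1("m0") rescue nil) # "m0": strict base64
  return nil unless decoded
  email, password = decoded.split(":", 2)
  password ? [email, password] : nil
end

def authenticated?(header)
  creds = parse_basic(header)
  return false unless creds
  email, password = creds
  USERS.key?(email) && secure_compare(password, USERS[email])
end

# Rack-style handler: env is the request, the return value is [status, headers, body].
# guarded: false reproduces the symptom from the question: an unprotected URL
# answers 200 no matter what credentials (or none) the client sends.
def handle(env, guarded: true)
  return [200, { "Content-Type" => "text/plain" }, ["ok (unguarded)"]] unless guarded

  if authenticated?(env["HTTP_AUTHORIZATION"])
    [200, { "Content-Type" => "text/plain" }, ["ok"]]
  else
    # Protocol-level challenge: 401 plus WWW-Authenticate naming the scheme.
    # Form fields in the body (email=..., password=...) play no part here.
    [401, { "WWW-Authenticate" => %(Basic realm="#{REALM}") }, ["unauthorized"]]
  end
end

# The header a client puts on its second request.
def basic_header(email, password)
  "Basic " + ["#{email}:#{password}"].pack("m0")
end

# Client side of the exchange: one request without credentials, then a retry
# with Authorization only if the server answered 401 with a Basic challenge.
# Returns [final_status, number_of_requests_made].
def client_fetch(email, password, guarded: true)
  status, headers, = handle({}, guarded: guarded)
  return [status, 1] unless status == 401
  return [status, 1] unless headers["WWW-Authenticate"].to_s.start_with?("Basic")

  status, = handle({ "HTTP_AUTHORIZATION" => basic_header(email, password) }, guarded: guarded)
  [status, 2]
end

if __FILE__ == $PROGRAM_NAME
  status, headers, = handle({})
  puts "no Authorization      -> #{status} #{headers['WWW-Authenticate']}"
  puts "good credentials      -> #{client_fetch('alice@example.com', 'correct horse battery staple').inspect}"
  puts "bad credentials       -> #{client_fetch('alice@example.com', 'wrong').inspect}"
  puts "unguarded URL, no auth -> #{client_fetch('nobody', 'nothing', guarded: false).inspect}"
end
```

Running it shows the three states the answer tells you to look for in Fiddler or logcat: a 401 carrying `WWW-Authenticate: Basic realm="Application"` on the first request, a 200 only after the retry with a correct Authorization header, and a 200 on the first request with no credentials at all when the URL is not guarded, which is exactly the "200 for any username/password" symptom. Everything here still crosses the wire in clear text; the base64 in the Authorization header is encoding, not protection, so the answer's point about TLS stands.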
