如何通过Android应用针对Spring Security进行身份验证?
[英]How to authenticate against Spring Security from Android app?
问题描述
I'm building a WebApp using Spring. 
我正在使用Spring构建WebApp。 It is secured by Spring Security and should be accessed from an Android app too. 它由Spring Security保护,也应该从Android应用程序访问。 In the web-version i'm using a basic login page. 在网络版本中,我使用的是基本登录页面。
To authenticate from Android i plan to just send an http request to the standard authentication url /j_spring_security_check with the credentials. 要从Android进行身份验证,我计划仅使用凭据将http请求发送到标准身份验证网址/ j_spring_security_check。 And then allways send the cookie with every new request to stay authenticated. 然后始终将cookie与每个新请求一起发送,以保持身份验证。
Because the whole WebApp should only be accessed by logged in users, it is necessary to login at every startup of a Session. 因为整个WebApp只应由登录的用户访问,所以有必要在每次Session启动时登录。 I tried to send the described Request via a simple html formular: 我试图通过一个简单的HTML公式发送描述的请求:
<html>
<head><title>Test</title></head>
<body>
<form action="http://localhost:8080/livefeedback/j_spring_security_check" method="post">
<input type="text", name="j_username" /><br />
<input type="password" name="jpassword" /><br />
<input type="submit" />
</form>
</body>
</html>
For the sake of clarity: I want to send a http request from the android app similar to the one generated by sending this html form. 为了清楚起见:我想从android应用程序发送一个http请求,类似于通过发送此html表单生成的请求。
But I am just redirected to my standard login page. 但是我只是重定向到我的标准登录页面。 I think it's because I have to receive a session id from spring before attempting to login. 我认为这是因为在尝试登录之前,我必须从spring那里收到一个会话ID。 And I'm not shure if there is a better way to login from the android app. 而且我不知道是否有更好的方法可以从android应用程序登录。
Here is my http configuration in spring-security.xml: 这是我在spring-security.xml中的http配置:
<http use-expressions="true" auto-config="true">
<intercept-url pattern="/login"
access="permitAll"/>
<access-denied-handler />
<form-login login-page="/login" default-target-url="/"/>
<logout />
</http>
thanking you in anticipation for every hint! 感谢您的每一个提示!
2 个解决方案
解决方案1
1 2013-10-28 23:17:50
As far as I know, apps are usually built to consume REST APIs. 据我所知,应用程序通常是构建为使用REST API。 Because mobile apps don't run inside of web browsers, this should be the easiest and recommended approach. 由于移动应用程序不在网络浏览器中运行,因此这应该是最简单且建议的方法。 You can watch the lecture made by Virgil Dobjanschi that works at google. 您可以观看由Virgil Dobjanschi在Google上进行的演讲。 Virgil explains in the very beginning the advantages of using REST APIs. Virgil在一开始就解释了使用REST API的优势。 REST APIs can be secured very easily with HTTP Basic. 使用HTTP Basic可以非常轻松地保护REST API。 With just some few steps, Spring Security can be configured to secure REST APIs. 仅需几个步骤,即可配置Spring Security以保护REST API。
解决方案2
1 已采纳 2015-02-13 00:21:30
I have a (very) old web app, with Spring Security, that I log into from an Android app, both to do REST-ish calls and to scrape HTML. 我有一个(非常)老旧的Web应用程序,带有Spring Security,我从一个Android应用程序登录,既可以进行REST调用,也可以刮取HTML。
I'm not sure if what I do will work for your app, but I find that with mine, the trick is to first request the page that you actually want to access. 我不确定我所做的事情是否能为您的应用服务,但是我发现我的诀窍是首先请求您实际要访问的页面。
I observed that when you do this while unauthenticated, that original destination is saved in session, and you then get redirected to the login page. 我观察到,当您在未经身份验证的情况下执行此操作时,该原始目标将保存在会话中,然后将您重定向到登录页面。 In my case, it's actually a "login/prelogin" - this is almost certainly different for your app. 就我而言,它实际上是一个“登录/预登录”-几乎可以肯定,这与您的应用程序有所不同。
Once I have requested the page, and been redirected, I post the login parameters to the appropriate URL (you'll have to see where your login form posts to), and if the login is successful, I get a redirect for the original page that asked for. 请求页面并重定向后,我会将登录参数发布到适当的URL(您必须查看登录表单发布到的位置),如果登录成功,我将获得原始页面的重定向要求的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.