
AuthComponent for mobile (iPhone) app development

We are building an iPhone app which will access our backend server using CakePHP 2.xx.

The client is an iPhone app using the iOS SDK; the server is using CakePHP 2.0.

We are able to create an HTTP POST for controller/action (users/login). This action is currently logging in using a standard database query and matching the user/password combination. This doesn't really use AuthComponent. What we want is to enable AuthComponent so that we can validate the session for each request. How can we use Auth for this type of mobile client application?

I have read through REST concepts etc., but I am still unclear how we can bring Auth into the scope of this mobile app communication.

Any references would be helpful. I am fairly new to the mobile arena, but I do have good knowledge of web development (browser based). In the case of mobile, we are using the native SDK for the mobile platforms.

-BC

First of all, there is no difference in using the AuthComponent in a fully (desktop) web based solution or a mobile one - it just works as it would normally work. In your case you have the two application layers detached:

  1. Your server handles authentication, data retrieval, data customization and data transport.
  2. Your client handles data representation.

Usually in web development there are two big concepts:

Authentication and Authorization. Authentication is making sure the user is who he poses to be - i.e. logging them in after they supply the right password. Authorization is making sure the logged in user has the right to access a given resource. The second thing can be achieved with different approaches and I am not going to stop on it.

Out of the box Cake offers three different authentication approaches:

  • FormAuthenticate
  • BasicAuthenticate
  • DigestAuthenticate

It is very well explained what these are in the links I provided. Now in your case you may want to consider using DigestAuthenticate, and definitely Digest over SSL please :). Of course you can go with FormAuthentication as well. However, also consider issuing tokens when logging users in and then using those tokens for the API calls. These should have a relatively low lifetime. This lifetime is up to you, but normally it is 10-15 mins. When a call is made and a token has expired, just create a new one for the user. This token system can be somewhat detached from the authentication system - i.e. a user may still have a session but his current token may have expired - so issue a new one. Be sure to validate these tokens against the user that is trying to access a piece of information in a given application area - so validate that the token is still valid and is in fact issued to and used by the same user.

Hope this helped a bit. I think you made a good choice going with REST as it provides a nice verb-based API structure.
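The token scheme the answer sketches (short-lived tokens issued at login, re-issued when they expire while the session is still alive, and always checked against the user making the request) is framework-agnostic, so here it is as an added Python example. This is not CakePHP code and not from the original post; the `TokenStore` class, the in-memory dict standing in for a database table, the `FakeClock` helper and the `authorize_api_call` decision function are all assumptions introduced for illustration. The 15-minute lifetime is taken from the answer's "10-15 mins" range.

```python
import hashlib
import hmac
import secrets
import time

# Upper end of the "10-15 mins" lifetime the answer suggests (assumed value).
TOKEN_LIFETIME_SECONDS = 15 * 60


class TokenStore:
    """Server-side token table. A dict stands in for a DB table (constructed stand-in)."""

    def __init__(self, lifetime=TOKEN_LIFETIME_SECONDS, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock      # injectable so expiry can be exercised without sleeping
        self._rows = {}         # sha256(token) -> {"user_id": ..., "expires_at": ...}

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored: a leaked table yields no usable bearer tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._rows[self._key(token)] = {
            "user_id": user_id,
            "expires_at": self.clock() + self.lifetime,
        }
        return token

    def owner(self, token):
        """User id the token was issued to, or None if unknown or expired."""
        key = self._key(token)
        row = self._rows.get(key)
        if row is None:
            return None
        if row["expires_at"] <= self.clock():
            del self._rows[key]             # expired rows are dropped on touch
            return None
        return row["user_id"]

    def validate(self, token, user_id):
        """True only if the token exists, is unexpired and was issued to user_id."""
        owner = self.owner(token)
        return owner is not None and hmac.compare_digest(str(owner), str(user_id))


def authorize_api_call(store, session_user_id, token, resource_owner_id):
    """Decide one API request.

    session_user_id   user behind the server-side session (None if not logged in)
    token             bearer token presented by the app (None if absent)
    resource_owner_id user whose data the request is for
    Returns (status, token_the_client_should_use_next).
    """
    if session_user_id is None:
        return ("login_required", None)          # authentication failed
    if session_user_id != resource_owner_id:
        return ("forbidden", None)               # authorization: not this user's resource
    if token is not None:
        if store.validate(token, session_user_id):
            return ("ok", token)
        if store.owner(token) is not None:       # live token issued to someone else
            return ("forbidden", None)
    # Session still alive but token missing or expired: issue a fresh one, as the answer suggests.
    return ("reissued", store.issue(session_user_id))


class FakeClock:
    """Deterministic clock for demonstrating expiry (constructed helper)."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    store = TokenStore(clock=clock)
    tok = store.issue(42)
    print(authorize_api_call(store, 42, tok, 42)[0])   # ok
    clock.now += 16 * 60                                # token has expired, session still valid
    print(authorize_api_call(store, 42, tok, 42)[0])   # reissued
```

The two checks that matter are both in `validate`: the token must not be past `expires_at`, and the user it was issued to must equal the user the session and the request belong to. A valid token presented under another user's session is refused rather than silently replaced, so a stolen token cannot be laundered into a new one.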
