Web应用程序和本机应用程序的身份验证
[英]Authentication for both web application and native app
问题描述
We have a web application which can be accessed through the browser, now we create an android app for the application, then they should share the same backend. 
我们有一个可以通过浏览器访问的Web应用程序,现在我们为该应用程序创建一个android应用程序,然后它们应该共享相同的后端。
For the authentication, generally the browser will(or may) save the user information in the cookie, and send the cookie to the server with each http(s) request to the server, then the server will put things in the page accordingly. 对于认证,一般的浏览器会(或可能)保存在cookie中的用户信息,并发送cookie到服务器与每个 HTTP(S)请求到服务器,然后服务器会相应地把东西在页面中。
Now for the app in the android, I am not sure how to make it. 现在,对于Android中的应用程序,我不确定如何制作。 I do not mean how to send the authentication request to the server, for this issue I can refer to this post . 我并不是说如何将身份验证请求发送到服务器,对于这个问题,我可以参考这篇文章 。
What I am confused is that once I send the user id and password to the server and get a successful response, how about the next request? 我感到困惑的是,一旦我将用户ID和密码发送到服务器并获得成功的响应,下一个请求又如何呢? Should I bind the authenticated user information to each request to the server like the browser does or I just save a flag like authenticated=true|false to the preference? 我应该像浏览器一样将经过身份验证的用户信息绑定到对服务器的每个请求,还是仅将诸如authenticated=true|false类的标志保存到首选项?
I hope someone can provide some suggestion. 我希望有人能提供一些建议。
Maybe I do not make myself clear enough. 也许我不够清楚。 I will take an example. 我将举一个例子。
Suppose I have a web application which have a page named "followers.jsp" which will show the followers for the current signed user. 假设我有一个Web应用程序,该应用程序具有一个名为“ followers.jsp”的页面,该页面将显示当前已签名用户的关注者。 Normally we will do the authentication get the followers from the database and then pop them to the page like this: 通常,我们将通过身份验证从数据库中获取关注者,然后将其弹出到页面中,如下所示:
followers.jsp: followers.jsp:
User u=Session.get("user");
if(u==null){
//no authenticated redirect to login page
}else{
List followersList=getFollowers(u);
requset.setAttribute("followers",followersList);
}
Then render the jsp page directly. 然后直接呈现jsp页面。
Now we create an android application for our product, then when user use our app, he will login and see his followers, at this time, we have to create a web service which will do the authentication and return the data, then the app will render them. 现在我们创建一个Android应用程序为我们的产品,那么当用户使用我们的应用程序,他会登录并看到他的追随者,在这个时候,我们必须创建一个Web服务,这将做认证 ,并返回数据,然后应用程序会渲染它们。 The web service may looks like this: Web服务可能看起来像这样:
api/getFollowers.xx api / getFollowers.xx
User u= // here we must get something to identify a user from the request information maybe a token or something else?
List followersList=getFollowers(u);
return toJson(followersList);
And now we find that both our "followers.jsp" page and our service will do the same job(authentication,read the db, return the data back),then why not both use the web service, since we can use ajax which will make a better user experience to get and render the data at the "followers.jsp"? 而现在我们发现了我们的“followers.jsp”页面,我们的服务将做同样的工作(认证,读取数据库,返回数据后),那么为什么不都使用Web服务,因为我们可以使用Ajax这将获得更好的用户体验,以便在“ followers.jsp”处获取和呈现数据?
If so, how to make an unified authentication mechanism for both pc and android client? 如果是这样,如何为PC和Android客户端建立统一的身份验证机制?
1 个解决方案
解决方案1
-1 2014-04-29 04:54:06
If the website requires authentication for each request, then you'll need to send authentication data. 如果网站要求对每个请求进行身份验证,则您需要发送身份验证数据。 If it doesn't, then I don't see the point of authenticating in the first place, from the web or android, since anyone can send a request and get a response without having any credentials. 如果没有,那么我首先看不到从Web或android进行身份验证的意义,因为任何人都可以在没有任何凭据的情况下发送请求并获得响应。 If you don't want to send the password every time, you could create and send a temporary authentication token, though that would require some changes to the web service. 如果您不想每次都发送密码,则可以创建并发送一个临时身份验证令牌,尽管这需要对Web服务进行一些更改。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.