
  • Is there a simple authentication method?

    Is there a mechanism for authentication in Spring for Android which allows the client side to get a session on the server side?
    Note: the server side contains all authentication information.

  • #2
    I think that this architecture is the solution, but I am not sure that Spring for Android can communicate with it.
    I will look into Spring Social and how it works; maybe it is the same for the client side,
    so give me feedback if you find something.


    • #3
      As the Spring Social project lead, I'd love it if you could use Spring Social for your app! But, before you do let me state a few things about Spring Social that might help you with your decision. Warning: This post will be rather lengthy...grab a coffee, soda, or other favorite beverage before you get started.

      Spring Social really does 2 things:
      - It provides a connection framework for handling the OAuth flow for your application
      - It provides API bindings (and a basis for building your own API bindings) for APIs such that you don't have to be troubled with making sure each request has the necessary Authorization header for OAuth.

      Under the heading of the connection framework, it does 3 things:
      - Handles the OAuth "dance" on behalf of your application, either 3-legged OAuth for OAuth 1 or Authorization Code Grant (ACG) or Implicit Grant (IG) for OAuth 2.
      - Persists connections (a relationship between your application's user and the access token received from the dance) for long-term use.
      - Creates instances of API bindings already populated with the connection info necessary for creating the Authorization header.

      It's great when you can use them all together because it provides a model where you don't need to handle any of the OAuth details yourself. Just provide your client's key/secret along with the Spring Social configuration and Spring Social handles the rest.

      But, in the case of a mobile app (especially a native app), I tend to prefer OAuth 2's Resource Owner Credentials Grant (ROCG) as opposed to ACG or IG. ROCG doesn't involve a browser redirect which would be awkward in a native app and because there's a higher trust level in an app running on a phone, it's not terrible to ask the user for their credentials in the app (but only use them to obtain an access token and then get rid of them).

      ROCG is really simple, involving only a single REST API call to the OAuth 2 authorization server. At this point, however, Spring Social doesn't have any direct support for ROCG, although this is something that I'm considering. It'd ultimately be only a pass-thru to Spring's RestTemplate to make that REST API call, but could be integrated with the rest of Spring Social's connection framework for purposes of managing connections and creating API binding instances. I'll be chatting with Roy Clarkson (Spring Android project lead) about this in the near future, but I'd be interested in your thoughts on it, too.

      One other consideration when choosing Spring Social is that Spring Social is using Spring's RestTemplate for REST API calls. There's no reason why you couldn't use it to obtain an access token and then use Jersey's client-side stuff for consuming the rest of the API. But if you provide a Spring Social-based API binding, you'd also be using RestTemplate. You could still use Jersey on the server-side, I suppose...but then again, I tend to prefer implementing my REST APIs using Spring MVC and using Spring Security for OAuth to provide the server-side OAuth implementation. Again, I'd be interested in hearing your thoughts on this and why you choose Jersey instead of Spring MVC/S2OAuth; and if you choose Jersey, how you'd implement the server-side OAuth?

      In short (too late), this is a good discussion and I'd be happy to continue it with you. I'm sure Roy would also be interested in working out the details of this, especially with regard to offering ROCG in Spring Social for the scenario you describe.
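
The single token request that the post above describes for the Resource Owner Credentials Grant, sketched with Spring's RestTemplate. This is an added example, not part of the original post and not Spring Social code; the token URL, the client id and the class name are hypothetical, and the injected RestTemplate is assumed to have form and JSON message converters registered.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

public class PasswordGrantClient {
    // Placeholder values (assumptions): substitute your authorization server and client id.
    private static final String TOKEN_URL = "https://auth.example.com/oauth/token";
    private static final String CLIENT_ID = "example-mobile-client";

    private final RestTemplate restTemplate;

    public PasswordGrantClient(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;
    }

    /** Exchanges the user's credentials for an access token; the credentials are never stored. */
    public String obtainAccessToken(String username, String password) {
        // The password travels in the request body, so refuse anything but TLS.
        if (!TOKEN_URL.startsWith("https://")) {
            throw new IllegalStateException("Token endpoint must use HTTPS");
        }
        // Form parameters of the OAuth 2 password grant (RFC 6749, section 4.3.2).
        // A native app is a public client: it sends client_id only, no embedded secret.
        MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
        form.add("grant_type", "password");
        form.add("username", username);
        form.add("password", password);
        form.add("client_id", CLIENT_ID);

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));

        HttpEntity<MultiValueMap<String, String>> request =
                new HttpEntity<MultiValueMap<String, String>>(form, headers);
        // With the default error handler, a 4xx reply such as invalid_grant throws here.
        Map<?, ?> body = restTemplate.postForObject(TOKEN_URL, request, Map.class);

        Object token = (body == null) ? null : body.get("access_token");
        if (!(token instanceof String) || ((String) token).isEmpty()) {
            throw new IllegalStateException("Token response did not contain access_token");
        }
        return (String) token; // the caller keeps only this and drops the password
    }
}
```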


      • #4
        Thanks for the response, Craig! Indeed, we will continue to work on integrating Spring Social and Android to make these scenarios easier. Naturally, we appreciate the feedback from the community. It helps us prioritize which features to focus on.


        • #5
          FYI: I thought that there was already an issue for supporting Resource Owner Credentials Grant in Spring Social, but I couldn't find it, so I created a new one:


          • #6
            Thanks a lot for the response, but it is too late.
            I've used Jersey and not Spring because I am working on an enterprise application project and I am not using Spring on the server side. So with Jersey I've deployed my REST WS, and after searching a lot I found this "JAAS" to secure my middleware. It works correctly now when testing with the web client: it provides a single ID for a session and manages authorization on the methods of my sessions with roles from my database.
            For the Android client I am not sure that it will work correctly. Now no one can access my REST services without authentication from my container "jboss"; the Android client has to authenticate on the container, and then it will have access.
            Be sure that I will try this Spring Social; I can't let it pass without geeking it.