I am trying to make an application that will connect to a web service and call functions from it. I have worked on HTTP connections that will hit the server. This one will send me data. But can I hit a web service and call functions from it on Blackberry? I don't have such information yet haven't tried it.
So the question is, how to connect to a web service and call functions from it?
You won't be able to directly call functions on the server from the BB, so you'll have to define calls on the server where your app would provide the information needed for your server side script to perform the necessary operations.
As a simple example, maybe your app sends something to the server to a login URL with a payload that has the username and password. The server would then take over and perform all of the necessary validation and come back with a simple "authenticated" or "denied" response. Your app didn't actually do anything other than provide the information that would be needed for the server to do its magic.
Related
Say that I'm running an application on WebSphere Application Server and in some Java class, it makes a REST call by providing a client and client secret to receive a refresh token for OAuth2, and then later at some point, it also makes a REST call to by providing the refresh token to receive an access token.
The source code is obviously not going to be visible to debug through and inspect these values, but my question is that can the values being passed in these REST calls (namely the client secret and refresh token) and the response (access token) be viewed by someone who has access to the machine running the server?
The reason I ask is that I am thinking of storing these unchanging values (client id, client secret, refresh token) somewhere where they cannot be viewed by anyone other than through a JDBC connection in the Java code, and I plan to use these values for authentication purposes with some server somewhere. I do not want the person who this application is being used by to be able to view these values because if they can, they can do some damage by accessing other public APIs on the server.
I intend to only let the Java code (backend) interact with the server for authentication and grabbing some resource, but I do not want to allow the person who has access to this machine (but does not have access to where these values are stored) to view the details of the REST request and response.
Thank you.
It's unclear which server you're referring to in various places.
If you make an outbound HTTPS request from a WebSphere server to a 2nd server, you have to assume all details of the request and response are visible to the operators of the software on both sides.
Either side can trace all of its own input and output.
I'm new to java and I'm trying to understand the way we identify users who uses webservices.
The program will be downloaded from my website. It needs to make a connection to my server side web service program.
I think there are 2 options for identifying the user:
Register on website and download web service. A single user id key is then generated when downloading the program. I don't know if this is possible + verification of registration can only be done by email: not 100% sure of user identity.
Download web service and log in into it.
This seems a better way, but I'm not sure this is the way to do it...
Most services use HTTP authentication because the surrounding HTTP protocol already brings all the necessary features. Actually, your web service framework comes with all the plumbing necessary to easily set this up.
Another solution is to have a method which is called login() that takes a user name and a password. All other methods return errors until login() has been called successfully once.
Note that you must use HTTPS as protocol, otherwise passwords will be transmitted either as plain text or with a trivial encryption that is easy to break. Or to put it another way: Without HTTPS anyone willing to invest a couple of minutes of time will be able to use your service.
I have created Java Web Application by using Netbeans IDE. I have created entities with relationships. Webpages are simple dashboards where I can add new entities, change them and delete them.
I have added Restful web services to my entities. So web page will be available only for admin and I want to create client application that will have access only for his own data. That means client must login or register to my server.
When user logins/registers on website, server will create session for this user. I know that in RESTful service there is no sessions. My thought is to pass login and password every time when client wants to do some operation with server.
Question: is there any other method to create something like session between client and server? I hope it is not connected with encryption.
There are many options for authentication as well as authorization. If you want to use simple authentication then 'Basic Auth' of HTTP. Check out https://www.rfc-editor.org/rfc/rfc2617 for details. Remember that this is unsafe because the username/password flows on wire. Anyone can sniff username/password. This is updated by new RFC7235 - https://www.rfc-editor.org/rfc/rfc7235#section-4
Safer choice is oAuth. Explained in RFC6749 https://www.rfc-editor.org/rfc/rfc6749. In this case an access token goes with each request.
In both the cases the credential details travel with headers. No interference with parameters.
I have two different spring web applications with authentication,
My first application has to get some responses from second application in order to show the required details to the user. Now the problem is, Since the second app also secured I'm unable to get responses from it. Suggest me how can I authenticate second app from server code at first app.
Note: I tried to use CAS server, It returned me the login page's html text when I made a request.
Refer to this https://stackoverflow.com/a/24486898/3487801. Services could be secured using CAS. All you need to do is to add restlet module on your cas server and build a simple Java client to get the ticket and authenticate to your service.
Some says, there is no working Java client for headless CAS. But groovy example on the CAS restful API https://wiki.jasig.org/display/casum/restful+api is actually working. You need to get it modified just a little bit to get it work.
I'm working on a Java REST server serving an iPhone app. Now we have to integrate with third party service exposed by oauth2 protocol. This is new to me so I've been reading and writing some "proof of concept" code but I have a big problem or I fundamentally don't understand something...
I made a simple web page with "log in with XXX" button that the user sees in a web view. When he clicks it, login page of the third party service opens and he can approve my app, at what time they will redirect the user to an URL I've specified with the authorization code as a parameter. This URL points to a REST service on my server.
The problem is that this URL must be absolutely the same as the one I've set up when applying my app for their service. Since I'm running a REST server I have no way of knowing about which user are we talking about when the redirection to my server happens (there is no session). I wanted to do this identification with some query or path param but they are not allowing it.
Does any of this makes sense to you or am I implementing this in a wrong way? The only possible solution I can imagine now will be with the help of cookies but I'm not really fond of that...
Yes, that does make sense. You got a few different options, try one of these:
Store a cookie with some user id and read it out after redirection
Use the state parameter of the authorization request for transmitting some user id. The provider is required to return it back to you in his redirect.