English 中文(简体)
在资源路径中编码认证数据是否正确
原标题:Is it right to encode authentication data in resource path
  • 时间:2012-05-25 14:53:56
  •  标签:
  • android
  • rest

我有一个RESTFulll 服务器和一个 Android 客户端。 服务器有一些方法可以将数据返回到客户端的 HTTP 电话。 客户代码中的方法之一是下面显示的验证客户身份的方法 。

        HttpClient httpclient = new DefaultHttpClient();
        HttpGet request = new HttpGet(
                "http://localhost:8080/myapp/customer/login/cUser/cpwd");

        request.addHeader("Accept", "text/plain");
        HttpResponse response = httpclient.execute(request);
        HttpEntity entity = response.getEntity();
        InputStream instream = entity.getContent();
        String msg = read(instream);


 if(msg.equals("success"){ // if customer logged in successfully
     //do something
 }

服务器侧端代码使用上述 uri 的部分用户名和密码, 并进行验证。 在我看来, 某人很容易获得这些数据, 并随心所欲地使用这些数据 。 是否有更好的方法可以这样做?

提前感谢

最佳回答

在 RESTfull 服务中,您必须使用 HTTP/1.1 auth 信头,例如:

request.addHeader("Authorization", "auth string");

认证字符串可以是基本的认证字符串: base64_encode(login+) :"+password) 或OAuth2 验证符等。

正如布莱恩·凯利所说,P. S. O.

时间:2012-05-25 15:08:23
问题回答

是的,攻击者很容易将用户名/密码从一个简单的 HTTP 请求中使用的 URL 中拉出。 您的计划很容易被利用和攻击 。

使用“http://en.wikipedia.org/wiki/HTTP_secury” rel=“nofollow”>>HTTPS 。这将迫使运输连接为SSL-encrepted,防止偷窥。您还应该从 URL 中删除证书,而是使用 http://en.wikipedia.org/wiki/birk/basure_access_authendication" rel=“nofolfol” > Basical Digiation

时间:2012-05-25 15:08:14


上一篇:
下一篇:


相关问题
Android - ListView fling gesture triggers context menu

I m relatively new to Android development. I m developing an app with a ListView. I ve followed the info in #1338475 and have my app recognizing the fling gesture, but after the gesture is complete, ...

时间:2009-11-16 02:05:24 回答:1 展示:1
AsyncTask and error handling on Android

I m converting my code from using Handler to AsyncTask. The latter is great at what it does - asynchronous updates and handling of results in the main UI thread. What s unclear to me is how to handle ...

时间:2009-11-16 00:45:34 回答:12 展示:1
Android intent filter for a particular file extension?

I want to be able to download a file with a particular extension from the net, and have it passed to my application to deal with it, but I haven t been able to figure out the intent filter. The ...

时间:2009-11-14 03:55:26 回答:15 展示:1
Android & Web: What is the equivalent style for the web?

I am quite impressed by the workflow I follow when developing Android applications: Define a layout in an xml file and then write all the code in a code-behind style. Is there an equivalent style for ...

时间:2009-11-14 02:37:32 回答:4 展示:1
TiledLayer equivalent in Android [duplicate]

To draw landscapes, backgrounds with patterns etc, we used TiledLayer in J2ME. Is there an android counterpart for that. Does android provide an option to set such tiled patterns in the layout XML?

时间:2009-11-13 11:29:57 回答:1 展示:1
Using Repo with Msysgit

When following the Android Open Source Project instructions on installing repo for use with Git, after running the repo init command, I run into this error: /c/Users/Andrew Rabon/bin/repo: line ...

时间:2009-11-11 09:12:56 回答:3 展示:1
Android "single top" launch mode and onNewIntent method

I read in the Android documentation that by setting my Activity s launchMode property to singleTop OR by adding the FLAG_ACTIVITY_SINGLE_TOP flag to my Intent, that calling startActivity(intent) would ...

时间:2009-11-10 22:45:16 回答:3 展示:1
From Web Development to Android Development

I have pretty good skills in PHP , Mysql and Javascript for a junior developer. If I wanted to try my hand as Android Development do you think I might find it tough ? Also what new languages would I ...

时间:2009-11-09 14:44:40 回答:5 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全