1

I am writing an Android 2.2 app for my company. The app simply sends http get/put/post requests to perform certain operations. There is no real login procedure as the username and password have to be included in each http request.

I could see that there is AccountManager in Android. But since the username and password (instead of some auth token) are needed for each http request, how can it fit in? Obviously, I want to make it similar to other Android apps so that the user only needs to login once for the very first time and it won't prompt for username/password again when the app is re-launched.

Any suggestion is appreciated. Thanks!

radium22
  • 1
    You can easily let the user store username and password in `SharedPreferences` from an ordinary activity with a couple of `EditTexts`, and then read them from there for each call to the webservice. Is there any specific requirement to use AccountManager? – uvesten Apr 27 '11 at 19:12
  • 1
    There is no need to use AccountManager. I just want to see if this is a requirement/preferred method to make it Android-like. Thanks. – radium22 Apr 27 '11 at 19:53

1 Answer

5

I have developed an application like that, so here is how I solved it, in pseudocode.

> But since the username and password (instead of some auth token) are needed for each http request, how can it fit in?

1#: Make a first page, a login page. Let this View include two EditTexts (username and password) and one Button (login button).

2#: Make a login request on the Button click to see if you're getting a correct Cookie with HTTP header names that correspond to the values you are getting when you're logged in. Locate valid information via a network tool, like WireShark. For more information about the login procedure, check out my other answer here.

3#: If the username and password resulted in correct Cookie information, save the username and password in a SharedPreferences and make their values available throughout your application by assigning them to an Application class; read this for more info regarding global variables. If the values were incorrect and you did not get a valid Cookie, show it to the user via a message (Toast?).

4#: When you are trying to reach the authorized information, make a request by using the saved information in the Application class.

5#: Next time you're starting your application, make a check in onCreate() where you are checking if SharedPreferences contains user information, if so: see step 6#, otherwise wait for the user to start entering information.

6#: If the login page has determined user information, assign the SharedPreferences to the global Application state, finish the login Activity and start the authorized Activity instead. This will happen very fast, so the user wouldn't notice that the "login page" was displayed.

7# (extra step): In the authorized Activity, make sure to grab the user information from the Application instance. When doing the first request towards authorized content, validate the task as you did in step #3 in order to control if the user has changed the password on the website. If the user hasn't changed any information, start grabbing the response and you are free to do whatever you want.

Community
Wroclai
  • 1
    That was an incredibly complicated answer. Use wireshark just to read a cookie? – uvesten Apr 27 '11 at 19:00
  • Also, the question is about using AccountManager, if I'm not mistaken. – uvesten Apr 27 '11 at 19:00
  • By the way, why would a cookie even be set? The question states that the program needs to authenticate for each call. This answer is more confusing than helpful. – uvesten Apr 27 '11 at 19:03
  • @uvesten: So, what is complicated? Is it complicated to use WireShark, really? The questioner should extra check that information from the `Cookie` by determining the same values in WireShark. – Wroclai Apr 27 '11 at 19:03
  • Let the cookie go :) (your program might use one, the question says nothing about a cookie.) – uvesten Apr 27 '11 at 19:05
  • @uvesten: You have misunderstood the question. Please read it again before down voting. – Wroclai Apr 27 '11 at 19:05
  • @uvesten: The question doesn't say anything about `Cookie`s. But, in order to get a response from an authorized webpage you need to have a `Cookie` before making an HTTP request. – Wroclai Apr 27 '11 at 19:10
  • Yes, but the question says nothing about an "authorized web page". There are lots of ways to do authentication for webservices... Probably best to ask the asker what authentication method his service uses. – uvesten Apr 27 '11 at 19:16
  • 1
    dear uvesten, he writes "...But since the username and password (instead of some auth token) ...". How should HE FIT IT IN? Well, not by using AccountManager, instead, he should use what @Viktor wrote in his answer. – Curtain Apr 27 '11 at 19:18
  • Thanks, Viktor for your detailed answer. I got a few questions, however: 1. There is no URL to explicitly login. Each http request is independent and requires username/password. From wireshark, I could see a 401 response first, then app requests again, and then a 200 OK for success. But from the httpclient API used in the app, the 401 response is hidden - all it returns is 200 OK for success. With this in mind, how would the cookie manager fit it here? 2. Also, do you have suggestions on how to save the valid username/password to the device so that no login is needed on relaunch? – radium22 Apr 27 '11 at 19:50
  • @user7277011: 1: Well, if there is no specific login page, just test against *some* page that requires username and password. Secondly, I would recommend my second alternative in my link above for this purpose so there is no need for a `CookieManager` in this case. :-) 2: Save to a `SharedPreferences` and if `SharedPreferences` contains text when you are relaunching your application, then finish your login `Activity` and start the authorized `Activity`. – Wroclai Apr 27 '11 at 19:55
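
The flow this thread converges on (probe a URL that requires the username and password, treat a 401 as a failed login, keep the pair in `SharedPreferences`, reuse it on relaunch), as an added example that is not code from any of the posts. It assumes the service uses standard HTTP authentication that Apache HttpClient's credentials provider can answer, which the 401-then-200 exchange in the comments suggests; the class name, preference names and the `https://api.example.com/ping` URL are placeholders.

```java
import android.content.Context;
import android.content.SharedPreferences;
import java.io.IOException;
import java.net.URI;
import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;

public final class CredentialStore {
    // Placeholder: any URL on the service that requires the username and password.
    private static final URI PROBE = URI.create("https://api.example.com/ping");
    private final SharedPreferences prefs;

    public CredentialStore(Context ctx) {
        // MODE_PRIVATE limits the file to this app's UID; the values are still plaintext.
        prefs = ctx.getSharedPreferences("credentials", Context.MODE_PRIVATE);
    }

    /** Client that answers the server's 401 challenge itself, only for the probe's host. */
    public static DefaultHttpClient clientFor(String user, String pass) {
        DefaultHttpClient client = new DefaultHttpClient();
        client.getCredentialsProvider().setCredentials(
                new AuthScope(PROBE.getHost(), AuthScope.ANY_PORT),
                new UsernamePasswordCredentials(user, pass));
        return client;
    }

    /** Call off the UI thread. Stores the pair only if the server accepts it. */
    public boolean login(String user, String pass) throws IOException {
        DefaultHttpClient client = clientFor(user, pass);
        try {
            HttpResponse resp = client.execute(new HttpGet(PROBE));
            int status = resp.getStatusLine().getStatusCode();
            // A 401 that survives the retry means wrong or changed password: forget the pair.
            if (status == HttpStatus.SC_UNAUTHORIZED) { clear(); return false; }
            if (status != HttpStatus.SC_OK) throw new IOException("Unexpected status " + status);
            // commit(), not apply(): apply() needs API 9 and Android 2.2 is API 8.
            return prefs.edit().putString("user", user).putString("pass", pass).commit();
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
    public boolean hasCredentials() { return prefs.contains("user") && prefs.contains("pass"); }
    public String user() { return prefs.getString("user", null); }
    public String pass() { return prefs.getString("pass", null); }
    public void clear() { prefs.edit().clear().commit(); }
}
```

The login `Activity` can check `hasCredentials()` in `onCreate()` and call `login(user(), pass())` again on relaunch to catch a password changed on the server. Because the password sits unencrypted in the preferences file and travels with every request, the example keeps the file private to the app and uses an HTTPS URL.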