<div dir="ltr"><div style>Hello,</div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 29, 2013 at 10:57 AM, Corinne Krych <span dir="ltr">&lt;<a href="mailto:corinnekrych@gmail.com" target="_blank">corinnekrych@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Hi Christos,<div><br></div><div><span style="color:rgb(51,51,51);font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:11.818181991577148px;line-height:17.99715805053711px;white-space:pre-wrap">Looking at the integration test code for the second approach (the one not using the Auth Module), you just set the credentials and you don&#39;t have to </span><span style="color:rgb(51,51,51);font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:17.984375px;white-space:pre-wrap">explicitly</span><span style="color:rgb(51,51,51);font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:11.818181991577148px;line-height:17.99715805053711px;white-space:pre-wrap"> call login/logout?</span></div>
</div></blockquote><div><br></div><div>For BASIC/DIGEST, there is no _real_ login/logout. Every request just contains the credentials, in order to access the protected URL(s).<div>So, there is NO explicit login against some &quot;/login&quot; endpoint on the server (which _could_ set up some infrastructure).</div>
<div>Similar for logout: no explicit call against a /logout endpoint (which _could_ do some clean-ups etc.).</div></div><div><br></div><div style>On the AuthModule branch: Login &quot;just&quot; applies the given credentials; Logout &quot;just&quot; clears them out.<br>
</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><font color="#333333" face="Consolas, Liberation Mono, Courier, monospace"><span style="font-size:12px;line-height:17.984375px;white-space:pre-wrap">Sure it looks like magic.</span></font></div>

<div><font color="#333333" face="Consolas, Liberation Mono, Courier, monospace"><span style="font-size:12px;line-height:17.984375px;white-space:pre-wrap">You don&#39;t have the nested callback structure. But w</span></font><span style="font-size:12px;line-height:17.984375px;white-space:pre-wrap;color:rgb(51,51,51);font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace">here do you put the failure block code then, in case of wrong credentials? </span></div>
</div></blockquote><div><br></div><div>Wrong credentials mean: the &quot;failure&quot; callback of the pipe methods (e.g. read) is invoked, presenting you with a 401 response.<br></div><div><br></div><div><br></div><div><br></div>
<div style>-Matthias</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">

<div><br></div><div><font color="#333333" face="Consolas, Liberation Mono, Courier, monospace"><span style="font-size:11.818181991577148px;line-height:17.99715805053711px;white-space:pre-wrap">++</span></font></div>
<div><font color="#333333" face="Consolas, Liberation Mono, Courier, monospace"><span style="font-size:11.818181991577148px;line-height:17.99715805053711px;white-space:pre-wrap">Corinne</span></font></div></div><div class="gmail_extra">

<br><br><div class="gmail_quote"><div><div class="h5">On 29 May 2013 10:20, Christos Vasilakis <span dir="ltr">&lt;<a href="mailto:cvasilak@gmail.com" target="_blank">cvasilak@gmail.com</a>&gt;</span> wrote:<br></div></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div class="h5">
<div style="word-wrap:break-word"><div>Hi,</div><div><br></div><div>The iOS platform provides built-in implementations for authenticating against HTTP endpoints that support Basic / Digest authentication (among others). The workflow when iOS tries to authenticate against those endpoints is basically:</div>

<div><br></div><div>a) A credential storage <a href="https://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Foundation/Classes/NSURLCredentialStorage_Class/Reference/Reference.html" target="_blank">singleton object</a> provided by the system is consulted for authentication credentials. If credentials are found, the system proceeds with authentication. Understandably, for this to work, the developer has to initially push the credentials to the system object (and remove them when done).</div>

<div><br></div><div>b) If credentials are NOT found, the system tries to call the delegate method e.g. &#39;<a href="http://developer.apple.com/library/mac/documentation/Foundation/Reference/NSURLConnectionDelegate_Protocol/Reference/Reference.html#//apple_ref/occ/intfm/NSURLConnectionDelegate/connection:didReceiveAuthenticationChallenge:" target="_blank">connection:didReceiveAuthenticationChallenge</a>&#39;, giving a chance for the user to provide the credentials, by calling the appropriate methods on the authentication challenge object passed in.</div>

<div><br></div><div>The AeroGear library currently has a notion of pluggable authentication modules providing an interface for clients to implement &#39;login&#39; and &#39;logout&#39; methods, depending on the authentication scenarios that they try to support. This fits nicely with the singleton credential storage approach, in the sense that when doing &#39;login&#39; and &#39;logout&#39;, we simply edit the credential storage, adding or removing credentials appropriately. A branch for this work can be found <a href="https://github.com/cvasilak/aerogear-ios/tree/basic.digest.auth" target="_blank">here</a>. For usage, have a look at our <a href="https://github.com/cvasilak/aerogear-ios-integration/blob/basic.digest.auth/AeroGear-iOS-Integration/AeroGear-iOS-IntegrationTests/AGHttpBasicAuthenticationTests.m" target="_blank">integration test</a>.</div>

<div><br></div><div>For testing purposes, <a href="https://github.com/cvasilak/aerogear-ios/tree/basic.digest.nsurlcredential" target="_blank">another branch</a> was created, this time letting the user <a href="https://github.com/cvasilak/aerogear-ios-integration/blob/basic.digest.nsurlcredential/AeroGear-iOS-Integration/AeroGear-iOS-IntegrationTests/AGHttpBasicAuthenticationTests.m#L50" target="_blank">directly pass</a> an <a href="http://developer.apple.com/library/ios/#Documentation/Cocoa/Reference/Foundation/Classes/NSURLCredential_Class/Reference/Reference.html" target="_blank">NSURLCredential</a> object initialised with the username/password combination during the Pipe configuration. Those credentials are internally stored and given back to the system by implementing the <a href="https://github.com/cvasilak/aerogear-ios/blob/basic.digest.nsurlcredential/AeroGear-iOS/AeroGear-iOS/core/AGHttpClient.m#L240" target="_blank">necessary callback</a>. A usage example can be found in our <a href="https://github.com/cvasilak/aerogear-ios-integration/blob/basic.digest.nsurlcredential/AeroGear-iOS-Integration/AeroGear-iOS-IntegrationTests/AGHttpBasicAuthenticationTests.m" target="_blank">integration test</a>.</div>

<div><br></div><div>advantages of using the singleton approach:</div><div>- fits nicely with the authentication mechanism we have in place (as an extension <a href="https://github.com/cvasilak/aerogear-ios/blob/basic.digest.auth/AeroGear-iOS/AeroGear-iOS/security/AGHttpBasicDigestAuthentication.m" target="_blank">HTTPBasicDigestAuthenticationModule</a>) so user familiarity when looking to add basic/digest support to the Pipe.</div>

<div>- we control the credential type e.g. &#39;NSURLCredentialPersistenceForSession&#39;. This eliminates errors of using &#39;NSURLCredentialPersistencePermanent&#39; and having the user explicitly clear the keychain when trying to login with a different combination. From my search, many errors occur because of this.</div>

<div><br></div><div>disadvantages of using the singleton approach:</div><div>- not sure if many iOS devs will like the fact of creating an Authenticator object instead of directly using an NSURLCredential object that they are used to.</div>

<div><br></div><div>---</div><div>advantages of using the &#39;nsurlcredential&#39; directly:</div><div>- user familiarity with the object.</div><div>- no explicit login/logout request.</div><div><br></div><div>disadvantages of using the &#39;nsurlcredential&#39; directly:</div>

<div>- erroneous credential type can lead to errors.</div><div><br></div><div>After discussions with Matthias, we are more keen on following the <a href="https://github.com/cvasilak/aerogear-ios/blob/basic.digest.auth/AeroGear-iOS/AeroGear-iOS/security/AGHttpBasicDigestAuthentication.m" target="_blank">HTTPBasicDigestAuthenticationModule</a> approach instead of providing the <a href="http://developer.apple.com/library/ios/#Documentation/Cocoa/Reference/Foundation/Classes/NSURLCredential_Class/Reference/Reference.html" target="_blank">NSURLCredential</a> configuration option on the Pipe. Surely enough, in the documentation we will explicitly state that &quot;login&quot;/&quot;logout&quot; methods serve as a means to internally set up the iOS authentication system so users don&#39;t have to (instead of calling remote endpoints).</div>

<div><br></div><div>Wdyt?</div><div><br></div><div>Thanks,</div><div>Christos</div><div><br></div></div><br></div></div>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
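<div>Added example, not code from this thread or from the AeroGear branches it links to: a sketch of the "login applies the credentials, logout clears them" idea on top of the shared NSURLCredentialStorage, pinned to session persistence. The class name ExampleCredentialAuth, its method names and the realm parameter are hypothetical; ARC is assumed.</div>

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper for illustration; not AeroGear's authentication module.
@interface ExampleCredentialAuth : NSObject
- (instancetype)initWithBaseURL:(NSURL *)baseURL realm:(NSString *)realm;
- (void)loginWithUser:(NSString *)user password:(NSString *)password;
- (void)logout;
@end

@implementation ExampleCredentialAuth {
    NSURLProtectionSpace *_space;
}

- (instancetype)initWithBaseURL:(NSURL *)baseURL realm:(NSString *)realm {
    if ((self = [super init])) {
        BOOL https = [baseURL.scheme caseInsensitiveCompare:@"https"] == NSOrderedSame;
        NSInteger port = baseURL.port ? baseURL.port.integerValue : (https ? 443 : 80);
        // The system only offers a stored credential when host, port, protocol,
        // realm and method all match the server's challenge.
        _space = [[NSURLProtectionSpace alloc]
                    initWithHost:baseURL.host
                            port:port
                        protocol:(https ? NSURLProtectionSpaceHTTPS : NSURLProtectionSpaceHTTP)
                           realm:realm
            authenticationMethod:NSURLAuthenticationMethodHTTPBasic];
    }
    return self;
}

// "Login" contacts no endpoint: it only hands the credential to the system.
// Session persistence keeps it out of the keychain, so a later login with a
// different user/password is not shadowed by a permanently stored entry.
- (void)loginWithUser:(NSString *)user password:(NSString *)password {
    NSURLCredential *credential =
        [NSURLCredential credentialWithUser:user
                                   password:password
                                persistence:NSURLCredentialPersistenceForSession];
    [[NSURLCredentialStorage sharedCredentialStorage] setDefaultCredential:credential
                                                        forProtectionSpace:_space];
}

// "Logout" removes every credential stored for this protection space.
- (void)logout {
    NSURLCredentialStorage *storage = [NSURLCredentialStorage sharedCredentialStorage];
    NSDictionary *stored = [[storage credentialsForProtectionSpace:_space] copy];
    for (NSURLCredential *credential in stored.allValues) {
        [storage removeCredential:credential forProtectionSpace:_space];
    }
}
@end
```

<div>After logout, or with a wrong user/password, requests to the protected URL are answered with a 401, which is what the failure callback described in the thread receives.</div>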