[aerogear-dev] iOS Basic/Digest Thoughts
Matthias Wessendorf
matzew at apache.org
Wed May 29 05:09:16 EDT 2013
Hello,
On Wed, May 29, 2013 at 10:57 AM, Corinne Krych <corinnekrych at gmail.com>wrote:
> Hi Christos,
>
> Looking at the integration test code for the second approach (the one not
> using the Auth Module), you just set the credentials and you don't have to
> explicitly call login/logout?
>
for BASIC/DIGEST, there is no _real_ login/logout. Every request just
contains the credentials, in order to access the protected URL(s).
So, there is NO explicit login against some "/login" endpoint on the server
(which _could_ setup some infrastructure)
similar to logout: no explicit call against an /logout endpoint (which
_could_ do some clean-ups etc).
On the AuthModule branch: Login "just" applies the given credentials;
Logout "just" clears them out.
> Sure it looks like magic.
> You don't have the nested callback structure. But where do you put the
> failure block code then, in case of wrong credentials?
>
wrong credentials mean: the "failure" callback of the pipe methods (e.g.
read) are invoked, presenting you a 401 response
-Matthias
>
> ++
> Corinne
>
>
> On 29 May 2013 10:20, Christos Vasilakis <cvasilak at gmail.com> wrote:
>
>> Hi,
>>
>> iOS platform provides built-in implementations for authenticating against
>> HTTP endpoints that support Basic / Digest authentication (among others).
>> The workflow when iOS tries to authenticate against those endpoints is
>> basically:
>>
>> a) A credential storage singleton object<https://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Foundation/Classes/NSURLCredentialStorage_Class/Reference/Reference.html> provided
>> by the system is consulted for authentication credentials. If credentials
>> are found, the system proceeds with authentication. Understandably for this
>> to work, the developer has to initially push the credentials to the system
>> object (and remove when done).
>>
>> b) If credentials are NOT found, the system tries to call the delegate
>> method e.g. 'connection:didReceiveAuthenticationChallenge<http://developer.apple.com/library/mac/documentation/Foundation/Reference/NSURLConnectionDelegate_Protocol/Reference/Reference.html#//apple_ref/occ/intfm/NSURLConnectionDelegate/connection:didReceiveAuthenticationChallenge:>',
>> giving a chance for the user to provide the credentials, by calling the
>> appropriate methods on the authentication challenge object passed in.
>>
>> AeroGear library, currently has a notion of pluggable authentication
>> modules providing an interface for clients to implement 'login', and
>> 'logout' methods, depending on the authentication scenarios that they try
>> to support. This fits nicely with singleton credential storage approach, in
>> the sense when doing 'login' and 'logout', we simply edit the credential
>> storage adding or removing credentials appropriately. A branch for this
>> work can be found here<https://github.com/cvasilak/aerogear-ios/tree/basic.digest.auth>.
>> For usage, have a look at our integration test<https://github.com/cvasilak/aerogear-ios-integration/blob/basic.digest.auth/AeroGear-iOS-Integration/AeroGear-iOS-IntegrationTests/AGHttpBasicAuthenticationTests.m>
>>
>> For testing purposes, another branch<https://github.com/cvasilak/aerogear-ios/tree/basic.digest.nsurlcredential> was
>> created, this time letting the user to directly pass<https://github.com/cvasilak/aerogear-ios-integration/blob/basic.digest.nsurlcredential/AeroGear-iOS-Integration/AeroGear-iOS-IntegrationTests/AGHttpBasicAuthenticationTests.m#L50>
>> an NSURLCredential<http://developer.apple.com/library/ios/#Documentation/Cocoa/Reference/Foundation/Classes/NSURLCredential_Class/Reference/Reference.html> object
>> initialised with the username/password combination during the Pipe
>> configuration. Those credentials are internally stored and given back to
>> the system by implementing the necessary callback <https://github.com/cvasilak/aerogear-ios/blob/basic.digest.nsurlcredential/AeroGear-iOS/AeroGear-iOS/core/AGHttpClient.m#L240>.
>> A usage example can be found in our integration test<https://github.com/cvasilak/aerogear-ios-integration/blob/basic.digest.nsurlcredential/AeroGear-iOS-Integration/AeroGear-iOS-IntegrationTests/AGHttpBasicAuthenticationTests.m>
>>
>> advantages of using the singleton approach:
>> - fits nicely with the authentication mechanism we have in place (as an
>> extension HTTPBasicDigestAuthenticationModule<https://github.com/cvasilak/aerogear-ios/blob/basic.digest.auth/AeroGear-iOS/AeroGear-iOS/security/AGHttpBasicDigestAuthentication.m>)
>> so user familiarity when looking to add basic/digest support to the Pipe.
>> - we control the credential type e.g.
>> 'NSURLCredentialPersistenceForSession'. This eliminates errors of using
>> 'NSURLCredentialPersistencePermanent' and having the user to explicitly
>> clear the keychain when trying to login with a different combination. For
>> my search, many errors occurs because of this.
>>
>> disadvantages of using the singleton approach:
>> - not sure if many iOS dev will like the fact of creating an
>> Authenticator object instead of using directly an NSURLCredential object
>> that are used to.
>>
>> ---
>> advantages of using the 'nsurlcredential' directly:
>> - users familiarity with the object.
>> - not explicit login logout request.
>>
>> disadvantages of using the 'nsurlcredential' directly:
>> - error credential type can lead to errors.
>>
>> With discussions with Matthias, we are more keen in following the
>> HTTPBasicDigestAuthenticationModule<https://github.com/cvasilak/aerogear-ios/blob/basic.digest.auth/AeroGear-iOS/AeroGear-iOS/security/AGHttpBasicDigestAuthentication.m> approach
>> instead of providing the NSURLCredential<http://developer.apple.com/library/ios/#Documentation/Cocoa/Reference/Foundation/Classes/NSURLCredential_Class/Reference/Reference.html> configuration
>> option on the Pipe. Surely enough, in the documentation we will explicitly
>> state that "login"/ "logout" methods, serve as a mean to setup internally
>> the iOS authentication system so users don't have too (instead of calling
>> remote endpoints)
>>
>> Wdyt?
>>
>> Thanks,
>> Christos
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20130529/fd614ff5/attachment-0001.html
More information about the aerogear-dev
mailing list