#1 2013-09-11 14:53:16

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

Android-mORMot Authentication

Hi. I created an Android-mORMot auth scheme. User request is authenticated successfully in Android, but subsequently my session signature fails.

-->http://10.0.2.2:8080/root/auth?UserName=User
{"result":"9f076b7eb7fdc0311cd3208cdbbebbf8014dd3a05e35191c96947b358a362b40"}

-->http://10.0.2.2:8080/root/auth?UserName=User&Password=be871ee48a107329b1182d6bb81ace643d8d94d91e9ddc043683244542eb9710&ClientNonce=a90a49ace37d77de7bb14f68ad94a8a2b41c93219d586dc06e1ad36b6b6c8b4d376fe8cd70b02ab374e13d619aed52de1b99c82cb3cad5fde65042d7ad25c407610b631a9370858f525cdf3dd44eb8b054cba76e16e978af2df127af9677a682a45399c4798a3a902c98a47ed1a47024e8e3b9ed7e045f19b5087883b6737640
=====================================================================
{"result":"66+644652a707771dd92fe19a6640c70965dce2904a735aa9ba639a4af3e8bb5eae","logonname":"User"}
==> here we are connected!

----------------------------------------------

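	// Appends session_signature = session ID + timestamp + CRC32, each as a hex field, to the URI.
	// FZeroMS, FPrivateKey, FSessionID, preencheZero() and CRC32() are not shown in the post.
	public static String GetURISignature(String AURI) {
		long LMsecs, endTime;
		String LTimeStamp, LSign, LCrc, s;
		endTime = Math.abs(System.currentTimeMillis());
		// Milliseconds elapsed since FZeroMS
		LMsecs = (endTime - FZeroMS);
		// preencheZero ("fill zero") yields zero-padded hex, e.g. 0000042e
		LTimeStamp = preencheZero(Long.toHexString(LMsecs));
		// CRC32 over private key + timestamp + URI, concatenated as one string
		LCrc = preencheZero(Long.toHexString(CRC32(FPrivateKey + LTimeStamp + AURI)));
		LSign = (preencheZero(Integer.toHexString(FSessionID)) + LTimeStamp + LCrc);
		// Use '?' if the URI has no query string yet, '&' otherwise
		s = AURI.indexOf("?") == -1 ? AURI + "?session_signature=" : AURI + "&session_signature=";
		return s + LSign;
	}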

AURI: "root/SampleRecord/?select=*"
FPrivateKey: 66+644652a707771dd92fe19a6640c70965dce2904a735aa9ba639a4af3e8bb5eae
FSessionID: 66
LMsecs: 0000042e
LCrc: 33d70a79

-->http://10.0.2.2:8080/root/SampleRecord/?select=*&session_signature=000000420000042e33d70a79
{"ErrorCode":403,"ErrorText":"Forbidden"}
==> There has been an error at my session_signature!

Any idea?

Offline
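
Added example, not part of the original posts: a small Java helper that splits a session_signature into the three 8-hex-digit fields that GetURISignature concatenates (session ID, timestamp, CRC) and compares the session ID with the auth result, to rule out a layout or session-ID mistake when debugging the 403. The class and method names are this example's own, and reading the session ID as the decimal prefix before '+' is an assumption inferred from the values in the post.

```java
import java.util.Locale;

// Added example: decodes the session_signature layout shown in the first post.
public class SessionSignatureInspector {

    /** Parsed fields; the names are this example's own. */
    static final class Fields {
        final long sessionId, timestamp, crc;
        Fields(long s, long t, long c) { sessionId = s; timestamp = t; crc = c; }
    }

    /** Returns the session_signature query parameter of a URL, or null if absent. */
    static String extractSignature(String url) {
        int q = url.indexOf('?');
        if (q < 0) return null;
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.startsWith("session_signature=")) {
                return pair.substring("session_signature=".length());
            }
        }
        return null;
    }

    /** Rejects anything that is not exactly 24 hex digits (3 fields x 8). */
    static Fields parse(String sig) {
        if (sig == null || !sig.matches("[0-9A-Fa-f]{24}")) {
            throw new IllegalArgumentException("expected 24 hex digits, got: " + sig);
        }
        return new Fields(Long.parseLong(sig.substring(0, 8), 16),
                          Long.parseLong(sig.substring(8, 16), 16),
                          Long.parseLong(sig.substring(16, 24), 16));
    }

    /** Assumption: the session ID is the decimal prefix before '+' in the auth "result". */
    static long sessionIdFromAuthResult(String result) {
        int plus = result.indexOf('+');
        if (plus <= 0) throw new IllegalArgumentException("no 'id+key' separator");
        return Long.parseLong(result.substring(0, plus));
    }

    public static void main(String[] args) {
        // Values copied from the first post.
        String authResult = "66+644652a707771dd92fe19a6640c70965dce2904a735aa9ba639a4af3e8bb5eae";
        String url = "http://10.0.2.2:8080/root/SampleRecord/?select=*&session_signature=000000420000042e33d70a79";
        Fields f = parse(extractSignature(url));
        System.out.printf(Locale.ROOT, "session=%d timestamp=0x%08x crc=0x%08x idMatches=%b%n",
                f.sessionId, f.timestamp, f.crc, f.sessionId == sessionIdFromAuthResult(authResult));
    }
}
```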

#2 2013-09-11 15:10:24

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661
Website

Re: Android-mORMot Authentication

You can use the debugger on the server side and see in which part of the code the signature is recognized as invalid.

Offline

#3 2013-09-16 13:00:57

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

Re: Android-mORMot Authentication

Hi,
I would like to implement project 14 - Interface-based services using Android Client. After authentication,
I'd like to call method Calculator.Add.

a) If I call the Calculator.Add method, do I also have to call the method Free? Like this:

POST http://localhost:8080/root/Calculator.Add?session_signature=0000004C1C151ECB683261AB
[25,12]

POST http://localhost:8080/root/Calculator._free_/3?session_signature=0000004C1C151ECCD12895EF

b) What is the easiest way to implement a logout method and drop the session? Should I send a dedicated HTTP method to inform the server side?

Regards,

Offline

#4 2013-09-16 13:50:35

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661
Website

Re: Android-mORMot Authentication

Yes, this is the meaning of the _free_ pseudo-method.

There is a time-out function for sessions, but the best way is to remove the session explicitly with _free_.

Offline

#5 2013-09-18 22:53:48

warleyalex
Member
From: Sete Lagoas-MG, Brasil
Registered: 2013-01-20
Posts: 250

Re: Android-mORMot Authentication

Many thanks. I understand that when logging out, I shouldn't just delete the session id on the client side; the best approach is to send a logout to the server explicitly as well.

I created an Android client using Delphi mORMot Authentication http://youtu.be/F4V5Mae9lRw.
Once I have authenticated, I set a variable connected=true, but when the session expires, I would like to re-login.

Any idea how to implement a re-login feature, to prompt the user with the re-login screen when the session expires?

Offline

#6 2013-09-19 05:39:04

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661
Website

Re: Android-mORMot Authentication

warleyalex wrote:

Any idea how to implement a re-login feature, to prompt the user with the re-login screen when the session expires?

AFAIK there is already such code in TSQLRestClientURI.URI().

Offline
