Tuesday, 17 January 2017

Sharing authentication between iOS app and existing web app

I have an existing Java Glassfish web application with user authentication and user role security where users can access and modify information from a database.

I'm writing an iOS application which integrates with that web app. The user needs to be able to authenticate on the iOS app using the same credentials as the web app. Certain parts of iOS app need to be able to open web pages in the web app with the user already logged in (as long as they have access to that particular page).

I'm looking for tips on how to share the authentication. It doesn't need to work in the opposite direction.

My plan is to do something like this:

1) Expose an authentication web service method on the web app which takes a username and hashed password and responds, if successful, with a unique token. I think a random token is best. Store this token next to user info in database.

2) Use this auth token to authenticate for any other web services required for the iOS app's functions.

3) Modify web app's user security code to automatically consider user logged in if an auth token is passed in with the page request.

4) Expire auth token when user logs out of the iOS app

Is this a solid strategy for handling this problem? Any other suggestions or links to relevant information would be appreciated.

Should I be worried about sending around the auth token in plain text? If it's a random token, there's no chance of users guessing someone else's token. There is the possibility the token gets read in transit from one user and copied by another user, but I'm not sure there's a simple solution to avoid that. Client wants the iOS user session not to expire based on time, but maybe I can negotiate that.
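The four-step token scheme from the question, sketched as an added Python example (it is not code from the question or from the Glassfish application it describes; the server side of a real deployment would live in the Java web app). The user store, the in-memory token table, the `Authorization: Bearer` header convention and the function names are assumptions. Transport protection is assumed to be TLS and is not shown. The example stores only a SHA-256 of each token next to the user, so a copy of the table does not contain usable tokens, it compares secrets in constant time, it revokes the token on logout, and it carries an optional time-to-live in case the no-expiry requirement can be negotiated.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the web app's user table: username -> hashed password.
# The question's design sends a hashed password from the client, so that is what login() compares.
_USERS = {}

# Constructed stand-in for the "token next to user info" table.
# Keyed by SHA-256(token), never by the raw token, so a dumped table yields nothing usable.
_TOKENS = {}


def hash_password(password):
    """Password hashing as assumed for this example (the real web app's scheme may differ)."""
    return hashlib.sha256(password.encode()).hexdigest()


def register(username, password):
    """Populate the constructed user store."""
    _USERS[username] = hash_password(password)


def _token_key(token):
    """Tokens are looked up by their hash; the raw token exists only on the client."""
    return hashlib.sha256(token.encode()).hexdigest()


def login(username, password_hash, ttl_seconds=None):
    """Step 1: verify credentials, mint a random token, store its hash next to the user.

    Returns the raw token to hand to the iOS app, or None on failure.
    """
    stored = _USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password_hash):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    expires = None if ttl_seconds is None else time.time() + ttl_seconds
    _TOKENS[_token_key(token)] = {"user": username, "expires": expires}
    return token


def authenticate(token):
    """Step 2: resolve a presented token to a username.

    Returns None for unknown, revoked or expired tokens; expired entries are purged.
    """
    key = _token_key(token)
    entry = _TOKENS.get(key)
    if entry is None:
        return None
    if entry["expires"] is not None and time.time() > entry["expires"]:
        del _TOKENS[key]
        return None
    return entry["user"]


def user_for_request(headers):
    """Step 3: the web app's security layer treats the user as logged in when a valid
    'Authorization: Bearer <token>' header accompanies the page request (header name assumed)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return authenticate(token)


def logout(token):
    """Step 4: revoke the token so it cannot be replayed after the iOS user logs out."""
    return _TOKENS.pop(_token_key(token), None) is not None


if __name__ == "__main__":
    register("alice", "correct horse")
    tok = login("alice", hash_password("correct horse"))
    print("issued token for", user_for_request({"Authorization": "Bearer " + tok}))
    logout(tok)
    print("after logout:", authenticate(tok))
```

Because only the hash of the token is stored, a token that is copied in transit is still usable until it is revoked or expires, which is exactly the residual risk the question raises; the time-to-live parameter is the server-side control for bounding that window.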
