Authentication with CodeIgniter API - web-services

I have been working on a PHP project recently and I have created an API that will be consumed by mobile clients. I am using CodeIgniter as it provides a nice RESTful interface out of the box. I am inexperienced in PHP development and especially securing PHP web services. I was hoping to solicit some information about how I should go about implementing user authentication with my API. The information is not super sensitive but I do need clients to authenticate with the service.
Since my clients are mobile devices I'm uncertain how to go about implementing a membership provider model using CI since I won't have the luxury of a session (or do I?). Will my users merely send their credentials each time a request is made using SSL? Can someone provide me with some direction or documentation that might help?
Thanks!

Use Phil Sturgeon's Rest API. He's already built these things in.
http://philsturgeon.co.uk/blog/2009/06/REST-implementation-for-CodeIgniter

Related

User authentication in java web services

I'm developing a Java web application which is deployed on a GlassFish server. The web services are used to connect to user databases. Each user has a database. My question is, is there a way to keep track of the user? For example in servlets we use sessions in order to store some user specific data. Is there something similar to it in web services? It seems impractical to have to authenticate the username and password each time the user sends a request to a web service. Thanks.
Web services may also use sessions, however there are good reasons to keep them stateless:
it might be that the clients do not support sessions (cookies), e.g. if your clients are not browser based;
stateless services are easier to scale.
You do not have to use username+password for authentication. You may use JWT (or other kinds of access tokens) to protect them.
Auth0 has got a nice article on this topic:
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/

Login/Registration functionality in cq5

I need to create register/login functionality in CQ5. There are three ways
1 - The register/login functionality should be prepared as web service hosted on a Java Application Server and then we can consume data from web services.
2 - The functionality should be prepared as a web service based on RESTful that is hosted on CQ itself, since AEM is developed around the REST principle and REST web services is certainly one which will be supported. So I believe RESTful web services can be hosted with CQ5.
3 - Why do we need web services? I do not think it requires web services since my application is not going to communicate with other applications and it doesn't want to expose any services to the outside world. Why don't we create register/login functionality as we do in a normal web application? Can we create an OSGi bundle that invokes databases to store user details for register/login functionality?
I would go for the 3rd option but my concern is AEM is not the place to build our business logic to carry out functions that are not related to content rendering.
Which option would you choose and why? Kindly share your ideas and thoughts. I am just looking for the best solution to develop register/login functionality in CQ.
Thanks
I think I am late to the party but it might help someone. Yes, you can very well create REST web services in CQ and they work well. So, you can take that approach.
The way to go about implementing login/registration would be how it is done OOTB, but OOTB is also bad in the way it implements it so you have to make modifications to overcome that.
1) You need to register an Authentication handler with CQ. If you are looking for a sample there is a form authentication handler source that you can look at.
2) We have integrated our Auth handler with Active Directory (AD). Since AD is supported by default, it is easy to integrate with Auth Handlers.
3) Next you need to create a user login token for which you can look into TokenUtil class of CQ or if you are looking to develop SSO, you can look into SSO code that is packaged OOTB.

Web application as a client for web service

I am new to Web development. And hence, if the question is dumb, please be polite. For creating my application, I had to take a decision of whether writing a web service or a web application. After searching a few questions in stackoverflow, I came to know that, web service is something which doesn't involve human interaction. And web application is what human uses ( the UI/web page kind of stuffs ).
But lately, I saw gmail is a web service ( email service ). But I was confused from here on, because, gmail provides a UI, and human interactions do occur. And from there on, I got confused again.
So what I figured out from this is, gmail website is like a web application for users to use directly. The web application in turn uses the web service provided by Google for email. Is my understanding right? So can a web application be a client for web service?
If I am wrong somewhere, please do correct me. I hope to be clear after someone throws light on this with some good example. Thanks in advance.
You are quite right. Basically a Web Service has several endpoints over HTTP (normally) that provide data (generally in JSON or XML) and are meant to be consumed by Web Clients. Sometimes they are also called Web APIs (Application Program Interface).
A Web Application is quite similar to a Web Service but it provides an interface where the user can interact with. Usually Web Applications are consumers of Web Services or Web APIs.
Following your example, Google email could be considered as both a Web Service and a Web Application. It is a Web Service because it provides a set of HTTP endpoints that work independently of its Web UI Application (GMail). In fact, you can find third party Web Apps that interact with the Google email Web API.
This concept is very important when designing Web Solutions. Ideally you want to design and implement a good Web API, usually a RESTful Service (in JSON/XML). Then you or others will be able to implement different types of applications (Web, Mobile, etc.) because of this API.

Invoking a web service API by using Text Message

Now I am creating an iOS application. I also implemented some web services. My requirement is: "The user should be able to call a web service API by sending a Text Message (SMS)". After a lot of research I found out that there is a provider called Clickatell (http://www.clickatell.com/). But I don't know how I can configure it. Please help me in configuring this. Or is there any other API or SMS gateway providing this service?
Disclaimer, I do developer evangelism part time at Nexmo.
Here are a few SMS APIs that I've used (I've not really used Clickatell, but I've gone through the signup process, and the following APIs seem a lot simpler to use):
Nexmo
Twilio
Tropo
All three APIs are straightforward REST/HTTP APIs.
You can call the API directly from your mobile application, however, you should consider if you really want to then compile your API credentials into your application. It may be better to host a kind of proxy that your application uses - here's some example code used as a verification service, but it's essentially the same concept: https://github.com/Nexmo/Verify
I would suggest to take a look at Mogreet's new Developer Web Site
Very easy to use REST/HTTP APIs and very powerful. It supports sending SMS/MMS with awesome quality for all media types.

Web services API architecture

I've recently programmed a REST web service API that allows another website to sign-up for my website remotely.
I've programmed all the necessary validation and filtering in to the API.
My question is, should I now ensure that my own registration form uses the web service API when handling user registration?
The form itself already has the very same validation, but it would seem to be that it would be best if there is only one method that is ultimately responsible for validation/filtering.
That solution doesn't seem to be the best, either, though because I am now making a REST client to touch my own web services API from the exact same website.
The last solution that comes to mind is to put the validation on my user model, and throw an exception up the web services API when validation is triggered. Are there any downsides to this solution?
One of the major benefits of REST is to define an interface that a remote client can access easily with the minimum amount of coupling between client and server. This is very useful when you do not control the client. This allows you to evolve your server interface without breaking existing clients.
The REST interface should really just be a thin layer over your validation and registration logic. In theory it should be easy for you to re-use that logic in your own website without going through the REST api.
Your website is not on a remote machine and you have control over both the client and server portion so you are not gaining anything by going through the REST interface.