json - How can I securely (indirectly) query a postgresql database within android? -


the current solution have adopt uses jdbc , stores user/password of database inside android app. that's far i'm concerned not solution. implement mapping layer on webserver in middle.

is there best practice or recommended strategy this? should use soap or json or different (because they're implemented and/or easy use in java)? there mapping tools postgresql <-> soap/json/whatever in php or need write these scripts myself?

any pointers appreciated.

quick version:

use web service midlayer running on public host control (possibly not database host). expose public web service methods limited work want permit , nothing else.

related questions:

implementation options

personally i'd use java application server apache tomcat or jboss 7 , i'd write web service methods using jax-rs produce nice rest-style api app use. that's i'm familiar , works well, have lots of options including implementations of:

  • rest-like apis (java's jax-rs impls jersey , resteasy, various other langs tools) use http requests , produce json or xml replies.

  • soap wsdl, classic "web service" layer. in java done jax-ws among other options. languages have tools soap+wsdl it's kind of crappy work on intermittently connected devices mobiles.

  • xml-rpc if pain

there jax-rs quickstarts on jboss 7 quickstarts list; search "jax-rs". "kitchen sink" quickstart useful, though perhaps not ideal if you're not familiar basics of jboss 7 , jave ee 6. fort jax-rs specifics you're better off jersey or resteasy tutorial this or this.

important considerations

use https if possible, , if access isn't public use suitable http authentication scheme http basic auth on https. decent web services implementation offer authentication options or support of platform on runs. avoid temptation implement own authentication , user management @ web services layer, will screw up; use auth @ http layer that's written , tested. may require use of apache's mod_auth_pgsql, jboss 7's jdbc security realms, etc. case i'd consider not doing proper per-user http auth don't need separate users security reasons, care it's app accessing server, ie if security requirements quite weak. in case i'd use fixed username/password whole app , possibly x.509 client certificate if android supports them.

remember no matter how secure things, credentials either known user or can extracted trivially .apk still have assume access web service methods, not app. write them accordingly.

do not send sql app on web service call server , return results json. horrifyingly insecure, ugly , clunky. write web service method each individual task want app able perform , keep sql in server. remember use parameterised queries , careful of other sql injection risks. these web service methods may use 1 or more queries produce single reply - example, might collect "customer" record , associated "address" , "contact" records return result in nice json object android device can consume, saving numerous slow , unreliable network round trips.

no matter use, make sure web service calls in background worker thread , not block user interface. prepared timeouts , errors, , need retries. test app simulating intermittent connection loss, high latency, , high rates of packet loss , make sure remains usable.


Comments

Post a Comment

Popular posts from this blog

java - Play! framework 2.0: How to display multiple image? -

i need display gallery of photos. here template: @(photos: list[photo]) @title = { <bold>gallery</bold> } @main(title,"photo"){ <ul class="thumbnails"> @for(photo <- photos) { <li class="span3"> <a href="#" class="thumbnail"> <img src="@photo.path" alt=""> </a> </li> } </ul> } and here controller method: public static result getphotos() { return ok(views.html.photo.gallery.render(photo.get())); } and here photo bean : @entity public class photo extends model { @id public long id; @required public string label; public string path; public photo(string path, string label) { this.path = path; this.label = label; } private static finder<long, photo> find = new finder<long, photo>( long.class, photo.class); public static list<phot...
Read more

gmail - Is there any documentation for read-only access to the Google Contacts API? -

i want read-only access user's google contacts. there stackoverflow member wanted this, , received following answer : yes, there is, use https://www.googleapis.com/auth/contacts.readonly scope , "view contacts". this exchange reference read-only access google contacts can find using google. simply using access token obtained attempt read usual google contacts api (i.e. https://www.google.com/m8/feeds ) fails insufficient permissions. similarly, using google contacts api on new target fails 404 errors (for example https://www.googleapis.com/auth/contacts.readonly/default/full ). is there documentation anywhere on how use api, or permissible way access google contacts api full read-write access?
Read more

php - Controller/JToolBar not working in Joomla 2.5 -

relevant code: jtoolbarhelper::custom('savecategories', 'save', '', 'save', false, false); ... <input type="hidden" name="controller" value="easyblogcontroller"> according can dig docs , own previous questions, should call savecategories() function in easyblogcontroller . i've tried setting value easyblog , easyblog.php (file name) current easyblogcontroller (class name). clicking on save button refreshes page. not redirect, echo or var_dump test code put in savecategories() function. var_dump ing jrequest::getvar('controller') , 'task' return correct values. creating controller object , using $controller->execute('task'); works. the values going depend on location of controller trying call, , have couple options here. typically there controller in base folder of component (likely components/com_easyblog) in file called controller.php , class name inside ...
Read more