But in your solution anyone in the middle can get that token also, so he can intercept and change the request, no?
On Monday, November 5, 2012 11:52:17 PM UTC+5:30, Jeffrey Walton wrote:
> On Fri, Nov 2, 2012 at 12:06 AM, Rajiv Yadav <[email protected]> wrote:
> > Hi, I am developing an application which uses RESTful services (near about 30 RESTful methods; some are using "get" and some are "post").
> > It is working fine, but in each call throughout the application I need to send some secure data (like username, password in some encrypted form).
> >
> > My question is: is there any secure way for this? Please suggest.
>
> Yes. You log in to the application once with a {username, password} pair. You never use the {username, password} again in a request (until the server expires the session). If the server expires the session, then you have to log in again. In return for a successful log in, you get a token to use on future requests. This is coarse-grained entitlements (can you use the application?).
>
> When a request arrives at the server for services, the request includes the token. The server provides the mapping between token->user. This is fine-grained entitlements (can the user access the resource?).
>
> If I see a web app cross my desk that uses {username, password} in each request, then I boot the application immediately. Just giving you fair warning here since I'm not the only guy who will deny such an application.
>
> Jeff
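The login-once, token-on-every-request flow Jeff describes, as an added example in Python (not code from this thread): a server-side store that issues an opaque token after a successful {username, password} check, maps token->user on each later request and expires the session (coarse-grained: can you use the application?), then checks a per-resource ACL (fine-grained: can this user access the resource?). The user table, salt, TTL, ACL and the adjustable clock are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 15 * 60  # constructed value: seconds a token stays valid after login


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenService:
    """Login once with {username, password}; every later request carries only the token.
    Assumption outside the thread: the token travels only over TLS; nothing here protects transport."""

    def __init__(self, users, acl, now=time.time):
        self._users = users        # username -> (salt, pbkdf2 hash)
        self._acl = acl            # resource -> set of usernames allowed
        self._sessions = {}        # token -> (username, expiry timestamp)
        self._now = now            # injectable clock so expiry can be exercised

    def login(self, username, password):
        """Return a fresh opaque token on success, None otherwise."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._sessions[token] = (username, self._now() + SESSION_TTL)
        return token

    def user_for(self, token):
        """Coarse-grained entitlement: token -> user, or None if unknown/expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self._now() >= expiry:
            del self._sessions[token]  # expired: the client must log in again
            return None
        return username

    def authorize(self, token, resource):
        """Fine-grained entitlement: may the user behind this token access the resource?"""
        user = self.user_for(token)
        if user is None:
            return "401 login required"
        if user not in self._acl.get(resource, set()):
            return "403 forbidden"
        return "200 ok"
```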
