In my app I make HTTP calls to a web service over HTTPS. My desire is to design my client in such a way that it only asks the user for their username and password when there is an authentication challenge. I want to be reactive, not preemptive. Due to the nature of my app, there are certain cases where it would not need to authenticate.
In iOS, this process is made very easy via the NSURLConnectionDelegateProtocol, which is implemented in the iOS version of my app. A connection is made using this class, and only when a challenge is presented does the class asks its delegate for authentication credentials.
How can this be done in Android? Using the AuthenticationHandler? Or perhaps the Authenticator? If so, could can example or tutorial be provided?
Edit 1:
Using the Authenticator class (see my answer below) I am now able to respond to authentication challenges, but currently only with hard-coded credentials. I want to prompt the user for a username and password. According to the Android documentation, within the getPasswordAuthentication method you “usually prompt the user for required input”.
How is this possible? Without blocking the UI thread, which I know cannot/should-not be done, how can you display a dialog, wait for user input, then retrieve the entered credentials and return them, all within that method?
Edit 2:
While there are little or no examples on the use of the Authenticator class, what I have been able to find suggests that prompting the user for input is impossible from within a single method, like getPasswordAuthentication. Might have to revert to the Apache Http client…
Final Edit:
I am still using HttpURLConnection, but doing something along the lines of what Edward suggested below. There doesn’t seem to be any configurable class for handling authentication challenges and prompting the user for input, so I am doing this manually.
Send your request without authentication headers. If authentication is required, the connection will fail with a 401 error. Let that failure bubble back up to whatever code made the initial request. That code should then show an authentication dialog to the user. Remember the username/password that the user provides, and retry the failed request with the necessary authentication header added to the request.
Remember the username/password for the rest of the session so you don’t have to keep asking the user.
I’m sorry that I don’t have any sample code; I’ve implemented this in java.net, but that won’t do you any good if you’re using apache.
This thread may help you: Http Basic Authentication in Java using HttpClient?
Edit:
I have implemented this in java.net, but it was work I did for hire and I don’t have access to the source code. One problem is that java.net doesn’t let you set authentication on a per-connection basis, but instead has you implement a single global authenticator. Since my app only communicated with one specific web site, that wasn’t an issue.
What I did was create a subclass of Authenticator that caches the username/password data from the user. The initial value of the cache was empty. There is also an “attempt counter”. When the authenticator is called and there is no cached user/password info, the user is prompted via a dialog. If the cached values are present, they are returned without bothering the user.
If there are subsequent calls to the authenticator, it’s assumed that the user/password info was incorrect, and the user is prompted again. If the counter reaches ten, then the authenticator returns null (failure).
The counter is reset prior to each new internet connection.
A smarter authenticator would pay attention to the host and/or realm (prompt string) and cache user/password accordingly.
I’m not sure any of this will be useful to you in an Android environment, since popping up a dialog might not be an available option to your authenticator. But I could be wrong about that; it depends on your application.
In an Android environment, you’ll want to do your http requests from a thread and then signal the activity when the data has arrived. If your thread detects a 401 error, it would signal the activity to that effect, and then the activity could pop up a dialog and re-launch the thread. The thread would then register a trivial authenticator that simply returned the user/password information. Alternatively, the thread could manually build an Authorization header, although that’s more work.