I am a complete newbie in this topic so please excuse me for my ignorance. Our company has a PHP based REST service created for consumption by an iPhone app. We make several POST calls to the REST API: www.mywebsite.com/api/rest and we send the method name and the parameters to the service. The service in turn returns a XML response which is GZip encoded. This is working fine.
I am assigned with a task to secure these call so that data that is getting passed to the service is not in plain text/is not visible using tools like Charles Proxy and other sniffing tools. In the past I have used some iPhone apps which also makes REST calls but they don't show up in such tools. I would like to know how to implement such a thing in a normal PHP based REST service so the data getting transmitted is not visible/ can be made secure.
I thought about using HTTPS but if we use HTTPS, I hear from others that the service/server will become slow and I am not too sure if the iPhone client will accept HTTPS calls.
Please advice.
Thanks in advance,
Senthil
It sounds like you're trying to secure the transport layer, and assuming that's the case then SSL/TLS is surely the way to go. Yes, chances are there will be some performance impact, but the security is probably worth it.
Related
I'm having troubles to figure out how web services handle requests and send responses, and how my site/module will handle it. So these are my questions and bellow a little about why i am asking this:
What is the right way to send a request to web service?
How a web-service will usually answer a site requesting?
How a PHP site can send a request to a web-service? Is cURL the right way?
I'm a student who are learning PHP and a lot of other things, and my job now is create a Joomla Module to show information from a web service (probably created in java or something, probably created by me, when i learn java...).
I know i will use http requests to talk with the web service, but i worry im using it wrong (making a request to the url, like the browser).
So, i did a little example site and a example API. The api uses Slim microframework to create routes, access my database and return the content in json (what means: if i access 'api.com/api/something' in my browser i see a plain white page with a lot of json). I pretend this is my web service.
The example site send a request to the API with cURL, reads the content and decode the json and do things. It seems forced to me.
I have not much support to understand web services and if i am in the right way (or far from this).
I would appreciate your help.
You are on the right track. A web service is simply a processing or storage facility intended to be accessed by some other program just like a database or fileserver service.
What is the right way to send a request to a web service
It depends. The most common implementations use SOAP or REST which define additional semantics on top of the HTTP protocol. SOAP uses a single URL as a gateway to the service and more specific selection of the functionality and the relevant data is embedded within an XML payload presented via POST. HTTP is merely a bearer for the message exchange. In REST, the HTTP part is integrated into the semantics of the transaction.
The URL identifies the location of the data (or processing function)
The payload contains only data, usually presented as POSTed JSON or XML,
further REST uses the HTTP verb (GET, POST, PUT, DELETE) to indicate the requested action
the HTTP headers are used to convey transaction meta-data.
How a web service will usually answer a request
I'm not sure what you are asking here. It should report back on the state of the request, any relevant error messages and possibly some data.
The speciifics would be unique to the API and documented.
Is cURL the right way?
While it is possible to do a lot with the HTTP wrappers functionality in PHP, libcurl offers an lot more flexibility. So, yes this it would be hard to implement a REST client without using cURL, OTOH a SOAP client is (usually) less complex at the HTTP tier but life is a lot simpler if you use a SOAP library/framework to abstract the more complex protocol.
For future questions please have one question per entry.
What is the right way to send a request to web service?
That really depends on the web service, what they require. It can be as simple as a short text string, to sending a XML formatted or JSON formatted array. You need to research the relevant web service.
How a web-service will usually answer a site requesting?
Again it depends on the web service. They are not the same. A web service will have documentation on what it expects and how it will respond.
How a PHP site can send a request to a web-service? Is cURL the right way?
Curl is a good method and is usually the method used from within PHP.
I recently started to do development in the Haxe language with OpenFL (AS3 background).
But I have never worked on an app that communicates with a server - or never done any programming for servers for that matter!
I have to make a mobile app (for which I intend to use Haxe) where the new user creates an account on the server, and thus also interact withe other user accounts in a desired way.
So could someone guide me in the right direction to approach this situation? I'm guessing I will need to use PHP or ruby etc.
or can I use Haxe to program on the server? are there any good libraries that also provide security while making facility for user accounts? Is AWS or Google app engine something I can use?
check this simple but complete tutorial by filtreck
http://mromecki.fr/blog/post/haxite-writing-entire-website-using-haxe
You will want to create normal web pages that you can host on the server which will retrieve the needed information.
After having uploaded these, use a type of webview in the application to load the pages and retrieve this information.
You can write your server in Haxe if you want, and if you use a platform that supports it you could use TCP and haxe.remoting to pass data between the client and the server.
haxe.remoting is intended to make calling haxe function in a server from a client easier so that may be what you want.
If you don't feel confortable with using TCP you could do as Max wrote, just make some HTTP API (you can do this too in haxe) and do normal HTTP request from the client.
So, i've been reading a lot on SOA's lately and been trying to implement something useful. I have started with a simple blog, creating the RESTful API. So far, so good. It works perfectly. However, i'm starting to pull my hair off when writing the web interface that will consume the RESTful API. I don't know if i'm doing the right thing.
For example, the web interface has an admin panel. That admin panel makes HTTP requests to the API, through file_get_contents and stream options. Right now, the API is localhost, as well the web interface, but the whole process is a little slower. Is this right? Is this the proper way of implementing a SOA? Also, i'm dealing with little bits of duplicated code for validation. Where should i validate data? In the API or the web interface? What is the best approach?
Tips, tutorials and, specially, books are welcome. This is being implemented using Silex, built on top of Symfony components.
That's exactly how i do it. Although the connection with localhost might seem an overhead at first, it is a feature, since you're ready to deploy your web interface application anywhere and still consume your API, that might be anywhere. Of course, you would put some SSL over this.
As for Validation, you should validate on the API and return HTTP status codes for those situations (for example, "400 Bad Request" for invalid parameters). This way, any other client can interpret the response from the API and treat that to display how they want. In the case of your web interface, nice little error messages based on the HTTP status code.
What other problems are you facing? Also, as far as general SOA architecture is concerned, this book is very good.
I'm working on developing a native android application to retrieve data for a user from my company's website.
Because the data is specific to the user, I need to authenticate with our web server, but I'm unsure of the best way to go about this. I've been reading about REST/SOAP/HTML form auth, but I can't really find any definite 'this is how its done' anywhere. I know mobile apps do this kind of thing all the time - just look at facebook/skype/any email app - you have to login before you can do anything.
My question is - how should I architect the server side code (php) to easily allow me to authenticate a user from my android device?
I'm fairly new to the 'web service' arena - does this fall into that category? Are there any tutorials you guys would recommend looking at?
Thanks!
While I haven't developed for Android, I can suggest that you simply rely on some stateless authentication scheme, such as HTTP Basic or Digest. This means that the credentials will be passed with each and every request, and you avoid having to keep track of state, which means you can keep your API nice and RESTful.
I suspect if I were writing an android app, in most cases, I'd probably first try to get communication working with something at-least-vaguely RESTful, using HTTP Basic auth, and JSON encoding (just because PHP makes (de)serializing JSON so easy).
Of course, depending on your problem domain, that might not be ideal, but it's a good architecture to try first, because it's pretty easy all-around. If it fails you, you can go back and start swapping parts out, until you find the right architecture.
Some mobile apps use OAuth to authenticate with a web server, such as twitter has. This may not be exactly what you're looking for, but none-the-less here's an example: You would log in to web service and authenticate the mobile app (which would have requested access) to be able to utilize your data on web service, like an access key (actually called a token) with which the mobile app then utilizes to communicate with the web service on your behalf; the token could be then passed as part of the url. You'll still likely want to consider SSL or some level of encryption.
This post may also be of help for you
I have an existing PHP/MySQL website that relies hugely on form POSTs for things like signing up, logging in, searching etc. I now need to create a native iPhone app for it. The business requires a native app for marketing reasons, I can't get away with a mobile optimized website.
I'm looking for suggestions from someone who has already done this - how did you rewire your website to POST/GET data from the iPhone app? I'm guessing I'll have to send/receive data as XML, which is then parsed by the server and client. Is there anything simpler or any framework that can make this easier?
Thanks!
If you don't have some sort of webservices or API to connect through for the website I would make that my first priority. While you can scrape HTML and send POST requests, it can get quite messy FAST. I've created iPhone apps which talk with webservices through SOAP requests, and have built an iPhone interface to a site, which wasn't pretty. It is very doable, but it is also very frustrating if anything changes on the webpage.
If you are looking for a decent library to help you get started with POSTing against forms check out the ASIHTTPRequest library at http://allseeing-i.com/ASIHTTPRequest/. If you look at the site there is a 'How to Use It' page with 'Sending Data with POST or PUT Requests'. Otherwise you could just use NSURLRequest and NSURLConnection and handle everything yourself.
It depends a lot on what you are presenting. You may be able to put a lot of your php heavy interfaces into web pages. The web pages and all related resources would be local to, and formatted for the iPhone. You can look at PhoneGap for examples of how to host local web pages and communicate with the host application.
I have been writing an eBook reader. About half of the user interface is done through local html files. In my case there is no network access, but WebKit is the easiest way to style text.
As long as your application does not look like a web page, it is fine if it is a web page. That may simplify big chunks of server interaction, especially things like login that only happen once or rarely.
Jonathan,
I would recommend taking a look at the Apple provided SeismicXML sample app. It uses the NSXMLParser to parse XML in a asynchronous fashion which will be huge for your app. It also shows how to use a NSURLConnection to make the request off of the web. You can use the NSURLConnection (which is also asynchronous) for POST/GET requests.
As mentioned in another answer, the ASIHTTPRequest library from allseeing-i.com is an excellent library but all of the features you want can be done using the built in Apple APIs if needed for your business requirements.
Hope this helps!