
We are building an iPhone application that will access our backend server, which uses CakePHP 2.xx.

The client is an iPhone app built with the iOS SDK; the server runs CakePHP 2.0.

We are able to make an HTTP POST to a controller/action (users/login). This action currently logs the user in with a standard database query that matches the user/password combination. It does not really use the AuthComponent. What we want is to enable the Auth component so that we can validate the session on every request. How do we use Auth for this type of mobile client application?

I have read about REST concepts etc., but it is still unclear to me how we would bring Auth into the scope of this mobile app communication.

Any references would be helpful. I am fairly new to the mobile space, but I do have good web development knowledge (browser based). For mobile devices we use the mobile platform's native SDK.

-BC

1 Answer

First off, there is no difference in using the AuthComponent in a fully (desktop) web based solution or a mobile one - it just works as it would normally work. In your case you have the two application layers detached:

  1. Your server handles authentication, data retrieval, data customization and data transport.
  2. Your client handles data representation

Usually in Web Development there are two big concepts:

Authentication and Authorization. Authentication is making sure the user is who he claims to be - i.e. logging them in after they supply the right password. Authorization is making sure the logged in user has the right to access a given resource. The second thing can be achieved with different approaches and I am not going to dwell on it.

Out of the box Cake offers three different Authentication approaches:

  • FormAuthenticate
  • BasicAuthenticate
  • DigestAuthenticate

It is very well explained what these are in the links I provided. Now in your case you may want to consider using DigestAuthenticate, and definitely Digest over SSL please :). Of course you can go with FormAuthentication as well. However, also consider issuing tokens when logging users in and then using those tokens for the API calls. These should have a relatively low lifetime. This lifetime is up to you, but normally it is 10-15 mins. When a call is made and a token has expired, just create a new one for the user. This token system can be somewhat detached from the authentication system - i.e. a user may still have a session but his current token may have expired - so issue a new one. Be sure to validate these tokens against the user that is trying to access a piece of information in a given application area - so validate that the token is still valid and is in fact issued to and used by the same user.

Hope this helped a bit. I think you made a good choice going with REST as it provides a nice verb-based API structure.

answered 2013-06-09T08:39:25.963
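The token scheme the answer sketches, written out as an added example that is not part of the original answer and not CakePHP's own code: a small PHP class that issues a random token bound to a user id with a 15-minute lifetime, validates a presented token against the user the request claims to be, and renews it once it has expired. The class name, method names, the in-memory array used as storage and the fixed timestamps are this example's own assumptions; in a CakePHP 2 application the store would be a model-backed table and the user id would come from the AuthComponent session.

```php
<?php
// Added example, not code from the answer or from CakePHP itself: a minimal issuer and
// validator for the short-lived API tokens the answer describes. The in-memory array
// stands in for a database table, and every name here (TokenService, issue(), validate(),
// renew()) is this example's own choice. Login sessions stay with AuthComponent; this
// class only covers the token layer the answer keeps "somewhat detached" from it.

final class TokenService
{
    const LIFETIME_SECONDS = 15 * 60; // 15 minutes, the upper end of the 10-15 min range

    /** @var array sha256(token) => array('user_id' => int, 'expires' => int) */
    private $store = array();

    /** Issue a fresh, unguessable token bound to one user. Returns the raw token for the client. */
    public function issue($userId, $now = null)
    {
        $now = ($now === null) ? time() : $now;
        $token = bin2hex(random_bytes(32)); // 256 bits of CSPRNG output, not derived from the user id
        // Store only a hash of the token: a leaked table then does not yield usable tokens.
        $this->store[hash('sha256', $token)] = array(
            'user_id' => (int) $userId,
            'expires' => $now + self::LIFETIME_SECONDS,
        );
        return $token;
    }

    /**
     * Returns true only if the token exists, has not expired, and was issued to $userId.
     * Checking the user binding is what stops a token issued to one account from being
     * accepted for another account's resources.
     */
    public function validate($token, $userId, $now = null)
    {
        $now = ($now === null) ? time() : $now;
        $key = hash('sha256', (string) $token);
        if (!isset($this->store[$key])) {
            return false;
        }
        $meta = $this->store[$key];
        if ($meta['expires'] <= $now) {
            unset($this->store[$key]); // expired tokens are purged the first time they are seen
            return false;
        }
        return $meta['user_id'] === (int) $userId;
    }

    /**
     * Replace a token with a fresh one. Call this when an API request arrives with an
     * expired token but the caller's login session (AuthComponent) is still valid; the
     * old token is revoked explicitly so it cannot be presented again.
     */
    public function renew($oldToken, $userId, $now = null)
    {
        unset($this->store[hash('sha256', (string) $oldToken)]);
        return $this->issue($userId, $now);
    }
}

// Walk-through with a fixed clock so the expiry behaviour is easy to follow.
$service = new TokenService();
$t0 = 1370764800; // constructed timestamp
$token = $service->issue(42, $t0);

var_dump($service->validate($token, 42, $t0 + 60));       // same user, inside the lifetime
var_dump($service->validate($token, 7, $t0 + 60));        // token was issued to user 42, request claims user 7
var_dump($service->validate('deadbeef', 42, $t0 + 60));   // token never issued
var_dump($service->validate($token, 42, $t0 + 15 * 60));  // lifetime reached: token is purged

$fresh = $service->renew($token, 42, $t0 + 15 * 60);       // session still valid, hand out a new token
var_dump($service->validate($fresh, 42, $t0 + 15 * 60 + 1)); // new token, same user
var_dump($service->validate($token, 42, $t0 + 15 * 60 + 1)); // old token after renewal
```

Two design points worth carrying into a real implementation: the server keeps only a hash of each token, so a database dump does not hand an attacker live credentials, and `validate()` checks the user binding as well as the expiry, which is the "issued to and used by the same user" check the answer asks for. Renewal is triggered by the controller after it has confirmed the session with AuthComponent, never by the client simply asking for a new token.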