How to do HTTP authentication in android?

I

6

73

I am checking out the class org.apache.http.auth. Any more reference or example if anyone has?

Incivility answered 28/12, 2009 at 7:39 Comment(2)

Is this a question about Android applications authentication or just about authentication for a general web app, which just might run on Android? – Hybridize 28/12, 2009 at 8:2

For web authentication(http authentication) for user credentials(username,password) – Incivility 28/12, 2009 at 8:18

A

80

I've not met that particular package before, but it says it's for client-side HTTP authentication, which I've been able to do on Android using the java.net APIs, like so:

Authenticator.setDefault(new Authenticator(){
    protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication("myuser","mypass".toCharArray());
    }});
HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
c.setUseCaches(false);
c.connect();

Obviously your getPasswordAuthentication() should probably do something more intelligent than returning a constant.

If you're trying to make a request with a body (e.g. POST) with authentication, beware of Android issue 4326. I've linked a suggested fix to the platform there, but there's a simple workaround if you only want Basic auth: don't bother with Authenticator, and instead do this:

c.setRequestProperty("Authorization", "basic " +
        Base64.encode("myuser:mypass".getBytes(), Base64.NO_WRAP));

Apocope answered 28/12, 2009 at 10:39 Comment(9)

Do u know any base64 encoding class present in android 2.0?? – Incivility 28/12, 2009 at 11:0

The platform has it in a few places, but oddly enough they don't expose it. They even left references to it in the docs of e.g. android.util. I was using ksoap2-android when I found this, and they have an implementation that depends only on java.io, so you could just grab that class (subject to its license of course) from: kobjects.cvs.sourceforge.net/kobjects/kobjects/src/org/kobjects/… – Apocope 28/12, 2009 at 11:51

How do you handle the event that the authentication fails, say because the supplied credentials are bad? – Pitiable 14/8, 2011 at 6:26

Base64 is not available in older versions of Android. Any suggestions there? – Formalize 22/11, 2012 at 19:14

i'm getting an error when trying to c.connect(); , it says IOException – Demonology 15/10, 2013 at 15:19

@Demonology IOException is probably not related to authentication; I would expect a 401 Unauthorized response if authentication was bad. – Apocope 17/10, 2013 at 11:3

The code with Authenticator is not working for me even for simple GET request. If after c.connect() i call c.getResponseCode(), this hangs indefinitely. My server is using digest authentication. I m using Android api level 15. Same works for non-android platforms. – Hassanhassell 13/12, 2014 at 8:32

Somehow this doesn't work for me. I am getting "Error response code: 301". Any idea why? – Fitzwater 30/7, 2017 at 17:37

You have to use Base64.encodeToString in your example with c.setRequestProperty otherwise you're concatenating a base64 array with a string. – Zygosis 17/11, 2018 at 3:29

C

120

For me, it worked,

final String basicAuth = "Basic " + Base64.encodeToString("user:password".getBytes(), Base64.NO_WRAP);

Apache HttpCLient:

request.setHeader("Authorization", basicAuth);

HttpUrlConnection:

connection.setRequestProperty ("Authorization", basicAuth);

Conventionalize answered 21/2, 2012 at 12:24 Comment(8)

The NO_WRAP flag! That was key. I was just using the default and wondering why I kept getting a 400. – Balls 23/2, 2012 at 4:42

Your answer saves me a lot of time. Thanx! My problem was really in wrong flag (DEFAULT). – Morice 28/1, 2013 at 11:1

Finally, after a long time... no_wrap FTW! – Dividers 10/6, 2013 at 3:25

wow - this NO_WRAP just ended my 5 hours problem solving against a server which had no logging... THANX! – Zoochore 19/12, 2013 at 11:57

Thanks for the nice concise answer! Android Community FTW. – Lachrymal 18/4, 2014 at 15:59

Base64.encodeToString() did the trick for me. Previously, I was using Base64.encode() which was resulting in a HTTP response code of 500. – Flinger 9/5, 2014 at 20:10

Use connection.setRequestProperty as described in other answers if you are using the HttpURLConnection class – Flogging 10/5, 2014 at 9:39

I use this: String basicAuth = Base64.encodeToString(String.format("%s:%s",user,passwd).getBytes(),Base64.DEFAULT); and with NO_WRAP and no way to add credentials... Only get "Basic MTIzNDU2NzhBOnR0YQ==\r\n"... WHY? – Pullulate 14/1, 2017 at 22:24

A

80

I've not met that particular package before, but it says it's for client-side HTTP authentication, which I've been able to do on Android using the java.net APIs, like so:

Authenticator.setDefault(new Authenticator(){
    protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication("myuser","mypass".toCharArray());
    }});
HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
c.setUseCaches(false);
c.connect();

Obviously your getPasswordAuthentication() should probably do something more intelligent than returning a constant.

If you're trying to make a request with a body (e.g. POST) with authentication, beware of Android issue 4326. I've linked a suggested fix to the platform there, but there's a simple workaround if you only want Basic auth: don't bother with Authenticator, and instead do this:

c.setRequestProperty("Authorization", "basic " +
        Base64.encode("myuser:mypass".getBytes(), Base64.NO_WRAP));