The WebView browser component is commonly used to render web
content within a native application layout. When the content is secured, it is required for the app to authenticate with the Web server
first. When using the WebView component,
we can leverage the component events (HTTP pipeline) to detect a challenge-response
authentication event from the server and automatically login our app.
Challenge Response Security
The challenge-response interaction is a security protocol (HTTP 401) event in which a server
challenges the identity of a client, and the browser responds with the security
credentials required to access the content. If the required credentials are not
validated, the content is forbidden to the app. We can leverage this interaction to send
the impersonating identity to the server by extending the WebViewClient class
and overriding the authentication event. Let’s take a look.
Extending the
WebViewClient Class
In order to write a handler for the challenge-response
event, we need to extend the WebViewClient class. We start by implementing a constructor
that can take the credential information. This enables the activity that instantiates our class to manage the credential
information and just pass it to our class during the class instantiation.
internal class AuthWebViewClient : WebViewClient
{
public string Username { get; }
public string Password { get; }
private int LoginCount = 0;
/// <summary>
/// gets the user credentials for the
impersonation process
/// </summary>
/// <param
name="username"></param>
/// <param
name="password"></param>
public AuthWebViewClient(string username, string password)
{
Username =
username;
Password =
password;
}
/// <summary>
/// handles the authentication with
the website.
/// </summary>
/// <param
name="view"></param>
/// <param
name="handler"></param>
/// <param
name="host"></param>
/// <param
name="realm"></param>
/// <remarks>
/// </remarks>
public override void
OnReceivedHttpAuthRequest(WebView view, HttpAuthHandler handler, string host, string realm)
{
try
{
if (LoginCount < 3)
{
LoginCount++;
handler.Proceed(Username, Password);
}
else
{
LoginCount
= 0;
handler.Cancel();
}
}
catch (Exception ex)
{
Toast.MakeText(Application.Context, ex.Message,
ToastLength.Long).Show();
}
}
}
|
Handling the Authentication
When we extend the WebViewClient class, we can override some
of the class events. For the authentication pipeline, we override the OnReceivedHttpAuthRequest
event which provides a reference to the HttpAuthHandler object. This object
provides the Proceed method which we use to send the login credentials to the
server.
One important area to note here is that if there is a problem
with the credentials that we send to the server, the HTTP 401 event will
continue to be sent back from the server. This can create a loop between the
browser and server. To prevent this, we track the number of attempts, and
cancel the authentication when the limit is met. This is done by using the
Cancel method on the HttpAuthHandler object.
Please note that this simple approach to pass the username and
password information from the browser to the server. There are still other
securities areas to be concerned with like encrypting the communication channel
to protect the security credentials from unwanted traces.
Thanks for reading.
