
Re: Inject Authorization Header into WebView on Mobile

Oh, I realize there are a few errors in the code sample. I wrote it quickly, and it's just a quick and dirty example of using HTTPService, which makes setting request headers simple.

Obviously the result() function doesn't return a String. Just figure out how to use the result as input to your RichWebView instance.

So, no need folks to show me my coding errors. LOL. 



On Sep 24, 2018, at 9:02 AM, Erik Thomas <erikjthomas@xxxxxxxxxx> wrote:

Hey Bill:

I just verified on the <> documents for RichWebView that you can load an HTML String directly into the WebView instance: <>

Therefore you do not need to host a public web page at all. We can simplify this a lot. 

1. Create a PHP endpoint (I call these REST APIs) accessible through SSL (if you want to be more secure--but you can do that later) with a function that handles the incoming HTTP request. I don't use PHP so can't provide any samples, but you should be able to find lots of help on the web.

2. In your mobile app, use HTTPService to hit the PHP endpoint (sample below), passing an auth token you got back on initial login as a header, and pass a page id as a query param, a header, or path variable, your choice (I add it to a header in the example). This is just one approach, there are more.

3. In the PHP function handler, authenticate the HTTP request's auth token, and use the page id to return the appropriate web page. Remember, web servers in the classic sense simply return HTML as a stream of bytes. For example, you could just return this in the HTTP response payload: <p>Hello world</p> and you can simply assign that to the RichWebView's instance.

If you use SSL, and you authenticate a valid auth token, then you are pretty secure and at no time do you expose the page to the public. However, know that there are many sophisticated ways hackers can still get at your info, like setting up a proxy with root authority certificate (man-in-the-middle) on un-secure WiFi at Starbucks. But unless your web page is a high value target, it's unlikely. Just beware.

You can dynamically generate the HTML or read it from disk (non-public location) or process it as a template, and then return it in the HTTP response. Then assign the HTML content to your RichWebView instance.

Here is an HTTPService code sample:
import mx.rpc.events.FaultEvent;
import mx.rpc.events.ResultEvent;
import mx.rpc.http.HTTPService;

private var _httpService:HTTPService;
private var _authToken:String; // set after logging in with a different function

private function getMyPage(pageId:String):void {
   _httpService = new HTTPService();
   _httpService.url = ""; // URL of your PHP endpoint
   _httpService.headers = {
       "Accept": "text/html",
       "Authentication": _authToken,
       "pageId": pageId
   };
   _httpService.resultFormat = "text";
   _httpService.addEventListener(FaultEvent.FAULT, fault);
   _httpService.addEventListener(ResultEvent.RESULT, result);
   _httpService.send(); // issue the request
}

private function result(event:ResultEvent):void {
   if (event.statusCode == 200 && event.result is String) {
       var html:String = event.result as String;
       // assign html to your RichWebView instance
   } else {
       // error
   }
}

private function fault(event:FaultEvent):void {
   // error
}
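
Added example (not from the original thread or its author): one way to write the PHP handler from step 3, reading the Authentication and pageId headers that the HTTPService sample sends. The token list, PAGE_DIR and PAGES are hypothetical names with constructed values.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Token list, page map and
// directory are hypothetical placeholders.

// Allowlist: page ids the app may request -> files outside the web root.
const PAGE_DIR = '/var/app/private_pages';   // assumed non-public path
const PAGES = ['welcome' => 'welcome.html', 'help' => 'help.html'];

/** Returns [HTTP status, body] for a request described by $server ($_SERVER). */
function handlePageRequest(array $server, array $tokenHashes): array
{
    // The client sample sends the token in "Authentication", the id in "pageId".
    $token  = (string)($server['HTTP_AUTHENTICATION'] ?? '');
    $pageId = (string)($server['HTTP_PAGEID'] ?? '');

    // Compare hashes in constant time rather than raw tokens with ==.
    $presented = hash('sha256', $token);
    $ok = false;
    foreach ($tokenHashes as $known) {
        $ok = hash_equals($known, $presented) || $ok;
    }
    if ($token === '' || !$ok) {
        return [401, ''];
    }

    // Only allowlisted ids map to a file, so "../" in pageId resolves to nothing.
    if (!array_key_exists($pageId, PAGES)) {
        return [404, ''];
    }
    $html = @file_get_contents(PAGE_DIR . '/' . PAGES[$pageId]);
    return $html === false ? [404, ''] : [200, $html];
}

// Constructed sample store: in practice, tokens issued at login, stored hashed.
$tokenHashes = [hash('sha256', 'example-token-issued-at-login')];

[$status, $body] = handlePageRequest($_SERVER, $tokenHashes);
http_response_code($status);
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');   // keep the private page out of caches
echo $body;
```

A request without a valid token gets a 401 with an empty body, so the page content is never sent to an unauthenticated caller.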