Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User authentication via https post.

  • 1.  User authentication via https post.

    Posted Jun 03, 2013 03:18 PM

    I am new to Aruba Airwave technology.  I am developing an android app that can leverage the VisualRF location services.  However, first I need to authenticate the user to gain access to the location services.  How should I log into the AMP system via my app? 



  • 2.  RE: User authentication via https post.

    EMPLOYEE
    Posted Jun 04, 2013 04:32 PM

    For security reasons, there's no ability to login to AMP using https post.  You'll want to use a script to perform the login action before calling the APIs.  Sounds like you may be trying to recreate what 'Aruba Utilities' android app is already doing.

     

    Also, on the AMP's Home -> Documentation page is an example.  Look for 'Sample HTML Application utilizing the Location XML API'.



  • 3.  RE: User authentication via https post.

    Posted Jun 04, 2013 04:39 PM

    I expected that I was going to have to do some scripting.  I am trying to recreate a portion of what the Aruba Utilities does.  However, there is far more that I am planning to do.  But in order for me to do what I plan, I need to leverage the VisualRF location services.  Yes I have taken a look at the 'Sample HTML Application utilizing the Location XML API' already.  It shows me how to reference the VisualRF API.  



  • 4.  RE: User authentication via https post.

    EMPLOYEE
    Posted Jun 04, 2013 04:46 PM

    Let me look into it and see what I can find.  I'm an iphone user, but I'll see if anyone around can lend me their android phone to dig into it.



  • 5.  RE: User authentication via https post.

    EMPLOYEE
    Posted Jun 04, 2013 05:17 PM

    Seems the easiest way would be to use curl:

     

    # curl --insecure -c /tmp/cookie.txt --data 'destination=%2F&credential_0=username&credential_1=password' 'https://your.amp.ip/LOGIN'



  • 6.  RE: User authentication via https post.

    Posted Jun 04, 2013 05:20 PM

    I don't know anything about curl and dislike command prompt commands.  Is there a way to put that in a program?



  • 7.  RE: User authentication via https post.

    EMPLOYEE
    Posted Jun 05, 2013 11:35 AM

    Unfortunately apps aren't my specialty.  The suggestion of curl came from the developers; they also suggested wrat as an alternative option.  I suggest opening a support case to see if they can get you in contact with someone internally who knows more about accessing the APIs.



  • 8.  RE: User authentication via https post.
    Best Answer

    EMPLOYEE
    Posted Jun 11, 2013 04:25 PM

    Authentication to the AirWave UI is done by submitting username and password via POST to /LOGIN.  If the creds are accepted, a session cookie is returned.  You send that cookie with all subsequent requests.  This is documented here:

     

    https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/AirWave-Authentication-in-7-3-and-its-impacts-on-APIs

     

     



  • 9.  RE: User authentication via https post.

    Posted Jun 11, 2013 05:21 PM

    Yes.  This is exactly what I have been searching for.  I have fortunately uncovered it already and am now trying to deal with the cookie. I need to pass it to my other activity which queries VisualRF for the location of a device on the network.  I have been working today on cookie handling and keep running into dead ends.  Anyhow, thanks! 



  • 10.  RE: User authentication via https post.

    Posted Jun 11, 2013 05:26 PM

    I have noticed that there are numerous ways to execute an httpPost (using different client types and such).  Is there a particular way that is more useful when accessing the Aruba network?



  • 11.  RE: User authentication via https post.

    Posted Jun 11, 2013 05:39 PM

    So this is what I have so far for logging into Airwave.  

     

    public class CustomAsyncTask extends AsyncTask
    {
    	@Override
    	protected Object doInBackground(Object... params)
    	{
    		HttpClient httpclient = this.sslClient(new DefaultHttpClient());
    		HttpPost httppost = new HttpPost("https://<myAirwaveServer>.com/LOGIN");
    		HttpResponse response;
    		InputStreamReader isr;
    		BufferedReader br;
    
    		ArrayList<NameValuePair> postParameters = new ArrayList<NameValuePair>();
    
    		try
    		{	
    			cookieStore = new BasicCookieStore();
    			localContext = new BasicHttpContext();
    				
    			postParameters.add(new BasicNameValuePair("credential_0", username.getText().toString()));
    			postParameters.add(new BasicNameValuePair("credential_1", password.getText().toString()));
    			postParameters.add(new BasicNameValuePair("destination", "/"));
    			httppost.setEntity(new UrlEncodedFormEntity(postParameters));
    
    			response = httpclient.execute(httppost);
    				
    			isr = new InputStreamReader(response.getEntity().getContent());
    			br = new BufferedReader(isr);
    
    			String line = br.readLine();
    			while (line != null)
    			{
    				returnedData_str += line + "\n";
    				line = br.readLine();
    			}
    			Log.e("MainActivity Returned Data", returnedData_str);
    			loggedIn = true;
    		}
    		catch (Exception e)
    		{
    			Log.e("MainActivity", e.getMessage());
    		}
    		return null;
    	}

    	private HttpClient sslClient(HttpClient client)
    	{
    		try
    		{
    			// Trust manager with empty checks: accepts any certificate chain.
    			X509TrustManager tm = new X509TrustManager()
    			{
    				public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
    				public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
    				public X509Certificate[] getAcceptedIssuers() { return null; }
    			};
    			SSLContext ctx = SSLContext.getInstance("TLS");
    			ctx.init(null, new TrustManager[] { tm }, null);
    			SSLSocketFactory ssf = new MySSLSocketFactory(ctx);
    			// Host name checking is turned off as well.
    			ssf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    			ClientConnectionManager ccm = client.getConnectionManager();
    			SchemeRegistry sr = ccm.getSchemeRegistry();
    			sr.register(new Scheme("https", ssf, 443));
    			return new DefaultHttpClient(ccm, client.getParams());
    		}
    		catch (Exception ex)
    		{
    			return null;
    		}
    	}
    }

    public class MySSLSocketFactory extends SSLSocketFactory
    {
    	SSLContext sslContext = SSLContext.getInstance("TLS");

    	public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException
    	{
    		super(truststore);
    		// Same accept-everything trust manager as in sslClient() above.
    		TrustManager tm = new X509TrustManager()
    		{
    			public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
    			public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
    			public X509Certificate[] getAcceptedIssuers() { return null; }
    		};
    		sslContext.init(null, new TrustManager[] { tm }, null);
    	}

    	public MySSLSocketFactory(SSLContext context) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException
    	{
    		super(null);
    		sslContext = context;
    	}

    	// Both createSocket() variants delegate to the SSLContext held by this factory.
    	@Override
    	public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException
    	{
    		return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
    	}

    	@Override
    	public Socket createSocket() throws IOException
    	{
    		return sslContext.getSocketFactory().createSocket();
    	}
    }

     



  • 12.  RE: User authentication via https post.

    Posted Jun 12, 2013 09:34 AM

    I am pretty sure that I am successfully signing in.  Everywhere I look tells me to parse through the response and look for a header with "Set-Cookie" in it to get the cookie code.  However, the response I am getting does not contain such a header.  Here is a copy of the response I am getting.  I have even tried logging into my company's airwave server and viewed the source code and it is exactly the same as the response my app is getting.  Anyhow, here is the response:

    <!doctype html>
    <html>
    <!--
    # Copyright (c) 2001-2012, Aruba Networks, Inc.
    # This material contains trade secrets and confidential information of Aruba
    # Networks, Inc.
    # Any use, reproduction, disclosure or dissemination is strictly prohibited
    # without the explicit written permission of Aruba Networks, Inc.
    # All rights reserved.
    -->
    <head>
      <meta charset="utf-8"/>
      <!-- Disallow compatibility mode changing in IE (from user selection or autodetect) -->
      <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
    
      <script>
        if (!(window.history && window.history.pushState)) {
          if (!window.location.hash) {
            var start_at = document.location.pathname + document.location.search + document.location.hash;
            window.location = '/#' + start_at;
          }
        }
      </script>
    
      <link rel="shortcut icon" href="/noauth/theme/airwave/favicon.ico" type="image/x-icon" />
      <link rel="stylesheet"
        href="/helpdesk/style/awms.1346084953.css"/>
      <link rel="stylesheet" href="/mercury.1346084948.css" />
      
      <script src="/mercury.1346084949.js"></script>
      
      <script src="/helpdesk/script/third_party/highcharts/highcharts.1346084953.js"></script>
      <script src="/helpdesk/script/third_party/datatables/jquery.dataTables.min.1346084953.js"></script>
    
      <script>
        var userPrefs;
        var mocha_lang = null;
        (function () {
          function getLanguageFromUrl() {
            var mocha_params = window.location.search.substr(1);
            mocha_params = mocha_params.split("&");
            for (var i = 0; i < mocha_params.length; i++) {
              var tmp = mocha_params[i].split("=");
              if (tmp[0].toLowerCase() == 'locale') return unescape(tmp[1]).substr(0, 2);
            }
          };
    
          function getUserPrefs() {
            var userPrefs;
            $.ajax({
              async: false,
              url: '/api/user_prefs.json',
              dataType: 'json',
              success: function(data, textStatus, jqXHR) {
                userPrefs = data;
              }
            } );
    
            return userPrefs;
          };
    
          function getLanguageFromUserPrefs(userPrefs) {
            return userPrefs['language'];
          };
    
          window['supported_languages'] = {
       "ptBR" : 0,
       "zht" : 1,
       "tr" : 1,
       "it" : 1,
       "zh" : 1,
       "es" : 1,
       "nl" : 0,
       "ko" : 1,
       "en" : 1,
       "fr" : 1,
       "de" : 1,
       "ja" : 1
    }
    ;
          function getLanguageFromBrowser() {
            var browserLang = (navigator.language) ? navigator.language : navigator.userLanguage;
            if (browserLang && browserLang.length >= 2) {
              var short_lang = browserLang.substring(0, 2);
              if (window['supported_languages'][short_lang]) return short_lang;
            }
          };
    
          jQuery.ajaxSettings.traditional = true;
    
          // Always try to fetch user prefs because the Application also uses the result to
          // infer logged-in state.
          userPrefs = getUserPrefs();
    
          mocha_lang = getLanguageFromUrl();
          if (!mocha_lang && userPrefs) {
            mocha_lang = getLanguageFromUserPrefs(userPrefs);
          }
          if (!mocha_lang) mocha_lang = 'en';
          if (!mocha_lang) mocha_lang = getLanguageFromBrowser();
          if (!mocha_lang) mocha_lang = 'en';
    
          
            document.write('<script src="/helpdesk/script/module_mocha.' + mocha_lang + '.1346085244.js"><\/script>');
          
        })();
      </script>
      
    </head>
    <body>
      <div id="app-container" class="container">
        <!-- Pages render here -->
        <div id="app-page-container" class="page"></div>
      </div>
      <script>
        // start the application
        var mocha = awms.Application.getInstance();
        if (!window.location.hash) {
          mocha.setFancyHistory(true);
        }
        mocha.setBrandProperties(
          'airwave',
          'Aruba Networks',
          'AirWave Management Platform',
          'AMP'
        );
        mocha.start(userPrefs);
      </script>
    </body>
    </html>

     



  • 13.  RE: User authentication via https post.

    EMPLOYEE
    Posted Jun 12, 2013 06:28 PM

    What you've printed as the response is the html source for the login page. I think you're probably getting a cookie back but not looking in the right place. Make sure your code is capturing the cookies within the headers rather than the html.  



  • 14.  RE: User authentication via https post.

    Posted Jun 12, 2013 06:39 PM

    Adding to Dan's comment, it looks like HTTPClient stores the cookie automatically for you.  http://www.innovation.ch/java/HTTPClient/getting_started.html#cookies

     

    Make sure to use the same httpclient instance when making future HTTP calls so it can reference the previously saved cookie.
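
Added example, not part of any post in this thread and not Aruba's code: the login flow from the best answer (POST credential_0, credential_1 and destination to /LOGIN, then read the session cookie from the response headers rather than the HTML body), done with certificate and host name validation left on instead of a trust-all X509TrustManager. The names AmpLogin, pinnedContext and login are hypothetical, and the code assumes the AMP's certificate (or its issuing CA's) ships with the app and matches the host name in baseUrl.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URL;
import java.net.URLEncoder;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example; AmpLogin, pinnedContext and login are hypothetical names.
public class AmpLogin {
    // Builds a TLS context that trusts only the supplied AMP (or issuing CA) certificate.
    public static SSLContext pinnedContext(InputStream ampCert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty trust store
        ks.setCertificateEntry("amp", CertificateFactory.getInstance("X.509").generateCertificate(ampCert));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext tls = SSLContext.getInstance("TLS");
        tls.init(null, tmf.getTrustManagers(), null);
        return tls;
    }

    // POSTs the thread's form fields to /LOGIN and returns the value for a "Cookie"
    // request header, or null if the response set no cookie.
    public static String login(String baseUrl, SSLContext tls, String user, String pass) throws Exception {
        URL url = new URL(baseUrl + "/LOGIN");
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(tls.getSocketFactory()); // default hostname verifier stays on
        c.setInstanceFollowRedirects(false); // inspect this response, not a page it redirects to
        c.setDoOutput(true);                 // send the body as a POST
        String form = "destination=%2F&credential_0=" + URLEncoder.encode(user, "UTF-8")
                + "&credential_1=" + URLEncoder.encode(pass, "UTF-8");
        try (OutputStream out = c.getOutputStream()) {
            out.write(form.getBytes("UTF-8"));
        }
        // The session cookie arrives in Set-Cookie response headers, not in the HTML body.
        CookieManager jar = new CookieManager();
        jar.put(url.toURI(), c.getHeaderFields());
        StringBuilder header = new StringBuilder();
        for (HttpCookie ck : jar.getCookieStore().get(url.toURI())) {
            if (header.length() > 0) header.append("; ");
            header.append(ck.getName()).append('=').append(ck.getValue());
        }
        return header.length() == 0 ? null : header.toString();
    }
}
```

Send the returned string as the Cookie request header on later requests that use the same SSLContext. Because it is a plain String, it can be handed from the login activity to the one that queries VisualRF.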



  • 15.  RE: User authentication via https post.

    Posted Jun 13, 2013 01:28 PM

    Yes I have discovered that the HttpClient captures the cookie for me.  It took a little while to figure that out and how to get it from the client.  I have the cookie now.  My current problem I am working on is passing that cookie to the next activity.  I cannot pass the client otherwise I would be golden.  I am doing an Intent.putExtra("Cookie", cookie) where the cookie is the string form of the cookie header.  Anyhow, I am having a hard time using that cookie in the next activity when sending it with a HttpGet.  I wish it was as easy as creating a new Cookie from the string header I have and then add it to the CookieStore in my HttpClient.  Or even better, it would be great if I could pass the Cookie object to my next activity.  Then I wouldn't have any of the frustration I have right now.  I'll get it soon hopefully lol.  



  • 16.  RE: User authentication via https post.

    Posted Jun 13, 2013 01:57 PM

    When I did Android development, I would store global variables in a subclass of Application.  Anything you store there or keep a reference to there is available throughout the lifetime of the application and is accessible from all activities.  With this approach, you could declare the HttpClient in the Application context and then reference that same HttpClient in every activity.  Better yet, if you figure out how to attach the cookie to new HttpClients, you could store only the cookie in the application context and attach it to any future HttpClient instances.  The second approach is better because it prevents multi-threaded issues if two HTTP calls happen simultaneously.

     

    Info about subclassing Application can be found at http://stackoverflow.com/questions/708012/android-how-to-declare-global-variables

     

    Alternatively, you can pass objects between activities but it becomes a bit of a pain if the activities aren't back to back.

     

    http://stackoverflow.com/questions/2906925/android-how-do-i-pass-an-object-from-one-activity-to-another



  • 17.  RE: User authentication via https post.

    Posted Jun 14, 2013 03:14 PM

    Problem solved.  For some reason I completely forgot that making a variable a static object makes it accessible to the sub-activities.  Rmehra, you were right.  I ended up making a static HttpClient variable, in the activity that logs a user in, that I just reused in the next activity that queries the VisualRF location service for a location of a particular device.  Everything went smooth like butta after that!  Thanks to everyone who has been helpful in kicking me down the yellow brick road of progress on this portion of my project.



  • 18.  RE: User authentication via https post.

    Posted Aug 28, 2019 08:05 AM

    Where do you define the server's address?