The Mobile Backend Starter has two forms of access control:
- Client ID and Google Account authentication
- Access control for Cloud Entities
Client ID and Google Account Authentication
As described in Running the Android Sample and Running the iOS Sample , you can set Authentication/Authorization settings to one of the three modes:
- Locked Down - All requests will be rejected
- Open - All unauthenticated requests will be allowed
- Secured by Client IDs - Only authenticated calls with Client ID and Google Account are allowed
Open mode should be used only for development purposes as it allows unauthenticated calls. The Project ID is the only information required to make a call on the backend in this mode.
For production usage, we recommend Secured by Client IDs . It only allows authenticated calls associated with both of the following:
- A registered Client ID - to ensure that only the mobile apps built by your development team can access the backend
- A Google Account - to ensure Google has authenticated the requesting user
Any calls that originate from a client without a correct Client ID or Google Account will raise an
UnauthorizedException
on the client app. By default, calls to the backend are not associated with a user's Google account.
To enable authentication on the client, add the
CloudBackendFragment
class to your Activity, and implement the standard Listener pattern:
public class GuestbookActivity extends Activity implements OnListener {
/* ... */
@Override
public void onCreateFinished() {
/* ... */
}
}
To enable (or disable) the security features, you need to turn authenticaion on or off in the
Consts
class.
public static final boolean IS_AUTH_ENABLED = true;
Use the
getCloudBackend()
method on the Fragment to get a
CloudBackendMessaging
instance. Use this instance to call the asynchronous API implemented by
CloudBackendAsync
. Provide these methods with your own
CloudCallbackHandler
:
getCloudBackend().listByKind("Guestbook", CloudEntity.PROP_CREATED_AT,
Order.DESC, 50, Scope.FUTURE_AND_PAST, handler);
If you want to pass the user’s Google Account info to the backend on each call, use the
CloudBackend#setCredential()
method (also available on the subclasses,
CloudBackendAsync
and CloudBackendMessaging) to set a
GoogleAccountCredential
object before calling any Mobile Backend methods.
GoogleAccountCredential credential = GoogleAccountCredential.usingAudience(this, "<Web Client ID>");
credential.setSelectedAccountName("<Google Account Name>");
cloudBackend.setCredential(credential);
Setting credientials enables the client to operate when the backend is in “Secured by Client ID” mode and also sets createdBy/updatedBy/owner properties of CloudEntity automatically.
The Guestbook example demonstrates how this class is used in the sample code.
Access Control for Cloud Entities
The Cloud Backend API provides an access control feature on
CloudEntities
. You can specify access control by adding one of the following prefix on kind name of the entities:
Kind Name Prefix | get/query | update/delete | insert |
---|---|---|---|
[private]
|
entity owner | entity owner | anyone |
(no prefix) | anyone | entity owner | anyone |
[public]
|
anyone | anyone | anyone |
For example, a kind name
Contact
allows anyone to insert entities and get/query existing
Contact
entities. But only the entity owners can update or delete each entity. If any user tries to update someone else’s entity, the backend raises an
UnauthorizedException
. If you do not want to make the
Contact
entities readable by everyone name the kind
[private]Contact
. A query on the kind to get a list of all entities only gets the entities owned by the querying user. The entities in
[private]
kinds are stored with a different namespace for each Google Account, thus isolation between users is assured.
If you create a kind named [public]Contact , all the entities readable and writable by anyone. Also, any entities without a valid UserID assigned to its owner property will be readable and writable by anyone too.