3

Suppose I have an image at a certain URL (http://www.example.com/specialimages/cutepuppy.png). This image happens to be part of an app that's paid and I don't want people to go to this URL to right click and save. So, I add htaccess password protection. Perfect! It works...the URL is protected and only I can access it with valid credentials. (Really, anyone with the username and password can.)

Next up, in Android, I'm using the Universal-Image-Loader library to load my images into my app. The loader code looks like this:

ImageLoader imageLoader = ImageLoader.getInstance(); 
imageLoader.displayImage(
    "http://Validuser:Validuserpassword@www.example.com/specialimages/cutepuppy.png",
    gridViewImageHolder.imageView,
    ImageLoaderUtil.options);

The Validuser:Validuserpassword is this little trick to visit a URL that's htaccess protected. Everything seems logical except that the image loader throws a FileNoteFoundException because the URL is invalid:

09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader: http://Validuser:Validuserpassword@www.example.com/specialimages/cutepuppy.png.jpg
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader: java.io.FileNotFoundException: http://Validuser:Validuserpassword@www.example.com/specialimages/cutepuppy.png.jpg
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:238)
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at com.nostra13.universalimageloader.core.download.BaseImageDownloader.getStreamFromNetwork(BaseImageDownloader.java:124)
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at com.nostra13.universalimageloader.core.download.BaseImageDownloader.getStream(BaseImageDownloader.java:88)
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at com.nostra13.universalimageloader.core.LoadAndDisplayImageTask.downloadImage(LoadAndDisplayImageTask.java:291)
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at com.nostra13.universalimageloader.core.LoadAndDisplayImageTask.tryCacheImageOnDisk(LoadAndDisplayImageTask.java:274)
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at com.nostra13.universalimageloader.core.LoadAndDisplayImageTask.tryLoadBitmap(LoadAndDisplayImageTask.java:230)
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at com.nostra13.universalimageloader.core.LoadAndDisplayImageTask.run(LoadAndDisplayImageTask.java:136)
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
09-22 16:47:30.554 19323-19365/com.example.images E/ImageLoader:     at java.lang.Thread.run(Thread.java:818)

So...what's my question? What I want to know is if there's another way to do something like this: protect a web directory from visitors through a browser but somehow pass valid credentials in Android code (Java) so that the app, and only the app, can go grab the images.

Edit

If I visit my URL (not this one of course) with the Validuser:Validuserpassword before it in my browser on my laptop or phone, the image loads fine...my server is configured properly to handle htaccess.

Community
  • 1
  • 1
Andrew Quebe
  • 2,263
  • 5
  • 25
  • 53
  • If you load the valid URL via curl or your web browser do you see the image? Just to 100% verify that the URL is properly handled by your server / Apache, etc? – Cody Caughlan Sep 22 '15 at 23:56
  • Yes. It loads perfectly in Chrome on web and on my phone. Will add this to the question. – Andrew Quebe Sep 22 '15 at 23:57

1 Answers1

4

From what I can understand, when you load a URL like this:

http://Validuser:Validuserpassword@www.example.com/specialimages/cutepuppy.png.jpg

In your web browser, the browser transparently converts the user / password components to a HTTP Authorization request header.

Thus, it appears that OkHttp is not doing this, the way your browser does.

Does Universal-Image-Loader allow you to manipulate the request headers so you can provide this header yourself?

If you can do so, then you'll need to generate it accordingly. See the format here:

https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side

Looks like this other StackOverflow question has a working implementation:

Accessing protected images in universal image loader

Community
  • 1
  • 1
Cody Caughlan
  • 32,456
  • 5
  • 63
  • 68