How to use security (Authentication & Authorization) in ASP.NET Web Api

Question

I am developing an Android application which will use a SQL server(database) to store the application\'s data. In addition, the application will use the ASP web API to send

Answer 1

1. Login (Username, Password shored in BasicNameValuePair) from your Client (here Android) by access Web API controller (perhaps /Token if you use some samples from Asp.Net Web API website). If success, the access token will be responsed and you will save in your client (SharedPreference or database)
2. Then, just need to send the access token (no need username, password anymore) to request other API controllers.

Of course, https should be used here for better security.

Sample codes for getting the access token (login phase):

public static Object getAccessToken(String address, String grant_type, String username, String password) throws Exception {
    List params = new ArrayList<>();
    params.add(new BasicNameValuePair("grant_type", grant_type));
    params.add(new BasicNameValuePair("username", username));
    params.add(new BasicNameValuePair("password", password));

    // Making HTTP request
    httpResponse = makeHTTPRequest(address, params);
    if (httpResponse != null) {
        statusCode = httpResponse.getStatusLine().getStatusCode();
        if (statusCode != HttpStatus.SC_OK && statusCode != HttpStatus.SC_BAD_REQUEST) {
            return httpResponse.getStatusLine().toString();
        }

        // Get JSON String (jsonString) from Input Stream (is)
        getJSONFromInputStream();
        if (jsonString.isEmpty()) {
            return null;
        }
        // Parse the JSON String to a JSON Object
        jObj = new JSONObject(jsonString);
    }
    // Return JSON Object
    return jObj;
}

Inside makeHTTPRequest, for request access token:

httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded");
httpPost.setEntity(new UrlEncodedFormEntity(parameters));