Authenticating Users with an Amazon SimpleDB Service

Restricting users' access to their own domain data

last updated: 2016-09

Amazon SimpleDB does not offer its own resource-based permissions system. Instead, authentication against an identity provider can be used to ensure that users only have access to their own data in the SimpleDB domain. This article explains how to restrict users' access to their own SimpleDB data.

Xamarin.Auth is used in the sample application to manage the user authentication process and securely store users' account details on the device. For more information see Authenticating Users with an Identity Provider.

Allowing an Authenticated User Access to SimpleDB Domain Data

The sample application uses the TodoItem class to model data. In order to store a TodoItem instance in a SimpleDB service it must first be converted into a List of ReplaceableAttribute objects. For more information see Creating SimpleDB objects.

In iOS 9 and greater, App Transport Security (ATS) enforces secure connections between internet resources (such as the app's back-end server) and the app, thereby preventing accidental disclosure of sensitive information. Since ATS is enabled by default in apps built for iOS 9, all connections will be subject to ATS security requirements. If connections do not meet these requirements, they will fail with an exception.

If it is not possible to use HTTPS and secure communication for an internet resource, ATS can be opted out of by updating the app's Info.plist file. For more information see App Transport Security.

To ensure that users have access to only their own data in the SimpleDB domain, the ToSimpleDBReplaceableAttributes method stores an additional attribute for a TodoItem instance, as shown in the following code example:

List<ReplaceableAttribute> ToSimpleDBReplaceableAttributes (TodoItem item)
{
  return new List<ReplaceableAttribute> () {
    // ... the item's other attributes are omitted here ...
    // The signed-in user's email address is stored with every item so that
    // queries can be limited to that user's data.
    new ReplaceableAttribute () {
      Name = "User",
      Value = App.User.Email,
      Replace = true
    },
  };
}

This attribute ensures that each item stored in the SimpleDB domain has an associated email address for a user, which is used to uniquely identify the user the data belongs to. When the contents of a domain are retrieved by calling the AmazonSimpleDBClient.SelectAsync method, the query expression ensures that only items for the authenticated user are retrieved, as shown in the following code example:

public async Task<List<TodoItem>> RefreshDataAsync ()
{
  // ... client and domain setup omitted ...
  // Only items whose User attribute equals the signed-in user's email are selected.
  var request = new SelectRequest () {
    SelectExpression = string.Format ("SELECT * from {0} WHERE User = '{1}'", tableName, App.User.Email)
  };
  var response = await client.SelectAsync (request);
  // ... mapping the returned items back to TodoItem instances omitted ...
}

The SelectAsync method returns a response containing a collection of items and associated attributes that match the query expression. The query expression ensures that only items that match the user's email address will be retrieved. For more information about query expressions, see Using Select to Create Amazon SimpleDB Queries on Amazon's website.

Be careful to follow the quoting rules when constructing the query expression. For more information, see Select Quoting Rules on Amazon's website.
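As an added example (not code from the article or the AWS SDK), the following builder produces the same Select expression as RefreshDataAsync while applying the quoting rules the article points to: the attribute value goes in single quotes with any embedded single quote doubled, so a quote inside the email address is read as part of the value rather than ending the string, and the domain name is validated and placed in back-quotes. The class name SimpleDbSelectBuilder and the sample domain name TodoItems are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not from the Xamarin article or the AWS SDK: builds the
// Select expression that RefreshDataAsync sends to SimpleDB, applying the
// SimpleDB Select quoting rules.
public static class SimpleDbSelectBuilder
{
    // SimpleDB domain names may contain only letters, digits, '_', '-' and '.'
    // and are 3 to 255 characters long.
    static readonly Regex ValidDomainName = new Regex(@"^[A-Za-z0-9_.\-]{3,255}$");

    // Attribute values are single-quoted; a single quote inside the value
    // is written as two single quotes ('').
    public static string QuoteValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        return "'" + value.Replace("'", "''") + "'";
    }

    // Domain names are identifiers and are quoted with back-quotes; the
    // pattern above rejects any name that would need escaping inside them.
    public static string QuoteDomainName(string domainName)
    {
        if (domainName == null || !ValidDomainName.IsMatch(domainName))
            throw new ArgumentException("Not a valid SimpleDB domain name.", nameof(domainName));
        return "`" + domainName + "`";
    }

    // Same shape as the article's expression, with both operands quoted.
    public static string BuildUserSelect(string domainName, string userEmail)
    {
        return string.Format("SELECT * FROM {0} WHERE User = {1}",
            QuoteDomainName(domainName), QuoteValue(userEmail));
    }

    public static void Main()
    {
        // Constructed sample values (not from the article); the address
        // contains an apostrophe to exercise the doubling rule.
        Console.WriteLine(BuildUserSelect("TodoItems", "o'brien@example.com"));
    }
}
```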

Summary

This article explained how to restrict users' access to their own SimpleDB data. Amazon SimpleDB does not offer its own resource-based permissions system. Instead, authentication against an identity provider can be used to ensure that users have access to only their own data in the SimpleDB domain.
