4.3.1.5 创建/使用临时内容供应器
临时内容供应器基本上是一个私有内容供应器,但它允许特定的应用访问特定的 URI。通过向目标应用发送一个指定了特殊标志的意图,即可为这些应用提供临时访问权限。内容供应器方的应用可以将访问权限主动授予其他应用,并且还可以将访问权限被动授予索要临时访问权限的应用。
下面展示了实现临时内容供应器的示例代码。
要点(创建内容供应器):
将导出属性显式设置为
false。使用
grant-uri-permission指定路径来临时授予访问权。即使数据来自临时访问应用,也应该消息并安全地处理收到的请求数据。
可以返回公开给临时访问应用的信息。
为意图指定 URI 来授予临时访问权。
为意图指定访问权限来授予临时访问权。
将显式意图发送给应用来授予临时访问权。
将意图返回给请求临时访问权的应用。
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?><manifest xmlns:android="http://schemas.android.com/apk/res/android"package="org.jssec.android.provider.temporaryprovider"><applicationandroid:icon="@drawable/ic_launcher"android:label="@string/app_name" ><activityandroid:name=".TemporaryActiveGrantActivity"android:label="@string/app_name"android:exported="true" ><intent-filter><action android:name="android.intent.action.MAIN" /><category android:name="android.intent.category.LAUNCHER" /></intent-filter></activity><!-- Temporary Content Provider --><!-- *** POINT 1 *** Explicitly set the exported attribute to false. --><providerandroid:name=".TemporaryProvider"android:authorities="org.jssec.android.provider.temporaryprovider"android:exported="false" ><!-- *** POINT 2 *** Specify the path to grant access temporarily with the grant-uri-permission. --><grant-uri-permission android:path="/addresses" /></provider><activityandroid:name=".TemporaryPassiveGrantActivity"android:label="@string/app_name"android:exported="true" /></application></manifest>
TemporaryProvider.java
package org.jssec.android.provider.temporaryprovider;import android.content.ContentProvider;import android.content.ContentUris;import android.content.ContentValues;import android.content.UriMatcher;import android.database.Cursor;import android.database.MatrixCursor;import android.net.Uri;public class TemporaryProvider extends ContentProvider {public static final String AUTHORITIY = "org.jssec.android.provider.temporaryprovider";public static final String CONTENT_TYPE = "vnd.android.cursor.dir/vnd.org.jssec.contenttype";public static final String CONTENT_ITEM_TYPE = "vnd.android.cursor.item/vnd.org.jssec.contenttype";// Expose the interface that the Content Provider provides.public interface Download {public static final String PATH = "downloads";public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITIY + "/" + PATH);}public interface Address {public static final String PATH = "addresses";public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITIY + "/" + PATH);}// UriMatcherprivate static final int DOWNLOADS_CODE = 1;private static final int DOWNLOADS_ID_CODE = 2;private static final int ADDRESSES_CODE = 3;private static final int ADDRESSES_ID_CODE = 4;private static UriMatcher sUriMatcher;static {sUriMatcher = new UriMatcher(UriMatcher.NO_MATCH);sUriMatcher.addURI(AUTHORITIY, Download.PATH, DOWNLOADS_CODE);sUriMatcher.addURI(AUTHORITIY, Download.PATH + "/#", DOWNLOADS_ID_CODE);sUriMatcher.addURI(AUTHORITIY, Address.PATH, ADDRESSES_CODE);sUriMatcher.addURI(AUTHORITIY, Address.PATH + "/#", ADDRESSES_ID_CODE);}// Since this is a sample program,// query method returns the following fixed result always without using database.private static MatrixCursor sAddressCursor = new MatrixCursor(new String[] { "_id", "city" });static {sAddressCursor.addRow(new String[] { "1", "New York" });sAddressCursor.addRow(new String[] { "2", "London" });sAddressCursor.addRow(new String[] { "3", "Paris" });}private static MatrixCursor sDownloadCursor = new MatrixCursor(new String[] { "_id", "path" });static {sDownloadCursor.addRow(new String[] { "1", "/sdcard/downloads/sample.jpg" });sDownloadCursor.addRow(new String[] { "2", "/sdcard/downloads/sample.txt" });}@Overridepublic boolean onCreate() {return true;}@Overridepublic String getType(Uri uri) {switch (sUriMatcher.match(uri)) {case DOWNLOADS_CODE:case ADDRESSES_CODE:return CONTENT_TYPE;case DOWNLOADS_ID_CODE:case ADDRESSES_ID_CODE:return CONTENT_ITEM_TYPE;default:throw new IllegalArgumentException("Invalid URI:" + uri);}}@Overridepublic Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) {// *** POINT 3 *** Handle the received request data carefully and securely,// even though the data comes from the application granted access temporarily.// Here, whether uri is within expectations or not, is verified by UriMatcher#match() and switch case.// Checking for other parameters are omitted here, due to sample.// Please refer to "3.2 Handle Input Data Carefully and Securely."// *** POINT 4 *** Information that is granted to disclose to the temporary access applications can be returned.// It depends on application whether the query result can be disclosed or not.switch (sUriMatcher.match(uri)) {case DOWNLOADS_CODE:case DOWNLOADS_ID_CODE:return sDownloadCursor;case ADDRESSES_CODE:case ADDRESSES_ID_CODE:return sAddressCursor;default:throw new IllegalArgumentException("Invalid URI:" + uri);}}@Overridepublic Uri insert(Uri uri, ContentValues values) {// *** POINT 3 *** Handle the received request data carefully and securely,// even though the data comes from the application granted access temporarily.// Here, whether uri is within expectations or not, is verified by UriMatcher#match() and switch case.// Checking for other parameters are omitted here, due to sample.// Please refer to "3.2 Handle Input Data Carefully and Securely."// *** POINT 4 *** Information that is granted to disclose to the temporary access applications can be returned.// It depends on application whether the issued ID has sensitive meaning or not.switch (sUriMatcher.match(uri)) {case DOWNLOADS_CODE:return ContentUris.withAppendedId(Download.CONTENT_URI, 3);case ADDRESSES_CODE:return ContentUris.withAppendedId(Address.CONTENT_URI, 4);default:throw new IllegalArgumentException("Invalid URI:" + uri);}}@Overridepublic int update(Uri uri, ContentValues values, String selection,String[] selectionArgs) {// *** POINT 3 *** Handle the received request data carefully and securely,// even though the data comes from the application granted access temporarily.// Here, whether uri is within expectations or not, is verified by UriMatcher#match() and switch case.// Checking for other parameters are omitted here, due to sample.// Please refer to "3.2 Handle Input Data Carefully and Securely."// *** POINT 4 *** Information that is granted to disclose to the temporary access applications can be returned.// It depends on application whether the number of updated records has sensitive meaning or not.switch (sUriMatcher.match(uri)) {case DOWNLOADS_CODE:return 5; // Return number of updated recordscase DOWNLOADS_ID_CODE:return 1;case ADDRESSES_CODE:return 15;case ADDRESSES_ID_CODE:return 1;default:throw new IllegalArgumentException("Invalid URI:" + uri);}}@Overridepublic int delete(Uri uri, String selection, String[] selectionArgs) {// *** POINT 3 *** Handle the received request data carefully and securely,// even though the data comes from the application granted access temporarily.// Here, whether uri is within expectations or not, is verified by UriMatcher#match() and switch case.// Checking for other parameters are omitted here, due to sample.// Please refer to "3.2 Handle Input Data Carefully and Securely."// *** POINT 4 *** Information that is granted to disclose to the temporary access applications can be returned.// It depends on application whether the number of deleted records has sensitive meaning or not.switch (sUriMatcher.match(uri)) {case DOWNLOADS_CODE:return 10; // Return number of deleted recordscase DOWNLOADS_ID_CODE:return 1;case ADDRESSES_CODE:return 20;case ADDRESSES_ID_CODE:return 1;default:throw new IllegalArgumentException("Invalid URI:" + uri);}}}
TemporaryActiveGrantActivity.java
package org.jssec.android.provider.temporaryprovider;import android.app.Activity;import android.content.ActivityNotFoundException;import android.content.Intent;import android.os.Bundle;import android.view.View;import android.widget.Toast;public class TemporaryActiveGrantActivity extends Activity {// User Activity Informationprivate static final String TARGET_PACKAGE = "org.jssec.android.provider.temporaryuser";private static final String TARGET_ACTIVITY = "org.jssec.android.provider.temporaryuser.TemporaryUserActivity";@Overrideprotected void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);setContentView(R.layout.active_grant);}// In the case that Content Provider application grants access permission to other application actively.public void onSendClick(View view) {try {Intent intent = new Intent();// *** POINT 5 *** Specify URI for the intent to grant temporary access.intent.setData(TemporaryProvider.Address.CONTENT_URI);// *** POINT 6 *** Specify access rights for the intent to grant temporary access.intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);// *** POINT 7 *** Send the explicit intent to an application to grant temporary access.intent.setClassName(TARGET_PACKAGE, TARGET_ACTIVITY);startActivity(intent);} catch (ActivityNotFoundException e) {Toast.makeText(this, "User Activity not found.", Toast.LENGTH_LONG).show();}}}
TemporaryPassiveGrantActivity.java
package org.jssec.android.provider.temporaryprovider;import android.app.Activity;import android.content.Intent;import android.os.Bundle;import android.view.View;public class TemporaryPassiveGrantActivity extends Activity {@Overrideprotected void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);setContentView(R.layout.passive_grant);}// In the case that Content Provider application passively grants access permission// to the application that requested Content Provider access.public void onGrantClick(View view) {Intent intent = new Intent();// *** POINT 5 *** Specify URI for the intent to grant temporary access.intent.setData(TemporaryProvider.Address.CONTENT_URI);// *** POINT 6 *** Specify access rights for the intent to grant temporary access.intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);// *** POINT 8 *** Return the intent to the application that requests temporary access.setResult(Activity.RESULT_OK, intent);finish();}public void onCloseClick(View view) {finish();}}
下面是临时内容供应器的示例。
要点(使用内容供应器):
不要发送敏感信息。
收到结果时,小心并安全地处理结果数据。
TemporaryUserActivity.java
package org.jssec.android.provider.temporaryuser;import android.app.Activity;import android.content.ActivityNotFoundException;import android.content.Intent;import android.content.pm.ProviderInfo;import android.database.Cursor;import android.net.Uri;import android.os.Bundle;import android.view.View;import android.widget.TextView;public class TemporaryUserActivity extends Activity {// Information of the Content Provider's Activity to request temporary content provider access.private static final String TARGET_PACKAGE = "org.jssec.android.provider.temporaryprovider";private static final String TARGET_ACTIVITY = "org.jssec.android.provider.temporaryprovider.TemporaryPassiveGrantActivity";// Target Content Provider Informationprivate static final String AUTHORITY = "org.jssec.android.provider.temporaryprovider";private interface Address {public static final String PATH = "addresses";public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/" + PATH);}private static final int REQUEST_CODE = 1;public void onQueryClick(View view) {logLine("[Query]");Cursor cursor = null;try {if (!providerExists(Address.CONTENT_URI)) {logLine(" Content Provider doesn't exist.");return;}// *** POINT 9 *** Do not send sensitive information.// If no problem when the information is taken by malware, it can be included in the request.cursor = getContentResolver().query(Address.CONTENT_URI, null, null, null, null);// *** POINT 10 *** When receiving a result, handle the result data carefully and securely.// Omitted, since this is a sample. Please refer to "3.2 Handling Input Data Carefully and Securely."if (cursor == null) {logLine(" null cursor");} else {boolean moved = cursor.moveToFirst();while (moved) {logLine(String.format(" %d, %s", cursor.getInt(0), cursor.getString(1)));moved = cursor.moveToNext();}}} catch (SecurityException ex) {logLine(" Exception:" + ex.getMessage());}finally {if (cursor != null) cursor.close();}}// In the case that this application requests temporary access to the Content Provider// and the Content Provider passively grants temporary access permission to this application.public void onGrantRequestClick(View view) {Intent intent = new Intent();intent.setClassName(TARGET_PACKAGE, TARGET_ACTIVITY);try {startActivityForResult(intent, REQUEST_CODE);} catch (ActivityNotFoundException e) {logLine("Content Provider's Activity not found.");}}private boolean providerExists(Uri uri) {ProviderInfo pi = getPackageManager().resolveContentProvider(uri.getAuthority(), 0);return (pi != null);}private TextView mLogView;// In the case that the Content Provider application grants temporary access// to this application actively.@Overridepublic void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);setContentView(R.layout.main);mLogView = (TextView)findViewById(R.id.logview);}private void logLine(String line) {mLogView.append(line);mLogView.append("¥n");}}
若有收获,就点个赞吧
0 人点赞
