Question

I have a running J2EE-based web application for point of sale hosted in the cloud, and the database is PostgreSQL. Now I am building an Android app for point of sale. For data sync I have read a lot about how to create a SyncAdapter etc., but very little about server-side development. My first questions:

  1. How will the authentication token be created? Who will create this AuthToken: my server-side RESTful web service or the device's SyncAdapter itself? Who should initiate expiry of the AuthToken, the device or the server web service?

  2. Currently my web application has many user-level permissions. When data comes from the device to sync, I need to check the user's permissions before syncing. Do I need to write this permission checking myself inside my server-side web services?

Solution

  1. In short, the server is responsible for creating an AuthToken.

    For a better understanding you should read the OAuth2 specification. Although you could write your own simpler solution, I recommend that you use OAuth2 to avoid some pitfalls. In your case the authorization grant type "Resource Owner Password Credentials" seems most appropriate.

    Apache Oltu is a framework for implementing OAuth2 in Java, but you still have to handle some things like persistence of tokens on your own.

  2. Yes, you have to check the permissions on the server side. Don't trust the client!

    Besides that, you may restrict the apps more strictly by using different token types for Android. For example: when you're accessing the web service both from within your server application and from Android apps, you could differentiate permissions based on the token type (Android vs. internal). Or maybe you provide your app's users an option to restrict the app's access to read operations only.
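
The points in this answer (server mints and expires the token, server re-checks the user's permissions on every sync, token type and read-only scope narrowing what a device may do) as an added example, written for this page and not code from the original post or from Apache Oltu. It is the server side of a Resource Owner Password Credentials exchange in plain Python with an in-memory store; the user table, password hashes, scope names ("sale:read", "sale:write", "user:admin"), client types and sync payload are all constructed for the example, and a real deployment would keep users and tokens in the PostgreSQL database the web application already uses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed user table: password hashes plus the per-user permissions the
# web application already has. Assumption: a single demo salt (use one per user).
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS = {
    "cashier": {"pw": _hash_password("cashier-pass"), "perms": {"sale:read", "sale:write"}},
    "auditor": {"pw": _hash_password("auditor-pass"), "perms": {"sale:read"}},
}

# Upper bound on what a token of each client type may carry, regardless of
# what the user could do in the web UI (the "token type" idea from the answer).
CLIENT_MAX_SCOPES = {
    "android": {"sale:read", "sale:write"},
    "internal": {"sale:read", "sale:write", "user:admin"},
}


@dataclass
class Token:
    user: str
    client_type: str
    scopes: set
    expires_at: float  # set and enforced by the server; the device cannot change it


class AuthServer:
    """Server side of the Resource Owner Password Credentials grant: verify
    credentials, mint an opaque random token, store it with scopes and expiry."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised offline
        self.tokens: dict = {}

    def issue_token(self, username, password, client_type, requested_scopes):
        user = USERS.get(username)
        # Always run the hash comparison so an unknown username costs the
        # same time as a wrong password.
        expected = user["pw"] if user else _hash_password("")
        ok = hmac.compare_digest(expected, _hash_password(password))
        if user is None or not ok or client_type not in CLIENT_MAX_SCOPES:
            return None
        # Granted scope = requested ∩ user's permissions ∩ client-type cap.
        # Requesting only "sale:read" yields the read-only token the answer mentions.
        scopes = set(requested_scopes) & user["perms"] & CLIENT_MAX_SCOPES[client_type]
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Token(username, client_type, scopes, self.clock() + self.ttl)
        return token

    def authorize(self, token, required_scope):
        """Return the Token if it is live and carries required_scope, else None."""
        t = self.tokens.get(token)
        if t is None:
            return None
        if self.clock() >= t.expires_at:
            del self.tokens[token]  # server-initiated expiry
            return None
        if required_scope not in t.scopes:
            return None
        # Re-check the live permission table, not only the scopes frozen into
        # the token, so a permission removed after login takes effect at once.
        if required_scope not in USERS[t.user]["perms"]:
            return None
        return t


def sync_sales(server, token, records):
    """The sync endpoint. It trusts nothing from the device except the token;
    user identity and permissions come from the server's own records."""
    t = server.authorize(token, "sale:write")
    if t is None:
        return {"status": 401, "accepted": 0}
    return {"status": 200, "accepted": len(records), "user": t.user}


def run_scenario():
    """Exercise issue, sync, read-only token, wrong password, unknown user and expiry."""
    now = [1_000_000.0]
    srv = AuthServer(ttl_seconds=60, clock=lambda: now[0])
    records = [{"id": 1, "total": "9.99"}]  # constructed sync payload
    out = {}
    tok = srv.issue_token("cashier", "cashier-pass", "android", {"sale:read", "sale:write"})
    out["cashier_sync"] = sync_sales(srv, tok, records)["status"]
    ro = srv.issue_token("cashier", "cashier-pass", "android", {"sale:read"})
    out["readonly_sync"] = sync_sales(srv, ro, records)["status"]
    aud = srv.issue_token("auditor", "auditor-pass", "android", {"sale:read", "sale:write"})
    out["auditor_sync"] = sync_sales(srv, aud, records)["status"]
    out["bad_password"] = srv.issue_token("cashier", "wrong", "android", {"sale:read"})
    out["unknown_user"] = srv.issue_token("nobody", "", "android", {"sale:read"})
    now[0] += 61  # server clock passes the TTL; the device did nothing
    out["expired_sync"] = sync_sales(srv, tok, records)["status"]
    out["expired_purged"] = tok not in srv.tokens
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The device never decides anything here: it only presents the opaque token, and the server looks up who it belongs to, whether it is still within its lifetime, and whether that user currently holds the permission the sync needs. Granting the intersection of requested scope, user permissions and client-type cap is what lets the same endpoint serve the internal application and the Android app with different limits.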

Licensed under: CC-BY-SA with attribution