Learn how to implement security checks that provide custom
authorization logic.
Overview
The development of a security check involves the following server-side steps:
- Create a security-check class that implements the security-check interface (SecurityCheck). For more information about the requirements of this class, see The security-check contract. You can start your development by extending one of the provided security-check base classes. See The security-check base and sample classes.
- Optionally create a security-check configuration class that implements the security-check configuration interface (SecurityCheckConfiguration). You can start with the abstract implementation of this interface, the SecurityCheckConfigurationBase class, or with one of the provided sample implementations that extend this class. For more information, see The security-check contract and The security-check base and sample classes.
- Define one or more security checks of a custom security-check class type. See Defining security checks.
Note:
- The MobileFirst security framework requires that you implement a custom security check as part of an adapter that is deployed to MobileFirst Server. You implement the security-check class by using the MobileFirst server-side Java™ API, and you define an instance of this class in the adapter-descriptor file (adapter.xml). You can implement and define security checks either in the same adapter that defines your resources, or in a separate dedicated adapter, as you prefer.
- The outlined steps do not need to be executed in the specified order, and they can be done in stages. For example, you can define an empty security-check definition, and add configuration properties when the related security-check configuration is ready. But be aware of the following considerations:
  - To deploy an adapter that defines a security check, the security check's class must be available in the same adapter, either as part of the adapter source code or via an external library.
  - To correctly define the configuration properties in the security-check definition, you need to know which properties are supported by the referenced class and what their value restrictions are.
After you define a security-check class and deploy it to MobileFirst Server, you can customize the values of its properties both for the specific server instance and for a specific application version. See Configuring runtime adapter security-check properties and Configuring application security-check properties. The administrator can edit these configurations before going to production, and after the application is already in production.
The security-check base and sample classes
To facilitate and accelerate your development process, IBM MobileFirst™ Platform Foundation provides base abstract implementations of the SecurityCheck interface. In addition, a base abstract implementation of the SecurityCheckConfiguration interface is provided (SecurityCheckConfigurationBase), as well as complementary sample security-check configuration classes for each of the provided base security-check classes. Start out with the base security-check implementation (and related sample configuration) that best fits your development needs, and extend and modify the implementation as needed.
- ExternalizableSecurityCheck
  This class implements the required externalization of the security check as a JSON object, and also implements a security-check state mechanism. See the full API reference of this class: ExternalizableSecurityCheck.
  ExternalizableSecurityCheck creates a security-check configuration of the sample ExternalizableSecurityCheckConfig class.
- CredentialsValidationSecurityCheck
  This class extends the ExternalizableSecurityCheck class and adds an implementation that validates user credentials as a condition for accessing a protected resource. The implementation allows a limited number of login attempts during a certain interval, after which the security check is blocked for a configured period. In the case of a successful login, the state of the security check remains successful for a configured period, during which the user can access the requested resource.
  CredentialsValidationSecurityCheck creates a security-check configuration of the sample CredentialsValidationSecurityCheckConfig class, which extends ExternalizableSecurityCheckConfig and defines the configurable properties of the security check and their default values.
  For guidelines on how to implement and configure the CredentialsValidationSecurityCheck security check, and how to implement complementary client-side challenge handlers, see the CredentialsValidationSecurityCheck tutorials.
- UserAuthenticationSecurityCheck
  This class extends the CredentialsValidationSecurityCheck class and adds to it an implementation that creates a user identity that can be used to identify the current user. The class also implements a sample "remember me" function, which uses a user identity that is stored in the registration service as the active user.
  UserAuthenticationSecurityCheck creates a security-check configuration of the sample UserAuthenticationSecurityCheckConfig class, which extends CredentialsValidationSecurityCheckConfig.
  For guidelines on how to implement and configure the UserAuthenticationSecurityCheck security check, and how to implement complementary client-side challenge handlers, see the UserAuthenticationSecurityCheck tutorials.
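As an added example (not code from the original page or from the MobileFirst project), the three Overview steps carried through for a check that extends CredentialsValidationSecurityCheck: a configuration class that adds one property, and the check that consumes it. The names PinCodeConfig, PinCodeSecurityCheck, the pin and pinCode keys and the com.example.checks package are assumptions; the base-class methods and inherited property names follow the MobileFirst 8.0 API reference, which you should verify against your version.

```java
package com.example.checks; // assumed package; both classes are shown in one listing
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import com.ibm.mfp.security.checks.base.CredentialsValidationSecurityCheck;
import com.ibm.mfp.security.checks.base.CredentialsValidationSecurityCheckConfig;
import com.ibm.mfp.server.security.external.SecurityCheckConfiguration;
// Step 2: configuration class; adds pinCode to the inherited maxAttempts/blockedStateExpirationSec/successStateExpirationSec.
class PinCodeConfig extends CredentialsValidationSecurityCheckConfig {
    final String pinCode;
    PinCodeConfig(Properties properties) {
        super(properties);
        // Third argument is the default used when neither adapter.xml nor the console sets the property.
        pinCode = getStringProperty("pinCode", properties, "1234");
    }
}
// Step 1: the check itself; the base class counts attempts and enforces the blocked and success periods around validateCredentials().
public class PinCodeSecurityCheck extends CredentialsValidationSecurityCheck {
    private String errorMsg;
    @Override
    public SecurityCheckConfiguration createConfiguration(Properties properties) {
        return new PinCodeConfig(properties);
    }
    @Override
    protected PinCodeConfig getConfiguration() {
        return (PinCodeConfig) super.getConfiguration();
    }
    @Override
    protected boolean validateCredentials(Map<String, Object> credentials) {
        Object pin = credentials == null ? null : credentials.get("pin"); // "pin" is an assumed challenge-answer key
        if (pin == null) {
            errorMsg = "The PIN code was not provided.";
            return false;
        }
        if (pin.toString().equals(getConfiguration().pinCode)) {
            return true; // base class moves the check to its success state for successStateExpirationSec
        }
        errorMsg = "The PIN code is not valid."; // never echo the expected value back to the client
        return false;
    }
    // Challenge returned to the client-side challenge handler after a failed or missing attempt.
    @Override
    protected Map<String, Object> createChallenge() {
        Map<String, Object> challenge = new HashMap<>();
        challenge.put("errorMsg", errorMsg);
        challenge.put("remainingAttempts", getRemainingAttempts());
        return challenge;
    }
}
```

Step 3 is then a securityCheckDefinition element in adapter.xml whose class attribute names PinCodeSecurityCheck and whose property elements can override pinCode and the inherited attempt properties; the console can later change those values per server instance and per application version, as described above.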
The ExternalizableSecurityCheck and ExternalizableSecurityCheckConfig classes are included in the com.ibm.mfp.server.security.external.checks.impl package of the core MobileFirst server-side Java API. The CredentialsValidationSecurityCheck, CredentialsValidationSecurityCheckConfig, UserAuthenticationSecurityCheck, and UserAuthenticationSecurityCheckConfig classes are available as part of the MobileFirst com.ibm.mfp.security.checks.base Java Maven library, which you can download from the Maven repository or from the IBM MobileFirst Platform Operations Console: from the console Dashboard, select Download Center, select the Tools tab, and choose the Download option in the Security Checks section.