Note: For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.

Security checks

Learn how to create custom security checks, use the predefined MobileFirst security checks, and configure the behavior of your security checks at the adapter and application levels.

Security checks constitute the basic server-side building block of the MobileFirst security framework. A security check is a server-side entity that implements specific authorization logic. You protect a resource by assigning it a scope that maps to zero or more security checks. The security framework ensures that only a client that passes all of the security checks of the protecting scope is granted access to the resource. See Overview of the MobileFirst security framework. You can use security checks to authorize access both to resources that are hosted on MobileFirst Server and to resources on an external resource server. See OAuth resource protection.

A security check can be used to validate data from different sources, including:
  • Client data, such as login credentials (for example, user name and password, or a PIN code), or application-authenticity data.
  • Server-side state

Custom security checks are implemented and defined within MobileFirst adapters: the developer implements a security-check class in Java™ code, and configures it in the adapter descriptor. See Security-checks implementation.
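As an added illustration (not code from this documentation page), a custom PIN-code security check might look like the following sketch. It assumes the MobileFirst 8.0 Java security-check API base class CredentialsValidationSecurityCheck; the package and class name, the "pin" credential key, and the placeholder PIN value are hypothetical.

```java
package com.sample; // hypothetical adapter package

import com.ibm.mfp.security.checks.base.CredentialsValidationSecurityCheck;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

/*
 * Defined in the adapter descriptor (adapter.xml), for example:
 *   <securityCheckDefinition name="PinCodeAttempts" class="com.sample.PinCodeAttempts">
 *     <property name="maxAttempts" defaultValue="3"/>
 *   </securityCheckDefinition>
 */
public class PinCodeAttempts extends CredentialsValidationSecurityCheck {

    // Constructed placeholder. A real check verifies against server-side state,
    // never against a value compiled into the adapter.
    private static final byte[] EXPECTED_PIN = "000000".getBytes(StandardCharsets.UTF_8);

    private String errorMsg;

    @Override
    protected boolean validateCredentials(Map<String, Object> credentials) {
        Object pin = (credentials == null) ? null : credentials.get("pin");
        if (!(pin instanceof String)) {
            errorMsg = "PIN code was not provided.";
            return false;
        }
        byte[] supplied = ((String) pin).getBytes(StandardCharsets.UTF_8);
        // Compare without short-circuiting on the first differing byte.
        if (MessageDigest.isEqual(supplied, EXPECTED_PIN)) {
            errorMsg = null;
            return true;
        }
        errorMsg = "PIN code is not valid.";
        return false;
    }

    @Override
    protected Map<String, Object> createChallenge() {
        // Sent to the client whenever credentials are missing or rejected.
        Map<String, Object> challenge = new HashMap<>();
        challenge.put("errorMsg", errorMsg);
        challenge.put("remainingAttempts", getRemainingAttempts());
        return challenge;
    }
}
```

The base class counts failed attempts and blocks the client once the configured maximum is reached, so the check itself only decides whether the submitted credentials are valid.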

The architecture of the security framework is modular and flexible. The implementation of the security check is not inherently dependent on any specific resource or application. You can reuse the same security check to protect different resources, and use different security-check combinations for various authorization flows. For enhanced flexibility, a security-check class exposes configuration properties that can be customized at the adapter level both in the security-check definition and during run time. You can also customize the configuration logic at the application level. See Security-checks configuration.

You can create custom security checks, and use any of the predefined MobileFirst security checks. See Security-checks implementation and Predefined MobileFirst security checks.