Configuring login modules
Login modules are defined in <loginModule> elements in the authenticationConfig.xml file.
The <loginModules> element contains a separate <loginModule> subelement for each login module.
The <loginModule> element has the following attributes:
Attribute | Description |
---|---|
expirationInSeconds | Optional. Defines the expiration period of realms that use this login module. If not set, the server will use a default expiration period of 3600 seconds (one hour). Note that if the server is not running in session-independent mode, authentication to a login module is only valid within the same client session. In session-dependent mode only, you can use the special value "-1" that indicates that there is no set expiration period and the login remains valid until the end of the client session. For more information about session-independent mode, see Session-independent mode. |
name | Mandatory. The unique name by which realms reference the login module. |
audit | Optional. Defines whether login attempts that use the login module are logged in the audit log. The log file is Worklight Project Name/server/log/audit/audit.log. Valid values are: |
The MobileFirst security framework provides several built-in realms (for example, directUpdate and remoteDisable). In order to modify the default expiration period of these realms, open the worklight.properties file, uncomment the line corresponding to the realm, and change the expiration value. The following shows the relevant sections in worklight.properties:
#######################################################################################################################
# Expiration time for built-in realms
#######################################################################################################################
# Use these properties to configure the expiration time (in seconds) for MobileFirst's built-in realms.
# When mfp.session.independent is false, a value of -1 means that a realm will remain authenticated
# until the session times out
wl.realm.expiration.directUpdate=3600
wl.realm.expiration.remoteDisable=300
wl.realm.expiration.deviceAutoProvisioning=3600
wl.realm.expiration.deviceNoProvisioning=3600
wl.realm.expiration.antiXSRF=3600
wl.realm.expiration.authenticity=3600
wl.realm.expiration.anonymousUser=3600
Note: To avoid application-authenticity validation failures, use the same expiration periods for the application-authenticity and device-provisioning realms. The default expiration periods are identical, but if you customize the default period of the authenticity, deviceAutoProvisioning, or deviceNoProvisioning realms, set the same period also for the other two realms.
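A small checker for the rules above, added here as an example and not part of the product or its documentation: it reads the text of a worklight.properties file, confirms that the authenticity, deviceAutoProvisioning and deviceNoProvisioning periods match, and flags -1 where mfp.session.independent is not set to false. The LISTED fallback values and the max_seconds review threshold are assumptions of this example.

```python
import re

# Values shown in this page's worklight.properties listing, assumed here for
# realms whose line is commented out or absent.
LISTED = {"directUpdate": 3600, "remoteDisable": 300, "antiXSRF": 3600,
          "deviceAutoProvisioning": 3600, "deviceNoProvisioning": 3600,
          "authenticity": 3600, "anonymousUser": 3600}
MUST_MATCH = ("authenticity", "deviceAutoProvisioning", "deviceNoProvisioning")
LINE = re.compile(r"^\s*([\w.]+)\s*[=:]\s*(\S*)\s*$")
# Constructed sample input (not taken from a real deployment).
SAMPLE = """\
mfp.session.independent=true
wl.realm.expiration.authenticity=7200
#wl.realm.expiration.deviceAutoProvisioning=3600
wl.realm.expiration.remoteDisable=-1
"""

def parse_properties(text):
    """Return active key/value pairs; lines starting with # or ! are comments."""
    props = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith(("#", "!")):
            continue
        m = LINE.match(raw)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_realm_expirations(text, max_seconds=3600):
    """max_seconds is a hypothetical review threshold, not a product setting."""
    props, findings, realms = parse_properties(text), [], dict(LISTED)
    for key, value in props.items():
        if key.startswith("wl.realm.expiration."):
            realm = key.rsplit(".", 1)[1]
            try:
                realms[realm] = int(value)
            except ValueError:
                findings.append(f"{realm}: non-numeric expiration {value!r}")
    if len({realms[r] for r in MUST_MATCH}) != 1:
        detail = ", ".join(f"{r}={realms[r]}" for r in MUST_MATCH)
        findings.append(f"authenticity/provisioning periods differ: {detail}")
    session_dependent = props.get("mfp.session.independent", "").lower() == "false"
    for realm, secs in sorted(realms.items()):
        if secs == -1 and not session_dependent:
            findings.append(f"{realm}: -1 requires mfp.session.independent=false")
        elif secs > max_seconds:
            findings.append(f"{realm}: {secs}s exceeds review threshold {max_seconds}s")
    return findings
```

Calling check_realm_expirations(SAMPLE) returns three findings: the mismatch between the authenticity and provisioning realms, the 7200-second authenticity period, and the -1 on remoteDisable.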
The <loginModule> element has the following subelements:
Element | Description |
---|---|
<className> | Mandatory. The class name of the login module. For details of the supported login modules, see the following topics. |
<parameter> | Optional. An initialization property of the login module. The supported properties and their semantics depend on the login module class. This element can occur multiple times. |
Important: Changes to realm configuration and login module configuration (excluding changes to the expiration period) are not applied immediately to clients that authenticated within the realm before the change. The changes will be applied only when the realm expires or when the client has logged out of the realm explicitly. Consider this behavior if you plan to use a long expiration period: in addition to the security implications, a long expiration period also limits the flexibility of making changes to the realm configuration.