Security-checks implementation
Learn how to implement security checks that provide custom authorization logic.
Overview
- The MobileFirst security framework requires that you implement a custom security check as part of an adapter that is deployed to MobileFirst Server. You implement the security-check class by using the MobileFirst security server-side Java™ API, and you define an instance of this class in the adapter-descriptor file (adapter.xml). You can implement and define security checks either in the same adapter that defines your resources, or in a separate dedicated adapter, as you prefer.
- The outlined steps do not need to be executed in the specified order, and they can be done in stages. For example, you can define an empty security-check definition, and add configuration properties when the related security-check configuration is ready. But be aware of the following considerations:
- To deploy an adapter that defines a security check, the security check's class must be available in the same adapter, either as part of the adapter source code or via an external library.
- To correctly define the configuration properties in the security-check definition, you need to know which properties are supported for the referenced class and what their value restrictions are.
After you define a security-check class and deploy it to MobileFirst Server, you can customize the value of its properties both for the specific server instance and for a specific application version. See Configuring runtime adapter security-check properties and Configuring application security-check properties. The administrator can edit these configurations before going to production, and after the application is already in production.
The security-check base and sample classes
To facilitate and accelerate your development process, IBM MobileFirst™ Platform Foundation provides base abstract implementations of the SecurityCheck interface. In addition, a base abstract implementation of the SecurityCheckConfiguration interface is provided (SecurityCheckConfigurationBase), as well as complementary sample security-check configuration classes for each of the provided base security-check classes. Start out with the base security-check implementation (and related sample configuration) that best fits your development needs, and extend and modify the implementation as needed.
- ExternalizableSecurityCheck
- This class implements the required externalization of the security check as a JSON object, and also implements a security-check state mechanism. See the full API reference of this class: ExternalizableSecurityCheck.
ExternalizableSecurityCheck creates a security-check configuration of the sample ExternalizableSecurityCheckConfig class.
- CredentialsValidationSecurityCheck
- This class extends the ExternalizableSecurityCheck class and adds an implementation that validates user credentials as a condition for accessing a protected resource. The implementation allows a limited number of login attempts during a certain interval, after which the security check is blocked for a configured period. In the case of a successful login, the state of the security check remains successful for a configured period, during which the user can access the requested resource.
CredentialsValidationSecurityCheck creates a security-check configuration of the sample CredentialsValidationSecurityCheckConfig class, which extends ExternalizableSecurityCheckConfig and defines the configurable properties of the security check and their default values.
For guidelines on how to implement and configure the CredentialsValidationSecurityCheck security check, and how to implement complementary client-side challenge handlers, see the CredentialsValidationSecurityCheck tutorials.
- UserAuthenticationSecurityCheck
- This class extends the CredentialsValidationSecurityCheck class and adds to it an implementation that creates a user identity that can be used to identify the current user. The class also implements a sample "remember me" function, which uses a user identity that is stored in the registration service as the active user.
UserAuthenticationSecurityCheck creates a security-check configuration of the sample UserAuthenticationSecurityCheckConfig class, which extends CredentialsValidationSecurityCheckConfig.
For guidelines on how to implement and configure the UserAuthenticationSecurityCheck security check, and how to implement complementary client-side challenge handlers, see the UserAuthenticationSecurityCheck tutorials.
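As an added illustration (not code from the MobileFirst documentation or the tutorials), the following class extends CredentialsValidationSecurityCheck with a PIN check and a matching configuration class; the adapter.xml securityCheckDefinition would name this class and declare pinCode and maxAttempts as property elements. The class name, package, the pinCode property, the getStringProperty helper and the protected config field are assumptions made to match the base-class API described on this page.

```java
import com.ibm.mfp.security.checks.base.CredentialsValidationSecurityCheck;
import com.ibm.mfp.security.checks.base.CredentialsValidationSecurityCheckConfig;
import com.ibm.mfp.server.security.external.SecurityCheckConfiguration;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

public class PinCodeCheck extends CredentialsValidationSecurityCheck {

    // Inherits maxAttempts, blockedStateExpirationSec and successStateExpirationSec
    // from the base configuration and adds the (hypothetical) pinCode property.
    public static class PinCodeConfig extends CredentialsValidationSecurityCheckConfig {
        public final String pinCode;
        public PinCodeConfig(Properties properties) {
            super(properties);
            pinCode = getStringProperty("pinCode", properties, "1234"); // base helper (assumed)
        }
    }

    private String errorMsg;

    @Override
    public SecurityCheckConfiguration createConfiguration(Properties properties) {
        return new PinCodeConfig(properties);
    }

    // Called by the base class once per attempt; the base class counts failures
    // against maxAttempts and blocks the check for blockedStateExpirationSec.
    @Override
    protected boolean validateCredentials(Map<String, Object> credentials) {
        Object pin = credentials == null ? null : credentials.get("pin");
        String expected = ((PinCodeConfig) config).pinCode; // 'config' field assumed from base
        // Constant-time comparison so response time does not reveal how much matched
        boolean ok = pin != null && MessageDigest.isEqual(
                pin.toString().getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
        errorMsg = ok ? null : "The PIN code is missing or not valid.";
        return ok;
    }

    // Challenge sent to the client-side challenge handler after a failed attempt
    @Override
    protected Map<String, Object> createChallenge() {
        Map<String, Object> challenge = new HashMap<>();
        challenge.put("errorMsg", errorMsg);
        challenge.put("remainingAttempts", getRemainingAttempts());
        return challenge;
    }
}
```

The attempt counting, blocked state and success-state expiry come from the base class; the subclass only supplies the credential test and the challenge contents.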
The ExternalizableSecurityCheck and ExternalizableSecurityCheckConfig classes are included in the com.ibm.mfp.server.security.external.checks.impl package of the core MobileFirst server-side Java API.
The CredentialsValidationSecurityCheck, CredentialsValidationSecurityCheckConfig, UserAuthenticationSecurityCheck, and UserAuthenticationSecurityCheckConfig classes are available as part of the MobileFirst com.ibm.mfp.security.checks.base Java Maven library, which you can download from the Maven repository or from the IBM MobileFirst Platform Operations Console: from the console Dashboard, select Download Center, select the Tools tab, and choose the Download option in the Security Checks section.