Security tests
A security test defines a security configuration for a protected resource. Predefined tests are supplied for standard web and mobile security requirements. We can also write our own custom security tests and define the sequence in which their realms are processed. In web and mobile security tests, we cannot define the sequence in which realms are processed; to define the sequence, we must write our own custom security test and use the step property.
A security test specifies one or more authentication realms and an authentication realm can be used by any number of security tests. A protectable resource can be protected by any number of realms.
A protected resource is protected by a security test. When a client attempts to access a protected resource, IBM MobileFirst Platform Foundation checks whether the client is already authenticated according to all realms of the security test. If the client is not yet authenticated, IBM MobileFirst Platform Foundation triggers the process of authentication for all unauthenticated realms.
Before you define security tests, define the authentication realms that the tests use.
Define a security test for each environment in application-descriptor.xml, using the property securityTest="test_name". If no security test is defined for a specific environment, only a minimal set of default platform tests is run.
We can define three types of security test:
- webSecurityTest
- A test that is predefined to contain realms related to web security.
Use a webSecurityTest to protect web applications.
A webSecurityTest must contain one testUser element with a realm definition for user authentication. The identity that is obtained from this realm is considered to be a user identity.
By default, a webSecurityTest includes protection against cross-site request forgery (XSRF) attacks.
- mobileSecurityTest
- A test that is predefined to contain realms related to mobile security.
Use a mobileSecurityTest to protect mobile applications.
A mobileSecurityTest must contain one testUser element with a realm definition for user authentication. The identity that is obtained from this realm is considered to be a user identity.
A mobileSecurityTest must contain one testDeviceId element with a realm definition for device authentication. The identity that is obtained from this realm is considered to be a device identity.
By default, a mobileSecurityTest includes protection against XSRF attacks, automatic checking for Direct Updates every session, and the ability to remotely disable, from the operations console, the app's connection to MobileFirst Server.
- customSecurityTest
- A custom security test. No predefined realms are added. Only tests that are included are tested.
Use a customSecurityTest to define our own security requirements and the sequence and grouping in which they occur.
We can define any number of tests within a customSecurityTest. Each test specifies one realm. To define a realm as a user identity realm, add the property isInternalUserID="true" to the test. The isInternalUserID attribute means that this realm is used for user identification for reporting and push subscriptions. There must be exactly one such realm for every security configuration that is applied to a mobile or web resource.
For a device auto provisioning realm, the isInternalDeviceID attribute means that this realm is used for device identification for reporting, push subscriptions, and device SSO features. There must be exactly one such realm for every security configuration that is applied to a mobile resource.
Important: When we use device auto provisioning in customSecurityTests, an authenticity realm must also be present within the tests, otherwise provisioning cannot succeed.
To specify the order in which a client must authenticate in the different realms, add the property step="n" to each test, where n indicates the sequence. If a sequence is not specified, then all tests are done in a single step.
Application authenticity and device provisioning are not supported in Enterprise Edition (Java EE) or Micro Edition (Java ME).
Sample security tests
The following figure shows what a webSecurityTest and a mobileSecurityTest contain. The security tests on the right are the detailed equivalents of the security tests on the left.
The webSecurityTest contains:
- The following realms, enabled by default: wl_anonymousUserRealm and wl_antiXSRFRealm.
- User realm that we must specify.
The mobileSecurityTest contains:
- The following realms, enabled by default: wl_anonymousUserRealm, wl_antiXSRFRealm, wl_remoteDisableRealm and wl_deviceNoProvisioningRealm.
- User and device realms that we must specify.
A customSecurityTest has no realms that are enabled by default. Define all realms you want the customSecurityTest to contain.
For a webSecurityTest:
<webSecurityTest name="webTest">
    <testUser realm="wl_anonymousUserRealm"/>
</webSecurityTest>
The equivalent as a customSecurityTest:
<customSecurityTest name="webTest">
    <test realm="wl_antiXSRFRealm" />
    <test realm="wl_anonymousUserRealm" isInternalUserID="true" />
</customSecurityTest>
For a mobileSecurityTest:
<mobileSecurityTest name="mobileTest">
    <testUser realm="wl_anonymousUserRealm"/>
    <testDeviceId provisioningType="none" />
</mobileSecurityTest>
The equivalent as a customSecurityTest:
<customSecurityTest name="mobileTest">
    <test realm="wl_antiXSRFRealm" />
    <test realm="wl_remoteDisableRealm" />
    <test realm="wl_anonymousUserRealm" isInternalUserID="true" />
    <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" />
</customSecurityTest>
Usually, we add our own realm to the configuration to authenticate users. The following example shows a configuration where the realm named MyUserAuthRealm is the realm that the developer added.
Example with our own realm name as a realm definition for testUser:
For a webSecurityTest:
<webSecurityTest name="webTest">
    <testUser realm="MyUserAuthRealm"/>
</webSecurityTest>
The equivalent as a customSecurityTest:
<customSecurityTest name="webTest">
    <test realm="wl_antiXSRFRealm" />
    <test realm="MyUserAuthRealm" isInternalUserID="true" />
</customSecurityTest>
For a mobileSecurityTest:
<mobileSecurityTest name="mobileTest">
    <testUser realm="MyUserAuthRealm"/>
    <testDeviceId provisioningType="none" />
</mobileSecurityTest>
The equivalent as a customSecurityTest:
<customSecurityTest name="mobileTest">
    <test realm="wl_antiXSRFRealm" />
    <test realm="wl_remoteDisableRealm" />
    <test realm="MyUserAuthRealm" isInternalUserID="true" />
    <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" />
</customSecurityTest>
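The customSecurityTest rules described above (exactly one isInternalUserID realm, exactly one isInternalDeviceID realm for a mobile resource, an authenticity realm whenever device auto provisioning is used, and the step ordering that the predefined tests cannot express) as a small lint over the XML; this is an added example, not IBM's own tooling. It reuses MyUserAuthRealm from the samples above and assumes the realm names wl_authenticityRealm and wl_deviceAutoProvisioningRealm for the auto-provisioning case.

```python
import xml.etree.ElementTree as ET

# Realm names assumed for the auto-provisioning case (placeholders, not taken
# from this page); substitute the names used in your authenticationConfig.xml.
AUTHENTICITY_REALM = "wl_authenticityRealm"
AUTO_PROVISIONING_REALM = "wl_deviceAutoProvisioningRealm"

# Constructed sample: a mobile customSecurityTest with an explicit step order,
# so user and app checks run in step 1 before the device is provisioned in step 2.
GOOD = """
<customSecurityTest name="mobileTest">
  <test realm="wl_antiXSRFRealm" step="1"/>
  <test realm="wl_authenticityRealm" step="1"/>
  <test realm="wl_remoteDisableRealm" step="1"/>
  <test realm="MyUserAuthRealm" isInternalUserID="true" step="1"/>
  <test realm="wl_deviceAutoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
"""


def lint(xml_text, mobile=True):
    """Return the rule violations found; an empty list means the test is consistent."""
    tests = ET.fromstring(xml_text.strip()).findall("test")
    problems = []
    user = [t for t in tests if t.get("isInternalUserID") == "true"]
    device = [t for t in tests if t.get("isInternalDeviceID") == "true"]
    # Exactly one user identity realm per security configuration.
    if len(user) != 1:
        problems.append("need exactly one isInternalUserID realm, found %d" % len(user))
    # Mobile resources additionally need exactly one device identity realm.
    if mobile and len(device) != 1:
        problems.append("need exactly one isInternalDeviceID realm, found %d" % len(device))
    # Device auto provisioning cannot succeed without an authenticity realm.
    realms = {t.get("realm") for t in tests}
    if AUTO_PROVISIONING_REALM in realms and AUTHENTICITY_REALM not in realms:
        problems.append("device auto provisioning requires an authenticity realm")
    return problems


def step_order(xml_text):
    """Group realms by step, in the order a client must authenticate against them."""
    by_step = {}
    for t in ET.fromstring(xml_text.strip()).findall("test"):
        # A test without a step attribute is placed in step 1 (assumption: the
        # page only says that omitting step everywhere yields a single step).
        by_step.setdefault(int(t.get("step", "1")), []).append(t.get("realm"))
    return [by_step[step] for step in sorted(by_step)]
```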
Parent topic: MobileFirst security framework