Implementing form-based authenticators

We can authenticate users of mobile applications using a login form.

In form-based authentication, if an application tries to access a protected resource, the server returns the HTML code of a login form. Even though a form of this kind is most suited to desktop and web environments (where you display the returned login form), we can also use form-based authentication in mobile applications.

Fully qualified Java class name of the form-based authenticator is: com.worklight.core.auth.ext.FormBasedAuthenticator.

This authenticator type presents a login form to the user. The login form must contain j_username and j_password fields , the j_security_check submit action, and the POST submit method.

A login module validates the credentials provided. If the login fails, the user is redirected to an error page.


The form-based authenticator has the following parameters:

login-page Path to a user-defined login page template, relative to the web application context under the conf directory. A sample login.html template file is provided under this directory when you create a MobileFirst project.

The authenticator renders the login page template with the error messages. To display the error message, use the placeholder ${errorMessage} in the login page template.

auth-redirect Path to a user-defined login page (html/jsp) relative to the web application context. IBM MobileFirst Platform Foundation redirects to the page when the user credentials are needed.

Both the login-page and auth-redirect parameter are optional, but if you decide to use them, use either one or the other. We cannot use them together. We can also use neither. In this case, MPF uses its default login page template.


The following diagram illustrates the flow in the form-based authentication process:

Figure 1. Form-based authentication process

  1. Configure authenticationConfig.xml. See The authentication configuration file.

  2. Code the server side. To work, the form-based authenticator must be associated with a login module. MobileFirst Studio provides several predefined login modules. For an example, see Non-validating login module.

    If we want to protect an adapter procedure with form-based authentication, we must declare it in the adapter XML file. See the example in this page.

  3. Code the client side.

    We must declare a challenge handler in the application to handle challenges from the form-based configured realm. The following sample shows one way to implement a challenge handler class:

      var sampleAppRealmChallengeHandler = WL.Client.createChallengeHandler("SampleAppRealm");

    The challenge handler must implement the following functions:

    • isCustomResponse: this function is called each time that a response is received from the server. It is used to detect whether the response contains data that is related to this challenge handler. It must return either true or false. Here is a simple example:
      sampleAppRealmChallengeHandler.isCustomResponse = function(response) {
        return false;

    • handleChallenge: this function is used to perform required actions, such as hide application screen and show login screen. handleChallenge is called by the framework, if isCustomResponse returns true. Here is a simple implementation, as an example:
      sampleAppRealmChallengeHandler.handleChallenge = function(response) {

    The challenge handler can also optionally implement the following, additional functions:

    • submitLoginForm: this function sends the collected credentials to a specific URL. We can also specify request parameters, headers, and callback.

    • submitSuccess: this function notifies the MobileFirst framework that the authentication finished successfully. The MobileFirst framework then automatically issues the original request that triggered the authentication.

    • submitFailure: this function notifies the MobileFirst framework that the authentication process failed to finish. The MobileFirst framework then disposes of the original request that triggered the authentication.


The following example demonstrates how to implement a simple form-based authentication mechanism that is based on a user name and a password. In the example, an adapter procedure is protected by a form-based authenticator, and when the user attempts to call the procedure from the application, the login form is displayed and the authentication process starts.

Configuration of authenticationConfig.xml.

  <customSecurityTest name="DummyAdapter-securityTest">
    <test isInternalUserID="true" realm="SampleAppRealm"/>
  <realm name="SampleAppRealm" loginModule="StrongDummy">
      <parameter name="login-page" value="login.html"/>
  <loginModule name="StrongDummy">

Coding the server side

Perform the following steps:

  1. Create a MobileFirst adapter.

  2. Add a procedure and protect it with the custom security test created earlier. The implementation can return some hard-coded value, for example:

      <procedure name="getSecretData" securityTest="DummyAdapter-securityTest"/>

Coding the client side

Perform the following steps:

  1. Create a MobileFirst application.

  2. Create a challenge handler in the application, to handle challenges from the SampleAppRealm realm, for example:

      var sampleAppRealmChallengeHandler = WL.Client.createChallengeHandler("SampleAppRealm");

  3. Implement the mandatory isCustomResponse and handleChallenge functions (and other, optional functions) of the challenge handler, as described previously.

What to do next

For a more extensive example of implementing form-based authentication, see the tutorial on the Get Started page.

