Integration and authentication with a reverse proxy
General architecture
Reverse proxies typically front MobileFirst runtimes as part of the deployment, following the gateway pattern.
The gateway icon (GW) represents a reverse proxy such as WebSphere DataPower or Security Access Manager. The GW protects MobileFirst resources from the Internet: the reverse proxy terminates SSL connections and provides authentication. The reverse proxy can also act as a policy enforcement point (PEP).
When a gateway is used, app (A) on device (D) uses the public URI advertised by the gateway instead of the internal MobileFirst URI.
The public URI can be exposed as a setting within the app or can be built in during promotion of the app to production before the app is published to public or private app stores.
Authentication at the gateway
If authentication ends at the gateway, IBM MobileFirst Platform Foundation (MPF) can be informed of the authenticated user through either a custom HTTP header or a cookie. Figure 2 shows a typical authentication flow.
This configuration was tested with DataPower and Security Access Manager for header-based authentication and LTPA-based authentication.
- Header-based authentication
  - On successful authentication, the gateway forwards a custom HTTP header with the user name or ID to IBM MPF.
  - IBM MobileFirst Platform Foundation is configured to use HeaderAuthenticator and HeaderLoginModule on either Tomcat or WAS.
- LTPA-based authentication
  - On successful authentication, the gateway forwards an LTPA token (in the form of an HTTP cookie) to MPF.
  - MPF on WAS is configured to use WebSphereFormBasedAuthenticator and WebSphereLoginModule.
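With header-based authentication, the runtime accepts whatever user name the header carries, so the header is trustworthy only when the request really came through the gateway. The following is an added example, not IBM code and not the HeaderAuthenticator implementation, showing the checks a backend behind the gateway can apply; the header name `x-gateway-user`, the gateway subnet and all function names are assumptions.

```python
# Added illustration; every name here is an assumption, not a MobileFirst API.
import ipaddress

GATEWAY_NETS = [ipaddress.ip_network("10.0.5.0/28")]  # assumed gateway subnet
IDENTITY_HEADER = "x-gateway-user"                     # assumed header name


class UntrustedIdentity(Exception):
    """Raised when the identity header cannot be trusted."""


def authenticated_user(peer_ip, headers):
    """Return the user asserted by the gateway, or raise UntrustedIdentity.

    peer_ip: address of the TCP peer that connected to the runtime.
    headers: list of (name, value) pairs exactly as received.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in GATEWAY_NETS):
        # A direct connection bypassed the gateway: its header proves nothing.
        raise UntrustedIdentity("request did not come from the gateway")

    values = [v.strip() for n, v in headers if n.lower() == IDENTITY_HEADER]
    if len(values) != 1:
        # Missing: the gateway did not authenticate anyone. Duplicated: a
        # client-supplied copy survived next to the gateway's own header.
        raise UntrustedIdentity("expected exactly one identity header")

    user = values[0]
    # A comma can mean an intermediary merged two header copies into one.
    if not user or any(c in user for c in "\r\n,"):
        raise UntrustedIdentity("malformed identity value")
    return user


def check(peer_ip, headers):
    """Return the user name, or the rejection reason as a string."""
    try:
        return authenticated_user(peer_ip, headers)
    except UntrustedIdentity as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    # Constructed sample requests.
    print(check("10.0.5.3", [("X-Gateway-User", "alice")]))
    print(check("203.0.113.9", [("X-Gateway-User", "admin")]))
    print(check("10.0.5.3", [("X-Gateway-User", "alice"),
                             ("x-gateway-user", "admin")]))
```

The same guarantee is normally enforced twice: the gateway removes any inbound copy of the identity header before setting its own, and the network only lets the gateway reach the runtime.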