For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.
Security-checks implementation
Learn how to implement security checks that provide custom authorization logic.
The development of a security check involves the following server-side steps:
- Create a security-check class that implements the security-check interface (SecurityCheck). For more information about the requirements of this class, see The security-check contract. We can start your development by extending one of the provided security-check base classes. See The security-check base and sample classes.
- Optionally create a security-check configuration class that implements the security-check configuration interface (SecurityCheckConfiguration). We can start with the abstract implementation of this interface, the SecurityCheckConfigurationBase class, or with one of the provided sample implementations that extend this class. For more information, see The security-check contract and The security-check base and sample classes.
- Define one or more security checks of a custom security-check class type. See Defining security checks.
Note:
- The MobileFirst security framework requires that you implement a custom security check as part of an adapter that is deployed to MobileFirst Server. You implement the security-check class by using the MobileFirst security server-side Javaâ„¢ API, and you define an instance of this class in the adapter-descriptor file (adapter.xml). We can implement and define security checks either in the same adapter that defines your resources, or in a separate dedicated adapter, as you prefer.
- The outlined steps do not need to be executed in the specified order, and they can be done in stages. For example, we can define an empty security-check definition, and add configuration properties when the related security-check configuration is ready. But be aware of the following considerations:
- To deploy an adapter that defines a security check, the security check's class must be available in the same adapter, either as part of the adapter source code or as via an external library.
- To correctly define the configuration properties in the security-check definition, you need to know which properties are supported for the referenced class and what are their value restrictions.
After you define a security-check class and deploy it to MobileFirst Server, we can customize the value of its properties both for the specific server instance and for a specific application version. See Configure runtime adapter security-check properties and Configure application security-check properties. The administrator can edit these configurations before going to production, and after the application is already in production.
The security-check base and sample classes
To facilitate and accelerate your development process, IBM MobileFirstâ„¢ Platform Foundation provides base abstract implementations of the SecurityCheck interface. In addition, a base abstract implementation of the SecurityCheckConfiguration interface is provided (SecurityCheckConfigurationBase), as well as complementary sample security-check configuration classes for each of the provided base security-check classes. Start out with the base security-check implementation (and related sample configuration) that best fits your development needs, and extend and modify the implementation as needed.
- ExternalizableSecurityCheck
- This class implements the required externalization of the security check as a JSON object, and also implements a security-check state mechanism. See the full API reference of this class: ExternalizableSecurityCheck.
ExternalizableSecurityCheck creates a security-check configuration of the sample ExternalizableSecurityCheckConfig class.
- CredentialsValidationSecurityCheck
- This class extends the ExternalizableSecurityCheck class and adds an implementation that validates user credentials as a condition for accessing a protected resource. The implementation allows a limited number of login attempts during a certain interval, after which the security check is blocked for a configured period. In the case of a successful login, the state of the security check remains successful for a configured period, during which the user can access the requested resource.
CredentialsValidationSecurityCheck creates a security-check configuration of the sample CredentialsValidationSecurityCheckConfig class, which extends ExternalizableSecurityCheckConfig and defines the configurable properties of the security check and their default values.
For guidelines on how to implement and configure the CredentialsValidationSecurityCheck security check, and how to implement complementary client-side challenge handlers, see the CredentialsValidationSecurityCheck tutorials.
- UserAuthenticationSecurityCheck
- This class extends the CredentialsValidationSecurityCheck class and adds to it an implementation that creates a user identity that can be used to identify the current user. The class also implements a sample "remember me" function, which uses a user identify that is stored in the registration service as the active user.
UserAuthenticationSecurityCheck creates a security-check configuration of the sample UserAuthenticationSecurityCheckConfig class, which extends CredentialsValidationSecurityCheckConfig.
For guidelines on how to implement and configure the UserAuthenticationSecurityCheck security check, and how to implement complementary client-side challenge handlers, see the UserAuthenticationSecurityCheck tutorials.
The ExternalizableSecurityCheck and ExternalizableSecurityCheckConfig classes are included in the com.ibm.mfp.server.security.external.checks.impl package of the core MobileFirst server-side Java API.
The CredentialsValidationSecurityCheck, CredentialsValidationSecurityCheckConfig, UserAuthenticationSecurityCheck, and UserAuthenticationSecurityCheckConfig classes are available as part of the MobileFirst com.ibm.mfp.security.checks.base Java Maven library, which we can download from the Maven repository or from the IBM MobileFirst Platform Operations Console: from the console Dashboard, select Download Center, select the Tools tab, and choose the Download option in the Security Checks section.
- The security-check contract
Learn about the MobileFirst security-check contract, which is defined by the SecurityCheck and SecurityCheckConfiguration interfaces.- Defining security checks
Learn how to define custom security checks.
Parent topic: Security checks