For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.

Security-checks implementation

Learn how to implement security checks that provide custom authorization logic.


The development of a security check involves the following server-side steps:

  1. Create a security-check class that implements the security-check interface (SecurityCheck). For more information about the requirements of this class, see The security-check contract. We can start your development by extending one of the provided security-check base classes. See The security-check base and sample classes.
  2. Optionally create a security-check configuration class that implements the security-check configuration interface (SecurityCheckConfiguration). We can start with the abstract implementation of this interface, the SecurityCheckConfigurationBase class, or with one of the provided sample implementations that extend this class. For more information, see The security-check contract and The security-check base and sample classes.
  3. Define one or more security checks of a custom security-check class type. See Defining security checks.


After you define a security-check class and deploy it to MobileFirst Server, we can customize the value of its properties both for the specific server instance and for a specific application version. See Configuring runtime adapter security-check properties and Configuring application security-check properties. The administrator can edit these configurations before going to production, and after the application is already in production.

The security-check base and sample classes

To facilitate and accelerate your development process, IBM MobileFirstâ„¢ Platform Foundation provides base abstract implementations of the SecurityCheck interface. In addition, a base abstract implementation of the SecurityCheckConfiguration interface is provided (SecurityCheckConfigurationBase), as well as complementary sample security-check configuration classes for each of the provided base security-check classes. Start out with the base security-check implementation (and related sample configuration) that best fits your development needs, and extend and modify the implementation as needed.

This class implements the required externalization of the security check as a JSON object, and also implements a security-check state mechanism. See the full API reference of this class: ExternalizableSecurityCheck.

ExternalizableSecurityCheck creates a security-check configuration of the sample ExternalizableSecurityCheckConfig class.

This class extends the ExternalizableSecurityCheck class and adds an implementation that validates user credentials as a condition for accessing a protected resource. The implementation allows a limited number of login attempts during a certain interval, after which the security check is blocked for a configured period. In the case of a successful login, the state of the security check remains successful for a configured period, during which the user can access the requested resource.

CredentialsValidationSecurityCheck creates a security-check configuration of the sample CredentialsValidationSecurityCheckConfig class, which extends ExternalizableSecurityCheckConfig and defines the configurable properties of the security check and their default values.

For guidelines on how to implement and configure the CredentialsValidationSecurityCheck security check, and how to implement complementary client-side challenge handlers, see the CredentialsValidationSecurityCheck tutorials.

This class extends the CredentialsValidationSecurityCheck class and adds to it an implementation that creates a user identity that can be used to identify the current user. The class also implements a sample "remember me" function, which uses a user identify that is stored in the registration service as the active user.

UserAuthenticationSecurityCheck creates a security-check configuration of the sample UserAuthenticationSecurityCheckConfig class, which extends CredentialsValidationSecurityCheckConfig.

For guidelines on how to implement and configure the UserAuthenticationSecurityCheck security check, and how to implement complementary client-side challenge handlers, see the UserAuthenticationSecurityCheck tutorials.

The ExternalizableSecurityCheck and ExternalizableSecurityCheckConfig classes are included in the package of the core MobileFirst server-side Java API.
The CredentialsValidationSecurityCheck, CredentialsValidationSecurityCheckConfig, UserAuthenticationSecurityCheck, and UserAuthenticationSecurityCheckConfig classes are available as part of the MobileFirst Java Maven library, which we can download from the Maven repository or from the IBM MobileFirst Platform Operations Console: from the console Dashboard, select Download Center, select the Tools tab, and choose the Download option in the Security Checks section.

Parent topic: Security checks