For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.
Configure adapter resource protection
Learn how to configure MobileFirst OAuth protection for your adapter resources.
Configure the authorization logic for protecting your adapter resources by assigning custom scopes to your resources, or by disabling the default protection of the MobileFirst security framework (see OAuth resource protection).
- Configure protection of Java™ API for RESTful Web Services (JAX-RS) resources
- Configure protection of JavaScript resources
Procedure
Configure the protection of your adapter resources by following the procedure for your target development environment:
- Configure protection of Java API for RESTful Web Services (JAX-RS) resources
In Java, you configure resource protection by using the @OAuthSecurity annotation type, which is declared in the MobileFirst com.ibm.mfp.adapter.api package. For a complete reference, see Interface OAuthSecurity.
This annotation can be applied either to a specific resource method or to an entire resource class. Method-level annotations override class-level annotations.
The annotation can be used either to set the resource's protecting scope, or to disable resource protection and define an unprotected resource. Set the scope to a space-separated list of zero or more scope elements (see OAuth scopes). The default value of the annotation's scope element is an empty string.
When the enabled element of the @OAuthSecurity annotation is set to false, the scope element is ignored. See Disable resource protection.
Note: A class scope applies to all of the resources in the class, except for resources that have their own @OAuthSecurity annotation.
Examples
- The following code protects a helloUser method with a scope that contains the UserAuthentication and Pincode scope elements:

    @GET
    @Path("/{username}")
    @OAuthSecurity(scope = "UserAuthentication Pincode")
    public String helloUser(@PathParam("username") String name) { ... }

- The following code protects a WebSphereResources class with the predefined LtpaBasedSSO security check:

    @Path("/users")
    @OAuthSecurity(scope = "LtpaBasedSSO")
    public class WebSphereResources { ... }
Disable resource protection
To entirely disable OAuth protection of your resource or resource class, add the @OAuthSecurity annotation to the resource or class declaration, and set the value of the enabled element to false:

    @OAuthSecurity(enabled = false)

The default value of the annotation's enabled element is true. When the enabled element is set to false, the scope element is ignored, and the resource or resource class is not protected. See Unprotected resources.
Note: When you assign a scope to a resource method that is contained in an unprotected class, the method is protected despite the class annotation, provided you do not also set the enabled element to false in the method's own annotation.
Examples
- The following code disables resource protection for a helloUser method (enabled is a boolean element, so it takes the literal false, not the string "false"):

    @GET
    @Path("/{username}")
    @OAuthSecurity(enabled = false)
    public String helloUser(@PathParam("username") String name) { ... }

- The following code disables resource protection for a MyUnprotectedResources class:

    @Path("/users")
    @OAuthSecurity(enabled = false)
    public class MyUnprotectedResources { ... }
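As an added example that is not part of the product documentation, the following JAX-RS resource class combines the class-level and method-level rules described above in one place. The AccountResource class, its paths and its method bodies are assumed; the scope names come from this page.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import com.ibm.mfp.adapter.api.OAuthSecurity;

// Class-level annotation: every resource in this class requires the
// UserAuthentication scope element unless the method declares its own
// @OAuthSecurity, which then replaces (not extends) the class scope.
@Path("/accounts")
@OAuthSecurity(scope = "UserAuthentication")
public class AccountResource {

    // No method-level annotation: inherits the class scope "UserAuthentication".
    @GET
    @Path("/summary")
    public String summary() {
        return "summary";
    }

    // Method-level annotation overrides the class scope. Because it replaces
    // the class scope, UserAuthentication must be repeated here to keep it.
    @GET
    @Path("/transfer/{id}")
    @OAuthSecurity(scope = "UserAuthentication Pincode")
    public String transfer(@PathParam("id") String id) {
        return "transfer " + id;
    }

    // Explicitly unprotected. With enabled = false the scope element is
    // ignored, so no scope is given here; the class scope does not apply.
    @GET
    @Path("/ping")
    @OAuthSecurity(enabled = false)
    public String ping() {
        return "pong";
    }
}

// The reverse case: an unprotected class whose single annotated method is
// still protected, because the method-level scope wins over the class
// annotation as long as the method does not also set enabled = false.
@Path("/public")
@OAuthSecurity(enabled = false)
class PublicResource {

    @GET
    @Path("/status")
    public String status() { return "ok"; }          // unprotected

    @GET
    @Path("/profile")
    @OAuthSecurity(scope = "UserAuthentication")
    public String profile() { return "profile"; }   // protected
}
```

Before deploying, review each method with enabled = false and each class-level enabled = false to confirm that the resource is meant to be reachable without a security check.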
Configure protection of JavaScript resources
In JavaScript, you configure resource protection as part of the definition of the adapter resource procedure, by setting the relevant attribute values of the <procedure> element in the adapter descriptor (adapter.xml file). See the documentation of this element, and its subelements and attributes, in Structure of JavaScript adapters. You can configure the procedure either to set the resource's protecting scope, or to disable resource protection and define an unprotected resource.
- Configure a resource scope
- To assign a protecting scope to a JavaScript resource procedure, set the scope attribute of the <procedure> element to your preferred scope, as a space-separated list of zero or more scope elements (see OAuth scopes):

    <procedure name="procedureName" scope="[scopeElement1 scopeElement2 ...]">

When the secured attribute of the <procedure> element is set to false, the scope attribute is ignored. See Disable resource protection.
Example
The following code protects a userName procedure with a scope that contains the UserAuthentication and Pincode scope elements:

    <procedure name="userName" scope="UserAuthentication Pincode">
Disable resource protection
To entirely disable OAuth protection of your resource procedure, set the secured attribute of the <procedure> element to false:

    <procedure name="procedureName" secured="false">

When the secured attribute is set to false, the scope attribute is ignored, and the resource is not protected. See Unprotected resources.
Example
The following code disables resource protection for a userName procedure:

    <procedure name="userName" secured="false">
What to do next
Rebuild your adapter and deploy it to an instance of MobileFirst Server to apply your configuration.
When working with IBM MobileFirst™ Platform Operations Console, remember to refresh the console browser page after you deploy the adapter.
Before moving to production, make sure that the security checks that are contained in your configured scopes are implemented and available for your resources via an adapter that is deployed to the same MobileFirst Server instance as your resource adapter. See Security-checks implementation.
Parent topic: OAuth resource protection