

For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.


Restrict access to the consoles running on containers

You can restrict access to the MobileFirst Operations Console and the MobileFirst Analytics Console in production environments by creating and deploying a Trust Association Interceptor (TAI) that intercepts requests to the consoles running on IBM® Containers.

The TAI can implement user-specific filtering logic that decides if a request is forwarded to the console or if an approval is required. This method of filtering provides the flexibility for you to add your own authentication mechanism if needed.

See also: Develop a custom TAI for the Liberty profile


Procedure

  1. Create a custom TAI that implements your security mechanism to control access to the MobileFirst Operations Console. The following example of a custom TAI uses the IP address of the incoming request to decide whether to grant access to the MobileFirst Operations Console. Because the example reads the client address from the X-Forwarded-For header, it is only as trustworthy as the proxy in front of the container: deploy it only where that header is set by a proxy you control, and treat it as a sample to adapt rather than a complete access-control mechanism.

      package com.ibm.mfpconsole.interceptor;
      import java.util.Properties;
      
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      
      import com.ibm.websphere.security.WebTrustAssociationException;
      import com.ibm.websphere.security.WebTrustAssociationFailedException;
      import com.ibm.wsspi.security.tai.TAIResult;
      import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
      
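      public class MFPConsoleTAI implements TrustAssociationInterceptor {

         /**
          * Allow-list read from the "allowedIPs" TAI property in initialize(): one or more
          * comma-separated dotted-quad patterns in which an octet may be "*" (for example
          * "9.182.149.*" or "10.0.0.1, 192.168.1.*"). Stays null when the property is absent,
          * in which case every intercepted request is rejected.
          */
         private String allowedIP = null;

         public MFPConsoleTAI() {
            super();
         }

         /**
          * Decides whether this TAI handles the request. Any URI containing "worklightConsole"
          * (the Operations Console path) is intercepted; everything else is left to Liberty's
          * normal processing. Matching a superset of console URIs is harmless here, because the
          * interceptor can only restrict access; missing a console URI is the dangerous direction.
          * NOTE(review): the Analytics Console path is not shown in this example; add it here if
          * the TAI is deployed with the analytics container.
          */
         @Override
         public boolean isTargetInterceptor(HttpServletRequest req)
                        throws WebTrustAssociationException {
            String requestURI = req.getRequestURI();
            return requestURI != null && requestURI.contains("worklightConsole");
         }

         /**
          * Grants or denies the request based solely on the client's IP address.
          *
          * Fixes in this version: the original computed a TAIResult for the deny case but threw
          * it away and returned SC_OK unconditionally, so the IP check never blocked anything;
          * and with no allowedIPs configured it allowed every request. Both cases now deny.
          *
          * @return SC_OK with the fixed principal "MFPConsoleCheck" when the address matches the
          *         allow-list, SC_FORBIDDEN otherwise (with failOverToAppAuthType="false" in the
          *         trustAssociation configuration, Liberty rejects the request)
          */
         @Override
         public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest request,
                          HttpServletResponse resp) throws WebTrustAssociationFailedException {
            String tai_user = "MFPConsoleCheck";

            // Fail closed: an unconfigured allow-list must not silently open the console.
            if (allowedIP == null || allowedIP.trim().isEmpty()) {
               return TAIResult.create(HttpServletResponse.SC_FORBIDDEN, tai_user);
            }

            String ipAddress = clientAddress(request);
            if (checkIPMatch(ipAddress, allowedIP)) {
               return TAIResult.create(HttpServletResponse.SC_OK, tai_user);
            }
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN, tai_user);
         }

         /**
          * Returns the address to check: the first entry of X-Forwarded-For when present,
          * otherwise the socket peer address.
          *
          * X-Forwarded-For is an ordinary request header, so a client that can reach the
          * container directly can set it to any value. This lookup is only meaningful when the
          * container is reachable exclusively through a proxy you control that sets the header
          * from the connection it accepted; otherwise use request.getRemoteAddr() alone.
          */
         private static String clientAddress(HttpServletRequest request) {
            String forwardedFor = request.getHeader("X-FORWARDED-FOR");
            if (forwardedFor == null || forwardedFor.trim().isEmpty()) {
               return request.getRemoteAddr();
            }
            // The header may carry a comma-separated proxy chain; the left-most entry is the
            // originating client as reported by the first proxy.
            return forwardedFor.split(",")[0].trim();
         }

         /**
          * Returns true when ipAddress (an IPv4 dotted quad) matches any pattern in the
          * comma-separated patternList. A pattern is up to four dot-separated octets where "*"
          * matches any value; a pattern with fewer than four octets matches by prefix, as in the
          * original example ("9.182" accepts every 9.182.x.x address). "*" or "*.*.*.*" accepts
          * everything. Non-IPv4 input (an IPv6 address, an empty string, garbage from a forged
          * header) never matches; the original indexed past the end of the split array and threw
          * ArrayIndexOutOfBoundsException for such input.
          */
         private static boolean checkIPMatch(String ipAddress, String patternList) {
            if (ipAddress == null || patternList == null) {
               return false;
            }
            String[] octets = ipAddress.trim().split("\\.");
            boolean isDottedQuad = octets.length == 4;

            for (String rawPattern : patternList.split(",")) {
               String pattern = rawPattern.trim();
               if (pattern.isEmpty()) {
                  continue;
               }
               if (pattern.equals("*.*.*.*") || pattern.equals("*")) {
                  return true;
               }
               String[] mask = pattern.split("\\.");
               if (!isDottedQuad || mask.length > octets.length) {
                  continue;
               }
               if (octetsMatch(mask, octets)) {
                  return true;
               }
            }
            return false;
         }

         /** Compares each mask octet with the corresponding address octet; "*" matches anything. */
         private static boolean octetsMatch(String[] mask, String[] octets) {
            for (int i = 0; i < mask.length; i++) {
               if (!mask[i].equals("*") && !mask[i].equals(octets[i])) {
                  return false;
               }
            }
            return true;
         }

         /**
          * Reads the "allowedIPs" property from the <properties> element of the TAI
          * configuration. Liberty calls this once when the interceptor is loaded.
          *
          * @return 0 (success); a missing property is not an error here because
          *         negotiateValidateandEstablishTrust already denies every request in that case
          */
         @Override
         public int initialize(Properties properties)
                         throws WebTrustAssociationFailedException {
            if (properties != null) {
               String configured = properties.getProperty("allowedIPs");
               if (configured != null) {
                  allowedIP = configured;
               }
            }
            return 0;
         }

         /** Version string reported to the container; informational only. */
         @Override
         public String getVersion() {
            return "1.0";
         }

         /** Type identifier reported to the container; the fully qualified class name. */
         @Override
         public String getType() {
            return this.getClass().getName();
         }

         /** Nothing to release: this TAI holds no external resources. */
         @Override
         public void cleanup() {
         }
      }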

  2. Export the custom TAI Implementation into a .jar file and place it in the applicable env folder (mfpf-server/usr/env or mfpf-analytics/usr/env).
  3. Create an XML configuration file that contains the details of the TAI interceptor and add your .xml file to the applicable folder (mfpf-server/usr/config or mfpf-analytics/usr/config). Your .xml file should resemble the following example.

    Tip: Be sure to update the class name and properties to reflect your implementation.

      <?xml version="1.0" encoding="UTF-8"?>
      <server description="new server">
      <featureManager> 
          <feature>appSecurity-2.0</feature> 
      </featureManager> 
      
      <!-- invokeForUnprotectedURI="true": by its name, this makes Liberty invoke the TAI even for
           URIs that carry no security constraint of their own, which the console URIs need here;
           confirm against the Liberty trustAssociation documentation. failOverToAppAuthType="false"
           keeps a rejected request from falling back to the application's own authentication. -->
      <trustAssociation id="MFPConsoleTAI" invokeForUnprotectedURI="true" 
                        failOverToAppAuthType="false">
          <!-- className must match the class packaged in the .jar; the class reads the
               allowedIPs property in its initialize() method. -->
          <interceptors id="MFPConsoleTAI" enabled="true"  
                        className="com.ibm.mfpconsole.interceptor.MFPConsoleTAI" 
                        invokeBeforeSSO="true" invokeAfterSSO="false" libraryRef="MFPConsoleTAI"> 
              <!-- Sample value only: replace with the address range that should reach the console.
                   Leaving the property out does not open the console; the example TAI denies
                   every request when no allow-list is configured. -->
              <properties allowedIPs="9.182.149.*"/>
          </interceptors> 
      </trustAssociation> 
      
      <!-- The .jar is located relative to ${server.config.dir}. NOTE(review): step 2 places the
           .jar in the usr/env folder; confirm that the container image maps that folder into
           the server configuration directory, or adjust dir= accordingly. -->
      <library id="MFPConsoleTAI"> 
          <fileset dir="${server.config.dir}" includes="MFPConsoleTAI.jar"/> 
      </library> 
      
      </server>

  4. Build the image and run the container as described in Building and running the MobileFirst Server container or Building and running the MobileFirst Analytics container. The MobileFirst Operations Console and the Analytics Console are then accessible only when the configured TAI security mechanism is satisfied.

Parent topic: Security configuration for IBM MobileFirst Platform Foundation on IBM Containers