
For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.


The security-check contract

Learn about the MobileFirst security-check contract, which is defined by the SecurityCheck and SecurityCheckConfiguration interfaces.

Every security check must implement the com.ibm.mfp.server.security.external.SecurityCheck interface (the security-check interface). This interface constitutes the basic contract between the security check and the MobileFirst security framework. Custom security checks are implemented as a Java™ security-check class within a MobileFirst adapter (see Security-checks implementation). The security-check implementation must fulfill the following requirements:

For a complete reference of the security-check interface, see SecurityCheck. In addition, review the implementation and documentation of the provided abstract security-check base classes. These classes implement some of the requirements of the security-check contract, such as state management, and demonstrate how to implement other custom functions. See The security-check base and sample classes.


Security-check functions

A security check provides two main functions to the security framework:

Note:


Security-check state management

Security checks are stateful, meaning that the security check is responsible for tracking and retaining its interaction state. On each authorization or introspection request, the security framework retrieves the states of relevant security checks from external storage (usually, distributed cache). At the end of request processing, the framework stores the security-check states back in external storage.

The security check contract requires that a security check


Security-check configuration

A security check can expose configuration properties, whose values can be customized both at the adapter and at the application level. The security-check definition of a specific class determines which of the supported configuration properties of this class to expose, and can customize the default values set in the class definition. See Defining security checks. The property values can be further customized, dynamically, both for the adapter that defines the security checks, and for each application that uses the check. See Security-checks configuration.

A security-check class exposes its supported properties by implementing a createConfiguration method, which creates an instance of a security-check configuration class that implements the com.ibm.mfp.server.security.external.SecurityCheckConfiguration interface (the security-check configuration interface). This interface complements the SecurityCheck interface, and is also part of the security-check contract. The security check can create a configuration object that does not expose any properties, but the createConfiguration method must return a valid configuration object and cannot return null.

For a complete reference of the security-check configuration interface, see SecurityCheckConfiguration. In addition, review the implementation and documentation of the provided abstract security-check base class and the sample configuration-class implementations. See The security-check base and sample classes.

The security framework calls the security check's createConfiguration method during deployment, which occurs for any adapter or application configuration change. The method's properties parameter contains the properties that are defined in the adapter's security-check definition, and their current customized values (or the default value if there was no customization). The implementation of the security-check configuration should validate the values of the received properties, and provide methods for returning the validation results. The security-check configuration must implement getErrors, getWarnings, and getInfo methods. The abstract security-check configuration base class, SecurityCheckConfigurationBase, also defines and implements custom getStringProperty, getIntProperty, and addMessage methods. See the code documentation of this class for details.

Note: The names and values of the configuration properties in the security-check definition, and in any adapter or application customization, must match the supported properties and allowed values, as defined in the configuration class.
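
The following added example, which is not IBM's code, shows the kind of validation a configuration class can run on the properties it receives at deployment, and how the results surface through getErrors, getWarnings, and getInfo. It is a stand-alone class that does not import the MobileFirst interfaces; the class name, the property names maxAttempts and blockedStateExpirationSec, their ranges, and the Map<String, String> return type are assumptions made for illustration.

```java
import java.util.*;
// Stand-alone sketch: mirrors the getErrors/getWarnings/getInfo contract without
// importing the MobileFirst classes. Class and property names are hypothetical.
public class AttemptsCheckConfig {
    private static final Set<String> SUPPORTED =
            new HashSet<>(Arrays.asList("maxAttempts", "blockedStateExpirationSec"));
    private final Map<String, String> errors = new HashMap<>();
    private final Map<String, String> warnings = new HashMap<>();
    private final Map<String, String> info = new HashMap<>();
    public final int maxAttempts;
    public final int blockedStateExpirationSec;

    public AttemptsCheckConfig(Properties properties) {
        // Flag names the class does not support, so a typo is not silently ignored.
        for (String name : properties.stringPropertyNames())
            if (!SUPPORTED.contains(name)) errors.put(name, "Unsupported property name");
        maxAttempts = readInt(properties, "maxAttempts", 3, 1, 10);
        blockedStateExpirationSec = readInt(properties, "blockedStateExpirationSec", 60, 0, 86400);
        if (blockedStateExpirationSec == 0)
            warnings.put("blockedStateExpirationSec", "Blocked state expires immediately");
    }

    // Parse an integer property. A missing value falls back to the default and is
    // reported as info; a non-numeric or out-of-range value is reported as an error.
    private int readInt(Properties p, String name, int def, int min, int max) {
        String raw = p.getProperty(name);
        if (raw == null) { info.put(name, "Using default " + def); return def; }
        try {
            int v = Integer.parseInt(raw.trim());
            if (v >= min && v <= max) return v;
            errors.put(name, "Must be between " + min + " and " + max);
        } catch (NumberFormatException e) {
            errors.put(name, "Must be an integer");
        }
        return def;
    }

    public Map<String, String> getErrors() { return errors; }
    public Map<String, String> getWarnings() { return warnings; }
    public Map<String, String> getInfo() { return info; }

    public static void main(String[] args) {
        Properties props = new Properties();       // constructed sample input
        props.setProperty("maxAttempts", "three"); // not an integer
        props.setProperty("maxAttemps", "5");      // misspelled property name
        AttemptsCheckConfig cfg = new AttemptsCheckConfig(props);
        System.out.println("errors=" + cfg.getErrors() + " info=" + cfg.getInfo());
    }
}
```

The constructor always yields a usable object even when the input is invalid, which matches the requirement that createConfiguration never return null; the errors map is what tells the caller that the deployment values were rejected.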
