For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.
Security checks
Learn how to create custom security checks, use the predefined MobileFirst security checks, and configure the behavior of your security checks at the adapter and application levels.
Security checks constitute the basic server-side building block of the MobileFirst security framework. A security check is a server-side entity that implements specific authorization logic. You protect a resource by assigning it a scope that maps to zero or more security checks. The security framework ensures that only a client that passes all of the security checks of the protecting scope is granted access to the resource. See Overview of the MobileFirst security framework. We can use security checks to authorize access both to resources hosted on MobileFirst Server and to resources on an external resource server. See OAuth resource protection.
A security check can be used to validate data from different sources, including:
- Client data, such as login credentials (for example, user name and password, or a PIN code), or application-authenticity data.
- Server-side state.
Custom security checks are implemented and defined within MobileFirst adapters: the developer implements a security-check class in Java™ code, and configures it in the adapter descriptor. See Security-checks implementation.
The architecture of the security framework is modular and flexible. The implementation of a security check is not inherently dependent on any specific resource or application. We can reuse the same security check to protect different resources, and use different security-check combinations for various authorization flows. For enhanced flexibility, a security-check class exposes configuration properties that can be customized at the adapter level, both in the security-check definition and during run time. We can also customize the configuration logic at the application level. See Security-checks configuration.
We can create custom security checks, and use any of the predefined MobileFirst security checks. See Security-checks implementation and Predefined MobileFirst security checks.
- Predefined MobileFirst security checks
  Learn about the predefined MobileFirst security checks.
- Security-checks implementation
  Learn how to implement security checks that provide custom authorization logic.
- Security-checks configuration
  Learn about the security-check configuration hierarchy, and how to configure security-check properties at the adapter and at the application levels.