sasi

Reputation: 534

How to handle JSON Store if user's password has been used?

I am building an application for Mobile using IBM MobileFirst 6.3. The app will work as follows:

  1. User has to enter username and password to access the application features.

  2. JSON Store is being used to store the user data with encryption.

  3. At first use of the application JSON Store will be created and it is protected by the user's password [JSON STORE KEY] upon the successful login.

  4. Users are allowed to change the password in any environment [Mobile or Web].

  5. Let's take a scenario: if the user has changed the password in Web and he tries to log in to the Mobile app, login will be successful but JSON Store cannot be initialized since the user has changed the password.

The Mobile and Web applications use the same web service and we are not allowed to modify the web service for the mobile application.

How can we handle this scenario?

Upvotes: 2

Views: 271

Answers (2)

xverges

Reputation: 4718

The answer to Worklight Online + Offline Authentication describes an approach that I think that could work in your scenario.

Upvotes: 1

Idan Adar

Reputation: 44516

Do you mean that you base the login to the mobile app on JSONStore? Meaning, that in order to login to the mobile app, you need to open your JSONStore?

I am not convinced at all that is the correct approach. You are storing the password on the device. Not particularly secure...

To complicate matters, you also want to be able to change the password from both the web and mobile, and as you have found out, you cannot change it on the mobile before first logging in with the old password and then somehow programmatically triggering a password change based on the password the end-user entered in the web version.

As you can see, this creates a scenario of lack of synchronicity between the web and mobile apps.

Maybe you shouldn't do that if you plan on allowing changing the password.

My suggestion is to use a centralized location for the password, such as an LDAP or similar server connected to the Worklight Server, and not to base your login on JSONStore in this fashion.

You could use JSONStore for offline authentication, but not for online authentication. See here: Offline authentication tutorial.

Upvotes: 0
