MichealSmith

Reputation: 183

How to secure a MobileFirst adapter for backend process?

We have a MobileFirst adapter with a wl_unprotected security test so that it can be used from a backend process.

We applied the following solution to protect it from being called through a normal URL

Is there any better solution which could be applied to secure this adapter?

Upvotes: 0

Views: 297

Answers (1)

Yoel Nunez

Reputation: 2118

There is a very good article in the IBM MobileFirst Platform Developers Center Blog about how to do just that: "Protecting adapter procedures for backend access" (https://developer.ibm.com/mobilefirstplatform/2015/02/04/protect-adapter-backend/).

Please go to the article for more details, but here is a summary of the article.

You could use Basic HTTP Authentication to protect that adapter. Update your authenticationConfig.xml file with the securityTest, realm and loginModule as shown below:

authenticationConfig.xml

  <securityTests>
    <!-- your other security tests -->
    <customSecurityTest name="BackendAccessSecurity">
      <test realm="BackendAccessRealm" isInternalUserID="true"/>
    </customSecurityTest>
  </securityTests>

  <realms>
    <!-- your other realms -->
    <realm name="BackendAccessRealm" loginModule="BackendAccessLogin">
      <className>com.worklight.core.auth.ext.BasicAuthenticator</className>
      <parameter name="basic-realm-name" value="Private"/>
    </realm>
  </realms>
  <loginModules>
    <!-- your other login modules -->
    <loginModule name="BackendAccessLogin">
      <className>com.sample.auth.ConfiguredIdentityLoginModule</className>
      <parameter name="username-property" value="backend.username"/>
      <parameter name="password-property" value="backend.password"/>
    </loginModule>
  </loginModules>

worklight.properties

##
# Backend access credentials
##
backend.username=user
backend.password=password

ConfiguredIdentityLoginModule.java

  @Override
  public void init(Map<String, String> options) throws MissingConfigurationOptionException {
    // The loginModule parameters name the properties that hold the credentials.
    String usernameProperty = options.remove(USERNAME_PROPERTY_CONF);
    if (usernameProperty == null) throw new MissingConfigurationOptionException(USERNAME_PROPERTY_CONF);
    String passwordProperty = options.remove(PASSWORD_PROPERTY_CONF);
    if (passwordProperty == null) throw new MissingConfigurationOptionException(PASSWORD_PROPERTY_CONF);
    super.init(options);

    // Resolve the actual credentials from the project configuration (worklight.properties).
    WorklightConfiguration conf = WorklightConfiguration.getInstance();
    configuredUsername = conf.getStringProperty(usernameProperty);
    configuredPassword = conf.getStringProperty(passwordProperty);

    // Fail during initialization rather than run with empty credentials.
    if (configuredUsername == null || configuredUsername.length() == 0) {
      throw new IllegalStateException("ConfiguredIdentityLoginModule cannot resolve property " + usernameProperty + ". Please check project configuration properties.");
    }

    if (configuredPassword == null || configuredPassword.length() == 0) {
      throw new IllegalStateException("ConfiguredIdentityLoginModule cannot resolve property " + passwordProperty + ". Please check project configuration properties.");
    }
  }

  @Override
  public boolean login(Map<String, Object> authenticationData) {
    // populateCache() is expected to set the username and password fields from the submitted credentials.
    populateCache(authenticationData);
    // Accept only an exact match with the configured backend identity.
    return configuredUsername.equals(username) && configuredPassword.equals(password);
  }

Finally, protect your adapter with the BackendAccessSecurity.

Upvotes: 2
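The check that the Basic realm and login module above perform together, shown as a standalone sketch. This is an added example, not code from the answer or from the MobileFirst project: the class and method names are hypothetical, it uses only the JDK, and it compares credentials with MessageDigest.isEqual instead of String.equals so the comparison does not stop at the first differing byte.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not MobileFirst APIs.
public class BasicAuthCheck {

    /** Returns {username, password} from an Authorization header, or null if malformed. */
    static String[] parseBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the first colon: passwords may contain ':'
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** Compares two strings without returning early at the first differing byte. */
    static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    /** Mirrors login(): true only when both fields match the configured backend identity. */
    static boolean login(String header, String configuredUser, String configuredPass) {
        String[] creds = parseBasicHeader(header);
        if (creds == null) return false;
        // Non-short-circuit '&' evaluates both comparisons, so timing does not show which field failed.
        return constantTimeEquals(configuredUser, creds[0]) & constantTimeEquals(configuredPass, creds[1]);
    }

    public static void main(String[] args) {
        // Constructed sample headers; "user"/"password" match the worklight.properties sample above.
        Base64.Encoder enc = Base64.getEncoder();
        String good = "Basic " + enc.encodeToString("user:password".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + enc.encodeToString("user:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println("valid credentials:  " + login(good, "user", "password"));
        System.out.println("wrong password:     " + login(bad, "user", "password"));
        System.out.println("malformed payload:  " + login("Basic !!!notbase64", "user", "password"));
        System.out.println("missing header:     " + login(null, "user", "password"));
    }
}
```

Basic authentication sends the credentials Base64-encoded, not encrypted, so the adapter endpoint should only be reachable over TLS.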
