Bharathi Shekar

Reputation: 11

Reading JsonStore token on server side

I went through mobilefirst documentation and learnt that JsonStore's key can be read on the client and server side: http://www-01.ibm.com/support/knowledgecenter/#!/SSHS8R_6.3.0/com.ibm.worklight.dev.doc/devref/c_jsonstore_security.html.

I am able to see the token on the client's side in the server's response. I use it on the client side to encrypt data. I am also passing the data back to the server for some computation. However, I cannot decrypt the data on the server side without the token.

Is there a way to read the token sent to the server side?
I would prefer a Java-based API on the server side to do this, although a JavaScript API would also help.

Upvotes: 0

Views: 80

Answers (2)

cnandreu

Reputation: 5111

Is there a way to read the token sent to the server side?

No. The JSONStore API only obtains a random token from the server; it doesn't send any token to the server.

The first time that JSONStore opens a collection with a password, which means that the developer wants to encrypt data inside the store, JSONStore needs a random token. That random token can be obtained from the client or from the server.

That's from the documentation linked above. The random token is just a small part of the inputs required for the security algorithms JSONStore uses to protect data; it's not the key used to encrypt and decrypt data, and it's not useful by itself.

You can use the SecureRandom Java class to generate your own random numbers.

As an aside, here's an article that explains why secure systems require random numbers.

There's a security trade-off between getting that random token from the client (no network call => faster, you're trusting the client more => arguably less secure, localKeyGen:true) and the server (network call => slower, you're trusting the server more => arguably more secure, localKeyGen:true).

Upvotes: 1

Idan Adar

Reputation: 44516

AFAIK, the token (either locally generated or remotely generated) is used only for encryption and decryption of the data that is stored in the JSONStore collection, in the device. So my guess is that in order to be able to run some operation on the data, on the server-side, you'll need to first decrypt it in the device prior to sending it to your backend servlet.

Upvotes: 0
