Security configurations of protected resources

There is a default security configuration for every type of resource that can be protected by the MobileFirst authentication framework.

Protected resource types

The following types of resource can be protected by using the MobileFirst authentication framework:
Application environment
With IBM MobileFirst™ Platform Foundation, you can define a separate security test for each application environment. This capability is useful because different environments support different sets of security features. For example, BlackBerry and WindowsPhone environments do not support the application authenticity test. If no security test is explicitly defined, each application environment is protected by the relevant default security test: mobile hybrid and native environments are protected by a default mobileSecurityTest, and web environments are protected by a default webSecurityTest. To protect an application environment with a security test other than the default one, you must explicitly specify it in the application-descriptor.xml file. For example:
<android version="1.0" securityTest="mobileTests">
    <worklightSettings include="false"/>
    <security>
        <encryptWebResources enabled="false"/>
        <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
        <publicSigningKey/>
        <packageName/>
    </security>
</android>
<mobileWebApp cacheManifest="no-use" securityTest="webTests"/>
Adapter procedure
With IBM MobileFirst Platform Foundation, you can protect any adapter procedure by using a security test. Doing so ensures that the information that adapters provide is exposed to the client side only after all the relevant authentication steps complete successfully. Because an adapter procedure is a service that is provided by MobileFirst Server, it is protected with a default webSecurityTest security test. To protect an adapter procedure with a security test that is different from the default one, set the securityTest attribute of the relevant <procedure> element in the adapter-descriptor XML file. See Structure of the adapter XML file. The following example protects the myAccounts procedure with an adapterProcedureSecurityTest security test:
<procedure name="myAccounts" securityTest="adapterProcedureSecurityTest"/>
Note: This protection method of the classic security model is applicable to JavaScript adapter procedures. Java™ JAX-RS adapter procedures are protected by using the @OAuthSecurity annotation, which is part of the Java server-side com.worklight.core.auth package. See the annotation's API reference, as well as Security configuration of a JAX-RS resource.
EventSource
Using an event source, you can subscribe to server-generated events, for example, push notifications or SMS notifications. Subscription is based on user identity and device identity, because notifications are usually sent to either a specific device or a specific user. It is therefore important to specify a security test in your event source declaration. The user and device identities that are retrieved as specified in the security test are used to subscribe to events. To define a security test for an event source, add a securityTest property to the event source declaration code.
WL.Server.createEventSource({
    name: 'PushEventSource',
    onDeviceSubscribe: 'deviceSubscribeFunc',
    onDeviceUnsubscribe: 'deviceUnsubscribeFunc',
    securityTest: 'eventSourceSecurityTest'
});
Static resource
A static resource is a URL that can be accessed on MobileFirst Server. In most cases, the URL is that of the MobileFirst Console. Protection of static resources is defined in the <staticResources> section of the authenticationConfig.xml file. There is no default security test for static resources, so MobileFirst Console is not protected by default. The developer must explicitly specify the static resource to protect in the authenticationConfig.xml file and set the desired securityTest.
<staticResources>
    <resource id="worklightConsole" securityTest="worklightConsole">
        <urlPatterns>/console*</urlPatterns>
    </resource>
</staticResources>
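The defaults described on this page can be audited across a project's descriptors. The following Python sketch is an added example, not IBM code: it reports the effective security test for each environment, adapter procedure and static resource, and checks whether a console URL is covered. The function names, the sample documents, their root elements and the getRates procedure are constructed for illustration, and the pattern syntax in urlPatterns is an assumption.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Defaults stated on this page; only the page's two example environments (assumption).
ENV_DEFAULTS = {"android": "mobileSecurityTest", "mobileWebApp": "webSecurityTest"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace such as '{uri}procedure'

def effective_tests(xml_text):
    """Return (kind, name, securityTest, explicit) per protectable element.
    A static resource without a securityTest gets None: it is unprotected."""
    rows = []
    for el in ET.fromstring(xml_text).iter():
        name, test = local(el.tag), el.get("securityTest")
        if name in ENV_DEFAULTS:
            rows.append(("environment", name, test or ENV_DEFAULTS[name], bool(test)))
        elif name == "procedure":
            rows.append(("procedure", el.get("name"), test or "webSecurityTest", bool(test)))
        elif name == "resource":
            rows.append(("static", el.get("id"), test or None, bool(test)))
    return rows

def console_protected(auth_config_xml, url="/console"):
    """True if a <resource> carrying a securityTest has a URL pattern matching url.
    Assumption: urlPatterns holds ';'-separated globs such as '/console*'."""
    for el in ET.fromstring(auth_config_xml).iter():
        if local(el.tag) != "resource" or not el.get("securityTest"):
            continue
        for child in el:
            if local(child.tag) == "urlPatterns":
                pats = [p.strip() for p in (child.text or "").split(";")]
                if any(p and fnmatch.fnmatchcase(url, p) for p in pats):
                    return True
    return False

# Constructed samples; the root elements and namespace are placeholders.
APP = """<application xmlns="http://example.invalid/app">
  <android version="1.0" securityTest="mobileTests"/>
  <mobileWebApp cacheManifest="no-use"/>
</application>"""
ADAPTER = """<adapter name="Accounts">
  <procedure name="myAccounts" securityTest="adapterProcedureSecurityTest"/>
  <procedure name="getRates"/>
</adapter>"""
AUTH = """<config><staticResources>
  <resource id="worklightConsole" securityTest="worklightConsole">
    <urlPatterns>/console*</urlPatterns></resource>
</staticResources></config>"""
```

Rows whose last field is False rely on a default, and an authenticationConfig.xml for which console_protected returns False leaves the console reachable without authentication.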