Security configurations of protected resources
There is a default security configuration for every type of resource that can be protected by the MobileFirst authentication framework.
Protected resource types
The following types of resource can be protected by using the MobileFirst authentication framework:
- Application environment
- With IBM MobileFirst™ Platform Foundation, you can define a separate security test for each application environment.
This capability is useful because different environments support different sets
of security features. For example, BlackBerry and WindowsPhone environments do
not support the application authenticity test. If no security test is
explicitly defined, each application environment is protected by the relevant
default security test: mobile hybrid and native environments are
protected by a default mobileSecurityTest, and web environments are protected by
a default webSecurityTest. To protect an application environment with
a security test other than the default one, you must explicitly specify it in
the application-descriptor.xml file. For
example:
<android version="1.0" securityTest="mobileTests">
    <worklightSettings include="false"/>
    <security>
        <encryptWebResources enabled="false"/>
        <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
        <publicSigningKey/>
        <packageName/>
    </security>
</android>
<mobileWebApp cacheManifest="no-use" securityTest="webTests"/>
- Adapter procedure
- With IBM MobileFirst Platform Foundation, you can protect any adapter procedure by using a security test. Doing so
will ensure that the information that is provided by adapters is exposed to the
client side only after successful completion of all the relevant authentication
steps. Because an adapter procedure is a service that is provided by MobileFirst Server, it is protected with a default webSecurityTest security
test. To protect adapter procedures with a security test that is different from
the default one, you need to set the securityTest attribute
of the relevant <procedure> element in the adapter-descriptor XML file. See
Structure of the adapter XML file. The following example protects the myAccounts
procedure with an adapterProcedureSecurityTest security
test:
<procedure name="myAccounts" securityTest="adapterProcedureSecurityTest"/>
Note: This protection method of the classic security model is applicable to JavaScript adapter procedures. Java™ JAX-RS adapter procedures are protected by using the @OAuthSecurity annotation, which is part of the Java server-side com.worklight.core.auth package. See the annotation's API reference, as well as Security configuration of a JAX-RS resource.
- EventSource
- Using an event source, you can subscribe to server-generated events,
for example, push notifications or SMS notifications. Subscription
is based on user identity and device identity, because notifications
are usually sent to either a specific device or to a specific user.
It is therefore important to specify a security test in your event source
declaration. The user and device identities that are retrieved as
specified in the security test are used to subscribe to events. To define
a security test for an event source, add a securityTest property to the event
source declaration code.
WL.Server.createEventSource({
    name: 'PushEventSource',
    onDeviceSubscribe: 'deviceSubscribeFunc',
    onDeviceUnsubscribe: 'deviceUnsubscribeFunc',
    securityTest: 'eventSourceSecurityTest'
});
- Static resource
- A static resource is a URL that can be accessed on MobileFirst Server.
In most cases, the URL is that of the MobileFirst Console. Static resource
protection can be defined in the <staticResources> section
of the authenticationConfig.xml file. There is
no default security test for static resources, so MobileFirst Console
is not protected by default. The developer must explicitly specify
the static resource to protect in the authenticationConfig.xml file
and set the desired securityTest.
<staticResources>
    <resource id="worklightConsole" securityTest="worklightConsole">
        <urlPatterns>/console*</urlPatterns>
    </resource>
</staticResources>
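The following audit script is an added example, not part of the original documentation or the product. It reports the effective security test of each resource described above, marks whether the test is explicit or an inherited default, and checks whether the console URL pattern is covered at all. Assumptions: only the android and mobileWebApp environment elements shown on this page are mapped (extend ENV_DEFAULTS for others), the sample descriptors are constructed and simplified, getRates is a hypothetical procedure name, and URL patterns are compared literally.

```python
import xml.etree.ElementTree as ET

# Defaults as described on this page; static resources have no default.
ENV_DEFAULTS = {"android": "mobileSecurityTest", "mobileWebApp": "webSecurityTest"}
PROCEDURE_DEFAULT = "webSecurityTest"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a namespace prefix such as '{uri}procedure'

def audit(xml_text, env_defaults=ENV_DEFAULTS):
    """Return (kind, name, effective_test, explicit) per protectable resource."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag, test = local(el.tag), el.get("securityTest")
        if tag in env_defaults:
            findings.append(("environment", tag, test or env_defaults[tag], bool(test)))
        elif tag == "procedure":
            findings.append(("procedure", el.get("name"), test or PROCEDURE_DEFAULT, bool(test)))
        elif tag == "resource":  # no default: a missing test means unprotected
            findings.append(("static", el.get("id"), test or None, bool(test)))
    return findings

def unprotected_console(auth_config_xml, pattern="/console*"):
    """True if no <resource> carrying a securityTest lists the console pattern."""
    for el in ET.fromstring(auth_config_xml).iter():
        if local(el.tag) == "resource" and el.get("securityTest"):
            pats = [s.strip() for p in el.iter() if local(p.tag) == "urlPatterns"
                    for s in (p.text or "").split(";")]  # assumes ';'-separated lists
            if pattern in pats:
                return False
    return True

# Constructed, simplified sample descriptors; getRates is a hypothetical procedure.
APP = ('<application><android version="1.0" securityTest="mobileTests"/>'
       '<mobileWebApp cacheManifest="no-use"/></application>')
ADAPTER = ('<adapter><procedure name="myAccounts" securityTest="adapterProcedureSecurityTest"/>'
           '<procedure name="getRates"/></adapter>')
AUTH_DEFAULT = "<staticResources/>"  # nothing declared: console is unprotected
AUTH_HARDENED = ('<staticResources><resource id="worklightConsole" securityTest="worklightConsole">'
                 '<urlPatterns>/console*</urlPatterns></resource></staticResources>')

if __name__ == "__main__":
    for row in audit(APP) + audit(ADAPTER) + audit(AUTH_HARDENED):
        print(row)
    print("console unprotected by default:", unprotected_console(AUTH_DEFAULT))
```

Rows whose last field is False rely on an inherited default and are worth reviewing against the protection the resource actually needs.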