Security tests

A security test defines a security configuration for a protected resource. Predefined tests are supplied for standard web and mobile security requirements. You can also write your own custom security tests and define the sequence in which their realms are processed. In web and mobile security tests, you cannot define the sequence in which realms are processed; if you need to control the sequence, write a custom security test and use the step property.

A security test specifies one or more authentication realms, and an authentication realm can be used by any number of security tests. A protectable resource can be protected by any number of realms.

A protected resource is protected by a security test. When a client attempts to access a protected resource, IBM MobileFirst™ Platform Foundation checks whether the client is already authenticated according to all realms of the security test. If the client is not yet authenticated, IBM MobileFirst Platform Foundation triggers the process of authentication for all unauthenticated realms.

Before you define security tests, define the authentication realms that the tests use.

Define a security test for each environment in the application-descriptor.xml file by using the property securityTest="test_name". If no security test is defined for a specific environment, only a minimal set of default platform tests is run.

Note: To replace an existing security test, add the new security test and deploy it. After the new security test is successfully deployed, you can delete the old security test that it replaces.

You can define three types of security test:

webSecurityTest
A test that is predefined to contain realms that are related to web security.

Use a webSecurityTest to protect web applications.

A webSecurityTest must contain one testUser element with a realm definition for user authentication. The identity that is obtained from this realm is considered to be a user identity.

By default, a webSecurityTest includes protection against cross-site request forgery (XSRF) attacks.

mobileSecurityTest
A test that is predefined to contain realms that are related to mobile security.

Use a mobileSecurityTest to protect mobile applications.

A mobileSecurityTest must contain one testUser element with a realm definition for user authentication. The identity that is obtained from this realm is considered to be a user identity.

A mobileSecurityTest must contain one testDevice element with a realm definition for device authentication. The identity that is obtained from this realm is considered to be a device identity.

By default, a mobileSecurityTest includes protection against XSRF attacks, an automatic check for Direct Updates in every session, and the ability to remotely disable, from the MobileFirst Operations Console, the app's connection to MobileFirst Server.

customSecurityTest
A custom security test. No predefined realms are added; only the realms that you include are tested.

Use a customSecurityTest to define your own security requirements and the sequence and grouping in which they occur.

You can define any number of tests within a customSecurityTest. Each test specifies one realm. To define a realm as a user identity realm, add the property isInternalUserID="true" to the test (attribute names are case-sensitive). The isInternalUserID attribute means that this realm is used for user identification for reporting and push subscriptions. There must be exactly one such realm for every security configuration that is applied to a mobile or web resource.

For a device auto provisioning realm, add the property isInternalDeviceID="true" to the test. The isInternalDeviceID attribute means that this realm is used for device identification for reporting, push subscriptions, and device SSO features. There must be exactly one such realm for every security configuration that is applied to a mobile resource.

Important: When you use device auto provisioning in a customSecurityTest, an authenticity realm must also be present within the tests; otherwise, provisioning cannot succeed.

To specify the order in which a client must authenticate in the different realms, add the property step="n" to each test, where n indicates the sequence. If a sequence is not specified, then all tests are done in a single step.

Note: Application authenticity and Device provisioning are not supported in Java™ Platform, Micro Edition (Java ME).
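The rules for a customSecurityTest above (exactly one isInternalUserID realm, exactly one isInternalDeviceID realm for a mobile resource, an authenticity realm whenever device auto provisioning is used, and step="n" ordering) are easy to get wrong in hand-edited XML, and the server does not always reject a misconfiguration loudly. The following checker is an added example, not IBM MobileFirst code: it parses a customSecurityTest element with the Python standard library and reports each rule that is violated, and it returns the realms grouped by step so that the resulting authentication order is visible. The sample XML strings are constructed for this example; the realm names wl_deviceAutoProvisioningRealm and wl_authenticityRealm are assumptions used only to stand in for "a device auto provisioning realm" and "an authenticity realm", and MyUserAuthRealm is the developer-added realm name used later on this page.

```python
import xml.etree.ElementTree as ET

# Assumed realm names standing in for the generic "device auto provisioning
# realm" and "authenticity realm"; adjust to the realms defined in your
# authenticationConfig.xml. These names are not taken from the page.
PROVISIONING_REALMS = {"wl_deviceAutoProvisioningRealm"}
AUTHENTICITY_REALMS = {"wl_authenticityRealm"}

# Constructed sample: an ordered mobile test. Step 1 checks app authenticity,
# XSRF protection and device provisioning; step 2 authenticates the user.
SAMPLE_OK = """
<customSecurityTest name="mobileOrderedTest">
  <test realm="wl_authenticityRealm" step="1"/>
  <test realm="wl_antiXSRFRealm" step="1"/>
  <test realm="wl_deviceAutoProvisioningRealm" isInternalDeviceID="true" step="1"/>
  <test realm="MyUserAuthRealm" isInternalUserID="true" step="2"/>
</customSecurityTest>
"""

# Constructed sample with a common mistake: the device realm is tagged as a
# second user identity realm, so there are two user realms and no device realm.
SAMPLE_TWO_USER_REALMS = """
<customSecurityTest name="mobileTest">
  <test realm="wl_antiXSRFRealm"/>
  <test realm="MyUserAuthRealm" isInternalUserID="true"/>
  <test realm="wl_deviceNoProvisioningRealm" isInternalUserID="true"/>
</customSecurityTest>
"""

# Constructed sample with the attribute name in the wrong case. XML attribute
# names are case-sensitive, so isInternalUserId is simply an unknown attribute.
SAMPLE_WRONG_CASE = """
<customSecurityTest name="webTest">
  <test realm="wl_antiXSRFRealm"/>
  <test realm="MyUserAuthRealm" isInternalUserId="true"/>
</customSecurityTest>
"""

EXPECTED_ATTRS = {
    "isinternaluserid": "isInternalUserID",
    "isinternaldeviceid": "isInternalDeviceID",
}


def _tests(xml_text):
    """Parse the XML and return the <test> children of the customSecurityTest."""
    root = ET.fromstring(xml_text)
    if root.tag != "customSecurityTest":
        raise ValueError("expected <customSecurityTest>, got <%s>" % root.tag)
    return root.findall("test")


def step_groups(xml_text):
    """Return realm names grouped by step, in the order the client passes them.
    A test without step="n" belongs to step 1: with no sequence specified,
    all tests are done in a single step."""
    groups = {}
    for t in _tests(xml_text):
        groups.setdefault(int(t.get("step", "1")), []).append(t.get("realm"))
    return [groups[s] for s in sorted(groups)]


def validate_custom_security_test(xml_text, mobile=True):
    """Return the list of rule violations; an empty list means the test is consistent."""
    errors = []
    tests = _tests(xml_text)

    # Catch mis-cased attribute names, which the parser would otherwise ignore.
    for t in tests:
        for attr in t.attrib:
            want = EXPECTED_ATTRS.get(attr.lower())
            if want and attr != want:
                errors.append("realm %s: attribute %r should be spelled %s"
                              % (t.get("realm"), attr, want))

    user_realms = [t.get("realm") for t in tests if t.get("isInternalUserID") == "true"]
    device_realms = [t.get("realm") for t in tests if t.get("isInternalDeviceID") == "true"]
    if len(user_realms) != 1:
        errors.append("expected exactly one isInternalUserID realm, found %d: %s"
                      % (len(user_realms), user_realms))
    if mobile and len(device_realms) != 1:
        errors.append("mobile resource: expected exactly one isInternalDeviceID realm, found %d: %s"
                      % (len(device_realms), device_realms))

    # Device auto provisioning cannot succeed without an authenticity realm.
    realms = {t.get("realm") for t in tests}
    if realms & PROVISIONING_REALMS and not realms & AUTHENTICITY_REALMS:
        errors.append("device auto provisioning realm present without an authenticity realm")

    # step="n" must be a positive integer when present.
    for t in tests:
        step = t.get("step")
        if step is not None and not (step.isdigit() and int(step) >= 1):
            errors.append("realm %s: step=%r is not a positive integer" % (t.get("realm"), step))
    return errors


if __name__ == "__main__":
    for name, xml_text, mobile in (("ok", SAMPLE_OK, True),
                                   ("two-user-realms", SAMPLE_TWO_USER_REALMS, True),
                                   ("wrong-case", SAMPLE_WRONG_CASE, False)):
        print(name, "->", validate_custom_security_test(xml_text, mobile) or "no violations")
    print("order:", step_groups(SAMPLE_OK))
```

Running the script reports no violations for the ordered sample and prints its order as two steps, while the second sample is flagged both for having two user realms and for lacking a device realm; the third sample shows why the attribute case matters, since the mis-cased attribute is reported and the realm count then comes out as zero user realms.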

Sample security tests

This section describes what a webSecurityTest and a mobileSecurityTest contain.

The webSecurityTest contains:
  • The following realms, enabled by default: wl_anonymousUserRealm and wl_antiXSRFRealm.
  • The user realm that you must specify.

The mobileSecurityTest contains:
  • The following realms, enabled by default: wl_anonymousUserRealm, wl_antiXSRFRealm, wl_directUpdateRealm, wl_remoteDisableRealm, and wl_deviceNoProvisioningRealm.
  • The user and device realms that you must specify.

A customSecurityTest has no realms that are enabled by default. You must define all realms that you want your customSecurityTest to contain.

For a webSecurityTest:
<webSecurityTest name="webTest">
  <testUser realm="wl_anonymousUserRealm"/>
</webSecurityTest>
The equivalent as a customSecurityTest:
<customSecurityTest name="webTest">
  <test realm="wl_antiXSRFRealm" />
  <test realm="wl_anonymousUserRealm" isInternalUserID="true" />
</customSecurityTest>
For a mobileSecurityTest:
<mobileSecurityTest name="mobileTest">
  <testUser realm="wl_anonymousUserRealm"/>
  <testDeviceId provisioningType="none" />
</mobileSecurityTest>
The equivalent as a customSecurityTest:
<customSecurityTest name="mobileTest">
  <test realm="wl_antiXSRFRealm" />
  <test realm="wl_remoteDisableRealm" />
  <test realm="wl_anonymousUserRealm" isInternalUserID="true" />
  <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" />
</customSecurityTest>

Usually, you add your own realm to your configuration to authenticate users. The following example shows a configuration in which MyUserAuthRealm is the realm that the developer added.

Example with your own realm name as a realm definition for testUser:

For a webSecurityTest:
<webSecurityTest name="webTest">
  <testUser realm="MyUserAuthRealm"/>
</webSecurityTest>
The equivalent as a customSecurityTest:
<customSecurityTest name="webTest">
  <test realm="wl_antiXSRFRealm" />
  <test realm="MyUserAuthRealm" isInternalUserID="true" />
</customSecurityTest>
For a mobileSecurityTest:
<mobileSecurityTest name="mobileTest">
  <testUser realm="MyUserAuthRealm"/>
  <testDeviceId provisioningType="none" />
</mobileSecurityTest>
The equivalent as a customSecurityTest:
<customSecurityTest name="mobileTest">
  <test realm="wl_antiXSRFRealm" />
  <test realm="wl_remoteDisableRealm" />
  <test realm="MyUserAuthRealm" isInternalUserID="true" />
  <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" />
</customSecurityTest>