
I am building an application for Mobile using IBM MobileFirst 6.3. The app will work as follows:

  1. User has to enter username and password to access the application features.

  2. JSON Store is being used to store the user data with encryption.

  3. At first use of the application the JSON Store will be created, and it is protected by the user's password [JSON Store key] upon successful login.

  4. Users are allowed to change the password in any environment [Mobile or Web].

  5. Let's take a scenario: the user has changed the password on the Web and then tries to log in to the Mobile app. Login will be successful, but the JSON Store cannot be initialized since the user has changed the password.

The mobile and web applications use the same web service, and we are not allowed to modify the web service for the mobile application.

How can we handle this scenario?

Karikalan
sasi

2 Answers


The answer to Worklight Online + Offline Authentication describes an approach that I think could work in your scenario.

xverges

Do you mean that you base the login to the mobile app on JSONStore? Meaning, that in order to login to the mobile app, you need to open your JSONStore?

I am not convinced at all that is the correct approach. You are storing the password on the device. Not particularly secure...

To complicate matters you also want to be able to change the password from both the web and mobile, and as you have found out - you cannot change it on the mobile before first logging in with the old password and then somehow programmatically trigger a password change based on the password the end-user entered in the web version.

As you can see, this creates a scenario of lack of synchronicity between the web and mobile apps.

Maybe you shouldn't do that if you plan on allowing changing the password.

My suggestion is to use a centralized location for the password, such as an LDAP or similar server connected to the Worklight Server, and not to base your login on JSONStore in this fashion.

You could use JSONStore for offline authentication, but not for online authentication. See here: Offline authentication tutorial.

Idan Adar
  • I haven't mentioned that I am storing the username and password in the JSON store. In the second point I mentioned that we are storing some information from the user [not the username and password] in the JSON store. Then, once the user has been authenticated, only then do we open the JSON store for storing purposes. – sasi Feb 09 '15 at 10:33
  • So what is the relation between the web password and the JSONStore password? What do you use the web password for? Login? – Idan Adar Feb 09 '15 at 10:57
  • Yes, the web password is used for mobile app authentication, and we are also using the same web password for protecting the JSON store. – sasi Feb 09 '15 at 11:35
  • Well, as I wrote, this is a problematic scenario that perhaps should not be done. It's like a second tier, or level, of protection. You probably should not use the same password for both the login and the JSONStore. Maybe generate a new one each time somehow. Or consider why you need another password after you have already logged in... – Idan Adar Feb 09 '15 at 11:40
  • I agree with you. As you said, it is a problematic scenario, but we need to secure the JSON store somehow. How would you secure the JSON store by generating the password each time, or how would you directly ask the user for the JSON store password? – sasi Feb 09 '15 at 11:53
  • Make it fully programmatic, never ask for user interaction? – Idan Adar Feb 09 '15 at 11:54
  • Won't it be a security breach if we hard code things? – Kawinesh S K Feb 09 '15 at 11:56
  • Only if someone got the login credentials (which you use before you use the JSONStore inside the app). Or just don't make it the same password - which is also a potential security breach. – Idan Adar Feb 09 '15 at 11:57