4

Is there a way to pass secure data (user data) between two or more security checks in a Java adapter of IBM MobileFirst Platform 8.0?

Basically, I need my adapter resource to be called and produce a response whether the user is logged in or not. If the user is logged in, I need to get user-specific data; otherwise I need to fetch general information from the back-end. For example, contact information will be generic when the user is not logged in but specific to the user's location if he/she is logged in (the location of the user will be fetched from the back-end based on authentication data). So if I keep my adapter secure, then the adapter will throw a 401 error if the user is not logged in, and if I keep my adapter unsecured, then I am not able to get user-specific information when the user is logged in.

S.A.Norton Stanley
Harsh

2 Answers

1

You can't expect two different adapter responses for authenticated and unauthenticated users in a protected adapter method, as the method can be accessed only if the client answers the security check challenges.

However, you can achieve it in an unprotected adapter method using the getAuthenticatedUser API, where you can differentiate between authenticated and unauthenticated users and send back a response based on the type of user.

Use the UserLogin security check to authenticate users.

Vittal Pai
  • I tried that and my findings are: 1) The security context is not null. 2) getAuthenticatedUser is always null as the adapter is unsecured, so I am not able to access secure data when the adapter is not secured even if the user is not logged in – Harsh Mar 22 '17 at 13:10
  • @Harsh You need to use the `UserLogin` security check adapter for this, where the client should log in using the `Login` API; after that, whenever the client makes a call to the unsecured method, `getAuthenticatedUser` will return the logged-in client details and will not return null. – Vittal Pai Mar 23 '17 at 06:46
  • Vittal, is UserLogin an out-of-the-box security test available for MFP 8.0? I already have a custom security check, where I am validating user information with the `validateCredentials` method of the `UserAuthenticatedSecurityCheck` class. I tried after logging in with my custom security check, but I still get `getAuthenticatedUser()` as null only – Harsh Mar 23 '17 at 09:35
  • @Harsh OK, can you tell me which scope your unprotected method has? Is it default or with some scope name? It should work if your unprotected method's scope is default. – Vittal Pai Mar 24 '17 at 10:42
  • @Harsh If it's still not working, please share the unprotected method snippet where the `getAuthenticatedUser()` API is always returning NULL. – Vittal Pai Mar 31 '17 at 06:28
  • If my method is unsecured/not secure then I can't access getAuthenticatedUser(); it always returns null, as defined in https://www.ibm.com/support/knowledgecenter/en/SSHSCD_8.0.0/com.ibm.worklight.dev.doc/dev/c_oauth_security_model.html – Harsh Apr 16 '17 at 13:51
0

The OAuth-based security model of MobileFirst doesn't offer:

1. Accessing secure or user-session-based information from an unsecured or unprotected resource
2. Making a resource secure and unsecure at run time

So there are two options to achieve the requirement:

1. The easy and simple way is to make two adapters (or two methods in the same adapter), one with OAuth enabled and one with OAuth disabled, and let the mobile app decide which one to call.
2. If we want to use only one adapter or method, then:
   i) The adapter, or more specifically the method, has to be unprotected or protected with the Default_Scope of MobileFirst only, as the security check for the Default_Scope of MFP is passed when the mobile application is launched.
   ii) Fetch user-specific information, if the user is logged in, from the back-end system, similar to the one used in the security test.
   iii) Use the user-specific information to get user-specific data.

By following the above steps, user-specific information can be made available to an adapter or a particular API even if it is not secured. As you are not going to use the out-of-the-box security model of MFP, security needs to be handled explicitly and all security measures have to be followed so as to keep user information secure.

Harsh
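Both answers above converge on the same construction: keep the resource under the default scope (or behind a user security check) and read the caller's identity from the adapter's security context rather than from anything the client sends. The following is an added example, not code from the question or from either answer, showing the three variants discussed in this thread side by side in one MFP 8.0 Java adapter resource. It assumes, as the first answer states, that under the default scope `getAuthenticatedUser()` is populated once the client has passed the `UserLogin` check and is null otherwise; the package name, the scope name `UserLogin`, and the two back-end helpers with their constructed data are assumptions for illustration.

```java
// Added example, not from the question or answers on this page.
// Assumed names: the package, the "UserLogin" scope, and the two
// fetch* helpers (which stand in for a real back-end call).
package com.example.contactadapter;

import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import com.ibm.mfp.adapter.api.AdapterSecurityContext;
import com.ibm.mfp.adapter.api.OAuthSecurity;
import com.ibm.mfp.server.registration.external.model.AuthenticatedUser;

@Path("/contact")
public class ContactResource {

    // Injected by the adapter framework. It carries the identity that the
    // authorization server associated with the client's access token.
    @Context
    AdapterSecurityContext securityContext;

    // Variant A: protected by a user security check. An unauthenticated
    // client never reaches this body; it receives 401 plus a challenge.
    @GET
    @Path("/personal")
    @Produces(MediaType.APPLICATION_JSON)
    @OAuthSecurity(scope = "UserLogin") // assumed: name of the deployed check
    public Response personalContact() {
        AuthenticatedUser user = securityContext.getAuthenticatedUser();
        return Response.ok(fetchContactForUser(user.getId())).build();
    }

    // Variant B: default scope (no scope attribute; same as no annotation).
    // The access token is still validated, so the security context knows
    // the active user once the client has passed UserLogin, and reports
    // null otherwise. One endpoint, two responses.
    @GET
    @Path("/adaptive")
    @Produces(MediaType.APPLICATION_JSON)
    @OAuthSecurity
    public Response adaptiveContact() {
        AuthenticatedUser user = securityContext.getAuthenticatedUser();
        if (user == null) {
            return Response.ok(fetchGenericContact()).build();
        }
        // The identity comes from the validated token, never from a query
        // parameter or header that the client could set to another user's id.
        return Response.ok(fetchContactForUser(user.getId())).build();
    }

    // Variant C: security disabled. No access token is validated, so the
    // context has no user to report and getAuthenticatedUser() is always
    // null. This is the configuration the comments above describe.
    @GET
    @Path("/public")
    @Produces(MediaType.APPLICATION_JSON)
    @OAuthSecurity(enabled = false)
    public Response publicContact() {
        return Response.ok(fetchGenericContact()).build();
    }

    // Hypothetical back-end lookups, answered from constructed sample data
    // so the adapter runs without a real system behind it.
    private Map<String, String> fetchGenericContact() {
        Map<String, String> contact = new HashMap<>();
        contact.put("phone", "+1-800-000-0000");   // constructed
        contact.put("email", "support@example.com"); // constructed
        return contact;
    }

    private Map<String, String> fetchContactForUser(String userId) {
        // Constructed mapping of user id -> regional office; unknown users
        // fall back to the generic contact rather than failing the request.
        Map<String, String> regionByUser = new HashMap<>();
        regionByUser.put("alice", "Boston");
        regionByUser.put("bob", "Austin");
        String region = regionByUser.get(userId);
        if (region == null) {
            return fetchGenericContact();
        }
        Map<String, String> contact = new HashMap<>();
        contact.put("phone", "+1-555-010-" + String.format("%04d", region.hashCode() & 0x1FFF));
        contact.put("email", region.toLowerCase() + "-office@example.com");
        contact.put("region", region);
        return contact;
    }
}
```

Variant C is the configuration in which the comments report a null user: with `enabled = false` no token is checked, so the adapter can say nothing about the caller, and any user-specific branch on such a method would have to rest on data the client supplies, which is exactly the input that cannot be trusted. Variant B is the single-endpoint shape the thread was after; whether `getAuthenticatedUser()` is populated there depends on the client having completed the `UserLogin` challenge under the same token, which is worth confirming against your deployed server before relying on it.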