I have two questions here which will be dependent on each other.
what happens after app authenticity and if its successful will the server send back a validation I'd to app. ?
If app gets the validation I'd .
I want to send it to my web server and on each call I want to send this validation I'd to adapter level to check if the validation I'd is valid.
what happens after app authenticity and if its successful will the app send back a validation I'd to app. ?
Please review the authenticity tutorial, which explains how authenticity works: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-1/foundation/authentication-security/application-authenticity-protection/
Authenticity check is done on the application. Not on the adapter.
The check happens at the first time the application attempts to connect to the server. If it fails you will no longer be able to run the app again unless it is removed and re-installed.
I want to send it to my web server and on each call I want to send this validation I'd to adapter level to check if the validation I'd is valid.
Per my explanation above, this is irrelevant.
Related
Do we need to call WL.Client.Login API before submitLoginForm in MobileFIrst 7.1.0 while using Formbasedauthentication (LoginModule = LDAP).
IBM documentation does not mention it but we found that if we do not call it MobileFirst Server does not send any Challenge.But we call that before submitLoginForm we receive all challenge handler and got authenticated from LDAP.
Please Advice.
Yes.
submitLoginForm() is the step where the client side code ( challengehandler) sends the credentials to the server. This is in case of Form based login.
The challenge will come from the server as a result of the application connecting to the server by:
WL.Client.connect(). In this case, if the application is protected, server throws the challenge.
WL.Client.login(realmName). If this is a custom realm, the server sends a challenge to be handled.
Invoking a protected resource using WLResourceRequest. The server responds with a challenge.
When user enters wrong credentials to an earlier challenge
When the challenge comes, you handle it in the challengehandler. The handleChallenge flow in the client ends with the client submitting the credentials in the login form and sending it to the server using the API - submitLoginForm().
Disclaimer: First of all I'm not an Android developer but a security professional.
My company wants to implement fingerprint authentication in its Android app and I'm wondering if there is any way to log the failed authentication attempts in the application?
According to my current understanding after the application calls the fingerprint authentication API of the OS it does not see how many times the user failed to provide a valid fingerprint, it only waits for a callback containing the key extracted from the keystore in case of successful authentication or a "fingerprint authentication canceled" message if the user decides not to use the fingerprint authentication and fall back to PIN authentication instead (let's suppose that this is implemented).
Yes, there's a way to log failed authentication attempts inside your application. You can use the authenticate method from the FingerprintManager class. Then, using an instance of the AuthenticationCallback you can log to any analytics platform (Firebase, for example) the events for each one of the callbacks. Or you can just log them on your own servers.
There are three other callbacks aside from onAuthenticationSucceeded:
onAuthenticationError
For fatal errors such as timeouts/lockouts.
onAuthenticationFailed
For non-fatal errors where a fingerprint was aquired but not recognized.
onAuthenticationHelp
For non-fatal errors where a fingerprint couldn't be aquired, e.g. the sensor is dirty or the user didn't keep the finger steady.
I have no interest in authenticating my clients as they are.
I do, however, want to make sure that anyone reaching my FireBase is authorized. Namely, that it's only via my Android app.
Could it be done somehow? I couldn't find any option or alternative in FireBase documentation.
The best approach I see is to have my app signed by a certificate, and aithorize itself using it.
To authenticate your app, use FCM (but regretably, it requires a server code):
Create an anonymous firebase account.
send an FCM message to your server, with the firebase account uid.
the server will create a node such as /uids/$uid/enabled.
have a rule to require it, e.g.:
".read" : "root.child('uids').child(auth.uid).child('enabled').val() == true"
The reason for the FCM message, is that in order to send such a message, the app should be "registered", which means the developer's signing certificate for the app is known. anyone attempting to send such an FCM message and not through your app will fail - even if someone re-sign (and probably modify) your app.
The drawback is, of course, you need your server to receive FCMs - which is very easy on the device, but harder on the server side.
I am developing a BlackBerry application in which I need to use PUSH API. I already have registered with RIM and they have sent me the credentials for evaluation service. In my BlackBerry device, I installed sample push API application just to test that the push messaging works. After setting the content provider URL which is publicly accessible, I entered all the details for the sample application to register the it for receiving notification messages. When trying to register it asks for username and password but I don't know what they are for. In the email received from RIM, there are passwords for server application and content provider admin portal applications but not for the push client.
When I added an arbitrary username and password it fails with the message that java.lang.Exception Registration with Push API failed, caused by port is unavailable. But when I unregister it successfully unregisters the user with the given arbitrary username and password. By the I use the port given in the RIM's email.
I have no idea why this happens and I appreciate immediate response from you. Thank you.
The first thing to point out is that the RIM sample push application is ridiculously overcomplicated. The username and password you are referring to are used to authenticate against the sample push initiator web application which runs on your tomcat server. It doesn't matter what you put in there, they are not used for authentication. I can only assume they were added to show you that you can send a username and password to a web based service.
The only things you need in your BlackBerry app to register for the push service are:
Push Application ID (e.g. 2672-c870l6c924r1i298O4o33cc5391y0e75134)
Push Port (e.g. 31940)
BlackBerry Push Server URL (e.g. http://pushapi.eval.blackberry.com)
The port is unavailable message you're receiving is probably because the device you're using has not been provisioned for BlackBerry Internet Services (BIS). Make sure it has a SIM with an active BlackBerry data plan.
I'm struggling to combine client-side authentication with server-side authentication and I appreciate help from the community. My app is simple and all users are on Facebook so I would like to use FB widgets both for login/auth and registration.
After page is loaded I check FB.getLoginStatus and show the fb:login-button if the user is not logged in.Then the user press the login-button and I receive the auth.login event. It's from here I'm a bit uncertain on the next action and I wonder if I'm missing a point.
I try to redirect the user to the server and I was hoping I could use the php-sdk there to check if the user is logged in without any fuzz, but when I do $facebook->api('/me') I get no response.
So how should I pass authorization information to the server in a secure way (my app doesn't use https) so that I can ensure that the user is authentication and authorized on the server side as well when I use the fb-login-button?
does the following example from facebook work for you
http://developers.facebook.com/blog/post/534/
it is combining javascript with php SDK and there is some additional info you should check
hope this helps
In the Client Side Validation you can provide a better user experience by responding quickly at the browser level. When you perform a Client Side Validation, all the user inputs are validated in the user's browser itself. Client Side validation does not require a round trip to the server, so the network traffic which will help your server perform better. This type of validation is done on the browser side using script languages such as JavaScript, VBScript or HTML5 attributes.
For example, if the user enters an invalid email format, you can show an error message immediately before the user moves to the next field, so the user can correct every field before they submit the form.
Mostly the Client Side Validation depends on the JavaScript Language, so if users turn JavaScript off, it can easily bypass and submit dangerous input to the server. So the Client Side Validation can not protect your application from malicious attacks on your server resources and databases.
As both the validation methods have their own significances, it is recommended that the Server side validation is more SECURE!
In the Server Side Validation, the input submitted by the user is being sent to the server and validated using one of server side scripting languages such as Node.js. After the validation process on the Server Side, the feedback is sent back to the client by a new dynamically generated web page. It is better to validate user input on Server Side because you can protect against the malicious users, who can easily bypass your Client Side scripting language and submit dangerous input to the server.