Authentication with Mobilefirst Java Adapter - ibm-mobilefirst

We are working with MobileFirst 7.0 version. We want to achieve authentication using adapter based authetication process. Earlier we used HTTP Adapter and it worked. But we changed it to Java Adapter and want to acheive authentcation with Java Adapter Based authetication.
My questions are :
Is it possible?
If yes, how can we move forward?
If not, what is the alternative of doing authentication usig Java Adapter?

There is some documentation covering your question.
Here are links to get you started:
Authentication concepts in MFP 7.0: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/authentication-security/authentication-concepts/
Adapters overview: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/server-side-development/adapter-framework-overview/
Java adapters: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/server-side-development/java-adapter/
Adapter-based authentication: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-0/authentication-security/adapter-based-authentication/
You need to use a JavaScript adapter.
Read the documentation.
Use OAuth.

I found this blog entry, and in particular the second video answered many questions.
OAuth Blog
In all cases I have ever seen we set up a Worklight security Realm and use adapter-based authentication to authenticate to that Realm. Our OAuth-protected resources then reference that realm.
In principle we could define realms that do not depend upon a JavaScript adapter for authentication, the MFP Security model is open to extension. In practice this is probably more work than you want to do. I find that the JavaScript model is itself quite extensible, as it can call down to Java code when something complex is needed.

Related

Should Keycloak be used in my website user registration and log in?

I am using JBoss JSF to develop a personal project, and the website needs a user registration and login feature, as many other sites do. There are lots of tutorials on how to develop a user registration component in Java EE and JPA framework. I just happened to find the KeyCloak project. It seems that KeyCloak can be used for user registration and management purpose, especially if you use JBoss to develop the application.
My question is, do I really need to use this for user registration? It seems very heavy, and I didn't find any API docs that I can refer to integrate it into my web application.
What's the best use case of Keycloak? And how to integrate it in a Java EE application? Any quickstart or tutorial for Java application would be appreciated.
The main Keycloak project includes a adapters documentation (to be used to secure clients) examples project showing how to secure a JEE application using JEE application security.
If you use Spring, there's a Spring Security adapter that support a more very flexible security implementation as well, including examples for this as well.

Why need worklight adapter instead direct ajax?

I just curious, why we need worklight adapter to communicate with the database? Why not can't using direct ajax? Last time I'm using direct ajax it's not working at all. After I switch to worklight adapter it's running like charm? No problem at all. Why?
You did not provide any specific details about your scenario, like Where is that backend system located, if there is any security involved, what is the topology, etc... so why it's not working with AJAX is impossible to answer.
As for why use Worklight adapters, read:
http://javatechig.com/cross-platform/ibm-worklight/how-to-create-a-http-adapter-in-ibm-worlight
Adapters provide templated (adapter types) connectivity settings to various backend systems - HTTP, SOAP, SQL, JMS and so on
Adapters provide a means to auto-generate an adapter for WSDL and sap web services
Adapters can also be pure Java JAX-RS web apps, allow far greater flexibility and functionality (in MFP 7.0)
You must use Worklight adapters if you intend on using the unified push notifications support
Adapters must be used if you intend to utilize any of the Worklight security features (adapter-based, custom login module, device provisioning, custom provisioning and so on)
and so on

Customize Worklight Adapter URL

I am building an iOS and Android Apps using Worklight Framework, the worklight server will be protected by IBM Security Access Manager (ISAM) SSO, and therefore the Apps can only be reaching the worklight server after passing the Security challenges. I've found some docs about this integration and it works as intended.
But the apps also offers some features that doesn't required login, in which the Security Manager shouldn't intercept the adapter request to worklight server. The only workaround that suggested by IBM is to create a URL mapping junction in ISAM that defines the URLs that can access by public, and those which shall not. for example /worklight/public and /worklight/secured
But the URL pattern for all worklight adapter are /worklight/invoke?adapter=ADAPTER_NAME, so do we have a way to create a customized URL for public and secured adapter, for example:
/worklight/public/invoke
/worklight/secued/invoke
EDIT 1: Worklight Version 6.0
Thanks in advance.
Please mention the version of Worklight you are using.
One way to achieve this is to create and deploy the adapters in two different projects. That way the context root of both the adapters will be different. So, you'll have URLs such as
/Project1/invoke?... and Project2/invoke?... which you can apply to your filters.

IBM Worklight Adapter requires OAuth

Here is my problem: I would like to create an application with IBM Worklight which will call via an adapter a service that requires OAuth (ie: Twitter).
Anyone have some thought for the best method to implement this using IBM Worklight?
For example, use one method to get the token, store the token in the session and then other methods to interact with the service?
Is there some out of the box functionality in IBM Worklight to handle the token acceptance in such case (ie: automatically open a browser to provide the authorization)?
Many thanks
Dominique
You can use the cordova inappbrowser plugin to get the access token and pass the token to the Worklight adapters. I am working on a devworks article now with an example so I will update this response with a link once it's live.
Here's the link to the article that might be helpful to you: http://www.ibm.com/developerworks/library/mo-worklight-linkedin/index.html

Does JBoss have a user management API which I can use?

I am going to run a Web App on JBoss App Server 7. Does JBoss have some sort of inbuilt user management module/API which I can use rather than code my own? Or do I have to make this module myself. I know about the default JAAS pieces providing authentication AND authorisation, however I am looking to manage, add, edit, delete users from the datasource as well.
I'm not being lazy or anything, just want to know if JBoss has an easy inbuilt way before I start :)
Google implies no so I want to make sure by asking here.
As far as I know they don't provide any easy to managed identity provider, they "only" provide way to connect to identity provider using standard protocol like LDAP, SAML and WS-trust, openid to provide container managed authentication.
They have a idm project but it seems to provide standard protocol SSO identity backed by some identity store but doesn't provide way to manage the users.
PicketBox and PricketLink are the tow JBoss project you should look for more information.
These element can be used if you want to use global identity system, existing one, new product deployment or custom build.
(disclaimer: I have sped some time on Picket* projects documentation and I still don't think I get a good knowledge on how it works... )
There is a web interface and a command line interface for management operations. See the Management Clients section of the documentation.
The security realms could be what you're after. I'm not really a security expert though.
Maybe a security domain could be helpful too.