how to protect the RESTFul service using Bluemix App Id?
I am developing a native mobile app (iOS & Android) and using Bluemix App Id service for the security. After the user get authenticated (logged in with either facebook or google id), the app calls some RESTFul service in the backend. These RESTFul services are implemented in Liberty for Java in Bluemix. How to implement the client and server side to protect the RESTFul services, allowing only authenticated users to invoke the services?
Hi,
Please look at this documentation topic, which explains how to configure your existing Liberty for Java backend: https://console.bluemix.net/docs/services/appid/existing.html#existing-liberty.
These topic explains how to integrate your existing mobile app with App ID Android and iOS client SDKs: https://console.bluemix.net/docs/services/appid/existing.html#existing-android https://console.bluemix.net/docs/services/appid/existing.html#existing-ios
So you need to perform the following steps:
Create an App ID service instance from Bluemix Catalog.
Configure your Java backend application as explained above.
Bind the App ID service instance to your backed.
Integrate App ID client SDKs with your mobile applications.
Configure the desired identity providers in the App ID service dashboard. You can leave the default configuration for the testing purposes for a while.
You can select the "Service Credentials" item located in the left navigation bar of the service dashboard to see the service credentials (tenantID and so on).
How it works behind the scene. Once you integrated the App ID client SDK and called the "login" API, the user is presented with Login widget, that allows him to select the desired identity provider (as configured in the service dashboard). Here App ID handles the whole work that is required to authenticate the user. When the authentication process is completed, the Bearer access token is sent back from the App ID server and stored in authorization manager. The access token is added automatically to Authorization header of each outbound request if you're using the Request class. Note, that if you don't call the "login" API and your protected resource returns 401, the Login widget will be displayed automatically by the client SDK if you're using the Request class. The Authorization header is processed by the Java authentication filter. Your web.xml should specify what APIs should be protected (see the docs mentioned above).
We recommend to download our Java onboarding sample form the service dashboard and examine its backend part for more info.
Best regards, Vitaly
Hi Vitaly, Thanks a lot for you response. I tried the Java sample. I also created a JAX-RS RESTFul service and annotated it with @RolesAllowed("myrole") I did not change anything in server.xml I added the following in web.xml
<web-resource-collection>
<web-resource-name>ProtectedRestService</web-resource-name>
<url-pattern>/jaxrs/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myrole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
I used the Request class to call the service in Xcode. The following is the swift code:
BMSClient.sharedInstance.initialize(bluemixRegion: AppID.REGION_US_SOUTH) BMSClient.sharedInstance.authorizationManager = AppIDAuthorizationManager(appid:AppID.sharedInstance) var request:Request = Request(url: "https://appidx5-java-6417b190-7855-4c55-8b72-e2b453f9acc0.stage1.mybluemix.net/appidSample/jaxrs/appid/hello")
request.send(completionHandler: {(response:Response?, error:Error?) in
print("got response !")
print(response?.statusCode)
print(response?.responseText)
print("ok")
//code handling the response here
})
The above code does not work. I got status code 401. I checked the Liberty log, there are some errors: 2017-10-15T16:46:08.75-0400 [APP/PROC/WEB/0] ERR [ERROR ] CWPKI0033E: The keystore located at /home/vcap/app/wlp/usr/servers/defaultServer//mytruststore.jks did not load because of the following error: KeyStore "/home/vcap/app/wlp/usr/servers/defaultServer/mytruststore.jks" does not exist.
2017-10-15T16:53:46.70-0400 [APP/PROC/WEB/0] ERR [ERROR ] CWWKS1703E: The OpenID Connect client requires SSL (HTTPS) but the OpenID Connect provider URL is HTTP: [${cloud.services.App ID-x5.connection.oauthServerUrl}/authorization]. Update the configuration so that [enforceHTTPS] attribute matches the target URL scheme.
Did I miss anything? How to fix these errors? For the first error, I did not see any keystore is included in the sample app. How do I configure this keystore?
Thanks
Hi,
I see that this path in the error: /home/vcap/app/wlp/usr/servers/defaultServer//mytruststore.jks contains extra "/" before "mytruststore.jks". Please make sure that your config is correct:
keyStore id="appidtruststore" password="Liberty" location="${server.config.dir}/mytruststore.jks"
and {server.config.dir} does not contain a trailing slash.
The mytrustkeystore.jks is located in the same directory as server.xml and referenced in the openidConnectClient tag.
Best regards,
Vitaly
Actually I see this error in our out of the box sample (it's something new), for some reason mytruststore.jks is missing from the downloaded zip. We're checking the code generator.
Please extract the attached file to your Liberty folder.
When extracted, the folder structure should look like this:
There is a problem with Java code generator, therefore some files are missing from the generated project. Also, we have updated certificates in the Liberty truststore.
Best regards,
Vitaly
The problem with code generator has been fixed.
Best regards,
Vitaly