Worklight adapter calls are not encrypted (WL.Clie

Published 2019-09-16 18:29

Question:

I'm using Worklight adapters to fetch data from a web service. From the client side I'm doing

WL.Client.invokeProcedure

The server side has the respective code. The issue is that this client-to-server adapter communication is in plain text and can easily be sniffed. My URL is HTTPS, but it is of no use. Please help, I'm sure there should be a way in IBM Worklight to make a secure application.

Thanks

Answer 1:

AFAIK, Worklight provides only two options for security between your mobile app and the Worklight server. As you mentioned in your question, Worklight provides HTTPS for security. You can compress the data using compressResponse in your WL.Client.invokeProcedure:

{
  adapter : 'adapter-name',
  procedure : 'procedure-name',
  parameters : [],
  compressResponse : true // or false (the default)
}

compressResponse - Optional. A string that requests the response from the server to be sent in a compressed format to reduce the amount of data that is transferred between Worklight Server and the device. The default value, if compressResponse is not specified, is false. Note: This option is applicable for Android, iOS, Windows Phone 8, BlackBerry 10, Mobile Web, and Adobe AIR. For Mobile Web applications, compression is supported only when the device browser can decompress GZIP data. If the size of the payload is larger than the compress.response.threshold property set on the server, this option is ignored.


You can always encrypt/decrypt adapter requests/responses using a JavaScript AES library.

You can use the Stanford Javascript Crypto Library (SJCL) for simple encryption and decryption. I guess SJCL ships with Worklight.

SJCL is very simple to use. You can find the code to encrypt and decrypt below.

sjcl.encrypt("password", "data");
sjcl.decrypt("password", "encrypted-data");
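The payload-encryption approach from the answer above, as an added example that is not part of the original post or of Worklight: it wraps the adapter parameters in an authenticated envelope and binds the adapter and procedure names to it. Assumptions: Node's built-in crypto (PBKDF2 plus AES-256-GCM) stands in for SJCL on both ends so the block runs stand-alone, and sealInvocation, openInvocation and isRejected are hypothetical helper names.

```javascript
// Added example: Node's built-in crypto stands in for SJCL (assumption).
const nodeCrypto = require("crypto");

// Derive a 256-bit AES key from the shared password with a per-message salt.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, 100000, 32, "sha256");
}

// Adapter and procedure names are authenticated (AAD) but not encrypted.
function aadFor(adapter, procedure) {
  return Buffer.from(JSON.stringify([adapter, procedure]), "utf8");
}

// Client side: encrypt the parameters and return the object that would be
// handed to WL.Client.invokeProcedure (one string parameter: the envelope).
function sealInvocation(password, adapter, procedure, parameters) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  cipher.setAAD(aadFor(adapter, procedure));
  const ct = Buffer.concat([cipher.update(JSON.stringify(parameters), "utf8"), cipher.final()]);
  const envelope = {
    salt: salt.toString("base64"), iv: iv.toString("base64"),
    ct: ct.toString("base64"), tag: cipher.getAuthTag().toString("base64"),
  };
  return { adapter, procedure, parameters: [JSON.stringify(envelope)] };
}

// Receiving side: verify the 16-byte tag, then decrypt. Throws on any mismatch.
function openInvocation(password, invocation) {
  const env = JSON.parse(invocation.parameters[0]);
  const key = deriveKey(password, Buffer.from(env.salt, "base64"));
  const decipher = nodeCrypto.createDecipheriv(
    "aes-256-gcm", key, Buffer.from(env.iv, "base64"), { authTagLength: 16 });
  decipher.setAAD(aadFor(invocation.adapter, invocation.procedure));
  decipher.setAuthTag(Buffer.from(env.tag, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(env.ct, "base64")), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// True when the message is refused (wrong password, altered bytes, re-routed call).
function isRejected(password, invocation) {
  try { openInvocation(password, invocation); return false; } catch (e) { return true; }
}
```

A password embedded in the client app can be recovered from the app package, so this layer adds to HTTPS and does not replace it.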