Question

Worklight 6.1 documentation identifies that "credentials" such as password can be added to the user identity object (UIO) provided to WL.Server.setActiveUser().

How & where is the UIO stored on the WL server, and is this considered a secure storage?

Trying to understand the security implications of storing a password in this structure to be retrieved and used for subsequent back-end access (Cloud) requests. If not secure, can encryption be applied to any part of the UIO?

Appreciate any advice you can provide.


Solution

The User Identity object is kept in memory and is scoped to the current session.
In other words, the credentials are not persisted; one would need to dump the server memory and dig through it, or connect with a debugger. It's considered secure. The production server is also supposed to run in a secure environment with limited access to the process, etc., of course.

The credentials stored in this object can be used by the adapter to authenticate with a back-end on behalf of the user.

  • In an HTTP adapter, the authentication schemes Basic, Digest and NTLM use that technique.
  • In non-HTTP adapters and in custom authentication schemes, the developer can use those credentials as necessary.
Licensed under: CC-BY-SA with attribution