I am using the IBM MobileFirst studio plugin 7.0 and following the documentation here:Link to documentation on how to configure a direct update. I’m trying to understand how the pieces work together but I am not able to grasp the concept.
Using the code sample that is provided along with the tutorial, I see that the "mobileSecurityTest" is commented out and the "customSecurityTest" element present is also commented out.
Another thing I noticed is that in that application-descriptor.xml, there is no security test for the added environments?
How will the application know which securityTest to use at the app level app?
Does the securityTest need to be placed on the environment in general and specifically for a direct update?
The direct update wasn't getting triggered when running the sample and following the instructions on the app
Any advice is appreciated.
You specify what security test you want to use in the application-descriptor of you app.
Inside my application descriptor I have an iPhone app with customSecurityTest:
<iphone bundleId="com.PhoneUp" version="1.0" securityTest="customSecurityTests">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="false"/>
<testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
Inside my authentication config I have:
<customSecurityTest name="customSecurityTests">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
Now the security test that is protecting my application has a mapping to the security test in my authentication-config (security file on the server)
No a security test does not need to be placed on the application to trigger a direct update.
You may trigger the direct update just by the user trying to "login" to that realm.
WL.Client.login("wl_directUpdateRealm", {onSuccess:..., onFailure:...});
Direct update is a realm you can read more about that here.
The sample project from here does not have the security test commented in or a security test protecting the application. You are going to have to uncomment and add a security test in your appliation descriptor as described in the answer to number one.
Related
I am using MobileFirst Server MFPF 7.1, IF20151114-1616
WLClientLogReceiver adapter has the following settings. I tried changing the securityTest value to "LogUploadServlet", I still receive the same error below.
<procedure name="log" securityTest="wl_unprotected" audit="true" />
To enable security that protects the loguploader servlet, I followed the instruction given in the IBM document on step one.
Server preparation for uploaded log data - Security
Configuration in my aunthenticationConfig.xml
Under staticResources
<resource id="logUploadServlet" securityTest="LogUploadServlet">
<urlPatterns>/apps/services/loguploader*</urlPatterns>
</resource>
Under securityTests
<customSecurityTest name="LogUploadServlet">
<test realm="wl_anonymousUserRealm" step="1"/>
<test realm="LogUploadServlet" isInternalUserID="true"/>
</customSecurityTest>
Under realms
<realm name="LogUploadServlet" loginModule="StrongDummy">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
Deployed the updated WAR file and adapter in server. I am receiving the below error while client send logs to server by calling send() method.
[2/12/16 14:14:28:768 CST] 0000014d LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:28:933 CST] 000000d1 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:30:542 CST] 000000de SystemOut
Not sure what i a missing in this.
To not leave a question unanswered, from the comments section:
Issue is with the realm com.worklight.core.auth.ext.HeaderAuthenticator that I set for logUploadServlet. after removing and make the security as isInternalUserID="true" its working fine.
I am using the following configuration on my local host to disable direct update, but the direct update shows up randomly.
<securityTests>
<customSecurityTest name="iOSSecurityTest">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test mode="disabled" realm="wl_directUpdateRealm" step="1"/>
<test isInternalUserID="true" realm="wl_anonymousUserRealm" step="1"/>
<test isInternalDeviceID="true" realm="wl_deviceNoProvisioningRealm" step="2"/>
</customSecurityTest>
I would try two things:
Remove the wl_directUpdateRealm test altogether from the security test
Experiment with the expiration value of wl.realm.expiration.directUpdate in worklight.properties, as it is this value that dictates when will the direct update check take place.
Either way it sounds like you may want to open a PMR to have it checked by the development team why "disable" is not working.
Note that if this is in an external server you must re-deploy the .war file if making any changes to any file under the "server" folder.
We are developing WL application using WL enterprise ver (6.2.0.1) fix pack 1.
We have implemented the App authenticity correctly 3 months ago and everything was working (No changes been made on authenticationConfig.xml).
Today, all our applications are failing on App authenticity for both environments (Dev,QA), error on WL server:
[3/10/15 14:13:43:821 EDT] 000000d3 AuthenticityL I
com.worklight.core.auth.ext.appauth.AuthenticityLoginModuleImpl login FWLSE0127E:
Authenticity check failed for application 'APPNAME'. sharedData = ca.company.AppIDiPhone , challengeData = 514738N882129N341449C605766C744589X0355BCA6S214650C169432N928395XEDA8943BS085337C264942N797462X2B0C6AA2S462207X9035E6C7S . [project Name]
[3/10/15 14:13:43:853 EDT] 000000d3 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'wl_authenticityRealm': login fail [project Name]
The error appears on the time of launching the app and it is inconsistent, it happens (1/10)times.
AuthenticationConfig.xml:
<securityTests>
<customSecurityTest name="CompanyTestmobile">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
<webSecurityTest name="CompanyTest">
<testUser realm="CompanyRealm" />
</webSecurityTest>
<customSecurityTest name="SubscribeServlet">
<test realm="SubscribeServlet" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
Application-descriptor.xml (For iPhone):
<iphone applicationId="AppID" bundleId="ca.company.AppIDiPhone" securityTest="CompanyTestMobile" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
All our configuration is matching the WL document.
PS1: according to my understanding that the appAuthenticity will fail always or will not fail at all. why it is failing sometimes and working other times.
PS2: the deployment on our servers are not touchable and can't be modified once we deploy. That's a confirmation that the environment is stable and secured.
Thank you.
From the PMR this appeared to have happened due to a race condition triggered by applicative code calling to adapter requests simultaneously , which led to infrequent failures of the authenticity tests.
The customer adjusted their code to not cause a race condition after which the issue could no longer be reproduced.
We are developing a hybrid application on Worklight, and we need to implement the app authenticity.
We are using Worklight Enterprise edition 6.2.0.1 with IBM app centre.
However, We are seeing the following error on the server log when we launch the app on Android (iOs the same too, but will provide Android log).
[1/19/15 15:25:05:388 EST] 00000254 WLNewAuthenti E com.worklight.core.auth.ext.appauth.WLNewAuthenticityScheme isInvalidAndroidParams FWLSE0260E: Missing or empty packageName for android authenticity check, cannot test authenticity. If App Authentication is not set to 'Disabled' or 'Enabled, servicing' in Worklight Console the request will fail. [project MobileApp]
[1/19/15 15:25:05:388 EST] 00000254 WLNewAuthenti E com.worklight.core.auth.ext.appauth.WLNewAuthenticityScheme isInvalidAndroidParams FWLSE0260E: Missing or empty publicsigningkey for android authenticity check, cannot test authenticity. If App Authentication is not set to 'Disabled' or 'Enabled, servicing' in Worklight Console the request will fail. [project MobileBanking].
The security test on authenticationConfig.xml is :
<securityTests>
<mobileSecurityTest name="MobileAppTestMobile">
<testAppAuthenticity/>
<testDeviceId provisioningType="auto" />
<testUser realm="MobileAppRealm" />
<testDirectUpdate mode="perSession" />
</mobileSecurityTest>
<webSecurityTest name="MobileAppTest">
<testUser realm="MobileAppRealm" />
</webSecurityTest>
<customSecurityTest name="SubscribeServlet">
<test realm="SubscribeServlet" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
The application-descriptor.xml:
<iphone bundleId="ca.company.MobileApp" securityTest="MobileAppTestMobile" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
<android securityTest="MobileAppTestMobile" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
<publicSigningKey>"We have added our public signing key here by extracting it from our keystore file"</publicSigningKey>
</security>
</android>
We have deployed all the app from scratch after updating the WAR file.
The worklight console shows the three values for the authenticity "Disable - Enabled, servicing - Enabled , Blocking"
When we put "Enabled, Blocking" or "Enabled , servicing" we are getting the error log on the server that shared at the top of the post.
On the app screen we are getting an error " an error was encountered while processing the request from the application".
Please advise.
Thank you
The problem has been fixed.
Solution:
1- we changed the MobileSecurityTest in authenticationConfig.xml to be customSecurityTest as the following, AND redeployed the WAR file:
<customSecurityTest name="MobileSecurityTest">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
2- In application-descriptor.xml:
For android, I used what Idan said about adding the <packageName> property.
<android securityTest="MobileSecurityTest" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
<publicSigningKey>"Our public signing Key placed here"</publicSigningKey>
<packageName>ca.company.MobileTest</packageName>
</security>
</android>
For iOS, the issue was in the applicationId, we thought the applicationId value is the last section of the bundleId,
for example: if the bundleId is "com.company.Myapp" that's mean the applicaiotnId is "Myapp", which is not true.
This is incorrect definition:
<iphone bundleId="ca.company.MobileTestiPhone" applicationId="MobileTestiPhone" securityTest="MobileSecurityTest" version="1.0" >
The applicationId is the value inside the worklight.plist file, which is located inside the iPhone or iPad native folder and this file is generated after doing the build.
AND for our appliction it has a totally different value.
The correct one was:
<iphone bundleId="ca.company.MobileTestiPhone" applicationId="MobileTest" securityTest="MobileSecurityTest" version="1.0" >
That's why the app was being blocked from our WL server when we put the App authenticity value to "Enable,Blocking".
Thank you #Idan for your help.
Per the error message, you are missing the Android Package Name (in application-descriptor.xml).
This is the Authenticity tutorial for Hybrid apps for v6.3, but it's the same for 6.2. From the Android instructions:
Take the Application package name value from the package attribute of
the manifest node in the AndroidManifest.xml. If you decide to change
the value to another, verify that you change it in both locations.You
can also directly edit application-descriptor.xml and add a
packageName:
<android version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="false"/>
<testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
<publicSigningKey>MIGff ...</publicSigningKey>
<packageName>com.MyBankApp</packageName>
</security>
</android>
Have a question can we use the security tests in a external application(war) that gets deployed in Websphere liberty profile server. if yes then how to configure the same. The security test will be independent to worklight application and that of the external application.
What exactly are you talking about? Your scenario is not clear to me.
Worklight security tests are meant to be configured in the Worklight project's authenticationConfig.xml and to then be used to protect adapter procedures in the adapter XML file and/or applications in application-descriptor.xml; they are not meant to be used in any other context.
Your question is not clear.
I believe you want to protect your Worklight console (war) with security test and it is possible. you can protect your console with username and password. ( possible to use plain text or encrypted). For more info see this
to enable security test you need to edit your authenticationConfig.xml with the following code.
<staticResources>
<resource id="worklightConsole" securityTest="WorklightConsole">
<urlPatterns>/console*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="WorklightConsole">
<test realm="WorklightConsole" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="requireLogin" name="WorklightConsole">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<onLoginUrl>/console</onLoginUrl>
</realm>
</realms>
<loginModules>
<loginModule name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
</loginModules>