mobilefirst 7.1 authentication not working - authentication

EDIT: An IBM employee visited us today to have a look at this problem as well.
We did not solve the problem, but we think the root of the problem is something else. So I will rewrite the problem description.
The server was refusing connection due to the appAuthenticityTest failing. So for now we disabled the appAuthenticityTest to test the server configuration.
But we are now seeing the following errors in the log:
[3/4/16 16:12:06:529 CET] 000000a4 LoginContext E com.worklight.core.auth.impl.LoginContext processRequest FWLSE0059E: Login into realm 'wl_authenticityLoginModule' failed. Missing app authenticity configuration parameters. [project mapruntime]
com.worklight.gadgets.GadgetRuntimeException: Missing app authenticity configuration parameters
at com.worklight.core.auth.ext.appauth.AuthenticityAuthenticatorImpl.processRequest(AuthenticityAuthenticatorImpl.java:82)
at com.worklight.core.auth.ext.AuthenticityAuthenticator.processRequest(AuthenticityAuthenticator.java:79)
at com.worklight.core.auth.impl.LoginContext.processRequest(LoginContext.java:212)
at com.worklight.core.auth.impl.AuthenticationContext.checkAuthentication(AuthenticationContext.java:779)
at com.worklight.core.auth.impl.AuthenticationContext.processRealms(AuthenticationContext.java:679)
at com.worklight.core.auth.impl.AuthenticationContext.pushCurrentResource(AuthenticationContext.java:652)
at com.worklight.core.auth.impl.AuthenticationServiceBean.accessResource(AuthenticationServiceBean.java:81)
at com.worklight.core.auth.impl.AuthenticationFilter.doFilter(AuthenticationFilter.java:228)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
at com.worklight.analytics.AnalyticsFilter.doFilter(AnalyticsFilter.java:124)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:967)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1107)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3926)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1007)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1049)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInboundPostHandshake(SSLConnectionLink.java:717)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyHandshakeCompletedCallback.complete(SSLConnectionLink.java:413)
at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:1073)
at com.ibm.ws.ssl.channel.impl.SSLHandshakeIOCallback.complete(SSLHandshakeIOCallback.java:87)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
[3/4/16 16:12:06:537 CET] 000000a4 LoginContext E com.worklight.core.auth.impl.LoginContext processRequest FWLSE0117E: Error code: 4, error description: AUTHENTICATION_ERROR, error message: An error occurred while performing authentication using loginModule wl_authenticityLoginModule, User Identity Not available. [project mapruntime] [project mapruntime]
My application-descriptor.xml contains:
<android securityTest="MAPCertLogin" version="1.0.4">
<worklightSettings include="false"/>
<pushSender key="**********" senderId="******"/>
<compressWebResources enabled="true"/>
</android>
<common securityTest="MAPCertLogin"/>
My authenticationConfig.xml:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Licensed Materials - Property of IBM
5725-I43 (C) Copyright IBM Corp. 2006, 2013. All Rights Reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp. -->
<!---->
<!-- Sample security tests
Even if not used there will be some default webSecurityTest and mobileSecurityTest
Attention: if using <testAppAuthenticity/> test below ,<publicSigningKey> element must be added to application-descriptor.xml as well. -->
<securityTests>
<mobileSecurityTest name="MAPCertLogin">
<testUser realm="MAPLoginRealm"/>
<testDirectUpdate mode="perRequest"/>
<testDeviceId provisioningType="custom" realm="MAPLoginRealm"/>
<!-- testAppAuthenticity -->
</mobileSecurityTest>
<!--
<customSecurityTest name="PushSecurityTest">
<test isInternalUserID="true" realm="MAPLoginRealm"/>
<test isInternalDeviceID="true" realm="MAPLoginRealm" />
</customSecurityTest>
-->
</securityTests>
<realms>
<realm loginModule="StrongDummy" name="SampleAppRealm">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
</realm>
<realm loginModule="MAPLoginModule" name="MAPLoginRealm">
<className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
<parameter name="validate-csr-function" value="Authenticator.validateCSR"/>
</realm>
</realms>
<loginModules>
<loginModule expirationInSeconds="-1" name="StrongDummy">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="MAPLoginModule">
<className>com.worklight.core.auth.ext.DeviceAutoProvisioningLoginModule</className>
<parameter name="validate-certificate-function" value="Authenticator.validateCertificate"/>
</loginModule>
</loginModules>
</tns:loginConfiguration>
Why do we get the "Missing app authenticity configuration parameters" error while having the appAuthenticityTest disabled?
Regards,
Stijn

I believe this error happens because you are also trying to implement Custom Device Provisioning, however device provisioning requires authenticity... so either fix your authenticity setup per the Application Authenticity tutorial, or remove the device provisioning definition as well.
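The two rules this thread states (the answer: custom device provisioning needs app authenticity; the comment in authenticationConfig.xml: testAppAuthenticity needs a publicSigningKey in application-descriptor.xml) are easy to check mechanically before deploying. The following is an added example, not code from the question, the answer or IBM's tooling: a small Python consistency check over constructed copies of the two files. The `<application>` wrapper around the descriptor fragment and the placeholder key value are assumptions; the element and attribute names come from the files posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's authenticationConfig.xml:
# custom device provisioning is on, testAppAuthenticity is still commented out.
AUTH_CONFIG = """<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config">
  <securityTests>
    <mobileSecurityTest name="MAPCertLogin">
      <testUser realm="MAPLoginRealm"/>
      <testDirectUpdate mode="perRequest"/>
      <testDeviceId provisioningType="custom" realm="MAPLoginRealm"/>
      <!-- testAppAuthenticity -->
    </mobileSecurityTest>
  </securityTests>
</tns:loginConfiguration>
"""

# Constructed application-descriptor fragment; the <application> wrapper is an
# assumption, the <android>/<common> elements mirror the question (no publicSigningKey).
APP_DESCRIPTOR = """<application>
  <android securityTest="MAPCertLogin" version="1.0.4">
    <worklightSettings include="false"/>
  </android>
  <common securityTest="MAPCertLogin"/>
</application>
"""

# Variants with the fixes applied, for comparison (placeholder key, not a real one).
AUTH_CONFIG_FIXED = AUTH_CONFIG.replace("<!-- testAppAuthenticity -->", "<testAppAuthenticity/>")
APP_DESCRIPTOR_FIXED = APP_DESCRIPTOR.replace(
    "</android>",
    "  <publicSigningKey>PLACEHOLDER_BASE64_PUBLIC_KEY</publicSigningKey>\n  </android>",
)


def local_name(tag):
    """Strip an XML namespace prefix of the form '{uri}name'."""
    return tag.rsplit("}", 1)[-1]


def check_security_tests(auth_xml, descriptor_xml):
    """Return (test name, problem) pairs for every rule this page states."""
    auth = ET.fromstring(auth_xml)
    descriptor = ET.fromstring(descriptor_xml)
    # Security tests that the platform sections of the descriptor actually use.
    referenced = {e.get("securityTest") for e in descriptor.iter() if e.get("securityTest")}
    has_signing_key = any(local_name(e.tag) == "publicSigningKey" for e in descriptor.iter())
    findings = []
    for test in auth.iter():
        if local_name(test.tag) != "mobileSecurityTest":
            continue
        name = test.get("name")
        if name not in referenced:
            continue  # unused test, nothing to enforce
        custom_provisioning = any(
            local_name(c.tag) == "testDeviceId" and c.get("provisioningType") == "custom"
            for c in test
        )
        has_authenticity = any(local_name(c.tag) == "testAppAuthenticity" for c in test)
        # Rule from the answer: custom device provisioning needs app authenticity.
        if custom_provisioning and not has_authenticity:
            findings.append((name, "testDeviceId provisioningType=custom without testAppAuthenticity"))
        # Rule from the comment in authenticationConfig.xml itself.
        if has_authenticity and not has_signing_key:
            findings.append((name, "testAppAuthenticity without publicSigningKey in application-descriptor.xml"))
    return findings


if __name__ == "__main__":
    samples = {
        "as posted": (AUTH_CONFIG, APP_DESCRIPTOR),
        "authenticity on, key missing": (AUTH_CONFIG_FIXED, APP_DESCRIPTOR),
        "both fixed": (AUTH_CONFIG_FIXED, APP_DESCRIPTOR_FIXED),
    }
    for label, (auth, desc) in samples.items():
        print(label, "->", check_security_tests(auth, desc) or "ok")
```

Run as a script it reports the posted configuration as inconsistent, the half-fix (authenticity enabled, no signing key) as still inconsistent, and only the fully fixed pair as clean; the check deliberately ignores security tests that no platform section references.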

Related

ActiveMQ Artemis not starting without SSL enabled configuration

I'm using ActiveMQ Artemis 2.18.0. First I configured the setup with SSL and Artemis started without errors; then I wanted to test my setup without SSL, so I removed all SSL-related settings from broker.xml and bootstrap.xml, and now when I try to run Artemis I get this:
2021-10-13 07:34:26,047 INFO [org.apache.activemq.artemis.core.server] AMQ221001: Apache ActiveMQ Artemis Message Broker version 2.18.0 [amq1, nodeID=bee15e5b-2bf7-11ec-887f-0800277c53f8]
2021-10-13 07:34:26,263 INFO [org.apache.activemq.hawtio.branding.PluginContextListener] Initialized activemq-branding plugin
2021-10-13 07:34:26,297 INFO [org.apache.activemq.hawtio.plugin.PluginContextListener] Initialized artemis-plugin plugin
2021-10-13 07:34:26,548 INFO [io.hawt.HawtioContextListener] Initialising hawtio services
2021-10-13 07:34:26,571 INFO [io.hawt.system.ConfigManager] Configuration will be discovered via system properties
2021-10-13 07:34:26,573 INFO [io.hawt.jmx.JmxTreeWatcher] Welcome to Hawtio 2.13.5
2021-10-13 07:34:26,580 INFO [io.hawt.web.auth.AuthenticationConfiguration] Starting hawtio authentication filter, JAAS realm: "activemq" authorized role(s): "amq" role principal classes: "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
2021-10-13 07:34:26,595 INFO [io.hawt.web.proxy.ProxyServlet] Proxy servlet is disabled
2021-10-13 07:34:26,600 INFO [io.hawt.web.servlets.JolokiaConfiguredAgentServlet] Jolokia overridden property: [key=policyLocation, value=file:/home/vagrant/artemis-broker/etc/jolokia-access.xml]
java.lang.IllegalStateException: /home/vagrant/artemis-broker/etc/keystore.jks is not a valid keystore
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1203)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:322)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:244)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
at org.eclipse.jetty.server.Server.doStart(Server.java:401)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
at org.apache.activemq.artemis.component.WebServerComponent.start(WebServerComponent.java:263)
at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.addExternalComponent(ActiveMQServerImpl.java:908)
at org.apache.activemq.artemis.cli.commands.Run.execute(Run.java:126)
at org.apache.activemq.artemis.cli.Artemis.internalExecute(Artemis.java:155)
at org.apache.activemq.artemis.cli.Artemis.execute(Artemis.java:103)
at org.apache.activemq.artemis.cli.Artemis.execute(Artemis.java:130)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.apache.activemq.artemis.boot.Artemis.execute(Artemis.java:134)
at org.apache.activemq.artemis.boot.Artemis.main(Artemis.java:50)
2021-10-13 07:34:26,847 INFO [io.hawt.web.auth.AuthenticationFilter] Destroying hawtio authentication filter
2021-10-13 07:34:26,848 INFO [io.hawt.HawtioContextListener] Destroying hawtio services
2021-10-13 07:34:26,875 INFO [org.apache.activemq.hawtio.plugin.PluginContextListener] Destroyed artemis-plugin plugin
2021-10-13 07:34:26,878 INFO [org.apache.activemq.hawtio.branding.PluginContextListener] Destroyed activemq-branding plugin
2021-10-13 07:34:26,902 INFO [org.apache.activemq.artemis.core.server] AMQ221002: Apache ActiveMQ Artemis Message Broker version 2.18.0 [bee15e5b-2bf7-11ec-887f-0800277c53f8] stopped, uptime 11.619 seconds
Not sure what Jolokia property is overridden. Did I forget to do something else?
bootstrap.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<broker xmlns="http://activemq.org/schema">
<jaas-security domain="activemq"/>
<server configuration="file:/home/vagrant/artemis-broker/etc//broker.xml"/>
<web bind="https://0.0.0.0:8161" path="web">
<app url="activemq-branding" war="activemq-branding.war"/>
<app url="artemis-plugin" war="artemis-plugin.war"/>
<app url="console" war="console.war"/>
</web>
</broker>
broker.xml:
<?xml version='1.0'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<configuration xmlns="urn:activemq"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xi="http://www.w3.org/2001/XInclude"
xsi:schemaLocation="urn:activemq /schema/artemis-configuration.xsd">
<core xmlns="urn:activemq:core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:activemq:core ">
<name>amq1</name>
<persistence-enabled>true</persistence-enabled>
<!-- this could be ASYNCIO, MAPPED, NIO
ASYNCIO: Linux Libaio
MAPPED: mmap files
NIO: Plain Java Files
-->
<journal-type>ASYNCIO</journal-type>
<paging-directory>data/paging</paging-directory>
<bindings-directory>data/bindings</bindings-directory>
<journal-directory>data/journal</journal-directory>
<large-messages-directory>data/large-messages</large-messages-directory>
<journal-datasync>true</journal-datasync>
<journal-min-files>2</journal-min-files>
<journal-pool-files>10</journal-pool-files>
<journal-device-block-size>4096</journal-device-block-size>
<journal-file-size>10M</journal-file-size>
<!--
This value was determined through a calculation.
Your system could perform 31.25 writes per millisecond
on the current journal configuration.
That translates as a sync write every 32000 nanoseconds.
Note: If you specify 0 the system will perform writes directly to the disk.
We recommend this to be 0 if you are using journalType=MAPPED and journal-datasync=false.
-->
<journal-buffer-timeout>28000</journal-buffer-timeout>
<!--
When using ASYNCIO, this will determine the writing queue depth for libaio.
-->
<journal-max-io>4096</journal-max-io>
<max-disk-usage>100</max-disk-usage>
<!-- should the broker detect dead locks and other issues -->
<critical-analyzer>true</critical-analyzer>
<critical-analyzer-timeout>150000</critical-analyzer-timeout>
<critical-analyzer-check-period>60000</critical-analyzer-check-period>
<critical-analyzer-policy>HALT</critical-analyzer-policy>
<page-sync-timeout>1628000</page-sync-timeout>
<global-max-size>204Mb</global-max-size>
<connectors>
<connector name="amq1">tcp://amq1:61616</connector>
<connector name="amq2">tcp://amq2:61616</connector>
<connector name="amq3">tcp://amq3:61616</connector>
<connector name="amq4">tcp://amq4:61616</connector>
<connector name="amq5">tcp://amq5:61616</connector>
<connector name="amq6">tcp://amq6:61616</connector>
</connectors>
<acceptors>
<acceptor name="artemis">tcp://0.0.0.0:61616?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true</acceptor>
<acceptor name="amqp">tcp://0.0.0.0:5672?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpMinLargeMessageSize=102400;amqpDuplicateDetection=true</acceptor>
<acceptor name="stomp">tcp://0.0.0.0:61613?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=STOMP;useEpoll=true</acceptor>
<acceptor name="hornetq">tcp://0.0.0.0:5445?anycastPrefix=jms.queue.;multicastPrefix=jms.topic.;protocols=HORNETQ,STOMP;useEpoll=true</acceptor>
<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true</acceptor>
</acceptors>
<broadcast-groups>
<broadcast-group name="artemis-broadcast-group">
<group-address>231.7.7.7</group-address>
<group-port>9876</group-port>
<broadcast-period>2000</broadcast-period>
<connector-ref>amq1</connector-ref>
</broadcast-group>
</broadcast-groups>
<discovery-groups>
<discovery-group name="artemis-discovery-group">
<group-address>231.7.7.7</group-address>
<group-port>9876</group-port>
<refresh-timeout>10000</refresh-timeout>
</discovery-group>
</discovery-groups>
<cluster-user>admin</cluster-user>
<cluster-password>admin</cluster-password>
<cluster-connections>
<cluster-connection name="artemis-cluster">
<connector-ref>amq1</connector-ref>
<retry-interval>1000</retry-interval>
<retry-interval-multiplier>3</retry-interval-multiplier>
<max-retry-interval>5000</max-retry-interval>
<initial-connect-attempts>-1</initial-connect-attempts>
<reconnect-attempts>-1</reconnect-attempts>
<use-duplicate-detection>true</use-duplicate-detection>
<message-load-balancing>STRICT</message-load-balancing>
<max-hops>1</max-hops>
<discovery-group-ref discovery-group-name="artemis-discovery-group"/>
</cluster-connection>
</cluster-connections>
<!-- Other config -->
<ha-policy>
<replication>
<master>
<group-name>artemis-group-1</group-name>
<quorum-vote-wait>12</quorum-vote-wait>
<vote-on-replication-failure>true</vote-on-replication-failure>
<!--for auto failback -->
<check-for-live-server>true</check-for-live-server>
</master>
</replication>
</ha-policy>
<security-settings>
<security-setting match="#">
<permission type="createNonDurableQueue" roles="amq"/>
<permission type="deleteNonDurableQueue" roles="amq"/>
<permission type="createDurableQueue" roles="amq"/>
<permission type="deleteDurableQueue" roles="amq"/>
<permission type="createAddress" roles="amq"/>
<permission type="deleteAddress" roles="amq"/>
<permission type="consume" roles="amq"/>
<permission type="browse" roles="amq"/>
<permission type="send" roles="amq"/>
<!-- we need this otherwise ./artemis data imp wouldn't work -->
<permission type="manage" roles="amq"/>
</security-setting>
</security-settings>
<addresses>
<address name="exampleQueue">
<anycast>
<queue name="exampleQueue"/>
</anycast>
</address>
<address name="DLQ">
</address>
<address name="ExpiryQueue">
<anycast>
<queue name="ExpiryQueue" />
</anycast>
</address>
</addresses>
<address-settings>
<!-- if you define auto-create on certain queues, management has to be auto-create -->
<address-setting match="activemq.management#">
<dead-letter-address>DLQ</dead-letter-address>
<expiry-address>ExpiryQueue</expiry-address>
<redelivery-delay>0</redelivery-delay>
<!-- with -1 only the global-max-size is in use for limiting -->
<max-size-bytes>-1</max-size-bytes>
<message-counter-history-day-limit>10</message-counter-history-day-limit>
<address-full-policy>PAGE</address-full-policy>
<auto-create-queues>true</auto-create-queues>
<auto-create-addresses>true</auto-create-addresses>
<auto-create-jms-queues>true</auto-create-jms-queues>
<auto-create-jms-topics>true</auto-create-jms-topics>
</address-setting>
<!--default for catch all-->
<address-setting match="#">
<dead-letter-address>DLQ</dead-letter-address>
<expiry-address>ExpiryQueue</expiry-address>
<redelivery-delay>0</redelivery-delay>
<auto-create-dead-letter-resources>true</auto-create-dead-letter-resources>
<!-- with -1 only the global-max-size is in use for limiting -->
<max-size-bytes>-1</max-size-bytes>
<message-counter-history-day-limit>10</message-counter-history-day-limit>
<address-full-policy>PAGE</address-full-policy>
<auto-create-queues>true</auto-create-queues>
<auto-create-addresses>true</auto-create-addresses>
<auto-create-jms-queues>true</auto-create-jms-queues>
<auto-create-jms-topics>true</auto-create-jms-topics>
</address-setting>
<address-setting match="exampleQueue">
<dead-letter-address>DLQ</dead-letter-address>
<redelivery-delay>1000</redelivery-delay>
<max-delivery-attempts>3</max-delivery-attempts>
<max-size-bytes>-1</max-size-bytes>
<page-size-bytes>1048576</page-size-bytes>
<message-counter-history-day-limit>10</message-counter-history-day-limit>
<address-full-policy>PAGE</address-full-policy>
</address-setting>
</address-settings>
<!-- Uncomment the following if you want to use the Standard LoggingActiveMQServerPlugin pluging to log in events
<broker-plugins>
<broker-plugin class-name="org.apache.activemq.artemis.core.server.plugin.impl.LoggingActiveMQServerPlugin">
<property key="LOG_ALL_EVENTS" value="true"/>
<property key="LOG_CONNECTION_EVENTS" value="true"/>
<property key="LOG_SESSION_EVENTS" value="true"/>
<property key="LOG_CONSUMER_EVENTS" value="true"/>
<property key="LOG_DELIVERING_EVENTS" value="true"/>
<property key="LOG_SENDING_EVENTS" value="true"/>
<property key="LOG_INTERNAL_EVENTS" value="true"/>
</broker-plugin>
</broker-plugins>
-->
</core>
</configuration>
ActiveMQ Artemis is failing because the bind attribute of the web element is using the HTTPS protocol:
<web bind="https://0.0.0.0:8161" path="web">
To fix this issue the bind attribute should use HTTP protocol:
<web bind="http://0.0.0.0:8161" path="web">
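The failure mode here is a binding whose scheme and keystore settings disagree: an `https` bind makes Jetty open a keystore, and with nothing configured it went looking for the `etc/keystore.jks` seen in the stack trace. The following is an added example, not code from the question, the answer or the Artemis project: a Python check over constructed bootstrap.xml samples that flags that mismatch before the broker is started. It assumes that Artemis 2.18 reads `keyStorePath` and `keyStorePassword` attributes on the `<web>` element and that the fallback path is the one the trace shows; the keystore path and password in the TLS variant are placeholders.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{http://activemq.org/schema}"

# Constructed bootstrap.xml modelled on the question: HTTPS bind, no keystore attributes.
BOOTSTRAP_AS_POSTED = """<broker xmlns="http://activemq.org/schema">
  <jaas-security domain="activemq"/>
  <server configuration="file:/home/vagrant/artemis-broker/etc/broker.xml"/>
  <web bind="https://0.0.0.0:8161" path="web">
    <app url="console" war="console.war"/>
  </web>
</broker>
"""

# The answer's fix: plain HTTP, so Jetty never opens a keystore.
BOOTSTRAP_HTTP = BOOTSTRAP_AS_POSTED.replace("https://", "http://")

# Keeping TLS instead. Assumed: Artemis 2.18 reads keyStorePath/keyStorePassword
# attributes on <web>; the path and password here are placeholders.
BOOTSTRAP_HTTPS = BOOTSTRAP_AS_POSTED.replace(
    'path="web"',
    'path="web" keyStorePath="/placeholder/etc/console.jks" keyStorePassword="PLACEHOLDER"',
)


def check_web_binding(bootstrap_xml, keystore_exists=os.path.isfile):
    """Return a list of problems with the console binding, empty if it is consistent.

    keystore_exists is injectable so the check can run against constructed
    samples without touching the filesystem.
    """
    root = ET.fromstring(bootstrap_xml)
    web = root.find(NS + "web")
    if web is None:
        return []  # no embedded web server, nothing for Jetty to start
    bind = urlparse(web.get("bind", ""))
    if bind.scheme == "http":
        return []
    if bind.scheme != "https":
        return [f"unsupported scheme in web bind: {bind.scheme!r}"]
    problems = []
    keystore = web.get("keyStorePath")
    if keystore is None:
        # Matches the stack trace in the question: with no keyStorePath, Jetty is
        # pointed at etc/keystore.jks, and an absent or invalid file aborts startup.
        problems.append("https bind without keyStorePath (Jetty falls back to etc/keystore.jks)")
    elif not keystore_exists(keystore):
        problems.append(f"keyStorePath {keystore} does not exist")
    if web.get("keyStorePassword") is None:
        problems.append("https bind without keyStorePassword")
    return problems


if __name__ == "__main__":
    samples = [
        ("as posted", BOOTSTRAP_AS_POSTED),
        ("http", BOOTSTRAP_HTTP),
        ("https + keystore", BOOTSTRAP_HTTPS),
    ]
    for label, sample in samples:
        print(label, "->", check_web_binding(sample) or "ok")
```

Note that the accepted fix serves the management console in plaintext on every interface (`0.0.0.0:8161`), so console logins and the Jolokia JMX traffic go over the wire unencrypted; for anything beyond a local test, either bind it to a loopback address or keep `https` and point `keyStorePath`/`keyStorePassword` at a real keystore.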

How to configure correctly an authentication using Tomcat 10?

I'm using Tomcat 10 and Eclipse to develop a J2E (or Jakarta EE) web application. I followed this tutorial (http://objis.com/tutoriel-securite-declarative-jee-avec-jaas/#partie2), which seems old (it's a French document, because I'm French; sorry if my English isn't perfect), but I also read the Tomcat 10 documentation.
The dataSource works; I followed the instructions on this page (https://tomcat.apache.org/tomcat-10.0-doc/jndi-datasource-examples-howto.html#Oracle_8i,_9i_&_10g) and tested it, but it seems that the realm doesn't work, because I can't log in successfully. I always get an authentication error, even if I use the right login and password.
I tried a lot of "solutions" to correct this, but none of them works. And I still don't know if I have to put the realm tag inside context.xml, server.xml or both. I tried context.xml and both, but I don't see any difference.
My web.xml :
<?xml version="1.0" encoding="UTF-8"?>
<web-app
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://Java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<!-- Servlet -->
<servlet>
<servlet-name>Accueil</servlet-name>
<servlet-class>servlet.Accueil</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Accueil</servlet-name>
<url-pattern></url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Bar</servlet-name>
<servlet-class>servlet.Bar</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Bar</servlet-name>
<url-pattern>/bar</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Galerie</servlet-name>
<servlet-class>servlet.Galerie</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Galerie</servlet-name>
<url-pattern>/galerie</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Cave</servlet-name>
<servlet-class>servlet.Cave</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Cave</servlet-name>
<url-pattern>/cave</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Mentions</servlet-name>
<servlet-class>servlet.Mentions</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Mentions</servlet-name>
<url-pattern>/mentions-legales</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Plan</servlet-name>
<servlet-class>servlet.Plan</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Plan</servlet-name>
<url-pattern>/plan-acces</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Restaurant</servlet-name>
<servlet-class>servlet.Restaurant</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Restaurant</servlet-name>
<url-pattern>/restaurant</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Catalogue</servlet-name>
<servlet-class>servlet.catalogue</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Catalogue</servlet-name>
<url-pattern>/catalogue</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>AdminCatalogue</servlet-name>
<servlet-class>servlet.AdminCatalogue</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AdminCatalogue</servlet-name>
<url-pattern>/admin/administration-catalogue</url-pattern>
</servlet-mapping>
<security-constraint>
<display-name>Test authentification Tomcat</display-name>
<!-- List of protected pages -->
<web-resource-collection>
<web-resource-name>Page sécurisée</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<!-- Roles of the users allowed to access them -->
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<!-- Secure connection -->
<!-- <user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> -->
</security-constraint>
<!-- Authentication configuration -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Espace administration</realm-name>
<form-login-config>
<form-login-page>/WEB-INF/login.jsp</form-login-page>
<form-error-page>/WEB-INF/erreur-authentification.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Roles used in the application -->
<security-role>
<description>Administrateur</description>
<role-name>admin</role-name>
</security-role>
<!-- Prepends taglibs.jsp to every JSP -->
<jsp-config>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<include-prelude>/WEB-INF/taglibs.jsp</include-prelude>
</jsp-property-group>
</jsp-config>
<!-- Declares a reference to a JNDI data source -->
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/caradoc</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
context.xml :
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- The contents of this file will be loaded for each web application -->
<Context>
<!-- Default set of monitored resources. If one of these changes, the -->
<!-- web application will be reloaded. -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<!-- Uncomment this to enable session persistence across Tomcat restarts -->
<!--
<Manager pathname="SESSIONS.ser" />
-->
<Resource name="jdbc/caradoc" auth="Container" type="javax.sql.DataSource"
maxTotal="100" maxIdle="30" maxWaitMillis="10000"
username="root" password="Caradoc22600!" driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3307/caradoc"/>
<Realm className="org.apache.catalina.realm.DataSourceRealm"
daraSourceName="jdbc/caradoc" localDataSource="true" userTable="utilisateurs"
userRoleTable="roles" userNameCol="login" userCredCol="mdp"
roleNameCol="role">
<CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
algorithm="PBKDF2WithHmacSHA512"
iterations="100000"
keyLength="256"
saltLength="16"
/>
</Realm>
</Context>
server.xml :
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="9000" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
HTTP Connector: /docs/config/http.html
AJP Connector: /docs/config/ajp.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
URIEncoding = "UTF-8" />
<!-- <Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="autosigned-cert.keystore"
keyAlias="tomcat"
keystorePass="azertyuiop" /> -->
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.DataSourceRealm"
daraSourceName="jdbc/caradoc" localDataSource="true" userTable="utilisateurs"
userRoleTable="roles" userNameCol="login" userCredCol="mdp"
roleNameCol="role">
<CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
algorithm="PBKDF2WithHmacSHA512"
iterations="100000"
keyLength="256"
saltLength="16"
/>
</Realm>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>
login.jsp :
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Connexion Administrateur</title>
</head>
<body>
<div align="center">
<h2>Identification</h2>
</div>
<form action="j_security_check" method="post" accept-charset="utf-8">
<table align="center">
<tr>
<td>Login : </td>
<td><input type="text" name="j_username"/></td>
</tr>
<tr>
<td>Mot de passe : </td>
<td><input type="password" name="j_password"/></td>
</tr>
</table>
<p align="center"><input type="submit" value="Connexion"/></p>
</form>
</body>
</html>
erreur-authentifiction.jsp, has same content as login.jsp, but with an error message.
User table (password hash obtained with digest.bat):
[image: User table]
Role table with foreign key on login referencing login column of user table:
[image: Role table]
This is my project arborescence, if it can help:
[image: arborescence]
So please, can someone tell me what I did wrong?
EDIT: I verified that we get the correct hash if we use the parameters specified in the CredentialHandler tag; it matches.
That's the Java code I used to verify:
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class test {
    private static final char[] HEX_ARRAY = "0123456789ABCDEF".toCharArray();

    // Decodes a hex string (two characters per byte) into raw bytes
    public static byte[] hexStringToByteArray(String s) {
        int len = s.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
                    + Character.digit(s.charAt(i + 1), 16));
        }
        return data;
    }

    // Encodes raw bytes as an upper-case hex string (same layout as digest.bat output)
    public static String bytesToHex(byte[] bytes) {
        char[] hexChars = new char[bytes.length * 2];
        for (int j = 0; j < bytes.length; j++) {
            int v = bytes[j] & 0xFF;
            hexChars[j * 2] = HEX_ARRAY[v >>> 4];
            hexChars[j * 2 + 1] = HEX_ARRAY[v & 0x0F];
        }
        return new String(hexChars);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeySpecException {
        String password = "password";
        // 16-byte salt, matching saltLength="16" in the CredentialHandler
        byte[] salt = hexStringToByteArray("e0cfcb0169f81fc46c861ecefeb7446b");
        // iterations="100000" and keyLength="256" (bits) from the CredentialHandler
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100000, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
        byte[] hash = factory.generateSecret(spec).getEncoded();
        String res = bytesToHex(hash);
        System.out.println(res);
    }
}
I obtained the same encodedCredential as in the database ("33D6898C30FBE3E48B9A9EA2D5A0DAD01FD8FD809C9E6A6F3911BB23A481FB0F").
I obtained the following logs concerning the realm:
juin 10, 2021 1:07:14 PM org.apache.catalina.realm.DataSourceRealm open
SEVERE: Exception lors de l'anthentification
java.lang.NullPointerException: Cannot invoke "String.length()" because "n" is null
at java.naming/javax.naming.NameImpl.<init>(NameImpl.java:283)
at java.naming/javax.naming.CompositeName.<init>(CompositeName.java:237)
at org.apache.naming.NamingContext.lookup(NamingContext.java:174)
at org.apache.catalina.realm.DataSourceRealm.open(DataSourceRealm.java:385)
at org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:255)
at org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate(FormAuthenticator.java:244)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:633)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1696)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:832)
As Piotr P. Karwasz said, I misspelled dataSourceName in the context.xml and server.xml files. I feel bad that I didn't notice it.
But I still have one question: in which document should I put the realm tag?
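An added example, not the poster's code and not Tomcat's own implementation, showing how the check described in the post is done in a verifier rather than by comparing a printed hex string by eye. It parses a credential in the salt$iterations$hash layout that Tomcat's SecretKeyCredentialHandler stores (the third field is the encodedCredential the post compares), re-derives the key with the same PBKDF2WithHmacSHA512 parameters, and compares the two byte arrays with MessageDigest.isEqual, which does not leak the position of the first mismatching byte through its running time. The class name Pbkdf2Verify and the stored string assembled from the post's salt, iteration count and hash are assumptions made here.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Example added to this page; not the poster's code and not Tomcat's SecretKeyCredentialHandler.
public class Pbkdf2Verify {
    // Same parameters as the CredentialHandler in the server.xml above
    private static final String ALGORITHM = "PBKDF2WithHmacSHA512";
    private static final int KEY_LENGTH_BITS = 256; // keyLength="256"

    /** Decodes a hex string (upper or lower case) into bytes; rejects malformed input. */
    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex character in input");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /** Derives the PBKDF2 output for the given password, salt and iteration count. */
    static byte[] derive(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_LENGTH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's private copy of the password
        }
    }

    /**
     * Checks a password against a stored credential of the form salt$iterations$hash
     * (salt and hash in hex), the layout Tomcat's SecretKeyCredentialHandler writes.
     */
    static boolean matches(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) {
            return false; // malformed stored credential: never match
        }
        byte[] salt;
        byte[] expected;
        int iterations;
        try {
            salt = fromHex(parts[0]);
            iterations = Integer.parseInt(parts[1]);
            expected = fromHex(parts[2]);
        } catch (IllegalArgumentException e) { // NumberFormatException is a subclass
            return false;
        }
        if (iterations <= 0) {
            return false;
        }
        byte[] actual = derive(password, salt, iterations);
        // Constant-time comparison: do not use Arrays.equals or String.equals here
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed from the values in the post above: 16-byte salt, 100000 iterations, stored hash
        String stored = "e0cfcb0169f81fc46c861ecefeb7446b$100000$"
                + "33D6898C30FBE3E48B9A9EA2D5A0DAD01FD8FD809C9E6A6F3911BB23A481FB0F";
        System.out.println("correct password matches: " + matches("password".toCharArray(), stored));
        System.out.println("wrong password matches:   " + matches("wrong".toCharArray(), stored));
    }
}
```

The salt, iteration count and key length come from the stored record, not from constants, so a stored credential produced with different CredentialHandler settings still verifies as long as the algorithm is the same; a record that does not parse is treated as a failed login rather than as an error path that might skip the check.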

Illegal JSON value for key 'deviceProvisioningRealm': null while running wladm

When running the Worklight Admin command line tool, version 6.3.0.00.20141127-1357, against same version server, I am receiving an error. This occurs when running the "list apps" command and a few other app-specific queries.
/app/IBM/MobileFirst_Platform_Server/shortcuts/wladm --configfile=/app/IBM/bldsrvwladmconfig.txt
Error accessing
http://localhost:9080/worklightadmin/management-apis/1.0/runtimes/worklight/applications?pageSize=1000000000&locale=en_US:
HTTP/1.1 500 Internal Server Error FWLSE3000E: A server error was
detected. Illegal JSON value for key 'deviceProvisioningRealm': null
Getting the content of the URL directly successfully returns data.
APAR PI33197 references a similar error, but without explanation of the cause or solution.
authenticationConfig.xml:
<?xml version="1.0" encoding="UTF-8"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Licensed Materials - Property of IBM 5725-G92 (C) Copyright IBM Corp.
2006, 2013. All Rights Reserved. US Government Users Restricted Rights -
Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp. -->
<staticResources>
<resource id="subscribeServlet" securityTest="SubscribeServlet">
<urlPatterns>/subscribeSMS*;/receiveSMS*;/ussd*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="SubscribeServlet">
<test realm="wl_directUpdateRealm" step="1"/>
<test isInternalUserID="true" realm="SubscribeServlet"/>
</customSecurityTest>
<customSecurityTest name="ISAMforWorklight-web-securityTest">
<test realm="wl_antiXSRFRealm" />
<test realm="WASLTPARealm" isInternalUserID="true" step="1"/>
</customSecurityTest>
<customSecurityTest name="ISAMforWorklight-Step-up-securityTest">
<test realm="wl_directUpdateRealm" step="1"/>
<test isInternalDeviceID="false" isInternalUserID="true" realm="WASLTPARealm"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="WASLTPAModule" name="WASLTPARealm">
<className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
<parameter name="login-page" value="/login.html"/>
<parameter name="error-page" value="/loginError.html"/>
</realm>
<realm loginModule="rejectAll" name="SubscribeServlet">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
<realm name="WorklightConsole" loginModule="requireLogin">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<onLoginUrl>/console</onLoginUrl>
</realm>
<realm name="deviceProvisioningRealm" loginModule="rejectAll">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
</realms>
<loginModules>
<loginModule name="rejectAll">
<className>com.worklight.core.auth.ext.RejectingLoginModule</className>
</loginModule>
<loginModule name="WASLTPAModule">
<className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
</loginModule>
</loginModules>
</tns:loginConfiguration>
This APAR has been fixed in version 6.3.0.00.20150305-1844. Please download the latest fix available at Fix Central. Our fixes are cumulative so the latest fix will include the fix for this APAR.

Trying to do App Authenticity and during client.connect() getting "App authenticity security check failed"

Hi, I am trying to connect to the production server and do App Authenticity (native Android app). But I am getting the following error: "App authenticity security check failed".
What I am doing at the MFP project level.
In the authconfig XML:
<customSecurityTest name="AuthSecurityTest">
<test realm="wl_antiXSRFRealm" step="1" />
<test realm="wl_authenticityRealm" step="1" />
<test realm="wl_remoteDisableRealm" step="1" />
<test isInternalUserID="true" realm="AuthRealm" step="1" />
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true"
step="2" />
</customSecurityTest>
<realm loginModule="AuthLoginModule" name="AuthRealm">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="AuthAdapter.onAuthRequired" />
<parameter name="logout-function" value="AuthAdapter.onLogout" />
</realm>
<loginModule name="AuthLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
My application descriptor :
<nativeAndroidApp xmlns="http://www.worklight.com/native-android-descriptor"
id="MFP_Android"
platformVersion="7.1.0.00.20160401-2103" securityTest="AuthSecurityTest" version="1.0">
<displayName>MFP_Android</displayName>
<description>MFP_Android</description>
<accessTokenExpiration>3600</accessTokenExpiration>
<publicSigningKey>MIIBHSAKJHDFKJHFKHDFKJHDKJHDFSKJHFDSKJHFDSKJDFHKJDFHDFHJDSKDFSHKDJFSHKJFDHSKJDFSHKJDFSHKJDFSHKJDFHSKJDFHlkasalJAscnmxzcncxmnzksjdadskjdsjsdjskjdksjdakjdssdjksdaj</publicSigningKey>
<packageName>com.mfp</packageName>
<targetCategory>UNDEFINED</targetCategory>
<licenseAppType>APPLICATION</licenseAppType>
</nativeAndroidApp>
I am calling the challenge handler on connect.
AndroidChallengeHandler challengeHandler = new AndroidChallengeHandler("AuthRealm");
// Assumes WLClient.createInstance(context) was already called during app start-up
WLClient client = WLClient.getInstance();
client.registerChallengeHandler(challengeHandler);
client.connect();
I am getting the response as
/*-secure- {"reason":"App authenticity security check failed"}*/
Why would I get such a response?
I find it very strange that your package name is really "com.mfp" as seen in the descriptor XML file: <packageName>com.mfp</packageName>.
Are you absolutely sure this is your package name (that you can find in the AndroidManifest.xml file of your Android native project)?
Another possibility is that the key used in the descriptor XML file does not match the key that was used to sign the .apk with.
Lastly, this could be due to the steps that you've defined in the Authentication Configuration XML file. Try changing the "wl_remoteDisableRealm" to be "step 2". This change will require you to re-deploy the updated .war file to your application server.

Enabling security on worklight server 6.1 console

Trying to set up security on a 6.1 Worklight server (Full WAS 8.5.5)
Getting error:
SRVE0232E: Internal Server Error.
Exception Message: [com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm.]
com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm.
IBM WebSphere Application Server
I have edited the following files before deploying the new WAR file...
worklight.properties:
#######################################################################################################################
# Protecting the Worklight Console
#######################################################################################################################
# You can protect the Worklight Console by defining user credentials required to access it.
# In addition to defining these two properties, you should also configure the authenticationConfig.xml file,
# located under <Worklight Root Directory>\server\conf.
console.username=consoleadmin
console.password=consolepassword
Authenticationconfig.xml:
<!-- Uncomment the next element to protect the worklight console and the first section in securityTests below. -->
<staticResources>
<resource id="worklightConsole" securityTest="WorklightConsole">
<urlPatterns>/console*</urlPatterns>
</resource>
<resource id="subscribeServlet" securityTest="SubscribeServlet">
<urlPatterns>/subscribeSMS*;/receiveSMS*</urlPatterns>
</resource>
</staticResources>
<!-- Sample security tests
Even if not used there will be some default webSecurityTest and mobileSecurityTest
Attention: if using <testAppAuthenticity/> test below ,<publicSigningKey> element must be added to application-descriptor.xml as well. -->
<securityTests>
<customSecurityTest name="WorklightConsole">
<test realm="WorklightConsole" isInternalUserID="true"/>
</customSecurityTest>
<!--
<mobileSecurityTest name="mobileTests">
<testAppAuthenticity/>
<testDeviceId provisioningType="none" />
<testUser realm="myMobileLoginForm" />
</mobileSecurityTest>
<webSecurityTest name="webTests">
<testUser realm="myWebLoginForm"/>
</webSecurityTest>
<customSecurityTest name="customTests">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
-->
<customSecurityTest name="SubscribeServlet">
<test realm="SubscribeServlet" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
Looks to be related to the following questions:
SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user
https://www.ibm.com/developerworks/community/forums/html/topic?id=3ea7b2ae-b9f2-422d-8739-433fa01a190d