I am using MobileFirst Server MFPF 7.1, IF20151114-1616
WLClientLogReceiver adapter has the following settings. I tried changing the securityTest value to "LogUploadServlet", I still receive the same error below.
<procedure name="log" securityTest="wl_unprotected" audit="true" />
To enable security that protects the loguploader servlet, I followed the instruction given in the IBM document on step one.
Server preparation for uploaded log data - Security
Configuration in my aunthenticationConfig.xml
Under staticResources
<resource id="logUploadServlet" securityTest="LogUploadServlet">
<urlPatterns>/apps/services/loguploader*</urlPatterns>
</resource>
Under securityTests
<customSecurityTest name="LogUploadServlet">
<test realm="wl_anonymousUserRealm" step="1"/>
<test realm="LogUploadServlet" isInternalUserID="true"/>
</customSecurityTest>
Under realms
<realm name="LogUploadServlet" loginModule="StrongDummy">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
Deployed the updated WAR file and adapter in server. I am receiving the below error while client send logs to server by calling send() method.
[2/12/16 14:14:28:768 CST] 0000014d LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:28:933 CST] 000000d1 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:30:542 CST] 000000de SystemOut
Not sure what i a missing in this.
To not leave a question unanswered, from the comments section:
Issue is with the realm com.worklight.core.auth.ext.HeaderAuthenticator that I set for logUploadServlet. after removing and make the security as isInternalUserID="true" its working fine.
Related
I am using the IBM MobileFirst studio plugin 7.0 and following the documentation here:Link to documentation on how to configure a direct update. I’m trying to understand how the pieces work together but I am not able to grasp the concept.
Using the code sample that is provided along with the tutorial, I see that the "mobileSecurityTest" is commented out and the "customSecurityTest" element present is also commented out.
Another thing I noticed is that in that application-descriptor.xml, there is no security test for the added environments?
How will the application know which securityTest to use at the app level app?
Does the securityTest need to be placed on the environment in general and specifically for a direct update?
The direct update wasn't getting triggered when running the sample and following the instructions on the app
Any advice is appreciated.
You specify what security test you want to use in the application-descriptor of you app.
Inside my application descriptor I have an iPhone app with customSecurityTest:
<iphone bundleId="com.PhoneUp" version="1.0" securityTest="customSecurityTests">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="false"/>
<testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
Inside my authentication config I have:
<customSecurityTest name="customSecurityTests">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
Now the security test that is protecting my application has a mapping to the security test in my authentication-config (security file on the server)
No a security test does not need to be placed on the application to trigger a direct update.
You may trigger the direct update just by the user trying to "login" to that realm.
WL.Client.login("wl_directUpdateRealm", {onSuccess:..., onFailure:...});
Direct update is a realm you can read more about that here.
The sample project from here does not have the security test commented in or a security test protecting the application. You are going to have to uncomment and add a security test in your appliation descriptor as described in the answer to number one.
We were migrating Worklight 6.2 project to MobileFirst 7.1 project.
We just set connectOnStartup to true.
Our MF7.1 iPhone direct update works fine.
But MF7.1 android app cant connect to worklight server.
We got this info from logcat:
Client registration failed with error:
{"responseHeaders":{},"status":403,"responseText":"/-secure-\n{\"reason\":\"App
authenticity security check failed\"}/","responseJSON":{"reason":"App
authenticity security check failed"},"invocationContext":null}
[/apps/services/api/**/android/init] failure. state: 403, response:
undefined
Our authenticationConfig.xml is shown below.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<staticResources>
<resource id="receiveSMS" securityTest="SubscribeServlet">
<urlPatterns>/receiveSMS*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="SubscribeServlet">
<test realm="wl_directUpdateRealm" step="1"/>
<test isInternalUserID="true" realm="SubscribeServlet"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="rejectAll" name="SubscribeServlet">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
<realm loginModule="StrongDummy" name="SampleAppRealm">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
</realm>
</realms>
<loginModules>
<loginModule expirationInSeconds="-1" name="rejectAll">
<className>com.worklight.core.auth.ext.RejectingLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="StrongDummy">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
</loginModules>
</tns:loginConfiguration>
Our Worklight version is : 7.1.0.00-20151107-1647
As I have mentioned in your other question: do not use connecOnStartup! Change to WL.Client.connect in your code.
The error clearly shows that it is the app authenticity check that is failing. Despite what you are showing in your authenticationConfig.xml file, are you 100% that you are using or not using app authenticity - please confirm
If you are using app authenticity, follow the tutorial and make sure that you are following it correctly. You need to make sure the wlapp file, the war and the .apk are all in sync, otherwise it will fail.
Make sure you are not doing any adapter request before properly connected to the server. Once connected, then you can invoke any calls to the server (via the onSuccess callback of the connect API).
We are developing WL application using WL enterprise ver (6.2.0.1) fix pack 1.
We have implemented the App authenticity correctly 3 months ago and everything was working (No changes been made on authenticationConfig.xml).
Today, all our applications are failing on App authenticity for both environments (Dev,QA), error on WL server:
[3/10/15 14:13:43:821 EDT] 000000d3 AuthenticityL I
com.worklight.core.auth.ext.appauth.AuthenticityLoginModuleImpl login FWLSE0127E:
Authenticity check failed for application 'APPNAME'. sharedData = ca.company.AppIDiPhone , challengeData = 514738N882129N341449C605766C744589X0355BCA6S214650C169432N928395XEDA8943BS085337C264942N797462X2B0C6AA2S462207X9035E6C7S . [project Name]
[3/10/15 14:13:43:853 EDT] 000000d3 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'wl_authenticityRealm': login fail [project Name]
The error appears on the time of launching the app and it is inconsistent, it happens (1/10)times.
AuthenticationConfig.xml:
<securityTests>
<customSecurityTest name="CompanyTestmobile">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
<webSecurityTest name="CompanyTest">
<testUser realm="CompanyRealm" />
</webSecurityTest>
<customSecurityTest name="SubscribeServlet">
<test realm="SubscribeServlet" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
Application-descriptor.xml (For iPhone):
<iphone applicationId="AppID" bundleId="ca.company.AppIDiPhone" securityTest="CompanyTestMobile" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
All our configuration is matching the WL document.
PS1: according to my understanding that the appAuthenticity will fail always or will not fail at all. why it is failing sometimes and working other times.
PS2: the deployment on our servers are not touchable and can't be modified once we deploy. That's a confirmation that the environment is stable and secured.
Thank you.
From the PMR this appeared to have happened due to a race condition triggered by applicative code calling to adapter requests simultaneously , which led to infrequent failures of the authenticity tests.
The customer adjusted their code to not cause a race condition after which the issue could no longer be reproduced.
Have a question can we use the security tests in a external application(war) that gets deployed in Websphere liberty profile server. if yes then how to configure the same. The security test will be independent to worklight application and that of the external application.
What exactly are you talking about? Your scenario is not clear to me.
Worklight security tests are meant to be configured in the Worklight project's authenticationConfig.xml and to then be used to protect adapter procedures in the adapter XML file and/or applications in application-descriptor.xml; they are not meant to be used in any other context.
Your question is not clear.
I believe you want to protect your Worklight console (war) with security test and it is possible. you can protect your console with username and password. ( possible to use plain text or encrypted). For more info see this
to enable security test you need to edit your authenticationConfig.xml with the following code.
<staticResources>
<resource id="worklightConsole" securityTest="WorklightConsole">
<urlPatterns>/console*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="WorklightConsole">
<test realm="WorklightConsole" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="requireLogin" name="WorklightConsole">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<onLoginUrl>/console</onLoginUrl>
</realm>
</realms>
<loginModules>
<loginModule name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
</loginModules>
Wishing to have a Worklight Console Authentication I followed the infocenter instructions from this link at infocenter.It seems to be working at the first glance as entering the console it prompts the login form.
Going to the console URL at http://192.168.168.154:9080/finance/console/#catalog it brings the login page right away. So far so good.
After entering the right username/password (both defined at worklight.properties) the login page redirects to the Worklight console at port 10080 and fails to load the page
Unable to connect
Firefox can't establish a connection to the server at 192.168.168.154:10080.
As you can read it tries to connect to http://192.168.168.154:10080/finance/console. It should not happen I guess, as port 10080 was not configured.
I have no idea why it is redirecting to this port. I searched inside the config files for 10080 and could not find any reference to it. I think somehow WL is getting this 10080 as a default as it is the port used for development.
Here is the files snippets I am using to enable Login Console:
worklight.properties:
#publicWorkLightHostname=localhost
# http or https
#publicWorkLightProtocol=http
# For default port leave empty
#publicWorkLightPort=10080 <-- it is commented out
console.username=finance
console.password=finance
authenticationConfig.xml
<staticResources>
<resource id="worklightConsole" securityTest="WorklightConsole">
<urlPatterns>/console*</urlPatterns>
</resource>
....
</staticResources>
<securityTests>
<customSecurityTest name="WorklightConsole">
<test realm="WorklightConsole" isInternalUserID="true"/>
</customSecurityTest>
...
</securityTests>
server.xml
<httpEndpoint id="defaultHttpEndpoint"
host="*"
httpPort="9080"
httpsPort="9443" >
<tcpOptions soReuseAddr="true"/>
</httpEndpoint>
<!-- Declare the JNDI properties for the IBM Worklight Console. -->
<jndiEntry jndiName="worklight/publicWorkLightProtocol" value='"http"'/>
<jndiEntry jndiName="worklight/publicWorkLightPort" value='"9080"'/>
<jndiEntry jndiName="worklight/serverSessionTimeout" value='"10"'/>
Any idea on how to solve this port mismatch issue ? Env is WL 6.0 on Liberty
P.S: Later on we plan to user LDAP instead. For now, having the username/passaword in the properties would suffice.
In worklight.properties, uncomment the #publicWorkLightPort=10080 property and change it to 9080.
worklight.properties is part of the Worklight project's .war file that is deployed into the application server; the application server may have its own port number set in server.xml, but the .war (project) has some specific properties of its own.
During my testing I encountered the same issue, but once uncommenting and changing the port value in worklight.properties, the re-direct then worked properly after logging-in.