We were migrating Worklight 6.2 project to MobileFirst 7.1 project.
We just set connectOnStartup to true.
Our MF7.1 iPhone direct update works fine.
But MF7.1 android app cant connect to worklight server.
We got this info from logcat:
Client registration failed with error:
{"responseHeaders":{},"status":403,"responseText":"/-secure-\n{\"reason\":\"App
authenticity security check failed\"}/","responseJSON":{"reason":"App
authenticity security check failed"},"invocationContext":null}
[/apps/services/api/**/android/init] failure. state: 403, response:
undefined
Our authenticationConfig.xml is shown below.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<staticResources>
<resource id="receiveSMS" securityTest="SubscribeServlet">
<urlPatterns>/receiveSMS*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="SubscribeServlet">
<test realm="wl_directUpdateRealm" step="1"/>
<test isInternalUserID="true" realm="SubscribeServlet"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="rejectAll" name="SubscribeServlet">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
<realm loginModule="StrongDummy" name="SampleAppRealm">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
</realm>
</realms>
<loginModules>
<loginModule expirationInSeconds="-1" name="rejectAll">
<className>com.worklight.core.auth.ext.RejectingLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="StrongDummy">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
<loginModule expirationInSeconds="-1" name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
</loginModules>
</tns:loginConfiguration>
Our Worklight version is : 7.1.0.00-20151107-1647
As I have mentioned in your other question: do not use connecOnStartup! Change to WL.Client.connect in your code.
The error clearly shows that it is the app authenticity check that is failing. Despite what you are showing in your authenticationConfig.xml file, are you 100% that you are using or not using app authenticity - please confirm
If you are using app authenticity, follow the tutorial and make sure that you are following it correctly. You need to make sure the wlapp file, the war and the .apk are all in sync, otherwise it will fail.
Make sure you are not doing any adapter request before properly connected to the server. Once connected, then you can invoke any calls to the server (via the onSuccess callback of the connect API).
Related
I am using the IBM MobileFirst studio plugin 7.0 and following the documentation here:Link to documentation on how to configure a direct update. I’m trying to understand how the pieces work together but I am not able to grasp the concept.
Using the code sample that is provided along with the tutorial, I see that the "mobileSecurityTest" is commented out and the "customSecurityTest" element present is also commented out.
Another thing I noticed is that in that application-descriptor.xml, there is no security test for the added environments?
How will the application know which securityTest to use at the app level app?
Does the securityTest need to be placed on the environment in general and specifically for a direct update?
The direct update wasn't getting triggered when running the sample and following the instructions on the app
Any advice is appreciated.
You specify what security test you want to use in the application-descriptor of you app.
Inside my application descriptor I have an iPhone app with customSecurityTest:
<iphone bundleId="com.PhoneUp" version="1.0" securityTest="customSecurityTests">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="false"/>
<testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
Inside my authentication config I have:
<customSecurityTest name="customSecurityTests">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
Now the security test that is protecting my application has a mapping to the security test in my authentication-config (security file on the server)
No a security test does not need to be placed on the application to trigger a direct update.
You may trigger the direct update just by the user trying to "login" to that realm.
WL.Client.login("wl_directUpdateRealm", {onSuccess:..., onFailure:...});
Direct update is a realm you can read more about that here.
The sample project from here does not have the security test commented in or a security test protecting the application. You are going to have to uncomment and add a security test in your appliation descriptor as described in the answer to number one.
I am using MobileFirst Server MFPF 7.1, IF20151114-1616
WLClientLogReceiver adapter has the following settings. I tried changing the securityTest value to "LogUploadServlet", I still receive the same error below.
<procedure name="log" securityTest="wl_unprotected" audit="true" />
To enable security that protects the loguploader servlet, I followed the instruction given in the IBM document on step one.
Server preparation for uploaded log data - Security
Configuration in my aunthenticationConfig.xml
Under staticResources
<resource id="logUploadServlet" securityTest="LogUploadServlet">
<urlPatterns>/apps/services/loguploader*</urlPatterns>
</resource>
Under securityTests
<customSecurityTest name="LogUploadServlet">
<test realm="wl_anonymousUserRealm" step="1"/>
<test realm="LogUploadServlet" isInternalUserID="true"/>
</customSecurityTest>
Under realms
<realm name="LogUploadServlet" loginModule="StrongDummy">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
Deployed the updated WAR file and adapter in server. I am receiving the below error while client send logs to server by calling send() method.
[2/12/16 14:14:28:768 CST] 0000014d LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:28:933 CST] 000000d1 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:30:542 CST] 000000de SystemOut
Not sure what i a missing in this.
To not leave a question unanswered, from the comments section:
Issue is with the realm com.worklight.core.auth.ext.HeaderAuthenticator that I set for logUploadServlet. after removing and make the security as isInternalUserID="true" its working fine.
I had a security test for login which is as below
<customSecurityTest name="SingleStepAuthAdapter-securityTest">
<test isInternalUserID="true" realm="SingleStepAuthRealm"/>
</customSecurityTest>
<realm loginModule="AuthLoginModule" name="SingleStepAuthRealm">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="AuthenticationService.onAuthRequired"/>
<parameter name="logout-function" value="AuthenticationService.onLogout"/>
</realm>
I have adapters that have to be called before login and they work fine until I am putthis piece of code in my authenticationConfig.xml for pushnotification
<mobileSecurityTest name="PushApplication-strong-mobile-securityTest">
<testUser realm="SingleStepAuthRealm"/>
<testDeviceId provisioningType="none"/>
</mobileSecurityTest>
The adapters that are called before login like forgot password are not working and not giving any error.Can any help me in understanding why this issue exits, do I need to put some wl_unprotected in these adapters.Because I have tried that to. Do I need to do any thing else.I can give you more details if you need something else.
Please help.
Finally found the solution ..
I was putting security test for whole android app when I removed it worked for me...
instead of this..
<android version="1.0" securityTest="PushApplication-strong-mobile-securityTest">
using this worked
<android version="1.0" >
We are developing WL application using WL enterprise ver (6.2.0.1) fix pack 1.
We have implemented the App authenticity correctly 3 months ago and everything was working (No changes been made on authenticationConfig.xml).
Today, all our applications are failing on App authenticity for both environments (Dev,QA), error on WL server:
[3/10/15 14:13:43:821 EDT] 000000d3 AuthenticityL I
com.worklight.core.auth.ext.appauth.AuthenticityLoginModuleImpl login FWLSE0127E:
Authenticity check failed for application 'APPNAME'. sharedData = ca.company.AppIDiPhone , challengeData = 514738N882129N341449C605766C744589X0355BCA6S214650C169432N928395XEDA8943BS085337C264942N797462X2B0C6AA2S462207X9035E6C7S . [project Name]
[3/10/15 14:13:43:853 EDT] 000000d3 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'wl_authenticityRealm': login fail [project Name]
The error appears on the time of launching the app and it is inconsistent, it happens (1/10)times.
AuthenticationConfig.xml:
<securityTests>
<customSecurityTest name="CompanyTestmobile">
<test realm="wl_antiXSRFRealm" step="1"/>
<test realm="wl_authenticityRealm" step="1"/>
<test realm="wl_remoteDisableRealm" step="1"/>
<test realm="wl_directUpdateRealm" mode="perSession" step="1"/>
<test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
<test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
</customSecurityTest>
<webSecurityTest name="CompanyTest">
<testUser realm="CompanyRealm" />
</webSecurityTest>
<customSecurityTest name="SubscribeServlet">
<test realm="SubscribeServlet" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
Application-descriptor.xml (For iPhone):
<iphone applicationId="AppID" bundleId="ca.company.AppIDiPhone" securityTest="CompanyTestMobile" version="1.0">
<worklightSettings include="false"/>
<security>
<encryptWebResources enabled="true"/>
<testWebResourcesChecksum enabled="true" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
</security>
</iphone>
All our configuration is matching the WL document.
PS1: according to my understanding that the appAuthenticity will fail always or will not fail at all. why it is failing sometimes and working other times.
PS2: the deployment on our servers are not touchable and can't be modified once we deploy. That's a confirmation that the environment is stable and secured.
Thank you.
From the PMR this appeared to have happened due to a race condition triggered by applicative code calling to adapter requests simultaneously , which led to infrequent failures of the authenticity tests.
The customer adjusted their code to not cause a race condition after which the issue could no longer be reproduced.
Have a question can we use the security tests in a external application(war) that gets deployed in Websphere liberty profile server. if yes then how to configure the same. The security test will be independent to worklight application and that of the external application.
What exactly are you talking about? Your scenario is not clear to me.
Worklight security tests are meant to be configured in the Worklight project's authenticationConfig.xml and to then be used to protect adapter procedures in the adapter XML file and/or applications in application-descriptor.xml; they are not meant to be used in any other context.
Your question is not clear.
I believe you want to protect your Worklight console (war) with security test and it is possible. you can protect your console with username and password. ( possible to use plain text or encrypted). For more info see this
to enable security test you need to edit your authenticationConfig.xml with the following code.
<staticResources>
<resource id="worklightConsole" securityTest="WorklightConsole">
<urlPatterns>/console*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="WorklightConsole">
<test realm="WorklightConsole" isInternalUserID="true"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="requireLogin" name="WorklightConsole">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<onLoginUrl>/console</onLoginUrl>
</realm>
</realms>
<loginModules>
<loginModule name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
</loginModules>