I am using MF 7.0 and have configured MF Analytics for the server. Everything is working just fine, but I have one question about the log collection mechanism of MF Analytics. In my adapter I have the following procedure defined for the user to log in:
<procedure name="login"/>

function login(userId, passKey) {
    // jsonContentType and jsonHeader are assumed to be defined elsewhere in the adapter
    var jsonLoginParms = JSON.stringify({username: userId, password: passKey});
    var input = {
        method : 'post',
        returnedContentType : jsonContentType,
        path : "login",
        body : {
            contentType : jsonHeader,
            content : jsonLoginParms
        }
    };
    var response = WL.Server.invokeHttp(input);
    return response;
}
This procedure accepts a username and password to authenticate the user over a RESTful web service. When the REST call is over, if I go to Analytics --> Search --> Server Log Search and look at the logs, it prints the password in plain text (I haven't printed the username/password anywhere). Is there any way I can configure this so it does not print the adapter procedure arguments?
Following is the screenshot of it:
Your analytics console is collecting data from the MobileFirst Platform Foundation server. When you perform the:
WL.Server.invokeHttp(input);
Everything from that call is collected and forwarded to the analytics server.
Increase the logging verbosity and you will no longer see FINE logs showing up.
Example:
<logging traceSpecification="com.worklight.*=FATAL=enabled"/>
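Whatever trace level is set, it is worth checking what actually reached the collected logs. The following is an added example, not code from the question or from MobileFirst: a small audit that scans server log lines for credential fields in adapter request bodies (bare or escaped JSON, or form-encoded) and masks them. The key list, the function names and the sample log lines are all constructed for this example.

```javascript
// Key/value pair in a JSON body, either bare ("password":"x") or escaped inside
// another JSON string (\"password\":\"x\"); an adapter trace can contain both
// because the body content is itself a JSON string.
const JSON_PAIR = /(\\?")(password|passkey|passwd|secret|client_secret|token)(\\?"\s*:\s*\\?")([^"\\]*)(\\?")/gi;
// The same keys in a form-encoded body (password=x&...).
const FORM_PAIR = /\b(password|passkey|passwd|secret|client_secret|token)=([^&\s]*)/gi;

// Masks credential values in one log line; returns the masked line plus the
// names of the keys whose values were present in clear text.
function redactCredentials(line) {
  const leaked = [];
  let out = line.replace(JSON_PAIR, (all, q1, key, sep, value, q2) => {
    if (value !== '') leaked.push(key.toLowerCase());
    return `${q1}${key}${sep}***${q2}`;
  });
  out = out.replace(FORM_PAIR, (all, key, value) => {
    if (value !== '') leaked.push(key.toLowerCase());
    return `${key}=***`;
  });
  return { line: out, leaked };
}

// Runs the check over collected log lines; each finding says which line leaked
// which keys and carries the redacted text that is safe to forward.
function auditLog(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const { line: redacted, leaked } = redactCredentials(line);
    if (leaked.length > 0) findings.push({ index, keys: leaked, line: redacted });
  });
  return findings;
}

// Constructed sample lines in the style of a FINE adapter trace; not real MobileFirst output.
const SAMPLE_LOG = [
  '[FINE] com.worklight.example invokeHttp :: {"method":"post","path":"login","body":{"content":"{\\"username\\":\\"alice\\",\\"password\\":\\"s3cret\\"}"}}',
  '[FINE] com.worklight.example invokeHttp :: response status=200',
  '[INFO] token request user=alice client_secret=abc123 grant_type=client_credentials',
];

const FINDINGS = auditLog(SAMPLE_LOG); // two findings: line 0 (password), line 2 (client_secret)
```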
I am trying to create a web app whose main task is fixing appointments.
I do not want to access any mail data of the logged in user.
I only want to implicitly login using an outlook account (my account) to which I have admin access. I want to connect with this account, fetch its calendar events and display the events to the logged in user so that the user can select any available spots.
I have registered my app in the azure portal and provided all the application permissions (earlier I tried with Delegated permissions as well; but I guess delegated permissions are not for my use case).
Thereafter, I tried to fetch the token for my profile using:
this.http.post(`https://login.microsoftonline.com/f8cdef31-a31e-4b4a-93e4-5f571e91255a/oauth2/v2.0/token`,
    {
        client_id: 'my-client-uuid',
        scope: 'https://graph.microsoft.com/.default',
        grant_type: 'client_credentials',
        client_secret: '****myclientsecret****'
    },
    {
        headers: {
            Host: 'login.microsoftonline.com',
            'Content-type': 'application/x-www-form-urlencoded'
        }
    }
).subscribe(resp => {
    console.log(resp);
});
as suggested in this article.
However, my request fails while doing this and states that the request body must contain 'grant_type' when I am clearly sending that.
Can someone please suggest how I can implicitly get data from my own Outlook account in a web app?
Update: I used the suggestion from this, appears that the request is going through now. However, the browser throws CORS error saying that the server didn't have appropriate headers.
Update 2: Found this link, which seems to address the exact issue I am facing. I however already have the redirect URI for SPA. The issue still persists.
I've just started implementing Authentication in my Web API.
I want to start with Basic Authentication
I learned that I've to pass the username and password in every request.
So, let's say I'm doing some admin task and making an API call for the same like this:
$.ajax({
    url: host + "homework/delete/" + $(this).data("id"),
    type: 'DELETE',
    headers: {
        Authorization: 'Basic ' + btoa(username + ':' + password)
    },
    success: function (d) {
        $tr.remove();
    },
    error: function () {
        alert("Error please try again");
    }
});
So, although my username/password are in variables, their values must be in the page (source). Whosoever accesses that page can see those credentials.
That means whosoever gets to know the URL of that page can see the credentials.
If I put in a login page, how should I check on the admin page that this user is authenticated? Should I use cookies, to set something if the user is coming through the login page?
To enhance security, I think there should be another approach. At first you need to authenticate to your service using username and password and receive an authentication token with a limited lifetime; then you should use this token to access your services.
I think you have to choose another approach:
create a server side application with UI (PHP, Java, ...)
this application has a session management
the credentials are stored in the configuration of the server side app
the requests to the service which is secured by Basic Authentication are performed by the server app. The responses are delivered to the client
You can't hide the credentials if you are creating a client-side JavaScript application. Another issue with your approach may be this: does the secured service support CORS (cross-origin resource sharing)?
As per my requirement, I am using WL.App.setServerUrl before every login request (WLAuthorizationManager.login) of MobileFirst.
When I do a first valid/invalid login attempt it works fine. On the next attempt I do WL.App.setServerUrl, and then WLAuthorizationManager.login (login request) or WLAuthorizationManager.obtainAccessToken (obtain access token request) doesn't respond at all. No success and no failure. Although the non-secure adapter method works fine.
If I do WL.App.setServerUrl only once on application startup, everything works fine, but calling it in between causes application failure.
let url = ... // fetch url from adapter call
WL.App.setServerUrl(url, function (success) {
    WLAuthorizationManager.login(securityCheckName, loginParam).then((data) => {
        .... // After login code
    }, (response) => {
        // Login fail code
    });
}, function (error) {
});
Flow :-
I call the above code on click of the login button. I call a method to get the server URL from an adapter first, then I set that URL as the server URL.
When I do an invalid login attempt it works fine the first time, and on the next call MFP login doesn't respond. Neither success nor failure in the application.
I am getting an error in the native Android logs.
Android Error logs :-
E/SecurityCheckChallengeHandler(30199): SecurityCheckChallengeHandler.submitChallengeAnswer in SecurityCheckChallengeHandler.java:51 :: submitAnswer has been called for unknown request
MobileFirst server version :- 8.0.0.00-20170911-123510
MobileFirst Cordova(plugin) version :- 8.0.2017102403
The WL.App.setServerUrl API is meant to be used sparingly, whenever the app needs to connect to a server other than the one defined in mfpclient.properties. If you want to keep the server URL constant, you should just put it in mfpclient.properties.
Having said that, the behaviour you mention is not expected - can you update your question with a code snippet of your app performing login & setServerUrl
We have successfully configured a MobileFirst 7.0 server for the testing and production environments and deployed an application on it. But after several real devices installed the app (both iOS and Android), we CANNOT see any devices in the worklightconsole.
No device registered in this runtime.
So how can these devices which have already installed the app be recognized and displayed in the worklightconsole Devices tab?
See here: http://engtest01w.francelab.fr.ibm.com:9090/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.dev.doc/devref/c_the_application_descriptor.html
userIdentityRealms
A comma-separated ordered list of user identity realms for OAuth authentication. The realms should be ordered by preference. The first successfully authenticated realm in this list is selected as the user identity realm. If the list is empty, or no realm in the list was authenticated, the ID token contains no identity information. This element is optional and the default value is an empty list.
<userIdentityRealms>WASLTPARealm,CustomAuthenticatorRealm</userIdentityRealms>
Note: This attribute is used to set user identity in the OAuth-based flows. For the classic (pre-V7.0) flows, see the documentation for the customSecurityTest security test.
You'll need to provide your realm name in the application-descriptor.xml file in order for the app to be listed in the Devices tab.
This was caused by losing the connection to the MF server.
Simply check the connection by using the following code:
function wlCommonInit() {
    WL.Client.connect({
        onSuccess: onConnectSuccess,
        onFailure: onConnectFailure
    });
}

function onConnectSuccess() {
    WL.Logger.debug("Connected to MobileFirst Server.");
}

function onConnectFailure(data) {
    WL.SimpleDialog.show("Cannot connect to MobileFirst Server", "Try again",
        [{
            text : 'Reload',
            handler : WL.Client.reloadApp
        },
        {
            text : 'Close',
            handler : function() {}
        }]);
}
I'm developing a POC for integration testing of IBM worklight adapters. In doing so I'm using RESTAssured framework. I have an adapter having security test applied to it.
XML Snippet:
<procedure name="getCatalog" securityTest="SingleStepAuthAdapter-securityTest" />
For authentication I have another adapter:
<procedure name="submitAuthentication" />
In my test I'm calling the submitAuthentication procedure and then the getCatalog procedure. This returns me the following error response:
Runtime: The resource 'proc:SampleHttpAdapter.getCatalog' should only be accessed when authenticated in realm 'SingleStepAuthRealm'.
Below is the test case I'm executing:
// Imports for REST Assured 3.x and later; 2.x releases use the com.jayway.restassured package prefix.
// BASE_URL is assumed to be defined in the test class (ending in "...?adapter=").
import io.restassured.RestAssured;
import io.restassured.builder.RequestSpecBuilder;
import io.restassured.http.Cookie;
import io.restassured.response.Response;
import io.restassured.specification.RequestSpecification;

public void testGetCatalog() {
    // Step 1: authenticate via the submitAuthentication procedure
    Response response = RestAssured.given().get(BASE_URL.concat("SampleHttpAdapter&"
            + "procedure=submitAuthentication&parameters=[\"worklight\",\"worklight\"]"));
    String sessionid = response.getSessionId();
    Cookie cookie1 = new Cookie.Builder("JSESSIONID", sessionid).build();
    System.out.println("cookie value " + cookie1.getValue());
    // Step 2: reuse the session on the protected getCatalog call
    RequestSpecification spec_two = new RequestSpecBuilder().addCookie(cookie1)
            .setSessionId(sessionid).build();
    Response catalog_response = RestAssured.given()
            .spec(spec_two)
            .get(BASE_URL.concat("SampleHttpAdapter&procedure=getCatalog&parameters=[]"));
    String catalog_json = catalog_response.asString();
    System.out.println(catalog_json);
}
As per the response, it seems like the authentication is not persisting into my getCatalog request. How can I do so?
Without knowing how your adapter procedures are written it is difficult to investigate the issue above. Can you please include the adapter procedures of submitAuthentication as well as getCatalog?
I can point you to a sample and tutorial Worklight provides on adapter-based authentication that will describe in great detail how the authentication process works. You can even use this project as a basis, since it accomplishes single-step adapter authentication. Use the mechanisms it provides for authentication and add in your getCatalog method for testing.
Adapter Based Authentication Presentation:
http://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v610/08_03_Adapter_based_authentication.pdf
Adapter Based Authentication Project:
http://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v610/AdapterBasedAuthenticationProject.zip