Access adapter unprotected data from a secured app - ibm-mobilefirst

I'm working on a hybrid MobileFirst 6.3 app, and I want to access an adapter before my login. Is there a way that I can do that? Every time I want to access my adapter, the handleChallenge method occurs.
application-descriptor.xml:
<android version="1.0" securityTest="NevadaApplication-strong-mobile-securityTest">
My adapter config XML:
<procedure name="getPhoneNumber" securityTest="wl_unprotected"/>

Because you have also set a security test at the application level, meaning on the environment in application-descriptor.xml, you will get hit with a challenge handler despite the adapter procedure having its security test set to wl_unprotected.
To achieve what you're looking for you will need to add security tests to your adapter procedures (with the one you want unprotected as wl_protected), and leave the environment without a security test assigned to it in application-descriptor.xml.
Read more on security tests here: https://www.ibm.com/developerworks/community/blogs/worklight/entry/understanding_predefined_worklight_authentication_realms_and_security_tests11?lang=en
Read more on the different authentication options here: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-6-3/authentication-security/authentication-concepts/
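
An added example (not part of the original answer and not IBM code): a small Python check for the situation described above, where an environment-level securityTest in application-descriptor.xml still triggers a challenge for a procedure marked wl_unprotected. The two XML documents are constructed, simplified samples, and treating any child element that carries a version attribute as an environment is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified samples; attribute names follow the snippets on this page.
APP_DESCRIPTOR = """<application id="NevadaApplication">
  <android version="1.0" securityTest="NevadaApplication-strong-mobile-securityTest"/>
  <iphone version="1.0" bundleId="com.example.app"/>
</application>"""

ADAPTER_XML = """<adapter name="PhoneAdapter">
  <procedure name="getPhoneNumber" securityTest="wl_unprotected"/>
  <procedure name="getAccount" securityTest="NevadaApplication-strong-mobile-securityTest"/>
</adapter>"""


def local(tag):
    """Drop an XML namespace prefix such as '{uri}procedure'."""
    return tag.rsplit("}", 1)[-1]


def environment_tests(descriptor_xml):
    """Map each environment element to its app-level securityTest (None if unset)."""
    # Assumption: a direct child with a 'version' attribute is an environment.
    root = ET.fromstring(descriptor_xml)
    return {local(e.tag): e.get("securityTest") for e in root if e.get("version")}


def procedure_tests(adapter_xml):
    """Map each adapter procedure name to its securityTest attribute."""
    root = ET.fromstring(adapter_xml)
    return {p.get("name"): p.get("securityTest")
            for p in root.iter() if local(p.tag) == "procedure"}


def still_challenged(descriptor_xml, adapter_xml):
    """List (environment, procedure) pairs where the procedure is wl_unprotected
    but the environment's own securityTest will still raise a challenge."""
    envs = environment_tests(descriptor_xml)
    procs = procedure_tests(adapter_xml)
    return sorted((env, name)
                  for env, test in envs.items() if test
                  for name, ptest in procs.items() if ptest == "wl_unprotected")


if __name__ == "__main__":
    for env, proc in still_challenged(APP_DESCRIPTOR, ADAPTER_XML):
        print(f"{env}: {proc} is wl_unprotected but the app-level securityTest still applies")
```

An empty result means no environment-level test overrides a wl_unprotected procedure; every procedure listed by procedure_tests with wl_unprotected is then reachable before login and should be reviewed as such.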

Related

IBM MobileFirst Platform - How to Call resource WS (JAX-RS) in navigator?

I'm trying to make a simple example of a connection to a WS (JAX-RS). When I call it from the browser, I should get a string back, but I get the following error message: missing_authorization. This is the URL to access the resource (REST):
http://localhost:10080/PruebaWSProject/adapters/MyAdapter/users/pramirez
When I test it directly from MobileFirst Studio using "Call MobileFirst Adapter", it works perfectly.
It seems to be a problem with HTTP authentication. Apparently I have to set something in the server XML file, authenticationConfig.xml, but I do not know what I have to put there. I read the following on a web page:
Disabling the authentication requirement for a specific procedure.
You can do so by adding the securityTest="wl_unprotected" property to the element in the adapter XML file.
I do not know how to turn off the security to call the resource to obtain the chain. The names of the classes generated by the Java adapter are: MyAdapterResource and MyAdapterApplication.
Java Adapters are protected by default.
When you use "Call MobileFirst Adapter", a test token is automatically added to help you preview.
If you want to test your adapter outside of the wizard, you have 2 main options:
1. Disable security by adding @OAuthSecurity(enabled=false) before your procedure code (in MyAdapterResource). Keep in mind that your procedure will no longer be protected. See Protecting Adapters.
2. Generate a test token manually. You can request a test token which you will add to your HTTP headers. See In Postman
The instructions you saw regarding securityTest="wl_unprotected" are for JavaScript adapters, not Java.

Worklight Adapter based auth - Direct login

I am trying to develop a simple hybrid app using adapter-based authentication.
All the examples I have found explain how to do it assuming that we first call a secured procedure to fire the authentication process.
I've been trying to develop a login that calls a "login adapter" directly to perform the authentication. I've tried using "submitAdapterAuthentication", but the challenge handler is creating an infinite loop.
I did manage to make a login by invoking the "login adapter" as a common procedure ("WL.Client.invokeProcedure(...)"), but then I was not able to subscribe to an event source, and I need PUSH notification functionality. I always got the following error:
Can't subscribe, notification token is not updated on the server
Is it possible to authenticate against Worklight Server by calling a "login adapter" directly using Adapter Based Authentication? How?
I think the approach of a direct login call makes sense, but I haven't found any official solution to it.
If you want to invoke the authentication process explicitly, you can use the WL.Client.login(realm, options) API provided by Worklight.
http://pic.dhe.ibm.com/infocenter/wrklight/v6r0m0/index.jsp?topic=%2Fcom.ibm.worklight.help.doc%2Fapiref%2Fr_wl_client_login.html
Another option is to add a security test at the application level inside of application-descriptor.xml for each environment.
This will cause the app to ask for authentication immediately.
<iphone securityTest="nameOfMobileTest" bundleId="com.myApp" version="1.0">
....
</iphone>
<android securityTest="nameOfMobileTest" version="1.0">
....
</android>

IBM Worklight 6.1 - connectAs endUser before authentication

I have a question about the connectAs="endUser" option, found in the adapter XML file.
In the design mode I can read:
- endUser: The connection to the back end will be created with the user's identity, as authenticated by the authentication realm
So my question is: Does it make sense to use the option connectAs="endUser" without being authenticated and without defining a security test?
I am having this question, because I used to put the connectAs="endUser" in the authentication procedure
<procedure name="authenticate" connectAs="endUser"/>
Is that wrong?
So, as you can see in the documentation, using connectAs="endUser" is "Only valid if a user realm has been identified in the security tests for this procedure."
Here are some resources you may want to look into:
procedure element of the adapter XML file
http://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/index.jsp?topic=%2Fcom.ibm.worklight.dev.doc%2Fdevref%2Fr__procedure_.html&resultof%3D%2522%2563%256f%256e%256e%2565%2563%2574%2561%2573%2522%2520%2522%2563%256f%256e%256e%2565%2563%2574%2561%2522%2520
The authentication element of the HTTP adapter
http://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/index.jsp?topic=%2Fcom.ibm.worklight.dev.doc%2Fdevref%2Fr_the__authentication__element_o.html&resultof%3D%2522%2563%256f%256e%256e%2565%2563%2574%2561%2573%2522%2520%2522%2563%256f%256e%256e%2565%2563%2574%2561%2522%2520
Can you please provide your scenario for how you would like to use this setting, in greater detail?

Automatically relogging in to a realm after connection loss in IBM Worklight

My problem is as follows:
I have an application protected by a mobile security test involving an LDAP server. The corresponding realm is called LDAPrealm. I use the form-based authenticator + custom LDAP login module.
When the connection to the Worklight server is lost and then re-established, I see that the current user is not authenticated in the LDAP realm anymore.
What I want is to be able to re-authenticate the user without having him enter credentials again.
However, since the user is still authenticated for other realms included by default in the mobile security test, the Worklight server does not challenge the client again for credentials, which is causing a j_security_check error when trying to submit credentials.
As a side note, those credentials are stored in the encrypted JSON store for offline authentication and use of the app.
So my question is:
Is it possible to force the server to challenge the client again for this LDAPrealm and use submitLoginForm to re-log in?
More generally, is there a way to clear a user+device from all realms before trying to log in again?
Edit reason: previous error was caused by a typo.
In the case where the user first logs in online, then loses connection, then gets connection again, calling
WL.Client.logout("LDAPRealm",{onSuccess:stealthed_relog});
and calling WL.Client.connect() later in stealthed_relog before sending credentials seems to yield the desired behaviour.
However, when the user logs in offline and then gets connection, when I try to use WL.Client.connect(), it says another instance of WL.Client.connect has already been called.
Edit: for the offline login case, the application gets challenged automatically shortly after the connected event fires (because of the heartbeat? I do not really know), so you just have to use
login_clientside.submitLoginForm();
to successfully log in again.
If someone has a better way to implement auto-reconnecting in Worklight with an LDAP server, feel free to post it and I'll unaccept my answer.

Worklight Adapter Authentication in one session shared across another

I'm on Worklight 6.1.0.1, using the Chrome-based simulator to start the mobile web application. The application and adapters are deployed from WL Studio to the WL development server.
I have secure adapter procedures, and I've tested with two configurations:
<procedure requestTimeoutInSeconds="20" name="getBaseData" securityTest="Connections-securityTest"/>
<procedure requestTimeoutInSeconds="20" name="getCommunityMembersOf" securityTest="Connections-securityTest"/>
and
<procedure connectAs="endUser" requestTimeoutInSeconds="20" name="getBaseData" securityTest="Connections-securityTest"/>
<procedure connectAs="endUser" requestTimeoutInSeconds="20" name="getCommunityMembersOf" securityTest="Connections-securityTest"/>
getBaseData simply creates the active user (including id + pwd for later use), and returns fixed data to the app.
getCommunityMembersOf is an HTTPS adapter that retrieves data from a backend server. This adapter retrieves the id + pwd from the active user and includes this information as input to the HTTPS request.
I start the first Chrome simulator session, with the JavaScript console showing that the application invoked procedure getBaseData. The credentials are collected and authenticated, and setActiveUser is completed. The application then invokes procedure getCommunityMembersOf, and this procedure call is processed with no authentication, as expected.
I start a second Chrome simulator session for the same application, and the JavaScript console shows that the invocation of procedure getBaseData is not challenged and is processed, which seems to indicate that the authentication for simulator session #1 also satisfied the authentication for simulator session #2. This is a behavior I want to prevent, so that both simulator sessions require authentication independently. I'd appreciate any advice about why this is happening and what I can do to prevent this session sharing. Thank you.
Chrome is sharing the session between the different tabs; it has nothing to do with Worklight.
What you can do is open a new browser window in incognito mode to prevent sharing the session, or open a different kind of browser.