Preventing worklight adapter access from other module - ibm-mobilefirst

I have a Worklight application which has two modules, i.e. a user module and an admin module. How should I secure the adapters of each module from being accessed by the other module?

So you have a single application with two separate logics in it - user and admin.
In an application you must specify the adapter name and procedure name of the adapter in order to call it.
So simply put, only call your adapter (and its procedure) in the right module (user or admin) - this is purely applicative as I see it. Don't call an adapter where it shouldn't be called, and it won't.
If this does not answer your question, please further explain the scenario.

Related

invoking worklight adapter from external application

I am trying to invoke a Worklight adapter from an external application. I also got the answer in the "Calling Worklight adapter from external app" thread. However, I don't want to send the adapter name, procedure name and parameters as query params. Rather, I want to send them as a payload inside the request body. Please suggest answers.
If you are using MFP v7.0+ you know that each MFP adapter is exposed as a REST API as well.
You just need to remove the security so external applications can access that REST API easily.
Not sure if it's healthy to reduce security,
but you can mark the method (via the adapter XML file) as "wl_unprotected".

How to make simple JAAS login module work (EJBs, Tomcat, WebLogic)?

I want to create a simple login module which authenticates users so they can, through a servlet using the WebLogic client, access EJB methods annotated with @RolesAllowed. As you probably noted, I have two separate tiers - one with a webapp (Tomcat) and one containing the business logic (WebLogic).
Generally speaking, I followed this JAAS tutorial (setting things accordingly).
According to the answer to this question, the principals should be propagated to the business tier (even having the tiers on separate machines?).
However, what I'm getting is an error page with following header: HTTP Status 500 - [EJB:010160]Security violation: User <anonymous> has insufficient permission to access EJB type=<ejb>
Also, I created corresponding roles in the WebLogic console.
Some tests from the servlet's GET method (without calling the bean's annotated method):
request.getUserPrincipal().getName(): ADMIN
request.getParameter("role"): null
request.isUserInRole("admins"): true
(request is obtained from the argument @Context HttpServletRequest request)
Is there any additional thing to do to make it work? Or is it sufficient, but there may be an error somewhere?
Let me also point out that I'm quite new to creating Java EE applications.
Help appreciated.
The integration of security information between a servlet container and an EJB container is vendor specific. The question that you cited refers to remote calls between containers from the same vendor.
In your case, you have two different vendors - Apache Tomcat and Oracle WebLogic. Therefore, you are going to have more work to do.
You don't state which version of WebLogic you're using; however, the article Using JAAS Authentication in Java Clients describes the additional steps that you need to do in order to correctly propagate the security context from Tomcat to WebLogic 11g. You will likely be able to find similar information for other WebLogic versions.

Worklight Adapter singleStepAuth security test

I have multiple adapters that are public and require authentication.
Some of my adapters use a common adapter procedure that should not be visible to the public, but only visible to my adapters. Is there a way to create a sort of private procedure which will be accessed only by other adapters?
The code that you put in an adapter is not public. No client can see this code. So you can put your method in one of the adapters and use it from other adapters.
More information regarding this issue can be found here:
http://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v620/04_11_Advanced_adapter_usage_and_mashup.pdf
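The two answers above (marking a procedure "wl_unprotected" for external callers, and keeping helper code out of client reach) both come down to what the adapter descriptor declares. The following adapter XML is an added example, not code from either answer or from IBM's documentation; the adapter name, procedure names, the "OrdersSecurityTest" security test and the backend host are assumed placeholders. It shows the weak setting beside the protected one and notes that only declared procedures are exposed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical Worklight adapter descriptor (OrdersAdapter.xml); the matching
     implementation file would be OrdersAdapter-impl.js. All names are assumed. -->
<wl:adapter name="OrdersAdapter"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:wl="http://www.worklight.com/integration"
    xmlns:http="http://www.worklight.com/integration/http">

    <displayName>OrdersAdapter</displayName>
    <description>Example HTTP adapter with one protected and one unprotected procedure</description>

    <connectivity>
        <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
            <protocol>https</protocol>
            <domain>backend.example.com</domain> <!-- placeholder backend host -->
            <port>443</port>
        </connectionPolicy>
        <loadConstraints maxConcurrentConnectionsPerNode="2" />
    </connectivity>

    <!-- Protected: callable only after the caller passes the "OrdersSecurityTest"
         security test declared in authenticationConfig.xml (name assumed). This is
         the procedure-level authentication layer that still applies when the
         procedure is reached through the adapter invocation service. -->
    <procedure name="getOrderHistory" securityTest="OrdersSecurityTest" />

    <!-- Unprotected: "wl_unprotected" is the built-in security test that removes
         the procedure-level check. Reserve it for data you would publish anyway,
         because the invocation service then reaches this procedure with no
         credentials at all. -->
    <procedure name="getPublicCatalog" securityTest="wl_unprotected" />

    <!-- Any function in OrdersAdapter-impl.js that is NOT listed as a <procedure>
         here (for example a helper that builds the backend request) is not
         reachable from clients or from the invocation service: declaring a
         procedure is what exposes it. -->
</wl:adapter>
```

When reviewing a deployment, grep the adapter descriptors for securityTest="wl_unprotected" and confirm that each hit returns only data that is acceptable for an unauthenticated caller; everything else should name a security test defined in authenticationConfig.xml.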

Use of third parameter in the WL.Client.InvokeProcedure

I am using the client-side API WL.Client.invokeProcedure(invocationData, options, UseSendInvoke) in Worklight 6. But I could not find a description for the parameter UseSendInvoke in the API. Do you guys know what it is?
This parameter is used internally by the WL authentication framework. Technically there should not be a reason for a developer to use it.
There are several ways to invoke adapters.
(1) The first is via the client application. This is where you use the WL.Client.invokeProcedure(invocationData, options) API.
(2) The second is by using the adapter invocation service - http://pic.dhe.ibm.com/infocenter/wrklight/v6r0m0/index.jsp?topic=%2Fcom.ibm.worklight.help.doc%2Fdevref%2Fc_adapter_invocation_service.html. Basically, issuing an HTTP request to the WL server and getting a response from the adapter. RPC style.
When you're doing it via (1) - you have two authentication layers - first is security test defined for application, second is security test defined for adapter procedure.
When you're doing it via (2) - there is only one security layer - security test defined for adapter procedure.
The UseSendInvoke param (which is, once again, for internal usage) means that your application will go via path (2) instead of the regular path (1).
There's no UseSendInvoke argument that WL.Client.invokeProcedure takes, at least not in the public API defined in the documentation. You can look at the documentation for Worklight v6.0.0, Worklight v5.0.6, Worklight v5.0.5 to learn more about that particular API.

From a WCF service how can I call a method in a third party dll as the current user not IIS\DefaultAppPool

I have a requirement to write a WCF service that will be called from MS Excel using the Service Moniker from VBA code. So far that part I have figured out.
I also have impersonation working so that if I were to return the current user from a web method it will return my username and not IIS\DefaultAppPool or whatever IIS is running as...
So here is my issue. I have a third party dll (CyberArk Password Management, if anyone is interested) where I create a PWD object, set some parameters and then call a method named GetPassword. Now I can call the method, but I always get an authentication failure. If I dig into the logs of the CyberArk agent that I have running, it seems that even though I am using impersonation, the dll method is still being called as IIS\DefaultAppPool.
Here are a few snippets...
Impersonation is turned on at the method Level
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
A call to this method returns my Domain and User name as I would expect
WindowsIdentity.GetCurrent().Name
But this line is being called as IIS\DefaultAppPool
password = PasswordSDK.GetPassword(passRequest);
I have tried doing impersonation in code rather than using the annotation, and I have also tried an Impersonation object with a using block, and nothing seems to work, so here is what I am thinking:
The dll somehow does not allow me to impersonate the caller for security reasons
It may be the .NET framework not allowing this again for security reasons
I have no clue and would love some help :-)
You can self-host the application instead of using IIS to host it. Then the service will be running in a process that is already running as the current user.
(If this is an option.)