Deploying MobileFirst application on existing single-node WebSphere that has existing application - ibm-mobilefirst

Application Server: AIX V7.1, WebSphere Application Server V8.5.5.4, Java SDK V7.0.8, MobileFirst Platform Foundation 6.3, DB2 V10.1 client
Database Server: AIX V7.1, DB2 V10.1
We have a MobileFirst application that is our mobile front-end to an existing application. The existing application is a WebSphere application that provides RESTful web services. The MobileFirst application interfaces with the existing WebSphere application via a MobileFirst Adapter. The RESTful web service URLs are protected URLs, authentication is done using LDAP, and an LTPA token is created. The LDAP is configured in WebSphere via the WAS console.
Our MobileFirst application works fine and can connect to and use the RESTful web services, but only if the MobileFirst application is running in a separate WebSphere profile or on a separate WebSphere server. If we attempt to install the MobileFirst application into the same WebSphere profile as our existing WebSphere application that provides the RESTful web services, it breaks. The mobile device authenticates with MobileFirst successfully and then calls the Adapter to invoke the RESTful web service call. However, the next Adapter invocation from the mobile device ends with an HTTP 401 error, which is an authorization error.
I'm speculating that after the Adapter authenticates with our existing WebSphere application that provides the web services that somehow this is overwriting the authentication that was done between the mobile device and MobileFirst.
My questions are as follows.
Can both the MobileFirst application and our existing WebSphere application that provides the RESTful web services run in the same WebSphere profile and share the LTPA token such that when the mobile device authenticates with MobileFirst, it would also be authorized to execute the web services running in the same WebSphere profile?
Is it advisable to run both applications in the same WebSphere profile, or should they be running in separate profiles or on separate servers?
Cost is a concern as we do not necessarily want the additional operational cost of adding a physically separate server just to run MobileFirst.
From an operational perspective, it is additional work to add and maintain multiple WAS profiles.
Ideally, we would really like to run both applications in the same WebSphere profile.
Here is a Google Drive link (no signin required) to the trace.log, SystemOut.log, SystemErr.log, and firebug-console.html
MobileFirst Trace log
The MobileFirst application was run in a browser using "Preview as Common Resources". I get the same result when using an actual Android or iOS device. The MobileFirst application WAR was run in the same WAS profile as the web services WAR that it was accessing through the adapter. This same code works successfully when the MobileFirst application WAR is running in a separate WAS profile or on a separate WAS server.
Please advise.

I have resolved the issue myself. This was a codebase that my team had inherited from another team.
What was happening was the mobile device was initiating a connection to MobileFirst running on WebSphere, which creates a JSESSIONID cookie and an LTPA2Token cookie. Then an adapter was being called that invoked an HTTP call to a web service running in the same WebSphere profile. Calling the web service created new JSESSIONID and LTPA2Token cookies. These new cookies were being returned to the mobile device, and JavaScript code on the mobile device was taking those new cookie values and then overwriting document.cookies, which wiped out the original cookies. Then when the mobile device attempted to connect with MobileFirst on a subsequent call, its session was invalid and it ended up getting an HTTP 401 error, which is an authorization error. So we attribute this problem to a poor implementation of our application.
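The cookie collision described in this answer, reproduced as an added example that is not the poster's code: the first path copies the backend's cookies into the device's store, the second keeps them server-side. `CookieJar`, the function names, the server-side map and every cookie value are assumptions constructed for illustration; only the cookie names come from the post.

```javascript
// Cookie names are the ones named in the post; all values are constructed.
const BACKEND_SESSION_COOKIES = new Set(["JSESSIONID", "LTPA2Token"]);

// Stand-in for the device cookie store: one value per name, so a later
// write under the same name replaces the earlier one.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(header) {
    const pair = header.split(";")[0];
    const i = pair.indexOf("=");
    this.cookies.set(pair.slice(0, i).trim(), pair.slice(i + 1).trim());
  }
  get(name) { return this.cookies.get(name); }
}

// Pattern described in the post: client code copies the cookies returned
// by the backend call into its own cookie store.
function copyBackendCookiesToClient(jar, adapterResult) {
  for (const header of adapterResult.backendSetCookie) jar.set(header);
}

// Hypothetical adapter-side filter: backend session cookies are kept in a
// server-side map keyed by the MobileFirst session and never sent back.
function stripBackendCookies(backendResponse, backendSessions, mfSessionId) {
  const passedThrough = [];
  for (const header of backendResponse.setCookie) {
    const name = header.split("=")[0].trim();
    if (BACKEND_SESSION_COOKIES.has(name)) {
      const saved = backendSessions.get(mfSessionId) || [];
      backendSessions.set(mfSessionId, [...saved, header.split(";")[0]]);
    } else passedThrough.push(header);
  }
  return { body: backendResponse.body, backendSetCookie: passedThrough };
}

// Runs one adapter round trip and reports which session cookies the device holds.
function deviceSessionAfterCall(useFilter) {
  const jar = new CookieJar();
  jar.set("JSESSIONID=mf-session-0001; Path=/");
  jar.set("LTPA2Token=mf-ltpa-aaaa; Path=/");
  const backend = { body: { ok: true }, setCookie: [
    "JSESSIONID=ws-session-9999; Path=/", "LTPA2Token=ws-ltpa-bbbb; Path=/", "lang=en; Path=/"] };
  const stored = new Map();
  const result = useFilter ? stripBackendCookies(backend, stored, "mf-session-0001")
    : { body: backend.body, backendSetCookie: backend.setCookie };
  copyBackendCookiesToClient(jar, result);
  return { jsessionid: jar.get("JSESSIONID"), ltpa: jar.get("LTPA2Token"), stored: stored.get("mf-session-0001") || [] };
}
```

Without the filter the device ends up presenting the backend's JSESSIONID to MobileFirst, which is the state that produced the 401; with it, the device keeps the cookies MobileFirst issued.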

Related

Host Asp.net Core Web Api locally

I am learning Asp.net Core Web Api. I need to access the api from a flutter application but am not ready to host the api on Azure. What are my options if I want to host the api locally on my computer so I can access it from another application like my Flutter app client, and is there any tutorials I can follow to learn how to implement the solution.
There are several ways to go about this, here are some options:
FROM VISUAL STUDIO: You can simply run the ASP.NET Core Web API from Visual Studio in Development Mode by Pressing F5
FROM COMMAND PROMPT: Run the API Project from the command line by opening a command prompt window in the root project folder of the project and use the dotnet run command. See here for more info about the command: dotnet run command
HOSTING IN IIS: I am assuming you are running a windows OS. You can turn on IIS and its features. Simply follow the instructions on this page: Host ASP.NET Core in IIS on how to deploy ASP.NET Core to IIS. The advantage of this is that you have the application always running while you work on your flutter application locally.
I hope this helps you resolve your situation.
What are my options if I want to host the api locally on my computer so I can access it from another application like my Flutter app client, and is there any tutorials I can follow to learn how to implement the solution.
If your application is still in development, there is no need to host the application and let the Flutter app client access it. We could build some JSON files in the right format, like the web API response, to develop the client app.
If your client application and web API have now been developed successfully and you want to host the web API to let the Flutter app or other applications access it from the internet, you should have a public IP address and host the application on IIS or elsewhere. You should ask your IP provider company for a public IP address. Without a public address, the client-side app couldn't access your application from the internet.
If your web API and the client app are on the same intranet, you could let the client app directly access the web API, after the web API is hosted on IIS, by using the hosting server's IP address.
About how to host the asp.net core application on IIS, you could refer to this article.

IBM Security Access Manager Integration with MobileFirst 6.3

I am working on a MobileFirst application. It needs to be integrated with IBM Security Access Manager. I have configured the login modules, realms and authentication configurations. On the code side, what should be done?
Read the help for this product: http://www-01.ibm.com/support/docview.wss?uid=swg24034222
The integration package includes sample applications and adapter to
validate successful HTTP header or LTPA token integration, single
sign-on to backend data sources using Worklight Adapters, OAuth
authentication, context/risk-based access, Device Single Sign-On and
MobileFirst Platform Foundation generated Certificate Authentication.
The sample applications and challenge handlers are intended to be used
as references for developing your own IBM MobileFirst Platform
Foundation mobile application integration with IBM Security Access
Manager.

Customize Worklight Adapter URL

I am building iOS and Android apps using the Worklight framework. The Worklight server will be protected by IBM Security Access Manager (ISAM) SSO, and therefore the apps can only reach the Worklight server after passing the security challenges. I've found some docs about this integration and it works as intended.
But the apps also offer some features that don't require login, for which the Security Manager shouldn't intercept the adapter request to the Worklight server. The only workaround suggested by IBM is to create a URL mapping junction in ISAM that defines the URLs that can be accessed by the public and those that cannot, for example /worklight/public and /worklight/secured.
But the URL pattern for all Worklight adapters is /worklight/invoke?adapter=ADAPTER_NAME, so do we have a way to create customized URLs for public and secured adapters, for example:
/worklight/public/invoke
/worklight/secured/invoke
EDIT 1: Worklight Version 6.0
Thanks in advance.
Please mention the version of Worklight you are using.
One way to achieve this is to create and deploy the adapters in two different projects. That way the context root of both the adapters will be different. So, you'll have URLs such as
/Project1/invoke?... and /Project2/invoke?... which you can apply to your filters.

Worklight Adapter authentication required

I'm using Worklight 6.0.0.1 deployed on WebSphere Liberty 8.5.5.0, and my application uses 2 HTTP adapters.
In the first adapter I put my login and logout functions (form-based authentication).
In the second adapter I put some other procedures.
So my problem is as below:
When I deployed Worklight (.war) on WebSphere and my other WAR file, which contains the web services, on another server (Tomcat), things went well.
But when I deployed the Worklight WAR and the one containing my web services on the same server (WebSphere Liberty), things went wrong with the second adapter (the one that doesn't contain the login function). On each procedure invocation in the second adapter, I get "authentication required" as the response.
But when I invoke a procedure in the first adapter, it returns the right response.
Any idea? I couldn't figure out the problem.
I should add that I'm calling the same web services in the two adapters.
This is the log I get :
{"status":200,"invocationContext":null,"invocationResult":{"responseID":"64","statusCode":200,"result":{},"errors":["authentication required"],"isSuccessful":true,"statusReason":"OK","responseHeaders":{"Content-Language":"en-US","Transfer-Encoding":"chunked","Date":"Thu, 05 Dec 2013 06:13:15 GMT","Content-Type":"application/json;charset=UTF-8","X-Powered-By":"Servlet/3.0"},"success":0,"totalTime":280,"responseTime":271}}
When you invoke a procedure in your first adapter, does it call the web service?
If not, I'm assuming that only the second adapter is trying to access the web service.
Considering that, I'm guessing your Tomcat server is not securing the web service. Which means that you can access your web service without any authentication.
WAS or Liberty on the other hand could have application security enabled. Which means that if you try to access your web service deployed on WAS or Liberty, you will be prompted for authentication.
As it works with WAS and Tomcat, the issue seems to occur only under Liberty Profile. In this case only the Worklight trace and the Liberty Profile security trace can help to understand the possible cause of the issue.

Authentication against Active Directory using a Mobile Device

I currently have a Mobile Application that communicates through a WCF Service to access a Database. The Mobile App can access on the network as well as externally. It connects to the WCF Service which is hosted on one server inside the network. From there the WCF Service is pointing at another server which is hosting the Database that the Mobile Device is accessing.
With the above process how would you setup authentication using Active Directory which would confirm the user of the Mobile Application before it can access the WCF Service to confirm that the user is a member of AD and they can then login after authorization is complete. This would occur as the user opens up the Application. Would this be coded into the App to prompt for the information, then send the information to the WCF Service which would then allow access? If not this then are there any other ways or information/links that can be provided please?
Take a look at the BUILD 2013 videos. Visual Studio 2013 will create a web project that will automagically do all that for you (I think). Just bear in mind, it uses the Microsoft.OWin.Security beta packages.
Also...you will need to install the AspNetWebTools2013 package first...
http://www.asp.net/visual-studio/overview/2013/creating-web-projects-in-visual-studio#orgauthoptions