Worklight form-based authentication, access denied error - ibm-mobilefirst

I'm trying to run the sample code from the tutorial of IBM,
Form_based_authentication, but it doesn't work correctly.
It doesn't show the login form, and when I click on the "Call protected adapter proc" button, it shows an access denied error like this one:

I cannot reproduce your scenario.
Open the Chrome DevTools and inspect the console view when you click on the button. What errors do you see?
Did you add any environment or are you simply previewing the common web resources?
Anything else about your environment that you did not mention?
Imported the Form-based authentication sample (.zip file) for Worklight 6.0
Started the server, deployed the adapter and application
Opened Worklight Console
Previewed the common web resources
Clicked on "Call protected adapter proc"
Entered random values for username/password (since a non-validating authenticator is being used in this sample)
Clicked on "Call protected adapter proc" again
Result:

Clear the app's data from Settings, then it will work. Form-based authentication works for the same day or the same session; after that it will throw an error in the console:
[ERROR ] FWLSE0335E: Authorization failed: ClientId 8a822ed6a93bec9c9f810e128cdb5dba4bb8f762 was not found on the server. [project xyz]

Related

ADFS Login Page Works but calling from RP fails

We have configured our application as an RP with the ADFS server. When I try logging in with the ADFS login page separately using the following URL https://<>/adfs/ls/IdpInitiatedSignon.aspx, the user credentials work. When we invoke it from our client application, we are presented with the ADFS login page. After entering credentials we are presented with "Error Occurred" with an Activity Id that is a GUID. What may be the issue? Kindly guide.
You need to look in the Event Viewer on the server under "Applications and Services Logs" / "AD FS" / Admin.
That will give you a more detailed error message.
And if the answer by @nzpcmad does not give you enough information, you can right click the 'Admin' node, go to 'View' and enable 'Show Analytics and Debug Logs'.
This will show another node called 'AD FS Tracing' under the 'Applications and Services Logs'. Right click the 'Debug' sub-node and click 'Enable Log'. Then repro the issue and refresh the view to see the ADFS trace logs.

IBM MobileFirst Platform - How to Call resource WS (JAX-RS) in navigator?

I'm trying to make a simple example of a connection to a WS (JAX-RS). When I call it from the browser it should return a string, but I get the following error message:
missing_authorization. This is the URL to access the resource (REST):
http://localhost:10080/PruebaWSProject/adapters/MyAdapter/users/pramirez
When I test it directly from MobileFirst Studio using "Call MobileFirst Adapter", it works perfectly.
It seems to be a problem with HTTP authentication; apparently I have to set something in the server XML file authenticationConfig.xml, but I do not know what to put, and I read the following on a web page:
Disabling the authentication requirement for a specific procedure.
You can do so by adding the securityTest="wl_unprotected" property to the procedure element in the adapter XML file.
I do not know how to turn off the security to call the resource and obtain the string. The names of the classes generated by the Java adapter are MyAdapterResource and MyAdapterApplication.
Java Adapters are protected by default.
When you use "Call MobileFirst Adapter", a test token is automatically added to help you preview.
If you want to test your adapter outside of the wizard, you have 2 main options:
Disable security by adding @OAuthSecurity(enabled=false) before your procedure code (in MyAdapterResource). Keep in mind that your procedure will no longer be protected. See Protecting Adapters.
Generate a test token manually. You can request a test token which you will add to your HTTP headers. See In Postman
The instructions you saw regarding securityTest="wl_unprotected" are for JavaScript adapters, not Java.

Worklight Adapter Authentication in one session shared across another

Worklight 6.1.0.1, and using Chrome based simulator to start the mobile web application. Application and adapters deployed from WL studio to the WL development Server.
I have a secure adapter procedure(s) and I've tested with two configurations:
<procedure requestTimeoutInSeconds="20" name="getBaseData" securityTest="Connections-securityTest"/>
<procedure requestTimeoutInSeconds="20" name="getCommunityMembersOf" securityTest="Connections-securityTest"/>
and
<procedure connectAs="endUser" requestTimeoutInSeconds="20" name="getBaseData" securityTest="Connections-securityTest"/>
<procedure connectAs="endUser" requestTimeoutInSeconds="20" name="getCommunityMembersOf" securityTest="Connections-securityTest"/>
getBaseData simply creates the active user (including id + pwd for later use), and returns fixed data to the app.
getCommunityMembersOf is an HTTPS adapter that retrieves data from a backend server. This adapter retrieves the id + pwd from the active user and includes this information as input to the HTTPS request.
I start the first Chrome simulator session with the JavaScript console showing that the application invoked procedure getBaseData. The credentials are collected and authenticated, and setActiveUser is completed. The application then invokes procedure getCommunityMembersOf and this procedure call processes with no authentication, as expected.
I start a second Chrome simulator session for the same application and the JavaScript console shows that the invoked procedure getBaseData is not challenged and is processed, which seems to indicate that the authentication from simulator session #1 also satisfied simulator session #2. This is a behavior I want to prevent; I want both simulator sessions to require authentication independently. I would appreciate any advice about why this is happening and what I can do to prevent this session sharing. Thank you.
Chrome is sharing the session between the different tabs, it has nothing to do with Worklight.
What you can do is open a new browser in incognito mode to prevent sharing the session. Or open a different kind of browser.

Login Authentication In IBM Worklight

I am using jQuery Mobile to start with an IBM Worklight project. I have created a login page. Whenever the user clicks the submit button I need a function to run that checks the username and password in the database.
Database -> I am using a MySQL database. Using the command-line client I have added the table, username, password and values. I need to check this table whenever the user clicks the submit button. The IBM Worklight tutorial says I need to add the JDBC jar file to server/lib. I have copied the downloaded file into that folder.
I don't know whether I need to make my own custom login module or whether a default one is available.
There isn't a clear example available on the IBM website for authentication. Please help me with this.
I would suggest reading the following:
Authentication concepts
Adapter-based authentication + Exercise and code sample
Adapter framework overview
SQL adapter – Communicating with SQL database + Exercise and code sample
from the Getting Started page. Also take a look at InfoCenter if you need more documentation.
From the adapter-based auth code sample, you can start by replacing:
if(username == "worklight" && password == "worklight") with a call to your backend (see sql adapter code sample) that checks if the username and password are valid.

IBM Worklight v5.0.5 - Encrypted Offline Cache not working in Android or iOS

While debugging, we observe following behavior:
1) When trying to get the encryption key from the server there is an error on both platforms (iOS and Android):
response [https://xxxx.xxxx.com:443/worklight/apps/services/random]
success: Exception thrown by application class
'com.ibm.ws.webcontainer.session.impl.HttpSessionContextImpl.checkSecurity():685'
SESN0008E: A user authenticated as anonymous has
attempted to access a session owned by user:NewRealm/CN=test
user,OU=Temporary Users,OU=Acc,DC=xxxx,DC=com.
2) When trying to read a stored value, the error on Android is [Logcat]:
Android Message: Uncaught 9 at
file:///data/data/com.xxxx.xxxxapp/files/www/default/wlclient/js/encryptedcache.js:63
where it tries to call WL.EncryptedCache.read
The Worklight version used is 5.0.5 Consumer Edition (with Oracle 11i) on Windows 2008 R2
WebSphere Liberty profile
Worklight server is sitting behind IBM Datapower XI52. All SSL calls to the server are going via DP.
Authenticator - WebSphereFormBasedAuthenticator & LoginModule - WASLTPAModule
The following is not really an answer, since I'm not familiar with authentication (LTPA, FormBasedAuth, Data Power, etc.)... just a couple of comments that could help you debug/isolate the issue.
Looks like a problem with authentication:
A user authenticated as anonymous has attempted to access a session
owned by user:NewRealm/CN=test user,OU=Temporary
Users,OU=Acc,DC=xxxx,DC=com.
Not with the Encrypted Offline Cache (EOC).
EOC will try to get a random token calling the following function:
WL.EncryptedCache.secureRandom(function (data) {
console.log(data);
});
It should output something like this:
response [/apps/services/random] success: 9053bdcfd902aac3dfb59a9874c9cf55223b7d17
9053bdcfd902aac3dfb59a9874c9cf55223b7d17
You can view the functions source code typing the following in a JS console:
WL.EncryptedCache.secureRandom
If you're using Google Chrome developer tools there's a checkbox for Log XMLHttpRequests when you click on the gear icon > General > Console.
You can also try to request the URL directly. Assuming the host is localhost, port is 10080 and project name is wlproj:
http://localhost:10080/wlproj/apps/services/random
9053bdcfd902aac3dfb59a9874c9cf55223b7d17
You can view HTTP traffic with Wireshark or Charles Proxy.
I imagine this will fix the EOC issue for you, if you don't mind generating the random token locally (less security, AFAIK):
WL.EncryptedCache.secureRandom = function(callback){callback(Math.random()+"")}
For example:
Notice it never goes to the server, everything is done locally.
A user authenticated as anonymous has attempted to access a session owned by user:NewRealm/CN=test user,OU=Temporary Users,OU=Acc,DC=xxxx,DC=com.
This usually means that the session sent by the user (the session cookie) belongs to a user, but the LTPA token cookie was not sent or was not valid. There could be a few causes of this. The best way is to do a trace between DataPower and the Worklight server to make sure an LTPA token is even being sent to the Worklight server. If it is, verify that all of the LTPA requirements are met (synchronized time, same private key on both machines).