What is ClassName used for in the following?
<realms>
<realm name="CustomDeviceProvisioningRealm" loginModule="CustomDeviceProvisioningLoginModule">
<className>com.worklight.core.auth.ext.DeviceAutoProvisioningAuthenticator</className>
<parameter name="validate-csr-function" value="ProvisioningAdapter.validateCSR" />
</realm>
</realms>
Can I put more than one className in the same realm?
How can I merge a realm used for authentication with the realm used for device provisioning?
For example: merging the one at the top with this one:
<realm loginModule="BankingLoginModule" name="MobileBankingRealm">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="AuthenticationAdapter.onAuthRequired" />
<parameter name="logout-function" value="AuthenticationAdapter.onLogout" />
</realm>
and how will this reflect on the Mobile Security test?
The classname element designates which Java class implements the authenticator and/or login module.
There cannot be more than 1 per realm/login module.
The mentioned class names in your question are the default ones provided by Worklight.
These are public classes that can be extended, which may be what you're looking for, instead of "merging".
You can also create your own that implement WorklightAuthenticator and WorklightLoginModule interfaces.
We need to do LDAP authentication for login. It works fine for checking against a single AD server.
<loginModules>
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="${ldap.security.dom1.url}"/>
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="exists"/>
<parameter name="ldapSecurityPrincipalPattern" value="{username}"/>
</loginModule>
</loginModules>
It works fine if I use a single URL in ldapProviderUrl. I wanted to add two LDAP URLs, one as primary and the other as secondary. I tried adding comma-separated URLs, so that if the primary fails, it checks the secondary URL. The URLs are configured in worklight.properties as below:
ldap.security.dom1.url = LDAP://10.40.88.10/DC=10.40.88.10
ldap.security.dom2.url = LDAP://10.30.88.10/DC=10.30.88.10
The code is as below
<parameter name="ldapProviderUrl" value="${ldap.security.dom1.url},${ldap.security.dom2.url}"/>
But it throws the below error
LdapLoginModule authentication failed. Reason 'javax.naming.InvalidNameException: Invalid name: DC=10.30.28.10,LDAP://10.40.88.10/DC=10.40.88.10
at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111)
at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:74)
at javax.naming.ldap.LdapName.parse(LdapName.java:789)
at javax.naming.ldap.LdapName.<init>(LdapName.java:125)
at com.sun.jndi.ldap.LdapNameParser.parse(LdapNameParser.java:39)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:299)
Kindly advise.
According to the documentation found here, ldapProviderUrl is expected to be a single, RFC-2253 parsable URL or IP address. You're receiving this error because the module has no notion of a delimited "list" for this value.
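As an added example (not part of this thread and not IBM Worklight code), the following linter encodes the two rules stated in the answers above so that an authenticationConfig.xml can be checked before deployment: exactly one className per realm or loginModule, and a single LDAP URL in ldapProviderUrl rather than a comma-separated list. It also verifies that a realm's loginModule attribute and a security test's realm attribute resolve to declarations in the same file. The element and attribute names come from the fragments posted in the thread; the LDAP URL shape regex, the root element name and the constructed sample config are this example's own assumptions.

```python
"""Added example (not IBM Worklight code): a small linter for authenticationConfig.xml.

Rules checked:
  1. each <realm> and <loginModule> carries exactly one <className>;
  2. a realm's loginModule attribute names a loginModule declared in the file;
  3. ldapProviderUrl is a single LDAP URL (a comma-separated list is rejected);
  4. every realm referenced by a security test is declared in the file.
The URL shape regex and the assumption that referenced realms are declared in the
same file are simplifications made for this example.
"""
import re
import xml.etree.ElementTree as ET

# Assumed loose LDAP URL shape: ldap:// or ldaps:// (any case), host, optional port and DN.
LDAP_URL = re.compile(r"^ldaps?://[^/\s,]+(/.*)?$", re.IGNORECASE)


def _is_property_placeholder(value):
    """True for a single ${...} reference that worklight.properties resolves at runtime."""
    return value.startswith("${") and value.endswith("}") and value.count("${") == 1


def lint_auth_config(xml_text):
    """Return a list of findings (strings); an empty list means the config passed."""
    root = ET.fromstring(xml_text)
    findings = []
    login_modules = {lm.get("name"): lm for lm in root.iter("loginModule")}
    realms = {r.get("name"): r for r in root.iter("realm")}

    # Rule 1: exactly one className per realm and per loginModule.
    for kind, elems in (("realm", realms), ("loginModule", login_modules)):
        for name, elem in elems.items():
            count = len(elem.findall("className"))
            if count != 1:
                findings.append(f"{kind} '{name}': expected 1 className, found {count}")

    # Rule 2: the realm -> loginModule reference must resolve.
    for name, realm in realms.items():
        ref = realm.get("loginModule")
        if ref not in login_modules:
            findings.append(f"realm '{name}': unknown loginModule '{ref}'")

    # Rule 3: ldapProviderUrl holds one URL; the module has no notion of a list.
    for name, lm in login_modules.items():
        for param in lm.findall("parameter"):
            if param.get("name") != "ldapProviderUrl":
                continue
            value = param.get("value", "")
            if "," in value:
                findings.append(f"loginModule '{name}': ldapProviderUrl is a comma-separated list; only one URL is supported")
            elif not (_is_property_placeholder(value) or LDAP_URL.match(value)):
                findings.append(f"loginModule '{name}': ldapProviderUrl '{value}' is not a single LDAP URL")

    # Rule 4: security tests (testUser / test elements) may only reference declared realms.
    for tag in ("testUser", "test"):
        for elem in root.iter(tag):
            ref = elem.get("realm")
            if ref is not None and ref not in realms:
                findings.append(f"security test references unknown realm '{ref}'")
    return findings


# Constructed sample, not a real deployment: one clean realm, one realm with two
# classNames and a dangling loginModule reference, a comma list in ldapProviderUrl,
# and a security test pointing at a realm that is not declared.
SAMPLE_CONFIG = """<tenantSecurity>
  <realms>
    <realm name="MobileBankingRealm" loginModule="BankingLoginModule">
      <className>com.worklight.integration.auth.AdapterAuthenticator</className>
      <parameter name="login-function" value="AuthenticationAdapter.onAuthRequired"/>
    </realm>
    <realm name="BrokenRealm" loginModule="MissingModule">
      <className>com.example.FirstAuthenticator</className>
      <className>com.example.SecondAuthenticator</className>
    </realm>
  </realms>
  <loginModules>
    <loginModule name="BankingLoginModule">
      <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
    <loginModule name="LDAPLoginModule">
      <className>com.worklight.core.auth.ext.LdapLoginModule</className>
      <parameter name="ldapProviderUrl" value="${ldap.security.dom1.url},${ldap.security.dom2.url}"/>
    </loginModule>
  </loginModules>
  <securityTests>
    <mobileSecurityTest name="PushApplication-strong-mobile-securityTest">
      <testUser realm="NoSuchRealm"/>
      <testDeviceId provisioningType="none"/>
    </mobileSecurityTest>
  </securityTests>
</tenantSecurity>
"""

if __name__ == "__main__":
    for finding in lint_auth_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the real file by passing the file's text to lint_auth_config; the sample above produces four findings, one per rule. Built-in realms declared elsewhere than the file being checked would show up under rule 4, so extend the realms dictionary with those names if your deployment relies on them.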
I had a security test for login which is as below
<customSecurityTest name="SingleStepAuthAdapter-securityTest">
<test isInternalUserID="true" realm="SingleStepAuthRealm"/>
</customSecurityTest>
<realm loginModule="AuthLoginModule" name="SingleStepAuthRealm">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="AuthenticationService.onAuthRequired"/>
<parameter name="logout-function" value="AuthenticationService.onLogout"/>
</realm>
I have adapters that have to be called before login and they work fine until I put this piece of code in my authenticationConfig.xml for push notification:
<mobileSecurityTest name="PushApplication-strong-mobile-securityTest">
<testUser realm="SingleStepAuthRealm"/>
<testDeviceId provisioningType="none"/>
</mobileSecurityTest>
The adapters that are called before login, like forgot password, are not working and not giving any error. Can anyone help me in understanding why this issue exists? Do I need to put some wl_unprotected in these adapters? Because I have tried that too. Do I need to do anything else? I can give you more details if you need something else.
Please help.
Finally found the solution.
I was putting security test for whole android app when I removed it worked for me...
instead of this..
<android version="1.0" securityTest="PushApplication-strong-mobile-securityTest">
using this worked
<android version="1.0" >
I am currently trying to authenticate mobile application users using an LDAP loginModule with Worklight.
Instead of using the UID property as the username, I want to authenticate users by their email address (field "mail" in an LDAP user entry).
I read the IBM Worklight documentation and followed the tutorial, but I don't really understand how to do that with an LDAP login module.
I have tried this loginModule configuration:
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="ldap://localhost:389"/>
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="searchPattern"/>
<parameter name="ldapSecurityPrincipalPattern" value="{username}"/>
<parameter name="ldapSearchFilterPattern" value="(mail={username})"/>
<parameter name="ldapSearchBase" value="ou=people,dc=mycompany,dc=com"/>
</loginModule>
But the LDAP returns an error 409: invalid credentials.
Do you have an idea to help me?
Thank you very much !
Please use this link to get to know Worklight-related sample projects.
You can find the LDAP example project also under Authentication and security.
AFAIK:
Simple ldapSecurityAuthentication is used to send the password with the fully qualified DN as clear text, and it uses an LDAP Simple Bind request to connect to the LDAP server.
Strong ldapSecurityAuthentication is a much stronger authentication method that can require a signed certificate or another method of authenticating the user.
I am not sure about the None option for ldapSecurityAuthentication.
The above info I got from the LDAP admin. I am also new to LDAP.
Thank you for your answers which help me a lot to understand.
The application requirements changed in the beginning of the week and I need now to authenticate users with the UID.
I have succeeded with this configuration :
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="ldap://localhost:389"/>
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="searchPattern"/>
<parameter name="ldapSecurityPrincipalPattern" value="uid={username},OU=people,DC=mycompany,DC=com"/>
<parameter name="ldapSearchFilterPattern" value="(uid={username})"/>
<parameter name="ldapSearchBase" value="OU=people,DC=mycompany,DC=com"/>
</loginModule>
It works very well, so my problem is resolved.
However, to resolve this post, I am still trying to authenticate users with an e-mail address but I don't know how to do this. Maybe the only solution is to use a custom authentication module and an LDAP Java library?
Thanks a lot.
I am using IBM Worklight 6.1 and trying to check if the user is authenticated or not:
I have a Realm defined in server/conf/authenticationConfig.xml
<realm name="myRealm" loginModule="myLoginModule">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="authentication.onAuthRequired" />
<parameter name="logout-function" value="authentication.onLogout" />
</realm>
and its login module
<loginModule name="myLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
and after logging in, or even before that, when I try to check if the user is authenticated or not using
WL.Client.isUserAuthenticated("myRealm")
I have the following response
Unknown realm [myRealm]. null returned for key: isUserAuthenticated
Does anyone have an idea about that?
Is there something wrong with my Realm definition ?
Is there a better way to check if a user is authenticated ?
Did you first call WL.Client.updateUserInfo()?
From the documentation:
updateUserInfo(options)
This method refreshes user data after an exception. Use this method when the application receives an exception after calling the invokeProcedure() method. The method refreshes the data for the following methods:
WL.Client.getUserName(realm)
WL.Client.getLoginName(realm)
WL.Client.isUserAuthenticated(realm)
After such an exception, you can verify the user authentication status by calling this function first, and then the isUserAuthenticated() method.
Parameters: options - Optional. A standard options object.
On the same server, I need to deploy two versions of the same webapp (one for production and another for validation).
These two webapps use authentication with different databases.
I am struggling with the implementation of two different contexts for the two apps.
I have implemented the following code in server.xml but the authentication doesn't work anymore:
<Context path="http://localhost:8080/myapp1" docBase="/path/webapps/myapp1.war" debug="0" privileged="true">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.postgresql.Driver" digest="MD5"
connectionURL="jdbc:postgresql://localhost/postgres_prod?user=postgres&amp;password=postgres"
userTable="utilisateurs" userNameCol="login" userCredCol="password"
userRoleTable="user_roles" roleNameCol="role_name" resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
</Context>
<Context path="http://localhost:8080/myapp2" docBase="/path/webapps/myapp2.war" debug="0" privileged="true">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="org.postgresql.Driver" digest="MD5"
connectionURL="jdbc:postgresql://localhost/postgres_val?user=postgres&amp;password=postgres"
userTable="utilisateurs" userNameCol="login" userCredCol="password"
userRoleTable="user_roles" roleNameCol="role_name" resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
</Context>
I don't understand if I need to change something else in web.xml or tomcat-users.xml.
The authentication works when I test it with just one app (when I don't need a Context tag).
Thank you in advance for your help !
I moved the content of the two Context tags into the context.xml file of the two applications.
Another resolved problem: with this part of the code in server.xml I was not able to log in as the Tomcat manager.