Multiple securityTest in app with hybrid and web environment - ibm-mobilefirst

I am developing an app which has both Hybrid App and MobileWebApp.
I am currently using mobileSecurityTest but that breaks for MobileWebApp as wl_deviceNoProvisioningRealm does not work.
Can someone please guide me?
Thanks in advance.

You can't protect an adapter with two security tests. If you want to protect an adapter in both the mobile and web environments, the security test you use must be the lowest common set of realms. Basically you need two security tests: one for the mobile environment, one for the web environment. The security test for the mobile environment should contain the same realms that the web environment security test has, plus the realms for device authentication (e.g. wl_deviceNoProvisioningRealm). Once you have them, protect the adapter procedures with the web environment security test and protect your mobile environment with the mobile environment security test. You can read more about it here: https://www.ibm.com/developerworks/community/blogs/worklight/entry/understanding_predefined_worklight_authentication_realms_and_security_tests11?lang=en
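The split the answer describes, written out as an added configuration example (not taken from the question, the answer or IBM's documentation). The realm name SampleAppRealm, the two test names, the adapter and procedure names are assumed; the realm and its login module are assumed to be defined elsewhere in authenticationConfig.xml:

```xml
<!-- server/conf/authenticationConfig.xml: two security tests sharing one user realm.
     Assumed: SampleAppRealm is a user realm already defined in this file. -->
<securityTests>
    <!-- Web environments (MobileWebApp, desktopBrowser): user realm only.
         A webSecurityTest also enforces wl_antiXSRFRealm implicitly. -->
    <webSecurityTest name="SampleAppRealm-web-test">
        <testUser realm="SampleAppRealm"/>
    </webSecurityTest>

    <!-- Hybrid/native environments: the same user realm plus device authentication.
         testDeviceId provisioningType="none" is what maps to wl_deviceNoProvisioningRealm. -->
    <mobileSecurityTest name="SampleAppRealm-mobile-test">
        <testUser realm="SampleAppRealm"/>
        <testDeviceId provisioningType="none"/>
    </mobileSecurityTest>
</securityTests>

<!-- adapters/SampleAdapter/SampleAdapter.xml (fragment): procedures get the lowest common
     set of realms, i.e. the web test, so the MobileWebApp environment can still call them. -->
<procedure name="getSecretData" securityTest="SampleAppRealm-web-test"/>

<!-- application-descriptor.xml (fragment): the stronger test is attached only to the
     hybrid environments, which is where device authentication is enforced. -->
<android version="1.0" securityTest="SampleAppRealm-mobile-test">
    <worklightSettings include="false"/>
</android>
<iphone version="1.0" securityTest="SampleAppRealm-mobile-test">
    <worklightSettings include="false"/>
</iphone>
<!-- The MobileWebApp environment carries no device realm; it is covered by the
     web test on the adapter procedures. -->
<mobileWebApp version="1.0"/>
```

The practical consequence to keep in mind: because the procedure is protected only by the web test, device authentication is never checked at the adapter layer. It is checked when the hybrid app itself authenticates, so a user in the MobileWebApp environment who passes the user realm can reach the same procedures without a device identity. If a procedure must be reachable from hybrid clients only, it needs its own adapter (or its own procedure) protected with the mobile test.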

Related

Auto-Trust internal-only services in IdentityServer environment

We have to develop a larger application with an Angular app on top and a lot of ASP.NET Core based microservices under the hood.
We also have to support external applications.
The external applications can be services without a UI and also user GUI client applications.
Now the requirement is that all internal microservices are trusted automatically and only for external applications should the user get the trust workflow in IdentityServer.
We're not sure how the workflow should be configured, or what it is named, in this scenario.
I think we need two different workflow configurations for internal and external application trusts.
Can anybody point me in the right direction as to which workflow and configuration best fits our requirement?
We have to support the following providers:
- Simple forms authentication for our platform
- External Azure Active Directory

Securing REST API across environments

I have a REST API developed using Mule. It is deployed on-prem in Test and SystemTest environments. I can see that using Postman we can hit both the Test and SystemTest APIs.
How do I make sure only applications can consume the API in the appropriate environments? There are system user IDs for each environment (C-users) and passwords which can be given to application consumers. The credentials need to be validated against the Active Directory LDAP server.
How can we achieve this via Mule ESB?
For example: application a1 running in Test should be able to consume only the API running in Test.
Vinay,
I assume that the option of having multiple environments is not achievable.
Do you have access to Anypoint Platform? If you do, you can register your API there and generate a client ID per environment.
Then you can apply the Client ID Enforcement policy.

Deploying MobileFirst application on existing single-node WebSphere that has existing application

Application Server: AIX V7.1, WebSphere Application Server V8.5.5.4, Java SDK V7.0.8, MobileFirst Platform Foundation 6.3, DB2 V10.1 client
Database Server: AIX V7.1, DB2 V10.1
We have a MobileFirst application that is our mobile front-end to an existing application. The existing application is a WebSphere application that provides RESTful web services. The MobileFirst application interfaces with the existing WebSphere application via a MobileFirst adapter. The RESTful web service URLs are protected URLs; authentication is done using LDAP and an LTPA token is created. The LDAP is configured in WebSphere via the WAS console.
Our MobileFirst application works fine and can connect to and use the RESTful web services, but only if the MobileFirst application is running in a separate WebSphere profile or on a separate WebSphere server. If we attempt to install the MobileFirst application into the same WebSphere profile as our existing WebSphere application that provides the RESTful web services, it breaks. The mobile device authenticates with MobileFirst successfully and then calls the adapter to invoke the RESTful web service. However, the next adapter invocation from the mobile device ends with an HTTP 401 error, which is an authorization error.
I'm speculating that after the adapter authenticates with our existing WebSphere application that provides the web services, somehow this is overwriting the authentication that was done between the mobile device and MobileFirst.
My questions are as follows.
Can both the MobileFirst application and our existing WebSphere application that provides the RESTful web services run in the same WebSphere profile and share the LTPA token, such that when the mobile device authenticates with MobileFirst it would also be authorized to execute the web services running in the same WebSphere profile?
Is it advisable to run both applications in the same WebSphere profile, or should they be running in separate profiles or on separate servers?
Cost is a concern as we do not necessarily want the additional operational cost of adding a physically separate server just to run MobileFirst.
From an operational perspective, it is additional work to add and maintain multiple WAS profiles.
Ideally, we would really like to run both applications in the same WebSphere profile.
Here is a Google Drive link (no signin required) to the trace.log, SystemOut.log, SystemErr.log, and firebug-console.html
MobileFirst Trace log
The MobileFirst application was run in a browser using "Preview as Common Resources". I get the same result when using an actual Android or iOS device. The MobileFirst application WAR was run in the same WAS profile as the web services WAR that it was accessing through the adapter. This same code works successfully when the MobileFirst application WAR is running in a separate WAS profile or on a separate WAS server.
Please advise.
I have resolved the issue myself. This was a codebase that my team had inherited from another team.
What was happening was that the mobile device was initiating a connection to MobileFirst running on WebSphere, which creates a JSESSIONID cookie and an LTPA2Token cookie. Then an adapter was being called that invoked an HTTP call to a web service running in the same WebSphere profile. Calling the web service created new JSESSIONID and LTPA2Token cookies. These new cookies were being returned to the mobile device, and JavaScript code on the mobile device was taking those new cookie values and overwriting document.cookie, which wiped out the original cookies. Then when the mobile device attempted to connect to MobileFirst on a subsequent call, its session was invalid and it ended up getting an HTTP 401 error, which is an authorization error. So we attribute this problem to a poor implementation of our application.

Can I use Azure Mobile (Zumo) authentication with SPA apps on a mobile device?

I'm interested in using Azure Mobile Services with SPA applications... perhaps with PhoneGap and/or Kendo UI as well.
I would like to add authentication to my app, and am looking at Azure Mobile Services. What isn't clear to me is whether I can use Zumo (Mobile Services) to authenticate my app?
Example
User downloads app from store (or uses HTML5 caching to store the app)
The SPA app connects to Azure Mobile to get the OAUTH credentials
The Credentials secure my REST calls to the database (as secured by Azure Mobile)
Can anyone clarify if this architecture is possible?
You can definitely do this. If you go into the quickstart page after creating a new Mobile Service, you'll see one of the supported platforms is HTML/JS. You can download that quickstart application to run a local website that will connect to your Mobile Service and can set up authentication using this flow (http://www.windowsazure.com/en-us/develop/mobile/tutorials/get-started-with-users-html/). Dropping this into a PhoneGap application is very simple and just requires downloading the jQuery and Mobile Services JavaScript files locally (PhoneGap can't reference remote JS files). The bulk of the HTML can be exactly the same. You'll just need to take the JS from the HTML/JS quickstart and drop it into the onReady method (I believe that's what PhoneGap calls once the device is ready for you to use). Hope that helps.

App to app communication and security

I have client apps that talk to my Silverlight application and its web services. So the client app is running on the client machine and making calls directly to the Silverlight app running on the machine, and also making web service calls.
I want the username/password security to be handled by the 3rd-party client app.
Any idea how I can do this?
I'd try the Application Scenarios, Guidelines and How Tos sections of this CodePlex link. You should be able to find a scenario that matches closely to yours and follow the guidelines and configuration to get yourself going.
If I've understood this correctly, the client application would pass a username/password to your Silverlight app, which would require a wsHttpBinding that has clientCredentials="Username". You would need to be able to authenticate this against a user store configured on your server; for example, you could configure a SQL Server provider.
I'm not sure how your 3rd-party client app works, but you would require a separate security configuration for that communication. You could use a less secure binding if the apps were on the same machine and possibly use clientCredentials="Windows"/"None"/"Basic".
Difficult to advise further without knowing your exact situation. What do you have so far?
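What the "wsHttpBinding with username credentials, validated against a SQL Server provider" suggestion looks like as a service-side web.config, added here as an illustration rather than code from the question or the answer. The service and contract names, the certificate subject name and the connection string name are assumed; the membership schema is the standard one created by aspnet_regsql:

```xml
<!-- web.config of the WCF service host. Assumed names: MyCompany.Services.OrderService,
     MyCompany.Contracts.IOrderService, certificate subject "orderservice.example.com",
     connection string "MembershipDb". -->
<configuration>
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"/>
  </connectionStrings>

  <system.web>
    <!-- User store: the stock SQL membership provider. Password retrieval stays off so the
         store holds only hashed passwords. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear/>
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/OrderService"
             enablePasswordRetrieval="false"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="12"/>
      </providers>
    </membership>
  </system.web>

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Message security: the client encrypts the UserName token with the service
             certificate, so the password is not sent in the clear even over plain HTTP. -->
        <binding name="UserNameMessageBinding">
          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <behaviors>
      <serviceBehaviors>
        <behavior name="MembershipAuthBehavior">
          <serviceCredentials>
            <!-- Validate the UserName token against the membership provider declared above. -->
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                    membershipProviderName="SqlProvider"/>
            <!-- Certificate (with private key) in LocalMachine\My that clients encrypt to. -->
            <serviceCertificate findValue="orderservice.example.com"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectName"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>

    <services>
      <service name="MyCompany.Services.OrderService"
               behaviorConfiguration="MembershipAuthBehavior">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="UserNameMessageBinding"
                  contract="MyCompany.Contracts.IOrderService"/>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

On the calling side the 3rd-party application sets ClientCredentials.UserName.UserName and ClientCredentials.UserName.Password on its generated proxy before the first call; the binding takes care of encrypting the token. The two things that commonly go wrong are the service certificate (the app pool identity needs read access to its private key) and the membership schema not being present in the target database, both of which surface as a MessageSecurityException on the client rather than as a clear server-side error, so check the service's trace log first.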