Server security configuration for WLClientLogReceiver - ibm-mobilefirst

I have a Worklight app and I am trying to set up an adapter to capture client-side logs from it. (I have first tried to use Analytics, but it keeps crashing with PermGen out of memory error, perhaps I will have to look at it if this fails.) I followed the steps described in http://www-01.ibm.com/support/knowledgecenter/#!/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/devref/c_uploaded_client_log_data.html up to "Server security". I have no idea how to actually configure the server realm/security check/etc. for the log uploader servlet. Currently it returns this error (both on development and production server):
[ERROR ] FWLSE0059E: Login into realm 'WLRemoteDisableNullLoginModule' failed. Cannot find application 'null'. [project Project]
Cannot find application 'null'
[ERROR ] FWLSE0117E: Error code: 4, error description: AUTHENTICATION_ERROR, error message: An error occurred while performing authentication using loginModule WLRemoteDisableNullLoginModule, User Identity {wl_directUpdateRealm=null, wl_authenticityRealm=null, Project=(name:2, loginModule:ProjectLoginModule), wl_remoteDisableRealm=null, SampleAppRealm=null, wl_antiXSRFRealm=null, wl_deviceAutoProvisioningRealm=null, WorklightConsole=null, wl_deviceNoProvisioningRealm=null, myserver=(name:2, loginModule:ProjectLoginModule), wl_anonymousUserRealm=null}. [project Project] [project Project]
[ERROR ] FWLSE0059E: Login into realm 'WLRemoteDisableNullLoginModule' failed. Cannot find application 'null'. [project Project]
Cannot find application 'null'
[ERROR ] FWLSE0117E: Error code: 4, error description: AUTHENTICATION_ERROR, error message: An error occurred while performing authentication using loginModule WLRemoteDisableNullLoginModule, User Identity {wl_directUpdateRealm=null, wl_authenticityRealm=null, Project=(name:2, loginModule:ProjectLoginModule), wl_remoteDisableRealm=null, SampleAppRealm=null, wl_antiXSRFRealm=null, wl_deviceAutoProvisioningRealm=null, WorklightConsole=null, wl_deviceNoProvisioningRealm=null, myserver=(name:2, loginModule:ProjectLoginModule), wl_anonymousUserRealm=null}. [project Project] [project Project]
[ERROR ] com.worklight.core.messages:Invoke procedure failed due to: null
[ERROR ] com.worklight.core.messages:Invoke procedure failed due to: null
I tried uncommenting the customTests section in authenticationConfig.xml containing the wl_remoteDisableRealm, but to no avail.
How should this be configured?

I see from your comment you got it working. We did not want to duplicate documentation for authenticationConfig.xml and risk it getting out of sync on the "Server preparation for uploaded log data" KnowledgeCenter topic page in the "Server security" section. That said, we should have provided a link to the Worklight Security Framework topic page.
There is nothing special or unique about the configuration of the log receiver servlet in the context of security. The point being made in that section is that if you configure authenticationConfig.xml so that security issues challenges to the app that require user interaction, you should
send logs only when you are sure you are already authenticated, or
change security constraints such that the log upload servlet URL authentication does not require user interaction
If you leave these in place, the risk is that the end-user will see a random prompt for credentials when they do not expect it.
The reason the "Server preparation for uploaded log data"

Related

Domain glassfish requires authentication with the realm 'dolmen'

In my work I give support to users, and the following problem has been sent to me.
Logs Jenkins: (Automated tests that run in the night)
[HttpAuthenticationRequestFilter$UPDCredentialsProvider] Domain
request authentication with the realm 'dolmen'
Logs Server:
23/01/2018 01:28:25.637 [http-thread-pool-8080(15)] WARN java.util.logging.Logger.doLog WEB9102: Web Login Failed:
com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Security Exception
23/01/2018 01:28:25.646 [http-thread-pool-8080(29)] ERROR java.util.logging.Logger.doLog jdbcrealm.invaliduserreason
Via asadmin I've checked that the realm dolmen exists
asadmin> list-auth-realms
Authentication failed with password from login store: /root/.asadminpass
Enter admin password for user "admin">
admin-realm
file
certificate
dolmen
pnf-realm
Command list-auth-realms executed successfully.
asadmin>
What could be the problem?
UPDATE 1)
I was able to reproduce the error in SOAPUI. During the call to the web service, I noticed that if I change a letter in the login user or password, I can see the error message: "request authentication with the realm 'dolmen'"
Log SOAPUI:
But as you can see, in the image "Log SOAPUI:" I also have a HTTP 401.
In SoapUI Preferences, I noticed that the option "Authenticate Preemptively" was disabled. After enabling the option "Authenticate Preemptively" I was able to finish a test on my local machine without error.
On the machine where Jenkins is installed (where the automated tests run in the night), I noticed that the file soapui-preferences.xml does not exist. So maybe the solution for the problem is here.
I'm waiting for a time frame to be able to test without impacting testers.
I will keep you posted.
UPDATE 2)
To get rid of this problem I've rebuilt my glassfish domain.
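The behaviour described in UPDATE 1 (a 401 that appears only when "Authenticate Preemptively" is off) is the normal two-leg HTTP Basic flow: without preemptive authentication the client's first request carries no credentials, the server answers 401 with a WWW-Authenticate challenge naming the realm, and only the retry carries the Authorization header. The following is an added model of that exchange, not SoapUI or GlassFish code; the realm name "dolmen" is taken from the question and the user/password pair is constructed. It shows that a 401 on the first leg says nothing about the credentials, while a 401 on the retry (or on a preemptive request) means the credentials were rejected.

```python
import base64
import hmac

# Constructed credential store for the model server; the realm name comes
# from the question, the user and password are made up for this example.
REALM = "dolmen"
USERS = {"tester": "s3cret"}


def _challenge():
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def server_handle(headers):
    """Model of a resource protected by HTTP Basic auth.

    Returns (status, response_headers). A request without an Authorization
    header gets the realm challenge; malformed or wrong credentials also get
    401 so the client cannot tell the two failure kinds apart.
    """
    auth = headers.get("Authorization")
    if auth is None or not auth.startswith("Basic "):
        return _challenge()
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return _challenge()
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # Constant-time comparison so response timing does not leak which
    # characters of the password matched.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return _challenge()
    return 200, {}


def basic_header(user, password):
    """Build the Authorization header a Basic-auth client sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def client_exchange(user, password, preemptive):
    """Model the client side and return the status codes it observes.

    preemptive=False: the first request is sent without credentials; the
    client reacts to the 401 challenge by retrying with Authorization set.
    preemptive=True: credentials go out on the very first request.
    """
    statuses = []
    first_headers = basic_header(user, password) if preemptive else {}
    status, resp = server_handle(first_headers)
    statuses.append(status)
    if status == 401 and not preemptive and "WWW-Authenticate" in resp:
        status, _ = server_handle(basic_header(user, password))
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    for mode in (False, True):
        print("preemptive" if mode else "challenge ", client_exchange("tester", "s3cret", mode))
        print("preemptive" if mode else "challenge ", client_exchange("tester", "wrong", mode))
```

Read against the question: the Jenkins run without a soapui-preferences.xml behaves like `preemptive=False`, so its first leg is always a 401; the server-side "Login failed" lines only become meaningful on the second leg.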

Converting to SSL Trashing datasource

Got my web site pretty much set the way I needed it, so I went ahead and converted the site to SSL, installing a certificate, then rebuilt my project and pushed it up to the sub folder, figuring that would be it. It wasn't the case!
What I have is a two-tiered web site with a landing site that is Anonymous and then an application sub-site in a subfolder which uses Windows authentication. The landing site/page works fine, but when you click on the link to launch the web app and initiate the web app in the sub folder where the Windows authentication is taking place, you are prompted for credentials as you should be, but upon validation you get this error:
Server Error in '/CInTrac' Application.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for
user 'NT AUTHORITY\ANONYMOUS LOGON'.
Source Error:
An unhandled exception was generated during the execution of the current
web request. Information regarding the origin and location of the exception
can be identified using the exception stack trace below.
Stack Trace:
[SqlException (0x80131904): Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.]
Now admittedly this is my first time setting up SSL, so I'm sure that there are things that I could be missing here and I've likely made some mistakes, but what on earth would cause this to act this way? There are no anonymous calls in the code at all and this runs fine in VS on the desktop. It did run fine prior to setting up the certificate on the server.
Any suggestions would be greatly appreciated!
Thanks
Ken...
For some reason, I had to switch to using Basic Authentication with ASP.NET Impersonation enabled (Impersonating the authenticated user) in order to get this to work with the SSL certificate in place. After doing so all was fine.

Initialization failure on MobileFirst Custom Authentication

When testing my IBM MobileFirst 7.1 Application with a custom Login Module against a server, I am getting the following log:
[6/15/16 13:21:47:785 COT] 000000f3 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'CustomAuthenticatorRealm': com.httpclient.AuthClient (initialization failure) [project MyProject]
I understand that Authentication failure is a very common log. However, I would like to know if anyone knows about the meaning of (initialization failure) part. What could be the problem here?
You didn't really provide anything to base an investigation on, like which device this is (Android or iOS or?), what the app type is (hybrid or native), how you implemented your custom authentication class and so on...
From what it seems, this specific error may happen when there is a conflict between different http clients. If you are using several, then use only the one bundled by IBM Mobilefirst. If you are not, then provide much more information and more complete logs.

Apps seem to be "lost connection" with MobileFirst/backend server

If we keep our WL apps in the background for a while, they seem to lose connection with the MF server. I thought this could be related to features defined in application-descriptor.xml, as there's an accessTokenExpiration attribute with a value of 3600, and the MF server logged the errors below:
[ERROR ] FWLSE4007E: Received bad token from client. Server token:'46ejj4elqjtg3vrn8j4qaql8es', client token:'2kvma3lscib0h1q5dlu7mak818'. [project Dummy]
[ERROR ] FWLSE4007E: Received bad token from client. Server token:'k8irk7mftj0j4ostbbba7smqto', client token:'mptvg1t1l4n8e7qfr1ratrcf30'. [project Dummy]
[ERROR ] FWLSE4007E: Received bad token from client. Server token:'dhfjgut9aku08hcm88rlb9rjo2', client token:'46ejj4elqjtg3vrn8j4qaql8es'. [project Dummy]
[ERROR ] FWLSE4007E: Received bad token from client. Server token:'mdva1p1nt428oii6nvd91n7vu5', client token:'46ejj4elqjtg3vrn8j4qaql8es'. [project Dummy]
[ERROR ] FWLSE4007E: Received bad token from client. Server token:'jmbvd7ocaoj4gb709n0b3mh62g', client token:'dhfjgut9aku08hcm88rlb9rjo2'. [project Dummy]
[ERROR ] FWLSE4007E: Received bad token from client. Server token:'tv1t1blffk8sekc1422oq6s64a', client token:'mdva1p1nt428oii6nvd91n7vu5'. [project Dummy]
[ERROR ] FWLSE4007E: Received bad token from client. Server token:'sh06en0ihc0i7dvd77fpkrj57s', client token:'jmbvd7ocaoj4gb709n0b3mh62g'. [project Dummy]
[ERROR ] FWLSE4007E: Received bad token from client. Server token:'6070lc7pafqusf4jslhsh8a49b', client token:'tv1t1blffk8sekc1422oq6s64a'. [project Dummy]
[ERROR ] FWLSE4007E: Received bad token from client. Server token:'vhds5i92t64pkfn3htdcjr3749', client token:'6070lc7pafqusf4jslhsh8a49b'. [project Dummy]
So the connection expires after too short a time. And how can we make a "remember me" function between MobileFirst and the client so that, unless the end-users quit the app, they will always stay logged in?
Session timeout
In the server\conf\worklight.properties file, take a look at the property named serverSessionTimeout.
The default is 10 minutes, which means that if the server does not get any request from that client within 10 minutes, the session will expire with everything attached to it. As long as the user is active, the session is renewed. Keep in mind that a longer session timeout may increase the server's memory usage.
There is also a feature called heartbeat, that sends a ping to the server to keep the session alive, but this only works when your application is in the foreground.
If your application is native, I guess you could implement your own heartbeat to keep it alive.
Token expiration
In the application-descriptor.xml, the element accessTokenExpiration will define the default OAuth token expiration for this specific application. The default is 3600 seconds (1 hour), which means that from the moment the user logs in, they have 1 hour of trusted access, whether or not they are active.
Realm expiration
In the authenticationConfig.xml file, each loginModule has an expirationInSeconds property. Similar to the one above, it will define how long the user is trusted after they have logged in to this specific login module / realm. When the expiration happens, the server will send a new challenge for the associated realm.
In 7.0, -1 means the user is trusted until serverSessionTimeout happens. In 7.1, -1 is no longer a valid value.
If any of the above is expired, the client may need to get a new token. Depending on the expiration of each loginModule, the user may or may not receive a new challenge.
Remember Me Sample
The RememberMe sample (https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-1/foundation/advanced-topics/remember-me/) uses the idea of storing the unique Client-ID to an external database to automatically login the user when his session has expired.
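The answer above describes three independent clocks (the idle session timeout from serverSessionTimeout, the absolute OAuth token lifetime from accessTokenExpiration, and each realm's expirationInSeconds) and notes that a heartbeat only renews the session while the app is in the foreground. The block below is an added simulation of how those clocks interact; it is not MobileFirst server code and the values (a 600-second session timeout, a 3600-second token and one hypothetical realm "SampleAppRealm" with a 1800-second expiry) are assumptions chosen to match the answer's defaults. It replays a sequence of requests and heartbeats and reports, per request, whether the client gets served as is, must fetch a new token, or must answer a fresh realm challenge, including the "app sat in the background past the session timeout" case from the question.

```python
from dataclasses import dataclass, field

# Assumed values modelled on the answer: serverSessionTimeout of 10 minutes,
# accessTokenExpiration of 3600 s, and a hypothetical realm with its own
# expirationInSeconds. -1 stands for "trusted until the session expires"
# (the 7.0 semantics the answer mentions).
SERVER_SESSION_TIMEOUT = 10 * 60
ACCESS_TOKEN_EXPIRATION = 3600
REALM_EXPIRATION = {"SampleAppRealm": 1800}


@dataclass
class ClientState:
    last_activity: int                      # last request/heartbeat the server saw
    token_issued: int                       # when the current OAuth token was issued
    realm_login: dict = field(default_factory=dict)  # realm name -> login time


def check_request(now, state):
    """Return the steps the client must take before this request is served.

    Order follows the answer: an idle session takes the token and all realm
    logins with it; otherwise an expired token forces a refresh and an
    expired realm forces a challenge for that realm only. [] means served.
    """
    actions = []
    if now - state.last_activity > SERVER_SESSION_TIMEOUT:
        actions.append("new_session")
        actions.append("new_token")
        actions.extend(f"challenge:{realm}" for realm in state.realm_login)
        return actions
    if now - state.token_issued > ACCESS_TOKEN_EXPIRATION:
        actions.append("new_token")
    for realm, login_time in state.realm_login.items():
        expiry = REALM_EXPIRATION.get(realm, -1)
        if expiry == -1:
            continue  # trusted for as long as the session lives
        if now - login_time > expiry:
            actions.append(f"challenge:{realm}")
    return actions


def simulate(events):
    """Replay (time, kind) events with kind in {"request", "heartbeat"}.

    A heartbeat only keeps the session alive (what the answer says the
    foreground heartbeat does). Each request's required actions are applied
    to the state so later events see the refreshed token / realm login.
    Returns a list of (time, actions) for the requests.
    """
    state = ClientState(last_activity=0, token_issued=0,
                        realm_login={"SampleAppRealm": 0})
    results = []
    for t, kind in events:
        if kind == "heartbeat":
            state.last_activity = t
            continue
        actions = check_request(t, state)
        if "new_token" in actions:
            state.token_issued = t
        for action in actions:
            if action.startswith("challenge:"):
                state.realm_login[action.split(":", 1)[1]] = t
        state.last_activity = t
        results.append((t, actions))
    return results


if __name__ == "__main__":
    # Constructed timeline: two quick requests, then the app sits in the
    # background for 15 minutes, then heartbeats keep the session alive
    # while the realm and later the token expire on their own clocks.
    timeline = [(0, "request"), (300, "request"), (1200, "request"), (1500, "request")]
    timeline += [(t, "heartbeat") for t in range(1800, 3301, 300)]
    timeline += [(3500, "request")]
    timeline += [(t, "heartbeat") for t in range(3800, 4701, 300)]
    timeline += [(5000, "request")]
    for t, actions in simulate(timeline):
        print(f"t={t:5d}s  {actions or 'served'}")
```

The request at t=1200 is the question's scenario: nothing was heard from the client for 900 seconds, so the session is gone and the token attached to it is no longer accepted, regardless of the 3600-second accessTokenExpiration. Later requests show the two other clocks firing separately once heartbeats keep the session alive.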
You can configure expiration tokens in the server\conf\worklight.properties file.
There is also a "Remember Me" tutorial and sample application, based on MobileFirst Platform 7.1: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-7-1/foundation/advanced-topics/remember-me/

WSO2 IS and API Manager SAML SSO - Login to store/publisher fail

I configured IS and AM with SAML SSO as described in the official documentation.
SSO login for the AM console functions well; I can log in as admin using the unique credentials as defined in IS.
When I try to log in to the publisher or store, the login is redirected to the IS SamlSSO page as expected, but when I enter uid/pwd, the browser is redirected to the publisher login page asking for user credentials. The AM carbon log reports this WARN and ERROR:
TID: [0] [AM] [2014-05-07 17:27:28,171] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} -
Illegal access attempt at [2014-05-07 17:27:28,0171] from IP address 192.168.50.60 :
Service is RemoteAuthorizationManagerService
{org.wso2.carbon.server.admin.module.handler.AuthenticationHandler}
TID: [0] [AM] [2014-05-07 17:27:28,172] ERROR {org.apache.axis2.engine.AxisEngine} -
Access Denied. Please login first. {org.apache.axis2.engine.AxisEngine} org.apache.axis2.AxisFault: Access Denied. Please login first.
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:97)
Any suggestions on how to solve this?
Giovanni,
I made contact with WSO2 as I had the same problem and they directed me to https://wso2.org/jira/browse/APIMANAGER-2118
It appears that there may be a bug in the priority of the SAMLSSOAuthentication and Basic Authentication. I followed the points in the above link and modified the APIMHOME/repository/conf/security/authenticators.xml and changed the priority for SAMLSSO from 10 to 0.
I am now able to move between store/publisher and also carbon for API Manager, Identity Server also BAM.
Hope this helps
Carl.