We have an HTTP adapter with a couple of secure procedures declared as follows:
<wl:adapter name="PushAdapter" ...
.
.
<procedure name="submitNotification" securityTest="AdapterSecurityTest"/>
<procedure name="submitNotificationMass" securityTest="AdapterSecurityTest"/>
Security test is performed using adapter based authentication as below:
<securityTests>
<mobileSecurityTest name="AdapterSecurityTest">
<testUser realm="MyRealm"/>
<testDeviceId provisioningType="none"/>
</mobileSecurityTest>
</securityTests>
<realms>
<realm name="MyRealm" loginModule="NonValidatingLoginModule">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function">AuthenticationAdapter.onAuthRequired</parameter>
<parameter name="logout-function">AuthenticationAdapter.onLogout</parameter>
</realm>
</realms>
We need to be able to invoke the adapter procedures in HTTP using the adapter invocation service. Using the invocation service, the invocation URL should be as below:
http://<server>:<port>/<Context>/invoke?adapter=PushAdapter&procedure=submitNotification¶meters=[userId, notification text to be sent]
The invocation works as expected when the procedure security test is set to 'wl_unprotected'. But if the security test is used, the invocation returns the below response:
/*-secure-{"WL-Authentication-Failure":{"wl_remoteDisableRealm":{"reason":"Login Failed"}}}*/
The question is, how can we authenticate using the invocation service? We tried setting the authorization HTTP header with now luck.
Thank you
I have followed the procedure's to implement with the help Adapter based Authentication from Worklight 6.2 Samples.
Step 1:
Add the following value's in header, based your environment actuals
x-wl-app-details:{"applicationDetails":{"platformVersion":"6.2.0.00.20140613-0730","nativeVersion":""}}
x-wl-app-version:1.0
Request: http://x.x.x.x:10080/AdapterBasedAuth/apps/services/api/SingleStepAuth/common/init
Response:
/*-secure- {"challenges":{"wl_antiXSRFRealm":{"WL-Instance-Id":"gi1cqaqd3p89763l1amoklsq3u"}}}*/
Step 2:
Add the WL-Instance-Id: gi1cqaqd3p89763l1amoklsq3u in the header which was the part of previous response
Request:
http://xx.xx.xx.xx:10080/AdapterBasedAuth/apps/services/api/SingleStepAuth/common/query?adapter=SingleStepAuthAdapter&procedure=submitAuthentication¶meters=['worklight','worklight']
Response:
/*-secure-
{"isSuccessful":true,"WL-Authentication-Success":{"SingleStepAuthRealm":{"userId":"worklight","isUserAuthenticated":1,"attributes":{"foo":"bar"},"displayName":"worklight"},"wl_antiXSRFRealm":{"userId":"j136h3aus2v1vlbjr860mmossc","attributes":{},"isUserAuthenticated":1,"displayName":"j136h3aus2v1vlbjr860mmossc"},"wl_anonymousUserRealm":{"userId":"747809a4-3574-4958-a55a-f084b2c9f02c","attributes":{},"isUserAuthenticated":1,"displayName":"747809a4-3574-4958-a55a-f084b2c9f02c"}},"authRequired":false}*/
Step 3:
Add Authorization header and the value from previous response
"SingleStepAuthRealm":{"userId":"worklight","isUserAuthenticated":1,"attributes":{"foo":"bar"},"displayName":"worklight"}
Request: http://xx.xx.xx.xx:10080/AdapterBasedAuth/apps/services/api/SingleStepAuth/common/query?adapter=SingleStepAuthAdapter&procedure=getSecretData
Response:
/*-secure-
{"isSuccessful":true,"secretData":"A very very very very secret data"}*/
To know more about this process follow this IBM Community Blog.
I believe this what you are looking for.
Related
Is there a way to setup apigee to use external authentication server, to better explain the situation:
we generate a token from an app (test.app.com/services/oauth2/token)
we send this token with the request to the apigee endpoint
the apigee should call (test.app.com/services/oauth2/introspect) with authentication header (basic) and with body containing the token to verify it.
Im fairly new in apigee and have not seen similar implementations in my search
I am not sure if you figured another approach to this but I would you a service callout policy to call the authentication server as below:
<ServiceCallout async="false" continueOnError="false" enabled="true" name="SC-GetAuthPass">
<DisplayName>SC-GetAuthPass</DisplayName>
<Properties/>
<Request clearPayload="true" variable="ABCDLogin">
<Set>
<Headers>
<Header name="Content-Type">application/x-www-form-urlencoded</Header>
</Headers>
<Verb>POST</Verb>
<FormParams>
<FormParam name="username">{server_username}</FormParam>
<FormParam name="password">{server_password}</FormParam>
</FormParams>
</Set>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</Request>
<Response>calloutResponseGetAuthPass</Response>
<HTTPTargetConnection>
<Properties/>
<URL>{authentication_server_url}</URL>
</HTTPTargetConnection>
Then I could just extract the token and pass it to Apigee
<JSONPayload>
<Variable name="authpass">
<JSONPath>$.</JSONPath>
</Variable>
</JSONPayload>
<Source clearPayload="false">calloutResponseGetAuthPass</Source>
Then you could just call the verification endpoint with the extracted token (I assume this would be another service callout)
I have three different systems. I am using Spring integration to sync data in all these system.
System 1 calls --- > System 2 via http:inbound gateway
<int-http:inbound-gateway id="gateway"
path="/save" supported-methods="POST, PUT"
request-channel="requestChannel" reply-channel="replyChannel"
request-payload-type="com.model.Request"
mapped-request-headers="source" error-channel="errorChannel" />
System 2 will call service method to persist data which returns response if request is valid else throws exception
<int:service-activator ref="serviceMethod"
method="saveIfValid" input-channel="requestChannel"
output-channel="serviceOutput" />
<int:recipient-list-router id="id1"
input-channel="serviceOutput">
<int:recipient channel="system1" />
<int:recipient channel="system3" />
</int:recipient-list-router>
I need to send service method response to system 1 and system 3 only if operation is successful.
After calling service method, based on service method response, request for system 3 will be generated using transformer. After transformer I am putting request in mq queue.
<int:transformer id="transformer1"
method="convert" input-channel="system3"
output-channel="jmsInput">
<bean
class="com.transformer.System3Transformer" />
</int:transformer>
<int-jms:outbound-channel-adapter id="adapter"
channel="jmsInput" destination-name="queueName">
</int-jms:outbound-channel-adapter>
Updated JMS outbound code
<int-jms:outbound-channel-adapter id="jms1"
channel="jmsIn" destination-name="queueName">
<int-jms:request-handler-advice-chain>
<bean
class="org.springframework.integration.handler.advice.ExpressionEvaluatingRequestHandlerAdvice">
<property name="onSuccessExpression" value="T(Boolean).TRUE" />
<property name="successChannelName" value="afterSuccessDeleteChannel" />
<property name="onFailureExpression" value="T(Boolean).FALSE" />
<property name="failureChannelName" value="afterFailRenameChannel" />
</bean>
</int-jms:request-handler-advice-chain>
</int-jms:outbound-channel-adapter>
My question is
if service class fails I need to send error response and stop the flow
if service method successful persisted data, but transformation fails, system 1 should get success response and error should be logged.
Here as I am using error channel in outbound adapter, even if error occurs in transformer it is returned to system 1.
please suggest how can i handle error without using global error channel and how to handle error in jms outbound adapter.
thank you for answering my quesion
For the first case you should really just rely on the exception propagation - the flow stops and error is sent to the system1 as an HTTP response.
For the second (transformer) case you should take a look into the ExpressionEvaluatingRequestHandlerAdvice and use it with the <request-handler-advice-chain> for the <transformer>.
The same can be applied for the <int-jms:outbound-channel-adapter>, if you should acknowledge to the system1.
http://docs.spring.io/spring-integration/reference/html/messaging-endpoints-chapter.html#expression-advice
https://github.com/spring-projects/spring-integration-samples/tree/master/intermediate/retry-and-more
I am using MobileFirst Server MFPF 7.1, IF20151114-1616
WLClientLogReceiver adapter has the following settings. I tried changing the securityTest value to "LogUploadServlet", I still receive the same error below.
<procedure name="log" securityTest="wl_unprotected" audit="true" />
To enable security that protects the loguploader servlet, I followed the instruction given in the IBM document on step one.
Server preparation for uploaded log data - Security
Configuration in my aunthenticationConfig.xml
Under staticResources
<resource id="logUploadServlet" securityTest="LogUploadServlet">
<urlPatterns>/apps/services/loguploader*</urlPatterns>
</resource>
Under securityTests
<customSecurityTest name="LogUploadServlet">
<test realm="wl_anonymousUserRealm" step="1"/>
<test realm="LogUploadServlet" isInternalUserID="true"/>
</customSecurityTest>
Under realms
<realm name="LogUploadServlet" loginModule="StrongDummy">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
Deployed the updated WAR file and adapter in server. I am receiving the below error while client send logs to server by calling send() method.
[2/12/16 14:14:28:768 CST] 0000014d LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:28:933 CST] 000000d1 LoginContext W com.worklight.core.auth.impl.LoginContext invokeLoginModule FWLSE0239W: Authentication failure in realm 'LogUploadServlet': Please check the credentials [project usbusiness]
[2/12/16 14:14:30:542 CST] 000000de SystemOut
Not sure what i a missing in this.
To not leave a question unanswered, from the comments section:
Issue is with the realm com.worklight.core.auth.ext.HeaderAuthenticator that I set for logUploadServlet. after removing and make the security as isInternalUserID="true" its working fine.
I'm using IBM Worklight Studio V6.2.0.0 and I would like to use Worklight SMS Notification messages with Skebby SMS Broker. I configured the SMSConfig.xml file as well for the Broker according to Worklight documentation and Skebby documentation API :
<sms:config xmlns:sms="http://www.worklight.com/sms/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<gateway id="skebby" hostname="gateway.skebby.it" port="80"
programName="api/send/smseasy/advanced/http.php" toParamName="recipients[]" textParamName="text">
<parameter encode="true" name="method" value="send_sms_classic"/>
<parameter encode="true" name="username" value="foo"/>
<parameter encode="true" name="password" value="foo"/>
<parameter encode="true" name="sender_string" value="Foo"/>
</gateway>
</sms:config>
From WebSphere Console output, I don't see any error but analyzing HTTP traffic, I see an error since the request is made by HTTP GET and this method but only POST is allowed.
How can I "force" HTTP POST instead of GET?
Then I tried to use HTTPS using port 443 with no luck getting a ClientProtocolException, is it possible to use HTTPS?
Then I've figured out that the value recipients[] of the toParamName key is urlencoded recipients%5B%5D=, how to avoid also this?
Thanks
Currently, the SMS support in Worklight supports only HTTP and only GET calls.
You can submit a feature request to be evaluated by Worklight product designers for future releases.
See here: http://www.ibm.com/developerworks/rfe/
I am using IBM Worklight 6.1 and trying to check if the user is authenticated or not:
I have a Realm defined in server/conf/authenticationConfig.xml
<realm name="myRealm" loginModule="myLoginModule">
<className>com.worklight.integration.auth.AdapterAuthenticator</className>
<parameter name="login-function" value="authentication.onAuthRequired" />
<parameter name="logout-function" value="authentication.onLogout" />
</realm>
and its login module
<loginModule name="myLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
and after logging in, or even before that, when I try to check if the user is authenticated or not using
WL.Client.isUserAuthenticated("myRealm")
I have the following response
Unknown realm [myRealm]. null returned for key: isUserAuthenticated
Anyone have an idea about that ?
Is there something wrong with my Realm definition ?
Is there a better way to check if a user is authenticated ?
Did you first call to WL.Client.updateUserInfo();?
From the documentation:
updateUserInfo(options)
This method refreshes user data after an exception. Use this method
when the application receives an exception after calling the
invokeProcedure() method. The method refreshes the data for the
following methods:
WL.Client.getUserName(realm)
WL.Client.getLoginName(realm)
WL.Client.isUserAuthenticated(realm)
After such an exception, you can verify the user authentication status
by calling this function first, and then the isUserAuthenticated()
method.
Parameters: options - Optional. A standard options object.