Worklight Adapter authentication required - authentication

I'm using Worklight 6.0.0.1, which is deployed on WebSphere Liberty 8.5.5.0, and my application uses 2 HTTP adapters.
In the first adapter I put my login and logout functions (form-based authentication).
In the second adapter I put some other procedures.
So my problem is as below:
When I deployed Worklight (.war) on WebSphere and my other WAR file, which contains the web services, on another server (Tomcat), things went well.
But when I deployed the Worklight WAR and the one containing my web services on the same server (WebSphere Liberty), things go wrong with the second adapter (the one that doesn't contain the login function). On each procedure invocation in the second adapter, I get "authentication required" as the response.
But when I invoke a procedure in the first adapter, it returns the right response.
Any idea? I couldn't figure out the problem.
I'll add that I'm calling the same web services in the two adapters.
This is the log I get:
{"status":200,"invocationContext":null,"invocationResult":{"responseID":"64","statusCode":200,"result":{},"errors":["authentication required"],"isSuccessful":true,"statusReason":"OK","responseHeaders":{"Content-Language":"en-US","Transfer-Encoding":"chunked","Date":"Thu, 05 Dec 2013 06:13:15 GMT","Content-Type":"application/json;charset=UTF-8","X-Powered-By":"Servlet/3.0"},"success":0,"totalTime":280,"responseTime":271}}

When you invoke a procedure in your first adapter, does it call the web service?
If not, I'm assuming that only the second adapter is trying to access the web service.
Considering that, I'm guessing your Tomcat server is not securing the web service. Which means that you can access your web service without any authentication.
WAS or Liberty on the other hand could have application security enabled. Which means that if you try to access your web service deployed on WAS or Liberty, you will be prompted for authentication.

As it works with WAS and Tomcat, the issue seems to occur only under Liberty Profile. In this case, only the Worklight trace and the Liberty Profile security trace can help in understanding the possible cause of the issue.

Related

Request To WCF service is not hitting on application level from Java application

I have a SOAP WCF service hosted in IIS, and it is consumed by another company's SAP system. Everything was working fine for a couple of years until our security team implemented header validation on requests, and it stopped working all of a sudden, since the client SAP system's request doesn't contain the header CallingType. So then they added CallingType and pushed a request to our system; the F5 server allowed access and the request entered our system where WCF is hosted. But WCF did not log the request and we got no data. So I would like to know how I can troubleshoot and provide a fix. My network team is telling me the request is validated and passed by the F5 server and pushed to our server. But why is WCF not logging anything? Do I need to add any custom header in the web.config of the WCF service, or is our IIS preventing something? How can I see whether IIS is blocking the request?

Deploying MobileFirst application on existing single-node WebSphere that has existing application

Application Server:
AIX V7.1
WebSphere Application Server V8.5.5.4
Java SDK V7.0.8
MobileFirst Platform Foundation 6.3
DB2 V10.1 client
Database Server:
AIX V7.1
DB2 V10.1
We have a MobileFirst application that is our mobile front-end to an existing application. The existing application is a WebSphere application that provides RESTful web services. The MobileFirst application interfaces with the existing WebSphere application via a MobileFirst Adapter. The RESTful web service URLs are protected URLs and authentication is done using LDAP and a LTPA token is created. The LDAP is configured in WebSphere via the WAS console.
Our MobileFirst application works fine and can connect to and use the RESTful web services but only if the MobileFirst application is running in a separate WebSphere profile or on a separate WebSphere server. If we attempt to install the MobileFirst application into the same WebSphere profile as our existing WebSphere application that provides the RESTful web services, it breaks. The Mobile device authenticates with MobileFirst successfully and then calls the Adapter to invoke the RESTful web service call. However, the next Adapter invocation from the mobile device ends with a HTTP 401 error, which is an authorization error.
I'm speculating that after the Adapter authenticates with our existing WebSphere application that provides the web services that somehow this is overwriting the authentication that was done between the mobile device and MobileFirst.
My questions are as follows.
Can both the MobileFirst application and our existing WebSphere application that provides the RESTful web services run in the same WebSphere profile and share the LTPA token, such that when the mobile device authenticates with MobileFirst it would also be authorized to execute the web services running in the same WebSphere profile?
Is it advisable to run both applications in the same WebSphere profile, or should they be running in separate profiles or on separate servers?
Cost is a concern as we do not necessarily want the additional operational cost of adding a physically separate server just to run MobileFirst.
From an operational perspective, it is additional work to add and maintain multiple WAS profiles.
Ideally, we would really like to run both applications in the same WebSphere profile.
Here is a Google Drive link (no signin required) to the trace.log, SystemOut.log, SystemErr.log, and firebug-console.html
MobileFirst Trace log
The MobileFirst application was run in a browser using "Preview as Common Resources". I get the same result when using an actual Android or iOS device. The MobileFirst application WAR was run in the same WAS profile as the web services WAR that it was accessing through the adapter. This same code works successfully when the MobileFirst application WAR is running in a separate WAS profile or on a separate WAS server.
Please advise.
I have resolved the issue myself. This was a codebase that my team had inherited from another team.
What was happening was the mobile device was initiating a connection to MobileFirst running on WebSphere, which creates a JSESSIONID cookie and a LTPA2Token cookie. Then an adapter was being called that invoked an HTTP call to a web service running in the same WebSphere profile. Calling the web service created new JSESSIONID and LTPA2Token cookies. These new cookies were being returned to the mobile device, and JavaScript code on the mobile device was taking those new cookie values and then overwriting document.cookies, which wiped out the original cookies. Then when the mobile device attempted to connect with MobileFirst on a subsequent call, its session was invalid and it ended up getting an HTTP 401 error, which is an authorization error. So we attribute this problem to a poor implementation of our application.
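The failure described in this answer, as an added example that is not code from the original post or from MobileFirst: the adapter side drops backend `Set-Cookie` headers before anything is returned to the device, and the client side refuses to replace session cookies it already holds. The function names, the response shape and the sample values are assumptions made for illustration; `LtpaToken2` is included because it is WebSphere's default LTPA cookie name.

```javascript
// Session cookies named in the post, plus WebSphere's default LTPA cookie name.
const SESSION_COOKIES = ["jsessionid", "ltpa2token", "ltpatoken2"];

// Pull the cookie name out of one Set-Cookie header value.
function cookieName(setCookie) {
  return setCookie.split(";")[0].split("=")[0].trim();
}

// Adapter side (hypothetical helper): copy the backend response without its
// Set-Cookie headers, so backend session state never reaches the device.
function stripBackendCookies(backendResponse) {
  const headers = {};
  const dropped = [];
  for (const [key, value] of Object.entries(backendResponse.headers)) {
    if (key.toLowerCase() === "set-cookie") {
      for (const line of [].concat(value)) dropped.push(cookieName(line));
    } else {
      headers[key] = value;
    }
  }
  return { response: { ...backendResponse, headers }, dropped };
}

// Client side (hypothetical helper): merge cookies into a jar, but never
// replace a session cookie the jar already holds for the MobileFirst server.
function mergeCookies(jar, setCookieLines) {
  const merged = { ...jar };
  const refused = [];
  for (const line of setCookieLines) {
    const pair = line.split(";")[0];
    const idx = pair.indexOf("=");
    const name = pair.slice(0, idx).trim();
    const isSession = SESSION_COOKIES.includes(name.toLowerCase());
    if (isSession && name in merged) refused.push(name);
    else merged[name] = pair.slice(idx + 1).trim();
  }
  return { jar: merged, refused };
}

// Constructed sample data (not taken from the poster's logs).
const deviceJar = { JSESSIONID: "mfp-A", LTPA2Token: "mfp-ltpa-A" };
const backend = {
  status: 200,
  headers: { "Content-Type": "application/json",
    "Set-Cookie": ["JSESSIONID=backend-B; Path=/; HttpOnly", "LTPA2Token=backend-ltpa-B; Path=/"] },
  body: { ok: true },
};
```

Either control alone prevents the clobbering; stripping at the adapter is the stronger one because it keeps backend session identifiers off the device entirely.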

WCF + web api + No connection could be made because the target machine actively refused it x.x.x.x:443

I am accessing a third-party web API from my WCF application. During development I was able to access those APIs, but when I deployed my WCF to IIS, it's not able to connect to the web API and is throwing the following error:
"System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it X.X.X.X:443"
Just to make sure that the server where I deployed my WCF is fine, I tried accessing those web APIs from a simple console application. It accessed those APIs from my development machine and from the server machine as well. Now I feel the culprit is not the third-party web API server, but something goes wrong when a WCF service hosted in IIS accesses a web API.
Please help!!!
Finally I found the issue. IIS runs my WCF under the user 'network service' or 'application pool identity'. These are nothing but Windows built-in users which have limited access. When I tried accessing the third-party API from the console application it worked, because it was running under my user credential, which has admin credentials. So I concluded that when an application is making a cross-domain call, it should be running under a user with enough credentials to make such calls.
The solution was to change my application pool identity to an admin user identity (I changed it to my logged-in user). It worked and is making calls to the third-party API from the WCF service.

Customize Worklight Adapter URL

I am building iOS and Android apps using the Worklight framework. The Worklight server will be protected by IBM Security Access Manager (ISAM) SSO, and therefore the apps can only reach the Worklight server after passing the security challenges. I've found some docs about this integration and it works as intended.
But the apps also offer some features that don't require login, for which the Security Manager shouldn't intercept the adapter request to the Worklight server. The only workaround suggested by IBM is to create a URL mapping junction in ISAM that defines the URLs that can be accessed by the public and those which cannot, for example /worklight/public and /worklight/secured
But the URL pattern for all Worklight adapters is /worklight/invoke?adapter=ADAPTER_NAME, so do we have a way to create customized URLs for public and secured adapters, for example:
/worklight/public/invoke
/worklight/secured/invoke
EDIT 1: Worklight Version 6.0
Thanks in advance.
Please mention the version of Worklight you are using.
One way to achieve this is to create and deploy the adapters in two different projects. That way the context root of both the adapters will be different. So, you'll have URLs such as
/Project1/invoke?... and Project2/invoke?... which you can apply to your filters.

WebLogic JAX-WS EE client to WS-Security service on localhost

I have a JAX-WS endpoint which uses WS-Security, specifically the WebLogic pre-written Wssp1.2-2007-Wss1.1-UsernameToken-Plain-X509-Basic256.xml policy. I have a working command-line client where I build all the client credential providers and trust managers. Everything works great.
Now I also need to have another EE module deployed separately to the same server. According to http://docs.oracle.com/cd/E12839_01/web.1111/e13713/message.htm#i251852 I'm supposed to code the EE client as-if there was no security related WS-Policy at all but it doesn't work. Either I'm completely failing on setting up the credential mapping (which wouldn't surprise me because the documentation is lacking) or what I think seems to be more likely, the credential mapping isn't actually happening because I'm talking to localhost.
How do you create a JAX-WS EE client that uses a WS-Security enabled service on localhost? (I'd also like to see a remote host example too)