We have a multipage form that allows users to register a card through our Worklight mobile web app.
There is no authentication for this, as it is just a web-based form that uses adapters to get the information back to the servers and continue through the process. Apparently this is bad, and the clients are sharing the same session if they start the process at the same time. Basically, if two or more devices begin the enrollment process at the same time, the last one that started will cross-pollinate its data to the other client and will get the data and information from the previous client.
I have been told to add connectAs="endUser" to each procedure call, but this requires authentication, which we are not using. Does anyone have a simple procedure that can be added at the start of the session to ensure each session is unique so that this problem will not happen?
Create a security test with one single user auth realm, wl_anonymousUserRealm, e.g.:
    <customSecurityTest name="forAdapterProcedures">
        <test realm="wl_anonymousUserRealm" isInternalUserId="true"/>
    </customSecurityTest>
Use this security test to protect your adapter procedures and define them as connectAs="endUser".
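An added illustration of the failure mode the question describes and of what the fix above buys you; this is a stand-alone in-memory model, not Worklight code, and the names (makeSharedStateServer, makePerClientServer, runInterleaved, "device-A"/"device-B") are made up for the example. The buggy variant keeps one server-side enrollment context for every caller, so two devices that start the multi-step form at the same time write into, and read back, the same object. The fixed variant keys every step on a per-caller identity, which is what giving each device its own anonymous user (wl_anonymousUserRealm with isInternalUserId="true") and running the procedures as that user provides.

```javascript
// Added example (not Worklight code): minimal model of a multi-step
// enrollment served by adapter procedures, run for two interleaved clients.

// Buggy variant: a single shared "session" for every caller, as in the question.
function makeSharedStateServer() {
  let current = null; // the one in-flight enrollment, whoever started it last
  return {
    beginEnrollment(_clientId) { current = { steps: {} }; },
    submitStep(_clientId, name, value) { current.steps[name] = value; },
    // Returns whatever is in the shared object; it is never scoped to the caller.
    finish(_clientId) { return { ...current.steps }; },
  };
}

// Fixed variant: every call is scoped to the caller's identity. In Worklight
// that identity comes from the realm protecting the procedure; here it is an
// opaque per-client id supplied by the caller of this model.
function makePerClientServer() {
  const sessions = new Map(); // clientId -> enrollment state
  function stateFor(clientId) {
    const s = sessions.get(clientId);
    if (!s) throw new Error("no enrollment in progress for " + clientId);
    return s;
  }
  return {
    beginEnrollment(clientId) { sessions.set(clientId, { steps: {} }); },
    submitStep(clientId, name, value) { stateFor(clientId).steps[name] = value; },
    finish(clientId) {
      const s = stateFor(clientId);
      sessions.delete(clientId);
      return s.steps;
    },
  };
}

// Interleave two devices the way the question describes: device B starts
// after device A but before A has finished, then both complete their forms.
// The card data is constructed for the example.
function runInterleaved(server) {
  server.beginEnrollment("device-A");
  server.submitStep("device-A", "cardholder", "Alice");
  server.beginEnrollment("device-B");            // B starts midway through A
  server.submitStep("device-B", "cardholder", "Bob");
  server.submitStep("device-A", "pan_last4", "1111");
  server.submitStep("device-B", "pan_last4", "2222");
  return { a: server.finish("device-A"), b: server.finish("device-B") };
}

console.log("shared:", JSON.stringify(runInterleaved(makeSharedStateServer())));
console.log("scoped:", JSON.stringify(runInterleaved(makePerClientServer())));
```

With the shared variant device A is handed Bob's data (the last client to start overwrote Alice's steps); with the per-client variant each device gets back only what it submitted, and a step sent without a started enrollment is rejected instead of silently landing in someone else's session.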
I have one scenario in which I have to record the script for a mobile application that is dependent on web application alert notifications.
Scenario: 1. From the web application I have to create one incident (unique ID) by filling in the form details. The same unique ID I have to dispatch to the mobile application; from there I have to update some additional details for that unique ID and close the unique ID. This is the scenario. How can I record the script using JMeter, and where do I have to do correlations?
Given that you start JMeter's HTTP(S) Test Script Recorder, you can use it as the proxy for both the mobile and the web application.
Most probably (in the case of the HTTPS protocol) you will need to install JMeter's self-signed certificate into your browser; for "mobile" you will also need to:
iOS - enable full trust for root certificates
Android - add the following section to your network_security_config.xml file:
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
Once done, you will need to recompile your app in debug mode and replace the release version.
With regards to correlation, at least your "Unique ID" needs to be extracted from the HTTP Request sampler which issues the call to the web application, but there may be more dynamic values.
I'm working in a hybrid MobileFirst 6.3 app, and I want to access an adapter prior to my login. Is there a way I can do that? Every time I want to access my adapter, the handleChallenge method occurs.
application-descriptor.xml:
    <android version="1.0" securityTest="NevadaApplication-strong-mobile-securityTest">
my adapter config XML:
    <procedure name="getPhoneNumber" securityTest="wl_unprotected"/>
Because you have also set a security test on the application level, meaning on the environment in application-descriptor.xml, you will get hit with a challenge handler despite having the adapter procedure's security test set as wl_unprotected.
To achieve what you're looking for, you will need to add security tests to your adapter procedures (with the one you want unprotected as wl_protected) and leave the environment without a security test assigned to it in application-descriptor.xml.
Read more on security tests here: https://www.ibm.com/developerworks/community/blogs/worklight/entry/understanding_predefined_worklight_authentication_realms_and_security_tests11?lang=en
Read more on the different authentication options here: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-6-3/authentication-security/authentication-concepts/
I'm using the LDAP Login Module to authenticate users against an LDAP server in a hybrid app. In authenticationConfig.xml I configured the loginModule parameters:
    <parameter name="ldapSecurityPrincipalPattern"
               value="uid={username}, cn=users,dc=kadrlar,dc=uz"/>
    <parameter name="ldapSearchFilterPattern"
               value="(uid={username})"/>
    <parameter name="ldapSearchBase"
               value="dc=kadrlar,dc=uz"/>
Authentication works fine. This is one part of the users.
I have some users in LDAP for whom I must use ldapSecurityPrincipalPattern with value="uid={username}, cn=users,dc=core,dc=kadrlar,dc=uz".
All other parameters are the same. This is another part of the users.
How can I set the value of ldapSecurityPrincipalPattern so that I am able to authenticate any user from both parts without changing the value of ldapSecurityPrincipalPattern?
ldapSecurityPrincipalPattern is used to tell the LDAP adapter what identifying information is needed in order to successfully authenticate the user.
For example, if your LDAP server was set up to use email, your pattern would be {username}#domain.com. Your question is equivalent to asking how to get the adapter to authenticate both {username}#google.com and {username}#stackoverflow.com, which is obviously impossible, since the LDAP adapter doesn't have the functionality to handle multiple attempts and the logic involved in dealing with a failure to connect and retrying using another security pattern.
A possible solution would be to set the pattern as just {username}
and force the end user to pass in the full email address, including the domain.
Similarly, in your case, what you could do is set ldapSecurityPrincipalPattern to {username} and introduce some logic in the implementation that takes the login name from your end user
and decides whether to set username="uid={login}, cn=users,dc=kadrlar,dc=uz"
or username="uid={login}, cn=users,dc=core,dc=kadrlar,dc=uz".
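The "logic in the implementation" suggested above, written out as an added example; this is not code from the thread or from the Worklight LDAP login module, and it works as plain functions so it can be read or run on its own. Given a login name it decides which branch the account lives in and builds both the bind DN (what ldapSecurityPrincipalPattern produced) and the search filter (what ldapSearchFilterPattern produced). The point a practitioner should take from doing this in code is that the login must be escaped before it is substituted: a raw "uid={username}, cn=users,..." lets a name such as "bob,ou=admins" change the DN that is bound as, and a raw "(uid={username})" lets "*" match every entry. The thread does not say how a login is mapped to its branch; the "core/<uid>" prefix convention, the BRANCHES table and the function names are assumptions made for this example.

```javascript
// Added example: choose the LDAP branch for a login and build the bind DN and
// search filter with proper escaping. Not Worklight's own code.

const BRANCHES = {
  main: "cn=users,dc=kadrlar,dc=uz",          // first population in the question
  core: "cn=users,dc=core,dc=kadrlar,dc=uz",  // second population
};

// RFC 4514 section 2.4: escape the characters that are special inside a DN
// attribute value (backslash, comma, plus, quote, angle brackets, semicolon,
// equals, NUL, and a leading space/'#' or trailing space).
function escapeDnValue(value) {
  let out = value.replace(/[\\,+"<>;=\u0000]/g, (ch) =>
    ch === "\u0000" ? "\\00" : "\\" + ch
  );
  if (/^[ #]/.test(value)) out = "\\" + out;
  if (/ $/.test(value) && value.length > 1) out = out.slice(0, -1) + "\\ ";
  return out;
}

// RFC 4515 section 3: escape the characters that are special inside a search
// filter value, as a backslash followed by the two-digit hex code.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\u0000]/g, (ch) =>
    "\\" + ch.charCodeAt(0).toString(16).padStart(2, "0")
  );
}

// Split a login into (branch, uid). The "core/<uid>" convention is assumed.
// Names that cannot be a uid are rejected before any string is built;
// escaping is the second line of defence, not the first.
function resolveLogin(login) {
  let branch = "main";
  let uid = login;
  const m = /^core\/(.+)$/.exec(login);
  if (m) { branch = "core"; uid = m[1]; }
  if (uid.length === 0 || uid.length > 64 || /[\u0000-\u001f\u007f]/.test(uid)) {
    throw new Error("invalid login name");
  }
  return { branch, uid };
}

// Equivalent of ldapSecurityPrincipalPattern, built in code for either branch.
function buildBindDn(login) {
  const { branch, uid } = resolveLogin(login);
  return "uid=" + escapeDnValue(uid) + "," + BRANCHES[branch];
}

// Equivalent of ldapSearchFilterPattern "(uid={username})".
function buildSearchFilter(login) {
  const { uid } = resolveLogin(login);
  return "(uid=" + escapeFilterValue(uid) + ")";
}

console.log(buildBindDn("alice"), "|", buildBindDn("core/bob"));
console.log(buildBindDn("bob,ou=admins"), "|", buildSearchFilter("*"));
```

The two populations in the question differ only in the DN suffix, so the branch decision is the only place this needs a convention; whatever you choose (a prefix as here, a lookup table, a prior search under dc=kadrlar,dc=uz), keep the escaping in front of the substitution, since the pattern-based configuration did that for you and hand-built strings do not.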
I have a question about the connectAs="endUser" option found in the adapter XML file.
In the design mode I can read:
- endUser: The connection to the back end will be created with the user's identity, as authenticated by the authentication realm
So my question is: does it make sense to use the option connectAs="endUser" without being authenticated and without defining a security test?
I am asking this because I used to put connectAs="endUser" in the authentication procedure:
    <procedure name="authenticate" connectAs="endUser"/>
Is that wrong?
So, as you can see in the documentation, using connectAs="endUser" is "Only valid if a user realm has been identified in the security tests for this procedure."
Here are some resources you may want to look into:
procedure element of the adapter XML file
http://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/index.jsp?topic=%2Fcom.ibm.worklight.dev.doc%2Fdevref%2Fr__procedure_.html&resultof%3D%2522%2563%256f%256e%256e%2565%2563%2574%2561%2573%2522%2520%2522%2563%256f%256e%256e%2565%2563%2574%2561%2522%2520
The authentication element of the HTTP adapter
http://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/index.jsp?topic=%2Fcom.ibm.worklight.dev.doc%2Fdevref%2Fr_the__authentication__element_o.html&resultof%3D%2522%2563%256f%256e%256e%2565%2563%2574%2561%2573%2522%2520%2522%2563%256f%256e%256e%2565%2563%2574%2561%2522%2520
Can you please describe in greater detail the scenario in which you would like to use this setting?
Worklight 6.1.0.1, using the Chrome-based simulator to start the mobile web application. The application and adapters are deployed from WL Studio to the WL development server.
I have secure adapter procedure(s) and I've tested with two configurations:
    <procedure requestTimeoutInSeconds="20" name="getBaseData" securityTest="Connections-securityTest"/>
    <procedure requestTimeoutInSeconds="20" name="getCommunityMembersOf" securityTest="Connections-securityTest"/>
and
    <procedure connectAs="endUser" requestTimeoutInSeconds="20" name="getBaseData" securityTest="Connections-securityTest"/>
    <procedure connectAs="endUser" requestTimeoutInSeconds="20" name="getCommunityMembersOf" securityTest="Connections-securityTest"/>
getBaseData simply creates the active user (including id + pwd for later use) and returns fixed data to the app.
getCommunityMembersOf is an HTTPS adapter procedure that retrieves data from a backend server. This procedure retrieves the id + pwd from the active user and includes this information as input to the HTTPS request.
I start the first Chrome simulator session, with the JavaScript console showing that the application invoked procedure getBaseData. The credentials are collected and authenticated, and setActiveUser is completed. The application then invokes procedure getCommunityMembersOf, and this procedure call is processed with no authentication, as expected.
I start a second Chrome simulator session for the same application, and the JavaScript console shows that the invocation of procedure getBaseData is not challenged and is processed, which seems to indicate that the authentication completed, i.e. that simulator session #1's authentication also satisfied simulator session #2's authentication. This is a behavior I want to prevent; I want both simulator sessions to require authentication independently. I would appreciate any advice about why this is happening and what I can do to prevent this session sharing. Thank you.
Chrome is sharing the session between the different tabs; it has nothing to do with Worklight.
What you can do is open a new browser window in incognito mode to prevent sharing the session, or open a different kind of browser.