IC5Notice: We have upgraded developerWorks Community to the latest version of IBM Connections. For more information, read our upgrade FAQ.
Topic
  • 8 replies
  • Latest Post - ‏2012-11-04T21:48:40Z by SystemAdmin
andytjoslin
andytjoslin
1 Post

Pinned topic Worklight Console authentication on WAS Liberty Profile

‏2012-07-30T20:07:18Z |
We've installed the 32-bit RedHat Linux version of Worklight 5.0 server on a machine running Fedora, using Apache Derby as our database and WAS Libery as our server.

Everything seems to be working, except we can't get console security/authentication to happen. The console just lets us in without any username/password.

We tried a few things to get auhentication, and none of them worked:

1. Adding console.username and console.password to the worklight.properties file, as well as enabling the commented <staticResources> section in the authenticationConfig.xml, and making sure our WorklightConsole realm in authenticationConfig had a parameter pointing to a login page.
2. We also tried copy/pasting the +applicationcenter+'s security section in server.xml to the worklight application in server.xml, so we could at least have the same login on both the console and the application server.
3. Then we tried adding what quickStartSecurity.xml from /server/wlp/templates says to do to our server.xml under the worklight application. We also tried managementSecurity.xml's solution.

After each attempt, we restarted the worklight server and tried to go to console, but no authentication showed up. It just let us in.

Any ideas?

Thanks,

Andy Joslin | Mobile Consultant | ClearBlade
  • VV3R_mordechai_taitelman
    10 Posts

    Re: Worklight Console authentication on WAS Liberty Profile

    ‏2012-07-31T05:25:37Z  
    Worklight console URL is just another URL in a web server.
    There are plenty of non-Worklight solutions how to protect a URL in Tomcat, including those with a login form.
    Bare in mind: the web.xml inside the Worklight customization WAR may need to be updated too.

    My question: after every change you did in the worklight configuration , did you uploaded a new WAR file ? (or maybe you did live updates in tomcat/webapps/yourWAR/WEB-INF/... )
    can you elaborate ?
  • VV3R_mordechai_taitelman
    10 Posts

    Re: Worklight Console authentication on WAS Liberty Profile

    ‏2012-07-31T05:28:01Z  
    Worklight console URL is just another URL in a web server.
    There are plenty of non-Worklight solutions how to protect a URL in Tomcat, including those with a login form.
    Bare in mind: the web.xml inside the Worklight customization WAR may need to be updated too.

    My question: after every change you did in the worklight configuration , did you uploaded a new WAR file ? (or maybe you did live updates in tomcat/webapps/yourWAR/WEB-INF/... )
    can you elaborate ?
    I wrote Tomcat ... but it applies to Liberty as well.
  • SystemAdmin
    SystemAdmin
    300 Posts

    Re: Worklight Console authentication on WAS Liberty Profile

    ‏2012-07-31T10:48:29Z  
    Hi
    this works in my environment, so I will share with you.
    1. Go to worklight_dir../server/wlp/usr/servers/worklightServer/apps, open worklight.war with a tool like 7ZIP, etc. Go to WEB-INF\classes\conf\
    Edit authenticationConfig.xml
    Uncomment the console related section

    2. Edit worklight.properties in worklight.war. Go to WEB-INF\classes\conf\
    Add console.username and console.password properties at the bottom

    4. copy login.html file into worklight.war file in path: WEB-INF\classes\conf\

    3. Save changes to both files, make sure that they were updated in worklight.war
    Jelena
  • SystemAdmin
    SystemAdmin
    300 Posts

    Re: Worklight Console authentication on WAS Liberty Profile

    ‏2012-10-04T21:09:24Z  
    Hi
    this works in my environment, so I will share with you.
    1. Go to worklight_dir../server/wlp/usr/servers/worklightServer/apps, open worklight.war with a tool like 7ZIP, etc. Go to WEB-INF\classes\conf\
    Edit authenticationConfig.xml
    Uncomment the console related section

    2. Edit worklight.properties in worklight.war. Go to WEB-INF\classes\conf\
    Add console.username and console.password properties at the bottom

    4. copy login.html file into worklight.war file in path: WEB-INF\classes\conf\

    3. Save changes to both files, make sure that they were updated in worklight.war
    Jelena
    Jelena, would you mind pointing out where the login.html page is, or we have to code that ourselves?

    Ralph Pina
  • SystemAdmin
    SystemAdmin
    300 Posts

    Re: Worklight Console authentication on WAS Liberty Profile

    ‏2012-10-04T21:16:42Z  
    Hi
    this works in my environment, so I will share with you.
    1. Go to worklight_dir../server/wlp/usr/servers/worklightServer/apps, open worklight.war with a tool like 7ZIP, etc. Go to WEB-INF\classes\conf\
    Edit authenticationConfig.xml
    Uncomment the console related section

    2. Edit worklight.properties in worklight.war. Go to WEB-INF\classes\conf\
    Add console.username and console.password properties at the bottom

    4. copy login.html file into worklight.war file in path: WEB-INF\classes\conf\

    3. Save changes to both files, make sure that they were updated in worklight.war
    Jelena
    I believe I have found it. Is it the one in Worklight/server/wlp/usr/shared/resources/lib/com/worklight/console/webapp for Liberty?

    Ralph Pina
  • SystemAdmin
    SystemAdmin
    300 Posts

    Re: Worklight Console authentication on WAS Liberty Profile

    ‏2012-10-04T22:06:26Z  
    I believe I have found it. Is it the one in Worklight/server/wlp/usr/shared/resources/lib/com/worklight/console/webapp for Liberty?

    Ralph Pina
    Update:

    I am still not able to lock down the Console in a Liberty profile in a Ubuntu 12.04.1 LTS. I am using WL Server 5.0.0.3. Below are the steps I have taken:

    In the /opt/IBM/Worklight/WorklightServer/WEB-INF/classes/conf folder I have the follow 3 files:

    authenticationConfig.xml
    index.html
    worklight.properties

    in authenticationConfig.xml I have

    !-- Uncomment the next element to protect the worklight console -->
    <staticResources>
    <resource id="worklightConsole">
    <urlPatterns>/console*</urlPatterns>
    <resourceRealm>WorklightConsole</resourceRealm>
    </resource>
    </staticResources>

    <realms>
    <realm name="WorklightConsole" loginModule="requireLogin">
    <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
    <parameter name="login-page" value="/login.html" />
    <onLoginUrl>/console</onLoginUrl>
    </realm>
    </realms>

    <loginModules>
    <loginModule name="requireLogin" canBeResourceLogin="true" isIdentityAssociationKey="true">
    <className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
    </loginModule>
    </loginModules>

    In worklight.properties I have:

    console.username=username
    console.password=password

    Am I missing something?

    Ralph Pina
  • bdodd
    bdodd
    1 Post

    Re: Worklight Console authentication on WAS Liberty Profile

    ‏2012-10-29T16:13:25Z  
    Update:

    I am still not able to lock down the Console in a Liberty profile in a Ubuntu 12.04.1 LTS. I am using WL Server 5.0.0.3. Below are the steps I have taken:

    In the /opt/IBM/Worklight/WorklightServer/WEB-INF/classes/conf folder I have the follow 3 files:

    authenticationConfig.xml
    index.html
    worklight.properties

    in authenticationConfig.xml I have

    !-- Uncomment the next element to protect the worklight console -->
    <staticResources>
    <resource id="worklightConsole">
    <urlPatterns>/console*</urlPatterns>
    <resourceRealm>WorklightConsole</resourceRealm>
    </resource>
    </staticResources>

    <realms>
    <realm name="WorklightConsole" loginModule="requireLogin">
    <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
    <parameter name="login-page" value="/login.html" />
    <onLoginUrl>/console</onLoginUrl>
    </realm>
    </realms>

    <loginModules>
    <loginModule name="requireLogin" canBeResourceLogin="true" isIdentityAssociationKey="true">
    <className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
    </loginModule>
    </loginModules>

    In worklight.properties I have:

    console.username=username
    console.password=password

    Am I missing something?

    Ralph Pina
    Hi Ralph,

    I see that you posted this a few weeks ago. Are you still having the issue?

    If so, a couple of pointers. First, have a look at this post for the 5.0.0.3 config file updates:

    https://www.ibm.com/developerworks/forums/thread.jspa?threadID=456051&tstart=0

    Second, be sure to make the changes to authenticationConfig.xml and worklight.properties in the
    deployed worklight.war file on the Liberty server. In other words, update those files in the
    WEB-INF/classes/conf/ directory inside the worklight.war here:

    /opt/IBM/Worklight/server/wlp/usr/servers/worklightServer/apps/worklight.war

    Hope that helps. Reply back if you still have questions or problems.

    Thanks,
    Bill
  • SystemAdmin
    SystemAdmin
    300 Posts

    Re: Worklight Console authentication on WAS Liberty Profile

    ‏2012-11-04T21:48:40Z  
    • bdodd
    • ‏2012-10-29T16:13:25Z
    Hi Ralph,

    I see that you posted this a few weeks ago. Are you still having the issue?

    If so, a couple of pointers. First, have a look at this post for the 5.0.0.3 config file updates:

    https://www.ibm.com/developerworks/forums/thread.jspa?threadID=456051&tstart=0

    Second, be sure to make the changes to authenticationConfig.xml and worklight.properties in the
    deployed worklight.war file on the Liberty server. In other words, update those files in the
    WEB-INF/classes/conf/ directory inside the worklight.war here:

    /opt/IBM/Worklight/server/wlp/usr/servers/worklightServer/apps/worklight.war

    Hope that helps. Reply back if you still have questions or problems.

    Thanks,
    Bill
    Thanks a ton Bill. Sorry not to reply sooner. I had this in the back burner, but I finally got to it today. Totally worked.

    I was editing the files in the /opt/IBM/Worklight/WorklightServer/worklight.war. Not the ones you pointed out.

    I also had not seen that post with the new language for the authenticationConfig.xml file.

    Lastly, I was not properly building the war file back up. I was under the impression that the server would build it automatically once you restarted it.

    However, now it is working perfectly.

    Ralph Pina