Topic
  • 8 replies
  • Latest Post - ‏2013-02-08T00:12:36Z by SystemAdmin
SystemAdmin
SystemAdmin
2327 Posts

Pinned topic App Authentication

‏2013-01-22T07:54:43Z |
I am studying auto-provisioning, which is given as a new feature in 5.0.

I made an Android app (no security test, signed app, included <publicSigningKey>) and uploaded it to the app center. When I uploaded it, I could see the "App Authentication" field on the WL Console. Its value was "Enable, blocking".

After I downloaded it onto my own device, I started the downloaded app. I could see the app being blocked. When I changed the value (Enable, Servicing), it worked.

I want to pass the authentication step. Please let me know what I should do for authentication to succeed.

And I am wondering about auto provisioning. I read the Authentication section (20 ~ 25) in Getting Started.
WL version: 5.0.5
App : Android 4.0.2
Test Device: Android smartphone

  • IdanAdar
    IdanAdar
    741 Posts

    Re: App Authentication

    ‏2013-01-23T05:46:41Z  
    Authenticity in the Information Center: http://pic.dhe.ibm.com/infocenter/wrklight/v5r0m5/topic/com.ibm.worklight.help.doc/admin/c_controlling_authenticity_testing.html

    These are the steps to make the Authenticity feature work. I am basing these steps on a new application with default settings; for a custom application you may need some extra tinkering, depending on how it is set up...

    1. Create a new Worklight project and application
    2. Uncomment the securityTests element in projectName\apps\appName\server\conf\authenticationConfig.xml
    3. Add the Android environment
    4. Add securityTest='customTests' to the android element in projectName\apps\appName\application-descriptor.xml
    5. Right-click on the android folder and choose Extract public signing key

    ^ Here you need to either create your own keystore, or for the sake of the example, use Google's provided keystore.
    Google's provided key is located at: C:\Users\your-user\.android\debug.keystore; the password is 'android'.

    6. Build all and deploy

    ^ This will save the authenticity key in the database
    Note: if using your own keystore, you must then export the app, signed, using your keystore. This is done by right-clicking on the generated Android project >> Android Tools >> Export signed application package, followed by installing the app

    7. Launch app on device

    The authenticity check should now pass when set to "Enabled, Blocking".

    Idan Adar
    QA Engineer
    IBM Worklight Mobile Platform
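
    As an added example (not from the original posts and not Worklight's own code), this Python sketch cross-checks the two files touched in steps 2, 4 and 5: the securityTest named on the android element must exist uncommented in authenticationConfig.xml, must include an authenticity test, and the descriptor must carry a usable <publicSigningKey>. The sample XML, the helper names and the short SAMPLE_KEY are constructed; treating the key as base64-encoded DER is an assumption based on the key format shown in this thread.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the snippets in this thread (not the posters' real files).
AUTH_CONFIG = """<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config">
<securityTests>
  <!-- <mobileSecurityTest name="commentedOut"><testAppAuthenticity/></mobileSecurityTest> -->
  <mobileSecurityTest name="mobileTests"><testUser realm="WASLTPARealm"/></mobileSecurityTest>
  <customSecurityTest name="customTests">
    <test realm="wl_antiXSRFRealm" step="1"/>
    <test realm="wl_authenticityRealm" step="1"/>
    <test realm="wl_remoteDisableRealm" step="1"/>
  </customSecurityTest>
</securityTests>
</tns:loginConfiguration>"""

SAMPLE_KEY = "MAMCAQU="  # constructed stand-in: base64 of a tiny DER SEQUENCE, not a real key

def descriptor(security_test, key):
    """Build a minimal application-descriptor.xml fragment (constructed)."""
    return (f'<application><android version="1.0" securityTest="{security_test}">'
            f'<security><publicSigningKey>{key}</publicSigningKey></security>'
            f'</android></application>')

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop any XML namespace prefix

def _find(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def check_authenticity(auth_xml, descriptor_xml, env="android"):
    """Return a list of problems that would keep the authenticity check from working."""
    auth, desc = ET.fromstring(auth_xml), ET.fromstring(descriptor_xml)
    # Commented-out tests are dropped by the parser, so they count as undefined.
    tests = {t.get("name"): t
             for kind in ("customSecurityTest", "mobileSecurityTest", "webSecurityTest")
             for t in _find(auth, kind)}
    envs = _find(desc, env)
    if not envs:
        return [f"descriptor has no <{env}> element"]
    problems, name = [], envs[0].get("securityTest")
    if name not in tests:
        problems.append(f"securityTest {name!r} is not defined in authenticationConfig.xml")
    elif not any(_local(c.tag) == "testAppAuthenticity"
                 or c.get("realm") == "wl_authenticityRealm" for c in tests[name]):
        problems.append(f"securityTest {name!r} contains no authenticity test")
    keys = _find(envs[0], "publicSigningKey")
    key = (keys[0].text or "").strip() if keys else ""
    try:
        # Assumption: the key is base64 DER, so it must decode and start with a SEQUENCE tag.
        if base64.b64decode(key, validate=True)[:1] != b"\x30":
            raise ValueError("not DER")
    except ValueError:
        problems.append("<publicSigningKey> is missing or not base64-encoded DER")
    return problems

if __name__ == "__main__":
    redacted = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ... XXXXX ...IDAQAB"  # shape of a redacted key
    for test, key in [("customTests", SAMPLE_KEY), ("mobileTests", SAMPLE_KEY),
                      ("customTests", redacted), ("commentedOut", SAMPLE_KEY)]:
        print(test, key[:12], "->", check_authenticity(AUTH_CONFIG, descriptor(test, key)) or "OK")
```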
  • SystemAdmin
    SystemAdmin
    2327 Posts

    Re: App Authentication

    ‏2013-01-24T06:04:14Z  
    I tried to do as you mentioned to me.

    But I haven't resolved it yet.

    <step 1> I created a new project.

    <step 2> I removed the comment. I ignored the customSecurityTest, mobileSecurityTest and webSecurityTest elements.

    • my sample -
    <securityTests>
    <!--
    <customSecurityTest name="WorklightConsole">
    <test realm="WorklightConsole" isInternalUserID="true"/>
    </customSecurityTest>

    <mobileSecurityTest name="mobileTests">
    <testAppAuthenticity/>
    <testDeviceId provisioningType="none" />
    <testUser realm="myMobileLoginForm" />
    </mobileSecurityTest>

    <webSecurityTest name="webTests">
    <testUser realm="myWebLoginForm"/>
    </webSecurityTest>
    -->

    <customSecurityTest name="customTests">
    <test realm="wl_antiXSRFRealm" step="1"/>
    <test realm="wl_authenticityRealm" step="1"/>
    <test realm="wl_remoteDisableRealm" step="1"/>
    <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
    <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
    </customSecurityTest>
    </securityTests>
    <step 3> Added a new Android environment.

    <step 4> I added a new attribute (securityTest='customTests') to the android element.
    • my sample -
    <android version="1.0" securityTest='customTests'>
    <worklightSettings include="true"/>
    <security>
    <encryptWebResources enabled="false"/>
    <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
    <publicSigningKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ... XXXXX ...MHa3e5DiK7F5An7a6WIpOyS3WwIDAQAB</publicSigningKey>
    </security>
    </android>
    <worklightServerRootURL>http://AAA.AA.AA.AA:BBBB/worklight</worklightServerRootURL>

    <step 5> I tried all of the cases:
    1) my own key
    2) Google's key

    <step 6> Run as > build and deploy.

    <step 7> I did the signing process (Android Tools > Export Signed Application Package).

    <step 8> I downloaded the new package (signed apk) onto my own device.
    But I can't pass the authentication step.
  • IdanAdar
    IdanAdar
    741 Posts

    Re: App Authentication

    ‏2013-01-24T06:17:48Z  
    I see that you have added a context (/worklight) to the worklightServerRootURL address;
    Are you using the Developer Edition or Consumer Edition?

    If you are using the developer edition, remove the context and try again.

    Idan Adar
    QA Engineer
    IBM Worklight Mobile Platform
  • ozair
    ozair
    15 Posts

    Re: App Authentication

    ‏2013-02-05T23:06:56Z  
    I am also running into issues getting the authenticity check in Android to work. I followed the instructions as were posted. I am running WL 5.0.5.1 with an Android environment.

    I was able to capture the init request which was causing the failure for the application to load:

    Request

    http://host:port/worklight/apps/services/api/MyApp/android/init

    Response

    +/*-secure-.{"challenges":{"wl_authenticityRealm":{"WL-Challenge-Data":"ruo2uaf6gk9ucnqdbkql3m56rm+18.542-8.464-12.591-28.283-32.916-38.088-18.498-33.868-5.72-40.204-5.185-26.933"},"wl_antiXSRFRealm":{"WL-Instance-Id":"f8p8bdd036j8s6n941u5l10l7s"}},"WL-Authentication-Success":{"wl_anonymousUserRealm":{"userId":"21e0b33f-7783-4378-8ed7-cbd501937b51","attributes":{},"isUserAuthenticated":1,"displayName":"21e0b33f-7783-4378-8ed7-cbd501937b51"},"wl_remoteDisableRealm":{"userId":"NullLoginModule", "attributes":{}, "isUserAuthenticated":1,"displayName":"NullLoginModule"}}}*/....+
    AuthenticationConfig.xml

    <tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- Sample security tests
    Even if not used there will be some default webSecurityTest and mobileSecurityTest
    Attention: if using <testAppAuthenticity/> test below, <publicSigningKey> element must be added to application-descriptor.xml as well. -->

    <securityTests>
    <mobileSecurityTest name="mobileTests">
    <testUser realm="WASLTPARealm" />
    </mobileSecurityTest>

    <customSecurityTest name="customTests">
    <test realm="wl_antiXSRFRealm" step="1"/>
    <test realm="wl_authenticityRealm" step="1"/>
    <test realm="wl_remoteDisableRealm" step="1"/>
    <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
    <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
    </customSecurityTest>
    </securityTests>

    <realms>

    <!-- For websphere -->
    <realm name="WASLTPARealm" loginModule="WASLTPAModule">
    <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
    <parameter name="login-page" value="/login.html"/>
    <parameter name="error-page" value="/loginError.html"/>
    </realm>
    </realms>

    <loginModules>
    <!-- For websphere -->
    <loginModule name="WASLTPAModule">
    <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
    </loginModule>
    </loginModules>

    </tns:loginConfiguration>

    Thanks

    Ozair
  • ozair
    ozair
    15 Posts

    Re: App Authentication

    ‏2013-02-05T23:11:06Z  
    One correction to authenticationConfig.xml

    <mobileSecurityTest name="mobileTests">
    <testAppAuthenticity/>
    <testUser realm="WASLTPARealm"/>
    </mobileSecurityTest>
  • IdanAdar
    IdanAdar
    741 Posts

    Re: App Authentication

    ‏2013-02-06T03:46:06Z  
    Please provide the full steps you have taken...

    Idan Adar
    QA Engineer
    IBM Worklight Mobile Platform
  • ozair
    ozair
    15 Posts

    Re: App Authentication

    ‏2013-02-06T18:34:30Z  
    Hi Idan,

    I created a sample Worklight app with an Android environment and customTests security tests, following your steps, and it works :) ... however, my existing app with LTPA security enabled is not working, so I am trying to understand how to debug my issue. I noticed that the Worklight console allows you to specify authenticity checking for your deployed app as long as you reference an existing securityTest. I did not think I needed to use the out-of-the-box customTests. When trying to use the mobileTests below with my LTPA realm and testAppAuthenticity enabled (snippet below), I get the following error:

    authenticationConfig.xml

    <mobileSecurityTest name="mobileTests">
    <testAppAuthenticity/>
    <testUser realm="WASLTPARealm" />
    </mobileSecurityTest>

    Error from init call

    *-secure-
    {"WL-Authentication-Failure":{"wl_authenticityRealm":{"reason":"missing shared data required for authenticity test"}}}*/

    Below are my configuration steps:
    ==================================

    Using WL 5.0.5.1 Enterprise edition with DB2 9.7

    1. Created Worklight project and app
    2. Created Worklight environment for Android and Mobile
    3. Created security test mobileTest and customTests
    4. In application-descriptor.xml, added securityTest=customTests and publicSigningKey value

    <android version="1.0" securityTest="customTests">
    <worklightSettings include="true"/>
    <security>
    <encryptWebResources enabled="false"/>
    <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
    <publicSigningKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplCGk9PRlZRPCI3hKu58TFh2r/HTTwO2+Mj64xZl6oXBYBhziA0PhMhqrk5ROW4VQm4I58FaryDY2VF0amPP2/MNeVY2N/9+Wb5xWSpjqoZxQ5Z6bgumbz0ueBOmG4ylbdTIkjt6/yEdd1wXDhaEEcCzmx9nvRloEjqakutFKxfMepzJHKPFGxIHoDVNs4sR1xJaSdeyUdBF9A9Fq6JDull/en8HRhHoe+YYwgwqG2pKln/0FB48DRMkoBcBbK/zxpk6Zs1+PjOTMYL9w34kNv24NQxoX2Lmv1qu92Ke5Yv0O6tz1pIEdihYkuxklLtxBD9RGZgpA5FOUcBN8ymWXQIDAQAB</publicSigningKey>
    </security>
    </android>

    <worklightServerRootURL>http://host:port/MyURI</worklightServerRootURL>

    5. Changed the authenticationConfig on my server (/opt/ibm/WebSphere/AppServer/profiles/AppSrv01/installedApps/localhostCell01/MyApp_war.ear/MyApp.war/WEB-INF/classes/conf)

    <tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <securityTests>
    <mobileSecurityTest name="mobileTests">
    <testAppAuthenticity/>
    <testUser realm="WASLTPARealm" />
    </mobileSecurityTest>

    <customSecurityTest name="customTests">
    <test realm="wl_antiXSRFRealm" step="1" />
    <test realm="wl_authenticityRealm" step="1" />
    <test realm="wl_remoteDisableRealm" step="1" />
    <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1" />
    <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2" />
    </customSecurityTest>
    </securityTests>

    <realms>
    <!-- For websphere -->
    <realm name="WASLTPARealm" loginModule="WASLTPAModule">
    <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
    <parameter name="login-page" value="/login.html" />
    <parameter name="error-page" value="/loginError.html" />
    </realm>

    </realms>

    <loginModules>
    <loginModule name="WASLTPAModule">
    <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
    </loginModule>

    </loginModules>

    </tns:loginConfiguration>
  • SystemAdmin
    SystemAdmin
    2327 Posts

    Re: App Authentication

    ‏2013-02-08T00:12:36Z  
    Note: IBM forums are in the process of migrating to a new format. During migration the forums will be frozen and in read-only mode. If you wish to continue this thread discussion, please post it on Stack Overflow, where the Worklight team and others can respond.

    See the Forum Migration announce post for more details. Thank you.

    Barbara Hampson, Manager, IBM Worklight