1
votes

While debugging, we observe the following behavior:

1) When trying to get the encryption key from the server, an error occurs on both platforms (iOS and Android):

response [https://xxxx.xxxx.com:443/worklight/apps/services/random] success: Exception thrown by application class 'com.ibm.ws.webcontainer.session.impl.HttpSessionContextImpl.checkSecurity():685'
  SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:NewRealm/CN=test user,OU=Temporary Users,OU=Acc,DC=xxxx,DC=com.

2) When trying to read a stored value, the error on Android is [Logcat]:

Android Message: Uncaught 9 at file:///data/data/com.xxxx.xxxxapp/files/www/default/wlclient/js/encryptedcache.js:63 Where try to call WL.EncryptedCache.read

Worklight version used is 5.0.5 Consumer Edition (with Oracle 11i) on
Windows 2008 R2
WebSphere Liberty profile

Worklight server is sitting behind IBM Datapower XI52. All SSL calls to the server are going via DP.

Authenticator - WebSphereFormBasedAuthenticator & LoginModule - WASLTPAModule

2
Can we get some code snippets? - tik27

2 Answers

1
votes

The following is not really an answer, since I'm not familiar with authentication (LTPA, FormBasedAuth, Data Power, etc.)... just a couple of comments that could help you debug/isolate the issue.

Looks like a problem with authentication:

A user authenticated as anonymous has attempted to access a session owned by user:NewRealm/CN=test user,OU=Temporary Users,OU=Acc,DC=xxxx,DC=com.

Not with the Encrypted Offline Cache (EOC).

EOC will try to get a random token by calling the following function:

WL.EncryptedCache.secureRandom(function (data) {
   console.log(data);
});

It should output something like this:

response [/apps/services/random] success: 9053bdcfd902aac3dfb59a9874c9cf55223b7d17
9053bdcfd902aac3dfb59a9874c9cf55223b7d17

You can view the functions source code typing the following in a JS console:

WL.EncryptedCache.secureRandom

If you're using Google Chrome developer tools there's a checkbox for Log XMLHttpRequests when you click on the gear icon > General > Console.

You can also try to request the URL directly. Assuming the host is localhost, port is 10080 and project name is wlproj:

http://localhost:10080/wlproj/apps/services/random
9053bdcfd902aac3dfb59a9874c9cf55223b7d17

You can view HTTP traffic with Wireshark or Charles Proxy.

I imagine this will fix the EOC issue for you, if you don't mind generating the random token locally (less security, AFAIK):

// Debug-only override: Math.random() is not a cryptographically secure source,
// so this only isolates the problem; it is not a substitute for the server token.
WL.EncryptedCache.secureRandom = function (callback) {
   callback(Math.random() + "");
};

For example (screenshot not reproduced here):

Notice it never goes to the server, everything is done locally.

0
votes

A user authenticated as anonymous has attempted to access a session owned by user:NewRealm/CN=test user,OU=Temporary Users,OU=Acc,DC=xxxx,DC=com.

This usually means that there is a conflict: the session sent by the user (the session cookie) belongs to a user (in this case), but the LTPA token cookie was not sent or was not valid. There could be a few causes of this. The best way is to do a trace between DataPower and the Worklight server to make sure an LTPA token is even being sent to the Worklight server. If it is, verify that all of the LTPA requirements are met (synchronized time, same private key on both machines).
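To make the trace check described in this answer concrete, the following is an added example (not code from the question, the answers, or IBM Worklight). It reads a constructed trace of requests as DataPower would forward them to the Worklight server, flags the combination behind SESN0008E (a JSESSIONID cookie for a session owned by an authenticated user arriving without an LtpaToken2/LtpaToken cookie, so the container treats the caller as anonymous), and parses the SESN0008E line to show which user owns the session. The cookie names are the WebSphere defaults and the trace entries are constructed sample data.

```javascript
// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    cookies[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// Extract caller and session owner from a SESN0008E log line (null if not one).
function parseSesn0008e(line) {
  const re = /SESN0008E: A user authenticated as (\S+) has attempted to access a session owned by user:(.+?)\.?$/;
  const m = re.exec(line);
  return m ? { caller: m[1], owner: m[2] } : null;
}

// Classify one forwarded request ({ path, headers }) by the cookies it carries.
// 'session-without-ltpa' is the state that produces SESN0008E on the server.
function classifyRequest(request) {
  const cookies = parseCookieHeader(request.headers.cookie || '');
  const hasSession = 'JSESSIONID' in cookies;
  const hasLtpa = 'LtpaToken2' in cookies || 'LtpaToken' in cookies;
  if (hasSession && !hasLtpa) return 'session-without-ltpa';
  if (!hasSession && !hasLtpa) return 'anonymous';
  return 'ok';
}

// Return the trace entries that would trigger SESN0008E.
function findSuspects(trace) {
  return trace.filter((r) => classifyRequest(r) === 'session-without-ltpa');
}

// Constructed sample trace (assumed values): the second entry is the situation
// the question describes, a session cookie forwarded without any LTPA cookie.
const sampleTrace = [
  { path: '/worklight/apps/services/random',
    headers: { cookie: 'JSESSIONID=0000sample1; LtpaToken2=sample-token-value' } },
  { path: '/worklight/apps/services/random',
    headers: { cookie: 'JSESSIONID=0000sample1' } },
  { path: '/worklight/apps/services/random', headers: {} },
];

for (const r of findSuspects(sampleTrace)) {
  console.log('session cookie without LTPA token:', r.path, r.headers.cookie);
}
```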