0
votes

We are trying to develop session management on the IBM Worklight server. Following are our needs from the session management system:

  1. A session should be created once a user logs in using his credentials (username/password).
  2. This session should be able to store session data of that particular user, i.e. the session should save his credentials so that he need not pass them again for accessing other services.
  3. Session timeout should happen after a certain time.

Our progress:

  1. Created a realm in authenticationConfig:

    <realm name="SimpleAuthRealm" loginModule="SimpleAuthLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator</className>
        <parameter name="login-function" value="SimpleAuthAdapter.onAuthRequired" />
        <parameter name="logout-function" value="SimpleAuthAdapter.onLogout" />
    </realm>
    
  2. Created a login module in authenticationConfig:

    <loginModule name="SimpleAuthLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
    
  3. Created a security test:

    <customSecurityTest name="SimpleAuthAdapterTest">
        <test realm="SimpleAuthRealm" isInternalUserID="true"/>
    </customSecurityTest>
    
  4. We have created an adapter with two procedures in it. Following is the adapter.xml file:

    <procedure name="requestForData" securityTest="SimpleAuthAdapterTest" />
    <procedure name="requestForOtherData" securityTest="SimpleAuthAdapterTest" />
    
  5. Following is the adapter implementation file:

    // Called by the AdapterAuthenticator when a protected procedure is invoked
    // without an authenticated user: returns the challenge sent to the client.
    function onAuthRequired(headers, errorMessage) {
        WL.Logger.info("onAuthRequired(headers, errorMessage)----> START");
        WL.Logger.info("headers: " + JSON.stringify(headers));
        WL.Logger.info("errorMessage: " + errorMessage);

        errorMessage = errorMessage ? errorMessage : null;

        WL.Logger.info("onAuthRequired(headers, errorMessage)----> STOP");
        return {
            authRequired : true,
            errorMessage : errorMessage
        };
    }

    // Invoked by the client's challenge handler with the user's credentials.
    function submitAuthentication(username, password) {
        var response;

        WL.Logger.info("submitAuthentication(username, password)----> START");
        WL.Logger.info("username: " + username);
        // The password is deliberately not written to the server log.

        if (username === "worklight" && password === "worklight") {
            WL.Logger.info("Login successful");

            var userIdentity = {
                userId : username,
                displayName : username
            };

            // Binds this identity to the caller's session for SimpleAuthRealm.
            WL.Server.setActiveUser("SimpleAuthRealm", userIdentity);

            response = {
                authRequired : false,
                errorMessage : ""
            };
        } else {
            response = {
                authRequired : true,
                errorMessage : "Invalid login credentials"
            };
        }

        WL.Logger.info("submitAuthentication(username, password)----> STOP");
        WL.Logger.info("response: " + JSON.stringify(response));
        return response;
    }

    // Called on logout: clears the active user of the realm for this session.
    function onLogout() {
        WL.Logger.info("onLogout()---->START");
        WL.Server.setActiveUser("SimpleAuthRealm", null);
        WL.Logger.info("onLogout()---->STOP");
    }
    
  6. We have created a dummy UI which includes a login page and a home page. The login button click calls the submitAuthentication() service and navigates to the home page. The home page consists of two buttons, one to call the requestForData() service and the other to call the requestForOtherData() service.

Issues we are facing:

  1. This flow demands first calling a protected service, e.g. requestForData, and in response the Worklight server will throw a challenge which we clear by providing the user's credentials. We require the other way round: we want to provide the user's credentials and start the session so that all the services protected by that realm (security test) are accessible.
  2. Once we clear the challenge for the first service we are able to call the other service without providing user credentials, but while calling the next service we are not passing any identification of the calling client. This makes us believe that the session established in the first service call challenge is for all/any users and not user specific. We need a very, very user-specific session.

Please comment on whether it is a good idea to maintain the session on the Worklight middleware server, as we are working on a banking mobile application. Please suggest solutions to the above...

1 Answer

2
votes

For #1, consider setting a security test on all the app environments (in the application descriptor) and calling WL.Client.connect when the app starts (you should be doing this anyway). This will trigger authentication when the app initially contacts the Worklight server. Once this is complete, you will be able to access adapters protected by security tests in the same realm without an additional challenge.

For #2, when you establish the connection to the Worklight server, you create a session that the server tracks as yours, so even though you are not providing credentials again, the Worklight server knows which authenticated user makes each adapter call.
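As an added example (not code from the original question or answer) of the flow the answer describes: a client-side challenge handler for SimpleAuthRealm that lets WL.Client.connect() at app start trigger the login once, after which protected procedures run on the server-tracked session. It assumes SimpleAuthAdapterTest is set as the securityTest of the app environment in application-descriptor.xml, and the WL client API is passed in as a parameter so the handler logic can be exercised without the SDK; adapter and procedure names are the question's.

```javascript
// Added example, not code from the original post: client-side challenge handler for
// the SimpleAuthRealm realm. "wl" is the WL client API object (WL in a real app), passed
// in so the handler logic can run without the Worklight SDK present.

// Adapter-based authentication marks both the challenge (authRequired:true) and the
// result of submitAuthentication (authRequired:false) with an authRequired field.
function isSimpleAuthResponse(response) {
  var body = response && response.responseJSON;
  return !!body && typeof body.authRequired !== "undefined";
}

// Invocation that clears the challenge. Credentials are sent once to submitAuthentication
// and not retained on the client; the server-side session carries the identity afterwards.
function loginInvocation(username, password) {
  return { adapter: "SimpleAuthAdapter", procedure: "submitAuthentication",
           parameters: [username, password] };
}

// Register the handler and connect. With SimpleAuthAdapterTest on the app environment,
// connect() itself raises the challenge; once cleared, requestForData and
// requestForOtherData are invoked on the same session without a second challenge.
// promptForCredentials(errorMessage, submit) is the app's own login UI callback.
function startSession(wl, promptForCredentials, onReady, onFailure) {
  var handler = wl.Client.createChallengeHandler("SimpleAuthRealm");
  handler.isCustomResponse = isSimpleAuthResponse;
  handler.handleChallenge = function (response) {
    var body = response.responseJSON;
    if (!body.authRequired) {        // submitAuthentication accepted the credentials
      handler.submitSuccess();
      return;
    }
    // Still challenged: first time errorMessage is null, on a bad login it is set.
    promptForCredentials(body.errorMessage, function (username, password) {
      handler.submitAdapterAuthentication(loginInvocation(username, password), {});
    });
  };
  wl.Client.connect({ onSuccess: onReady, onFailure: onFailure });
  return handler;
}
```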