Invoking a secure adapter using Adapter Invocation Service in IBM Worklight

0
votes

We have an HTTP adapter with a couple of secure procedures declared as follows: 

<wl:adapter name="PushAdapter" ...
  .
  .
<procedure name="submitNotification" securityTest="AdapterSecurityTest"/>
<procedure name="submitNotificationMass" securityTest="AdapterSecurityTest"/>

Security test is performed using adapter based authentication as below:

 <securityTests>
    <mobileSecurityTest name="AdapterSecurityTest">
        <testUser realm="MyRealm"/>
        <testDeviceId provisioningType="none"/>
    </mobileSecurityTest>
</securityTests> 

<realms>
    <realm name="MyRealm" loginModule="NonValidatingLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator</className>
        <parameter name="login-function">AuthenticationAdapter.onAuthRequired</parameter>
        <parameter name="logout-function">AuthenticationAdapter.onLogout</parameter>
    </realm>
</realms>

We need to be able to invoke the adapter procedures in HTTP using the adapter invocation service. Using the invocation service, the invocation URL should be as below: 

http://<server>:<port>/<Context>/invoke?adapter=PushAdapter&procedure=submitNotification&parameters=[userId, notification text to be sent]

The invocation works as expected when the procedure security test is set to 'wl_unprotected'. But if the security test is used, the invocation returns the below response: 

/*-secure-{"WL-Authentication-Failure":{"wl_remoteDisableRealm":{"reason":"Login Failed"}}}*/

The question is, how can we authenticate using the invocation service? We tried setting the authorization HTTP header with now luck.

Thank you

1
ibm-mobilefirstworklight-adapters
Why do you want to authenticate the adapter via invocation URL when u enable Mobile security test? - Karikalan
We have a use case where we want a backend system to initiate sending Push notifications to the app users by invoking an adapter procedure using the adapter invocation service, we do not want the URL sending the notification to be unsecured and public to anyone. - Hisham

1 Answers

2
votes

I have followed the procedure's to implement with the help Adapter based Authentication from Worklight 6.2 Samples.

Step 1: Add the following value's in header, based your environment actuals

 x-wl-app-details:{"applicationDetails":{"platformVersion":"6.2.0.00.20140613-0730","nativeVersion":""}}

 x-wl-app-version:1.0

Request: http://x.x.x.x:10080/AdapterBasedAuth/apps/services/api/SingleStepAuth/common/init

Response:

/*-secure- {"challenges":{"wl_antiXSRFRealm":{"WL-Instance-Id":"gi1cqaqd3p89763l1amoklsq3u"}}}*/

Step 2:

Add the WL-Instance-Id: gi1cqaqd3p89763l1amoklsq3u in the header which was the part of previous response

Request: http://xx.xx.xx.xx:10080/AdapterBasedAuth/apps/services/api/SingleStepAuth/common/query?adapter=SingleStepAuthAdapter&procedure=submitAuthentication&parameters=['worklight','worklight']

Response:

/*-secure-
{"isSuccessful":true,"WL-Authentication-Success":{"SingleStepAuthRealm":{"userId":"worklight","isUserAuthenticated":1,"attributes":{"foo":"bar"},"displayName":"worklight"},"wl_antiXSRFRealm":{"userId":"j136h3aus2v1vlbjr860mmossc","attributes":{},"isUserAuthenticated":1,"displayName":"j136h3aus2v1vlbjr860mmossc"},"wl_anonymousUserRealm":{"userId":"747809a4-3574-4958-a55a-f084b2c9f02c","attributes":{},"isUserAuthenticated":1,"displayName":"747809a4-3574-4958-a55a-f084b2c9f02c"}},"authRequired":false}*/

Step 3:

Add Authorization header and the value from previous response

"SingleStepAuthRealm":{"userId":"worklight","isUserAuthenticated":1,"attributes":{"foo":"bar"},"displayName":"worklight"}

Request: http://xx.xx.xx.xx:10080/AdapterBasedAuth/apps/services/api/SingleStepAuth/common/query?adapter=SingleStepAuthAdapter&procedure=getSecretData

Response:

 /*-secure-
{"isSuccessful":true,"secretData":"A very very very very secret data"}*/

To know more about this process follow this IBM Community Blog.

I believe this what you are looking for.