I am struggling to get ldap authentication using openDS to work. I am using Worklight Studio 6.2 and Apache DS 2.0 as the ldap browser.
The project is supposed to call a login page, and then submit the username and password for authentication to ldap.
I get the following error in the firefox console:
POST http://x.x.x.x:10080/LDAPTest/apps/services/j_security_check [HTTP/1.1 200 OK 253ms]
undefined entity j_security_check:134
And in Eclipse, in the Worklight console:
[WARNING ] FWLSE0138W: LdapLoginModule authentication failed. Reason 'javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
[WARNING ] FWLSE0239W: Authentication failure in realm 'LDAPRealm': login fail [project LDAPTest]
I thought that the issue would be either my connection string or my challenge handler. But since my error is invalid credentials, I suspect that it must be my connection string in the authenticationConfig.xml.
I have tried several methods including some of the posts here such as :
Worklight LDAP authentication using ApacheDS Worklight LDAP authentication using ApacheDS 2.0
and others. I followed the IBM LDAP sample to set this up and I have checked to make sure that I have the same structure.
Any help figuring this out would be much appreciated. Also, if you think I should check my LDAP config, I can post that too; I followed a tutorial from the OpenDS wiki. I was able to connect to it using the Apache DS browser and Softerra LDAP Administrator.
My project is as follows:
index.html:
<!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<title>LDAPTest</title>
<meta name="viewport"
content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=0">
<!--
<link rel="shortcut icon" href="images/favicon.png">
<link rel="apple-touch-icon" href="images/apple-touch-icon.png">
-->
<link rel="stylesheet" href="css/main.css">
<!-- Expose the Worklight-bundled jQuery (WLJQ) as $ / jQuery for the scripts below. -->
<script>window.$ = window.jQuery = WLJQ;</script>
</head>
<body style="display: none;">
<div id="header">
<h1>SigmaLDAP Login Module</h1>
</div>
<div id="wrapper">
<!-- Application view: shown/hidden by the LDAPRealm challenge handler in js/LDAPRealmChallenger.js. -->
<div id="AppDiv">
<input type="button" class="appButton"
value="Call protected adapter proc" onclick="getSecretData()" /> <input
type="button" class="appButton" value="Logout"
onclick="WL.Client.logout('LDAPRealm',{onSuccess: WL.Client.reloadApp})" />
<!-- getSecretData_Callback (js/main.js) writes the adapter response here. -->
<p id="resultDiv"></p>
</div>
<!-- Login view: hidden until the challenge handler shows it; #loginButton / #cancelButton
     are wired by click handlers in js/LDAPRealmChallenger.js. -->
<div id="AuthDiv" style="display: none">
<div id="loginForm">
<input type="text" id="usernameInputField"
placeholder="Enter username" /> <br /> <input type="password"
placeholder="Enter password" id="passwordInputField" /> <br /> <input
type="button" class="formButton" id="loginButton" value="Login" />
<input type="button" class="formButton" id="cancelButton"
value="Cancel" />
</div>
</div>
</div>
<script src="js/initOptions.js"></script>
<script src="js/main.js"></script>
<script src="js/messages.js"></script>
<!-- Binds the click handlers at load time, so it is included after the form markup above. -->
<script src="js/LDAPRealmChallenger.js"></script>
</body>
</html>
Main.js
/**
 * Worklight common-init hook; this application performs no extra setup here.
 */
function wlCommonInit() {
	// intentionally empty
}
/**
 * Invokes the protected "getSecretData" procedure of the "LDAPter" adapter.
 * Both the success and the failure outcome are routed to getSecretData_Callback.
 */
function getSecretData(){
	WL.Logger.info('invoking the adpater');
	var callbacks = {
		onSuccess: getSecretData_Callback,
		onFailure: getSecretData_Callback,
		timeout: 2000
	};
	WL.Client.invokeProcedure({
		adapter: "LDAPter",
		procedure: "getSecretData",
		parameters: []
	}, callbacks);
}
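/**
 * Renders the outcome of the getSecretData adapter call into #resultDiv.
 * Registered for both onSuccess and onFailure, so `response.invocationResult`
 * may be absent; the secret is then shown as "undefined" instead of throwing.
 * @param {Object} response - Worklight procedure response (success or failure).
 */
function getSecretData_Callback(response){
	var result = response ? response.invocationResult : undefined;
	var secret = result ? result.secretData : undefined;
	var panel = $("#resultDiv");
	panel.css("padding", "10px");
	panel.empty();
	// The response body comes from the adapter/back end; insert it as text nodes so
	// it is never parsed as HTML (the original used .html()/.append(string) for it).
	panel.append(document.createTextNode(String(new Date())));
	panel.append("<hr/>");
	panel.append(document.createTextNode("Secret data :: " + secret));
	panel.append("<hr/>");
	panel.append(document.createTextNode("Response :: " + JSON.stringify(response)));
}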
My Challenger.js
// Challenge handler for the "LDAPRealm" realm declared in authenticationConfig.xml;
// the isCustomResponse / handleChallenge / submitLoginFormCallback hooks are attached below.
var LDAPRealmChallengeHandler = WL.Client.createChallengeHandler("LDAPRealm");
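/**
 * Tells Worklight whether a server response is the LDAPRealm login challenge.
 * When credentials are rejected the server answers with its login page, whose
 * form posts to "j_security_check", so that marker in the body identifies the challenge.
 * @param {Object} response - Worklight response object; may be null or lack responseText.
 * @returns {boolean} true when the response body contains "j_security_check".
 */
LDAPRealmChallengeHandler.isCustomResponse = function(response) {
	if (!response || !response.responseText) {
		// Nothing to inspect. The original fell through to response.responseText.indexOf
		// here and threw a TypeError on a null or empty response.
		WL.Logger.info('failed to authenticate');
		return false;
	}
	if (response.responseText.indexOf("j_security_check") >= 0){
		// The login form came back, i.e. the user is NOT authenticated yet
		// (the original logged "Authenticated" here, which inverted the meaning).
		WL.Logger.info("Login challenge detected");
		return true;
	}
	return false;
};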
/**
 * Shows the login form in place of the application view and clears any
 * previously typed password.
 * @param {Object} response - the challenge response (not inspected here).
 */
LDAPRealmChallengeHandler.handleChallenge = function(response){
	var appView = $('#AppDiv');
	var loginView = $('#AuthDiv');
	$('#passwordInputField').val('');
	appView.hide();
	loginView.show();
};
// Login button: post the typed credentials to the realm's j_security_check endpoint.
// The credentials travel in the request body, so they are only as private as the transport.
$('#loginButton').bind('click', function () {
	var credentials = {
		j_username : $('#usernameInputField').val(),
		j_password : $('#passwordInputField').val()
	};
	LDAPRealmChallengeHandler.submitLoginForm('/j_security_check', {
		parameters: credentials,
		headers: {}
	}, LDAPRealmChallengeHandler.submitLoginFormCallback);
});
// Cancel button: return to the application view and tell Worklight the challenge was abandoned.
$('#cancelButton').bind('click', function () {
	var views = { app: $('#AppDiv'), login: $('#AuthDiv') };
	views.app.show();
	views.login.hide();
	LDAPRealmChallengeHandler.submitFailure();
});
/**
 * Callback for submitLoginForm: if the reply is the login challenge again
 * (credentials rejected), re-show the form; otherwise switch to the
 * application view and report success to Worklight.
 * @param {Object} response - the reply to the j_security_check POST.
 */
LDAPRealmChallengeHandler.submitLoginFormCallback = function(response) {
	if (LDAPRealmChallengeHandler.isCustomResponse(response)) {
		LDAPRealmChallengeHandler.handleChallenge(response);
		return;
	}
	$('#AuthDiv').hide();
	$('#AppDiv').show();
	LDAPRealmChallengeHandler.submitSuccess();
};
My adapter JS file:
/**
 * Adapter procedure backing the protected "getSecretData" call; returns a fixed payload.
 * @returns {{secretData: number}} the constant secret value.
 */
function getSecretData(){
	var payload = { secretData: 1234 };
	console.log("getting you secrets mofos");
	return payload;
}
The adapter XML file:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed Materials - Property of IBM
5725-I43 (C) Copyright IBM Corp. 2011, 2013. All Rights Reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
-->
<wl:adapter name="LDAPter"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wl="http://www.worklight.com/integration"
xmlns:http="http://www.worklight.com/integration/http">
<displayName>LDAPter</displayName>
<description>LDAPter</description>
<connectivity>
<!-- Placeholder HTTP back end: the adapter's getSecretData returns a constant and
     makes no back-end call, so protocol/domain/port are not exercised here (TODO confirm). -->
<connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
<protocol>http</protocol>
<domain>none</domain>
<port>80</port>
</connectionPolicy>
<loadConstraints maxConcurrentConnectionsPerNode="2" />
</connectivity>
<!-- Guarded by LDAPSecurityTest (authenticationConfig.xml), i.e. a user authenticated in LDAPRealm. -->
<procedure name="getSecretData" securityTest="LDAPSecurityTest" />
</wl:adapter>
The authenticationConfig.xml:
<?xml version="1.0" encoding="UTF-8"?>
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Licensed Materials - Property of IBM 5725-I43 (C) Copyright IBM Corp.
2006, 2013. All Rights Reserved. US Government Users Restricted Rights -
Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp. -->
<staticResources>
<!-- <resource id="logUploadServlet" securityTest="LogUploadServlet"> <urlPatterns>/apps/services/loguploader*</urlPatterns>
</resource> -->
<resource id="subscribeServlet" securityTest="SubscribeServlet">
<urlPatterns>/subscribeSMS*;/receiveSMS*;/ussd*</urlPatterns>
</resource>
</staticResources>
<!-- Sample security tests Even if not used there will be some default webSecurityTest
and mobileSecurityTest Attention: If you are adding an app authenticity realm
to a security test, you must also update the application-descriptor.xml.
Please refer to the user documentation on application authenticity for environment
specific guidelines. -->
<securityTests>
<!-- Protects the adapter's getSecretData procedure (securityTest="LDAPSecurityTest" in the adapter XML). -->
<customSecurityTest name="LDAPSecurityTest">
<test isInternalUserID="true" realm="LDAPRealm" />
</customSecurityTest>
<!-- <mobileSecurityTest name="mobileTests"> <testAppAuthenticity/> <testDeviceId
provisioningType="none" /> <testUser realm="myMobileLoginForm" /> <testDirectUpdate
mode="perSession" /> </mobileSecurityTest> <webSecurityTest name="webTests">
<testUser realm="myWebLoginForm"/> </webSecurityTest> <customSecurityTest
name="customTests"> <test realm="wl_antiXSRFRealm" step="1"/> <test realm="wl_authenticityRealm"
step="1"/> <test realm="wl_remoteDisableRealm" step="1"/> <test realm="wl_directUpdateRealm"
mode="perSession" step="1"/> <test realm="wl_anonymousUserRealm" isInternalUserID="true"
step="1"/> <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true"
step="2"/> </customSecurityTest> <customSecurityTest name="LogUploadServlet">
<test realm="wl_anonymousUserRealm" step="1"/> <test realm="LogUploadServlet"
isInternalUserID="true"/> </customSecurityTest> -->
<customSecurityTest name="SubscribeServlet">
<test realm="SubscribeServlet" isInternalUserID="true" />
</customSecurityTest>
</securityTests>
<realms>
<!-- Form-based realm backed by LDAPLoginModule. The client challenge handler recognises
     the challenge by the "j_security_check" marker in the login page the server returns. -->
<realm loginModule="LDAPLoginModule" name="LDAPRealm">
<className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
<onLoginUrl>/console</onLoginUrl>
</realm>
<realm name="SubscribeServlet" loginModule="rejectAll">
<className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm>
<!-- For client logger -->
<!-- <realm name="LogUploadServlet" loginModule="StrongDummy"> <className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
</realm -->
<!-- For websphere -->
<!-- realm name="WASLTPARealm" loginModule="WASLTPAModule"> <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
<parameter name="login-page" value="/login.html"/> <parameter name="error-page"
value="/loginError.html"/> </realm -->
<!-- For User Certificate Authentication -->
<!-- realm name="wl_userCertificateAuthRealm" loginModule="WLUserCertificateLoginModule">
<className>com.worklight.core.auth.ext.UserCertificateAuthenticator</className>
<parameter name="dependent-user-auth-realm" value="WASLTPARealm" /> <parameter
name="pki-bridge-class" value="com.worklight.core.auth.ext.UserCertificateEmbeddedPKI"
/> <parameter name="embedded-pki-bridge-ca-p12-file-path" value="/opt/ssl_ca/ca.p12"/>
<parameter name="embedded-pki-bridge-ca-p12-password" value="capassword"
/> </realm -->
<!-- For Trusteer Fraud Detection -->
<!-- Requires acquiring Trusteer SDK -->
<!-- realm name="wl_basicTrusteerFraudDetectionRealm" loginModule="trusteerFraudDetectionLogin">
<className>com.worklight.core.auth.ext.TrusteerAuthenticator</className>
<parameter name="rooted-device" value="block"/> <parameter name="device-with-malware"
value="block"/> <parameter name="rooted-hiders" value="block"/> <parameter
name="unsecured-wifi" value="alert"/> <parameter name="outdated-configuration"
value="alert"/> </realm -->
</realms>
<loginModules>
<!-- Simple bind against the directory at ldapProviderUrl. ldap:// (not ldaps://) with
     ldapSecurityAuthentication=simple sends the user's password to the directory in clear;
     acceptable for a local test directory, not for a production deployment.
     NOTE(review): the "error code 49 - Invalid Credentials" bind failure means the directory
     rejected the DN/password pair; presumably the DN is built from ldapSecurityPrincipalPattern,
     so confirm the user entry really sits at uid={username},ou=users,dc=sigma,dc=com. -->
<loginModule name="LDAPLoginModule">
<className>com.worklight.core.auth.ext.LdapLoginModule</className>
<parameter name="ldapProviderUrl" value="ldap://localhost:389/dc=sigma,dc=com" />
<parameter name="ldapTimeoutMs" value="2000"/>
<parameter name="ldapSecurityAuthentication" value="simple"/>
<parameter name="validationType" value="searchPattern"/>
<parameter name="ldapSecurityPrincipalPattern" value="uid={username},ou=users,dc=sigma,dc=com"/>
<parameter name="ldapSearchFilterPattern" value="(uid={username})"/>
<parameter name="ldapSearchBase" value="ou=users,dc=sigma,dc=com"/>
</loginModule>
<!-- NonValidatingLoginModule accepts any credentials; only referenced by the commented-out
     LogUploadServlet realm here. -->
<loginModule name="StrongDummy">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule>
<loginModule name="requireLogin">
<className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
</loginModule>
<loginModule name="rejectAll">
<className>com.worklight.core.auth.ext.RejectingLoginModule</className>
</loginModule>
<!-- Required for Trusteer - wl_basicTrusteerFraudDetectionRealm -->
<!-- loginModule name="trusteerFraudDetectionLogin"> <className>com.worklight.core.auth.ext.TrusteerLoginModule</className>
</loginModule -->
<!-- For websphere -->
<!-- loginModule name="WASLTPAModule"> <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
</loginModule -->
<!-- Login module for User Certificate Authentication -->
<!-- <loginModule name="WLUserCertificateLoginModule"> <className>com.worklight.core.auth.ext.UserCertificateLoginModule</className>
</loginModule> -->
<!-- For enabling SSO with no-provisioning device authentication -->
<!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceNoProvisioningLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule> -->
<!-- For enabling SSO with auto-provisioning device authentication -->
<!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceAutoProvisioningLoginModule">
<className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
</loginModule> -->
</loginModules>
</tns:loginConfiguration>
The response from j_security_check:
Request URL: http://x.x.x.x:10080/LDAPTest/apps/services/j_security_check
Request Method: POST
Status Code: HTTP/1.1 200 OK
Request Headers 12:47:00.000
x-wl-app-version: 1.0
x-wl-analytics-tracking-id: a948e425-1ace-a28b-3d27-11bac5ba3de3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Referer: http://10.2.38.14:10080/LDAPTest/apps/services/preview/LDAPTest/common/0/default/index.html
Pragma: no-cache
Host: 10.2.38.14:10080
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 37
Connection: keep-alive
Cache-Control: no-cache
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Accept: text/javascript, text/html, application/xml, text/xml, */*
Sent Cookie
WL_PERSISTENT_COOKIE: b24de65a-9c5a-4f58-97d7-348e92c78034
testcookie: oreo
LtpaToken2: rZBXVP4XKLnpvJpLFrp3UArtZGrcsGAXr4jGDTBurns9Ej5Nrx1s4/yWsDJJN6xfWkxWh1/3bBruHvL9twdae1qVcE2/D/0GfMwd1pVLbpowclNLFtqKBonEXxV6TlFIVaKgKz62SHR2to3Az/vbTjF+ZH8V1QnAdGi6dC8mk+wympju0P/4hLKWHseN9Sty2UM94cL2Cd+vcBGhJ5QVF211RIwQTXuGeQl+WMTg6B8Kfjlvly4sanyVr5va2AW38752VNEWtdnsrTHcayO/lAG1SyebFEKtaTVZhOPBkml5m6AojEGlDbcUjjof6e9H
JSESSIONID: 0000QTvrT7OBSgjn7OJG9XPMtIE:b45f2ac7-fb59-4da4-b233-f8bc81b81cf0
Response Headers Δ315ms
X-Powered-By: Servlet/3.0
Transfer-Encoding: chunked
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Expires: -1
Date: Mon, 10 Nov 2014 11:47:00 GMT
Content-Language: en-US
And the Firefox console also reports an undefined entity for j_security_check at line 134, which in the snippet below is the last line before the closing div. The code it points to is as follows:
body onload="isPopup(); setFocus();">
<div id="authenticatorLoginFormWrapper">
<h1>IBM</h1>
<h2>IBM Worklight</h2>
<form method="post" action="j_security_check">
<p id="error">Please check the credentials</p>
<label for="j_username">User name:</label>
<input type="text" id="j_username" name="j_username" placeholder="User name" />
<br />
<label for="j_password">Password:</label>
<input type="password" id="j_password" name="j_password" placeholder="Password" />
<br />
<input type="submit" id="login" name="login" value="Log In" />
</form>
<p id="copyright">© 2006, 2012 IBM Corporation. <a href="#" target="_blank">Trademark</a></p>
</div>