
Trying to set up security on a 6.1 Worklight server (Full WAS 8.5.5).

Getting error:

SRVE0232E: Internal Server Error. 
Exception Message: [com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm.]


com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm.


IBM WebSphere Application Server

I have edited the following files before deploying the new WAR file...

worklight.properties:

#######################################################################################################################
#   Protecting the Worklight Console
#######################################################################################################################
# You can protect the Worklight Console by defining user credentials required to access it.
# In addition to defining these two properties, you should also configure the authenticationConfig.xml file,
# located under <Worklight Root Directory>\server\conf.
console.username=consoleadmin
console.password=consolepassword

authenticationConfig.xml:

    <!-- Uncomment the next element to protect the worklight console and the first section in securityTests below. -->
    <staticResources>
        <resource id="worklightConsole" securityTest="WorklightConsole">
            <urlPatterns>/console*</urlPatterns>
        </resource>

        <resource id="subscribeServlet" securityTest="SubscribeServlet">
            <urlPatterns>/subscribeSMS*;/receiveSMS*</urlPatterns>
        </resource>
    </staticResources>

    <!--  Sample security tests
          Even if not used there will be some default webSecurityTest and mobileSecurityTest
          Attention: if using <testAppAuthenticity/> test below ,<publicSigningKey> element must be added to application-descriptor.xml as well. -->

    <securityTests>

        <customSecurityTest name="WorklightConsole">
            <test realm="WorklightConsole" isInternalUserID="true"/>
        </customSecurityTest>
        <!--
        <mobileSecurityTest name="mobileTests">
            <testAppAuthenticity/>
            <testDeviceId provisioningType="none" />
            <testUser realm="myMobileLoginForm" />
        </mobileSecurityTest>

        <webSecurityTest name="webTests">
            <testUser realm="myWebLoginForm"/>
        </webSecurityTest>

        <customSecurityTest name="customTests">
            <test realm="wl_antiXSRFRealm" step="1"/>
            <test realm="wl_authenticityRealm" step="1"/>
            <test realm="wl_remoteDisableRealm" step="1"/>
            <test realm="wl_anonymousUserRealm" isInternalUserID="true" step="1"/>
            <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="2"/>
        </customSecurityTest>
        -->
        <customSecurityTest name="SubscribeServlet">
            <test realm="SubscribeServlet" isInternalUserID="true"/>
        </customSecurityTest>

    </securityTests>
Looks like you are trying to access a session from an unprotected page. Check in the admin console in Security > Global security > Web and SIP security > General settings if you have the "Use available authentication data when an unprotected URI is accessed" checkbox checked. - Gas

It should be noted that this is not the way to protect Worklight Console in production environments (that is, outside of the development server): www-01.ibm.com/support/knowledgecenter/SSZH4A_6.1.0/… Use LDAP. - Idan Adar

@gas - That check box is already ticked. - falter

@IdanAdar - Can you point me to the help page detailing securing the Worklight console for Prod without LDAP, please? - falter

The same link I posted above... - Idan Adar
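
A static check for the wiring shown in the question's authenticationConfig.xml, added here as an example (not code from the post or from Worklight): it confirms that each `<resource>`'s `securityTest` attribute names a test that is active under `<securityTests>` rather than commented out or missing. The root element name, the `extra` resource and the function names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (placeholder root; "extra" is hypothetical; SubscribeServlet test omitted).
SAMPLE = """<loginConfiguration>
  <staticResources>
    <resource id="worklightConsole" securityTest="WorklightConsole">
      <urlPatterns>/console*</urlPatterns>
    </resource>
    <resource id="subscribeServlet" securityTest="SubscribeServlet">
      <urlPatterns>/subscribeSMS*;/receiveSMS*</urlPatterns>
    </resource>
    <resource id="extra" securityTest="customTests">
      <urlPatterns>/extra*</urlPatterns>
    </resource>
  </staticResources>
  <securityTests>
    <customSecurityTest name="WorklightConsole">
      <test realm="WorklightConsole" isInternalUserID="true"/>
    </customSecurityTest>
    <!-- <customSecurityTest name="customTests">
      <test realm="wl_antiXSRFRealm" step="1"/>
    </customSecurityTest> -->
  </securityTests>
</loginConfiguration>"""

def local(tag):
    # Comments carry a function as tag; elements may carry a "{namespace}" prefix.
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""

def check_static_resources(xml_text):
    # Keep comments in the tree so a commented-out test is told apart from a missing one.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    active, commented, report = set(), set(), {}
    for el in root.iter():
        if el.tag is ET.Comment:
            commented.update(re.findall(r'<\w+SecurityTest\s+name="([^"]+)"', el.text or ""))
        elif local(el.tag).endswith("SecurityTest") and el.get("name"):
            active.add(el.get("name"))
    for res in (e for e in root.iter() if local(e.tag) == "resource"):
        name = res.get("securityTest")
        patterns = [p for e in res if local(e.tag) == "urlPatterns" for p in (e.text or "").split(";")]
        status = "ok" if name in active else "commented-out" if name in commented else "undefined"
        report[res.get("id")] = (patterns, name, status)
    return report

if __name__ == "__main__":
    print(check_static_resources(SAMPLE))
```

Any resource reported as `commented-out` or `undefined` points at a security test the server will not find in the active configuration.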

1 Answers