1
votes

I am having a problem checking a security test for adapter-based authentication with multiple realms. I have the following configuration in authenticationConfig.xml:

    <customSecurityTest name="RealmAdapter-securityTest">
        <test isInternalUserID="true" realm="RealmAdapterRealm" step="1" mode="perRequest" />
        <test realm="RealmAdapterRealm2" step="2" mode="perRequest"/>
    </customSecurityTest>
    </securityTests>

    <realm name="RealmAdapterRealm" loginModule="MultipleRealmLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator</className>
        <parameter name="login-function" value="RealmAdapter.doLogin" />
        <parameter name="logout-function" value="RealmAdapter.onLogout" />
    </realm>
    <realm name="RealmAdapterRealm2" loginModule="MultipleRealmLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator</className>
        <parameter name="login-function" value="RealmAdapter.getText" />
    </realm>

    <loginModule name="MultipleRealmLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>

The problem is that only the first realm is getting called! In the login-function of RealmAdapterRealm, after a successful login, I am setting the user session object and returning authrequired as false. But my second realm is not getting called. If I change the second realm (RealmAdapterRealm2) to step=1 and the first realm (RealmAdapterRealm) to step=2, then also the first realm is working, i.e. RealmAdapterRealm2 is working and RealmAdapterRealm is never getting called. Please help me to achieve this, as I am a newbie to IBM Worklight.

1
How does mode="perSession" matter here? These attributes do exist, else my adapter wouldn't have been deployed! Moreover, if I remove this attribute it also doesn't work. - Nitin Mesta
@nsm What version of Worklight are you running on? - Chevy Hungerford
@ChevyHungerford I am using IBM Mobile First platform foundation 6.3 (developer edition) - Nitin Mesta
Sorry for the late response, at a conference. Is there any server log output that you can show us? - Chevy Hungerford
@Chevy: I have not put any server log. But when I debug the app on the client side, in the challenge handler .js file there are 2 handlers, one for each realm in the authConfig. So whichever realm is defined first in the authConfig, only the challenge handler of that particular realm is getting called! The 2nd challenge handler is never called. Don't know what I am missing. - Nitin Mesta

1 Answer

2
votes

The problem is that you're using the same login module for both realms. The login module is the entity that maintains user identity. Once you're authenticated in RealmAdapterRealm, the MultipleRealmLoginModule creates a user identity. Then the auth framework checks whether you're already authenticated in RealmAdapterRealm2. This check means going to the login module defined in RealmAdapterRealm2 and asking whether it has a user identity created. And since you're using MultipleRealmLoginModule for both realms, once you've authenticated with one of the realms both will have a user identity.

The solution is to have separate login modules per realm. Clone MultipleRealmLoginModule to MultipleRealmLoginModule2 and use it in RealmAdapterRealm2.
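
A check for the condition the answer describes (realms in one security test that share a login module), as an added example that is not part of the original answer or of Worklight itself. The `<config>` wrapper element and the trimmed realm entries are constructed for the sample; the realm, login module and security test names are the ones from the question.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the security test and realms from the question, trimmed
# and wrapped in a hypothetical <config> root so the fragment parses.
QUESTION_CONFIG = """
<config>
  <securityTests>
    <customSecurityTest name="RealmAdapter-securityTest">
      <test isInternalUserID="true" realm="RealmAdapterRealm" step="1" mode="perRequest"/>
      <test realm="RealmAdapterRealm2" step="2" mode="perRequest"/>
    </customSecurityTest>
  </securityTests>
  <realm name="RealmAdapterRealm" loginModule="MultipleRealmLoginModule"/>
  <realm name="RealmAdapterRealm2" loginModule="MultipleRealmLoginModule"/>
</config>
"""

# Same sample with the answer's fix applied: one login module per realm.
FIXED_CONFIG = QUESTION_CONFIG.replace(
    'name="RealmAdapterRealm2" loginModule="MultipleRealmLoginModule"',
    'name="RealmAdapterRealm2" loginModule="MultipleRealmLoginModule2"',
)


def shared_login_modules(config_xml):
    """Return {security test name: {login module: [realms sharing it]}}."""
    root = ET.fromstring(config_xml)
    module_of = {r.get("name"): r.get("loginModule") for r in root.iter("realm")}
    findings = {}
    for sec_test in root.iter("customSecurityTest"):
        realms_by_module = defaultdict(list)
        # Walk the test's realms in step order so the report reads like the flow.
        for test in sorted(sec_test.iter("test"), key=lambda t: int(t.get("step", "0"))):
            realm = test.get("realm")
            if realm in module_of:  # skip realms not declared in this file
                realms_by_module[module_of[realm]].append(realm)
        shared = {m: rs for m, rs in realms_by_module.items() if len(rs) > 1}
        if shared:
            findings[sec_test.get("name")] = shared
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, shared_login_modules(cfg) or "no shared login modules")
```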