IBM Mobile First 7.1 HTTP Adapter Security test

0
votes

I am working on an http adapter which use node.js web service in order to validate username and password.

Procedures authenticatePatient and authenticateDoctor are unprotected, so I will use security test in other procedures.

But, when i tried to invoke one of them the challenge handler is invoked too, despite the fact that they are unprotected, and if I delete the challenge handler it works fine !

PatientAuthRealmChallengeHandler.js

var patientAuthRealmChallengeHandler = WL.Client.createChallengeHandler("PatientAuthRealm");
patientAuthRealmChallengeHandler.isCustomResponse= function(response){

if(!response|| !response.responseJSON || response.responseText===null){
    return false;
}
if(typeof (response.responseJSON.authRequired)!== 'undefined'){
    return true;
}
else {
    return false;
   }
 }

patientAuthRealmChallengeHandler.handleChallenge = function(response){
 var authRequired = response.responseJSON.authRequired;

    if(authRequired==true){

        console.log("accées réfusé!!");
    }
 else if(authRequired==false){
        console.log(" déja authentifié ");
        patientAuthRealmChallengeHandler.submitSuccess();
    }

  }

Authentication.xml

  <procedure name="authenticatePatient" securityTest="wl_unprotected"/>
  <procedure name="authenticateDoctor"  securityTest="wl_unprotected"/>

Authentication-impl.js (just authenticatePatient function )

  function authenticatePatient(params){
  var url="/patient/authenticate";
  var response= callWS(url,params,"post");
  var size= response.patients.length;

 if(size!=0){
   userIdentity = {
            userId: params.username,
            displayName: params.username,
            attributes: {
            }
    };
    //WL.Server.setActiveUser("PatientAuthRealm", null);
    WL.Server.setActiveUser("PatientAuthRealm", userIdentity); // create session 

    return {
        authRequired: false,
        "response": response
    };
}
return onAuthRequired(null, "Invalid login credentials");
}
function onAuthRequired(headers, errorMessage){
errorMessage = errorMessage ? errorMessage : null;

return {
    authRequired: true,
    errorMessage: errorMessage
  };
   }
 function onLogout(){
  WL.Logger.debug("Logged out");
 }

authentificationConfig.xml (realms)

    <realm name="PatientAuthRealm" loginModule="PatientAuthLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator </className>
        <parameter name="login-function" value="authentication.onAuthRequired"/>
        <parameter name="logout-function" value="authentication.onLogout"/>
    </realm>

    <realm name="DoctorAuthRealm" loginModule="DoctorAuthLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator </className>
        <parameter name="login-function" value="authentication.onAuthRequired"/>
        <parameter name="logout-function" value="authentication.onLogout"/>
    </realm>

authentificationConfig.xml (LoginModule)

<loginModule name="PatientAuthLoginModule">
            <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
    <loginModule name="DoctorAuthLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>

authentificationConfig.xml (Security tests)

  <customSecurityTest name="authenticatePatient">
        <test isInternalUserID="true" realm="PatientAuthRealm"/>
    </customSecurityTest>
    <customSecurityTest name="authenticateDoctor">
        <test isInternalUserID="true" realm="DoctorAuthRealm"/>
    </customSecurityTest>
1
authenticationibm-mobilefirst

1 Answers

1
votes

It is important to remember that the function isCustomResponse can be called on by any http response, not just protected requests. It is the job of this function (isCustomResponse) to determined whether this specific response is relevant for this challenge handler.

From what I understand in your example, you make a request to authenticatePatient which is unprotected.
Then, authenticatePatient returns:

return {
        authRequired: false,
        "response": response
    };

This JSON object is sent to the client.

Your isCustomResponse function gets triggered (it does not check whether this was a protected request, it gets triggered for every response).

Your implementation of isCustomResponse should be smart enough to determine whether to ignore this response (return false;), or trigger the challenge handler (return true;).

For your implementation, it looks like you only check that response.responseJSON.authRequired is defined. You did not check whether its value was true or false. Which means, your code determined that this response needs to be handled by the challenge handler.

I recommend your change your implementation of isCustomResponse to check for the value of response.responseJSON.authRequired and return true only when authRequired is true.