I migrated a 5.0.0.3 Worklight application deployed on a 5.0.0.3 Worklight server to Worklight Studio 5.0.6, and the deployment was done on IPAS.

Deployment is successful on IPAS and I am now trying to run my Android application from my tablet.

I have some issues with the authentication:

In the application descriptor, I protected the Android application in application-descriptor.xml with a securityTest.

I defined realms, securityTest and loginModules in authenticationConfig.xml. I use a FormBasedAuthenticator and a NonValidatingLoginModule.

Everything works well for my challengeHandler except when I call challengeHandler.submitSuccess(). At that point, I get the following error on the server console:

com.worklight.core.auth.ext.AuthenticityLoginModule login FWLSE0127E: Authenticity check failed.


The securityTest I use is: CustomerCentricClientApp-strong-mobile-securityTest. Here is my authenticationConfig.xml file:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

<securityTests>
    <webSecurityTest name="CustomerCentricClientApp-web-securityTest">
        <testUser realm="PushClientAppRealm"/>
    </webSecurityTest>

    <mobileSecurityTest name="CustomerCentricClientApp-strong-mobile-securityTest">
        <testAppAuthenticity/> 
        <testUser realm="PushClientAppRealm"/>
        <testDeviceId provisioningType="none"/>
    </mobileSecurityTest>
</securityTests>

<realms>        
    <realm loginModule="PushAppClientLoginModule" name="PushClientAppRealm">
        <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
    </realm>

    <realm loginModule="requireLogin" name="WorklightConsole">
        <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
        <onLoginUrl>/console</onLoginUrl>
    </realm>
</realms>

<loginModules>
    <loginModule name="PushAppClientLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>

    <loginModule name="requireLogin">
        <className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
    </loginModule>
</loginModules>


Here is an extract of my application-descriptor:

<android securityTest="CustomerCentricClientApp-strong-mobile-securityTest" version="1.0">
    <worklightSettings include="true"/>
    <pushSender key="xxx" senderId="xx"/>
    <security>
        <encryptWebResources enabled="false"/>
        <testWebResourcesChecksum enabled="false" ignoreFileExtensions="png, jpg, jpeg, gif, mp4, mp3"/>
        <publicSigningKey>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsW8rocRoAK0PElY5DpyN0wkg2CAVA7Ub8KSFDjBwofoWiA7AAD1hlcJJPCRznfFQ8nQEQ7jJAhpuOvmKxvVcRfj7shJ3JZP0yAvh0Lte8DSQ0MASXwfyehmJe9l/KiY5KWM6sDk+4oxcDJ2j2U+mBivR9+msdTaqIOFPP+PBteQIDAQAB</publicSigningKey>
    </security>
</android>
Richard JP Le Guen
Sophie

1 Answer

Make sure <testAppAuthenticity/> is part of your custom securityTest.

In addition to adding the authenticity test above, you need to also:

  1. Specify a public signing key in application-descriptor.xml (add it using the "Extract public signing key" in the Android environment's context menu)
  2. Sign and export your .apk (I assume we're talking Android here) using the same keystore used for generating the public signing key above

Note that this is only relevant in the Consumer or Enterprise editions of Worklight, where the Authenticity feature exists. If this is not your case, I suggest removing this securityTest.

Idan Adar
  • Here is my authenticationConfig.xml file: – Sophie Apr 09 '13 at 11:40
  • I think that I need this securityTest because I use push notification adapters. I add an extract of Application-descriptor.xml in my question. – Sophie Apr 09 '13 at 12:01
  • No, this security test has no relation to Push Notifications. – Idan Adar Apr 09 '13 at 12:02
  • OK. But my server is based on the IPAS pattern ... then I think that it is a Consumer or Enterprise edition of Worklight. – Sophie Apr 09 '13 at 12:08
  • If you don't know authenticity, I suggest removing it. In any case, now that you've added what was missing, try again. Again, to speed things up and get you up and running, if you don't need authenticity, remove it. – Idan Adar Apr 09 '13 at 12:09
  • I didn't sign my apk ... How can I do that? – Sophie Apr 09 '13 at 12:10
  • Do you intend on installing on a device? Your problem was while previewing... After you build your project you need to right-click the Android project and choose Android Tools, there you have the option to export a signed application package. Use the same keystore you used for creating the public signing key. DON'T use (for either the public key or apk signing) the android debug keystore. Use one of your own. This is the .apk you need to install on a device. – Idan Adar Apr 09 '13 at 12:12
  • Then I must look at how to use my own keystore. Is there any documentation on that? – Sophie Apr 09 '13 at 12:32
  • Not a Worklight question: http://stackoverflow.com/questions/6849558/android-what-is-a-keystore-file-and-what-is-it-used-for – Idan Adar Apr 09 '13 at 12:34
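
The two conditions from the answer above (an authenticity test inside the securityTest, and a publicSigningKey taken from the same keystore that signed the .apk) can be checked before deployment. The following is an added example, not part of the original thread and not Worklight tooling; `check_authenticity_setup`, the `<config>` wrapper and the sample key values are assumptions made for illustration, and the .apk signer's public key is assumed to be supplied by the reader as base64 DER.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the question's files. The <config> wrapper is
# added only so the extract parses; the key values are fake DER, not real keys.
KEY_RELEASE = base64.b64encode(b"\x30\x03\x01\x02\x03").decode()
KEY_DEBUG = base64.b64encode(b"\x30\x03\x09\x09\x09").decode()
AUTH_CONFIG = """<config><securityTests>
  <mobileSecurityTest name="strong-mobile-securityTest">
    <testAppAuthenticity/>
    <testUser realm="PushClientAppRealm"/>
    <testDeviceId provisioningType="none"/>
  </mobileSecurityTest>
</securityTests></config>"""
DESCRIPTOR = """<android securityTest="strong-mobile-securityTest" version="1.0">
  <security><publicSigningKey>%s</publicSigningKey></security>
</android>""" % KEY_RELEASE


def fingerprint(key_b64):
    """SHA-256 of the decoded key; rejects input that is not base64 DER."""
    der = base64.b64decode(key_b64, validate=True)
    if not der or der[0] != 0x30:  # DER SubjectPublicKeyInfo starts with SEQUENCE
        raise ValueError("not a DER-encoded public key")
    return hashlib.sha256(der).hexdigest()


def check_authenticity_setup(auth_xml, descriptor_xml, apk_signer_key_b64):
    """Return a list of findings; an empty list means the setup is consistent."""
    android = ET.fromstring(descriptor_xml)
    test_name = android.get("securityTest")
    tests = ET.fromstring(auth_xml).find("securityTests")
    test = next((t for t in tests if t.get("name") == test_name), None)
    if test is None:
        return ["securityTest %r is not defined" % test_name]
    if test.find("testAppAuthenticity") is None:
        return []  # authenticity is not enforced, so no signing key is needed
    key = (android.findtext("security/publicSigningKey") or "").strip()
    if not key:
        return ["testAppAuthenticity is enabled but publicSigningKey is missing"]
    try:
        if fingerprint(key) != fingerprint(apk_signer_key_b64):
            return ["publicSigningKey does not match the key that signed the .apk"]
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return ["unreadable key: %s" % exc]
    return []
```

A mismatch finding corresponds to the situation described in the comments, where the .apk was signed with a different keystore (for example the Android debug keystore) than the one used to extract the public signing key.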