Etienne N

Reputation: 31

MFP 7.1 issue with ChallengeHandler when expirationInSeconds is reached

I was testing device SSO and wanted to see what happens when the session has expired on the server side. Therefore I have added an expirationInSeconds to my LoginModule, and now once the timeout has been reached I have an inconsistent state on the client side. Here is what my authenticationConfig.xml looks like:

<securityTests>
    <mobileSecurityTest name="SecurityTestSSO">
        <testDeviceId provisioningType="none"/>
        <testUser realm="SSORealm" sso="true"/>
    </mobileSecurityTest>

    <customSecurityTest name="AuthSecurityTestSSO">
        <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" step="1" />
        <test realm="SSORealm" isInternalUserID="true" step="2" />
    </customSecurityTest>
</securityTests>

<realms>
    <realm name="SSORealm" loginModule="MySSO">
        <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
    </realm>
</realms>

<loginModules>
    <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceNoProvisioningLoginModule" expirationInSeconds="20">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
</loginModules>

My app is protected through the mobileSecurityTest "SecurityTestSSO" and my adapter procedure through the customSecurityTest "AuthSecurityTestSSO". Everything works fine until I reach the 20 seconds: at that time, the challengeHandler doesn't receive a correct form, but some sort of redirect, and therefore never launches my login page again. What I see in the logcat is the following sequence of calls, 3 times in a row:

Sending request http://macetienne.home:10080/FormBasedAuth/adapters/AuthAdapter/getSecretData

Sending request http://macetienne.home:10080/FormBasedAuth/authorization/v1/authorization?response_type=code&client_id=e889109d89b4c5895a179ba1d1da8431696739ad&redirect_uri=http%3A%2F%2Fmfpredirecturi&scope=wl_deviceNoProvisioningRealm%20SSORealm&isAjaxRequest=true&x=0.4789802050217986

Sending request http://macetienne.home:10080/FormBasedAuth/authorization/v1/token

Any hint on how to manage an expired token? Shouldn't it be automatic? Note: I'm using IBM MobileFirst Platform Studio 7.1.0.00-20151130-1648

Thanks!

Upvotes: 0

Views: 232

Answers (1)

Etienne N

Reputation: 31

Thanks to Idan, I have been able to find a consistent state by aligning the LoginModule expiration time and the server session expiration time. So if I add the following line in worklight.properties:

serverSessionTimeout=1

(it's a number of minutes), and the following in authenticationConfig.xml:

<loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceNoProvisioningLoginModule" expirationInSeconds="60">

Then, after 1 minute of inactivity, when I try to send a request, I again have a login page that pops up.

Upvotes: 1
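
A check for the alignment described in this answer, as an added example that is not part of the original post or of the MobileFirst product: it compares each loginModule's expirationInSeconds with serverSessionTimeout converted from minutes to seconds. The embedded file contents are constructed samples, and the function names and the `<loginConfiguration>` wrapper element are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs combining the question's 20-second expiration with the
# answer's serverSessionTimeout=1. The <loginConfiguration> wrapper element is an
# assumption so that the fragment parses as a document.
SAMPLE_AUTH_CONFIG = """\
<loginConfiguration>
  <loginModules>
    <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceNoProvisioningLoginModule" expirationInSeconds="20">
      <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
  </loginModules>
</loginConfiguration>
"""
SAMPLE_PROPERTIES = "# constructed worklight.properties\nserverSessionTimeout=1\n"


def read_session_timeout_seconds(properties_text):
    """Return serverSessionTimeout (given in minutes) as seconds, or None if unset."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "serverSessionTimeout":
            return int(value.strip()) * 60
    return None


def find_expiration_mismatches(auth_config_xml, properties_text):
    """List (module name, expirationInSeconds, session seconds) where the two differ."""
    session_seconds = read_session_timeout_seconds(properties_text)
    if session_seconds is None:
        raise ValueError("serverSessionTimeout is not set")
    mismatches = []
    for element in ET.fromstring(auth_config_xml).iter():
        # Compare on the local tag name so a namespaced root does not matter.
        if element.tag.rsplit("}", 1)[-1] != "loginModule":
            continue
        expiration = element.get("expirationInSeconds")
        if expiration is not None and int(expiration) != session_seconds:
            mismatches.append((element.get("name"), int(expiration), session_seconds))
    return mismatches


if __name__ == "__main__":
    for name, exp, session in find_expiration_mismatches(SAMPLE_AUTH_CONFIG, SAMPLE_PROPERTIES):
        print(f"{name}: expirationInSeconds={exp}, serverSessionTimeout={session}s")
```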
