在尝试测试我的Worklight LTPA sso配置时,我无法登录到我的应用程序。但是,我可以通过LTPA登录受保护的工作灯控制台(不提示输入用户名/密码),因此我知道LTPA令牌已经过正确验证。
当我使用worklight控制台访问受保护的应用程序时,我从common / init和common / login调用中得到500个错误,因为我正受到worklight服务器的质疑。
这是在worklight 6.1.0.2上。我在这里附上了worklight服务器响应的wireshark跟踪:
Unauthorized
X-Powered-By: Servlet/3.0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
WWW-Authenticate: WL-Composite-Challenge
Content-Type: application/json; charset=UTF-8
Cache-Control: no-cache, no-store, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Length: 96
Content-Language: en-US
Connection: Close
Date: Fri, 05 Jun 2015 21:23:48 GMT
/*-secure-
{"challenges":{"wl_antiXSRFRealm":{"WL-Instance-Id":"kp3k4l8812ubp1d3ir6oeub9t2"}}}*/
这是我的authenticationConfig.xml
<staticResources>
<resource id="worklightConsole" securityTest="CustomAdapter-securityTest">
<urlPatterns>/console*</urlPatterns>
</resource>
</staticResources>
<securityTests>
<customSecurityTest name="CustomAdapter-securityTest">
<test isInternalUserID="true" realm="CustomAuthenticationRealm"/>
</customSecurityTest>
</securityTests>
<realms>
<realm loginModule="CustomLoginModule" name="CustomAuthenticationRealm">
<className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
<parameter name="login-page" value="/login.html"/>
<parameter name="error-page" value="/loginError.html"/>
<parameter name="cookie-name" value="LtpaToken2"/>
</realm>
</realms>
<loginModules>
<loginModule name="CustomLoginModule">
<className>com.worklight.core.auth.ext.WebSphereLoginModule
</className>
<parameter name="httponly-cookie" value="true" />
<parameter name="cookie-name" value="LtpaToken2" />
</loginModule>
</loginModules>
如果你需要它,这里是发送到Worklight common / init的请求的wireshark(为了安全起见我的LTPAToken已被删除)
POST /AnywhereWorkManager/apps/services/api/WorkExecution/common/init HTTP/1.1
accept: text/javascript, text/html, application/xml, text/xml, */*
accept-language: en-US
connection: close
content-length: 65
content-type: application/x-www-form-urlencoded; charset=UTF-8
host: <the internal host>
referer: https://<the external host>/AnywhereWorkManager/apps/services/preview/WorkExecution/common/0/default/index.html
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
via: HTTP/1.1 <the external host>
x-wl-app-version: 1.0
origin: https://<the external host>
iv_server_name: reverseproxy-webseald-<the external host>
x-wl-platform-version: 6.1.0.01.20140311-2356
x-requested-with: XMLHttpRequest
Cookie: LtpaToken2=<mytoken>; JSESSIONID=<mysessionid>; testcookie=oreo
skin=&skinLoaderChecksum=&isAjaxRequest=true&x=0.8017935899551958
答案 0 :(得分:0)
webseal交界处有一个设置我必须设置为webseal 忽略401并将其传递给用户。从这里记录的worklight sso指南..
http://www-01.ibm.com/support/docview.wss?uid=swg24034222
HTTP基本身份验证标头:忽略( - b忽略)选项是必需的 容纳之间的附加设备认证握手交换 Worklight客户端和服务器。 IBM Security Access Manager处理401错误和 将此返回给客户端,这会阻止在应用程序中进一步处理。指某东西的用途 HTTP基本身份验证标头:忽略解决401错误处理。
Include会话cookie(-k)选项会导致WebSEAL转发用户会话 cookie到联结的服务器。这允许检索WebSEAL会话cookie 来自请求标头,可用于为联结系统提供SSO 在Worklight Adapters中访问。