GatewayChallengeHandler: handleChallenge() not called after upgrading to MobileFirst v8.0

Time: 2017-02-08 03:17:15

Tags: ios swift ibm-mobilefirst

We have a production iOS app that currently runs under MFP 7.0. I am upgrading it to MFP 8.0.

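In the existing version, we extended ChallengeHandler as ISAMChallengeHandler to handle ISAM gateway login requests. For v8.0, I changed ISAMChallengeHandler to extend GatewayChallengeHandler. This involved changing isCustomResponse() to canHandleResponse() and removing the call to submitFailure().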

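The new version does not behave as expected. When I call the adapter with WLClient.getInstance().invokeProcedure(...), the gateway returns the login screen, and ISAMChallengeHandler.canHandleResponse() is called correctly and returns true. But handleChallenge() is never called.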

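Instead, the HTTP request to the adapter appears to be attempted again, resulting in another call to canHandleResponse(). This happens 7 times in a row, without any attempt to call handleChallenge(). Then an error occurs in WLResourceRequest and the WLDelegate gets the onFailure() callback.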

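What is causing this behavior? The application's logic has not changed from the 7.0 version. Is invokeProcedure() no longer supported? I get Xcode deprecation warnings on wlConnectWithDelegate() and WLProcedureInvocationData(), but not on invokeProcedure() (which makes no sense).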

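The HTTP retry always happens seven times. Below are the log entries from the app showing this. I removed the "response content" lines for readability. LoginManager is the class that calls invokeProcedure() with LoginListener as the WLDelegate.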

2017-02-07 20:41:41.613 sitecompliance[50592:4035152] <AppDelegate> App starting: Optional("1.0") Optional("309.2")
2017-02-07 20:41:41.619 sitecompliance[50592:4035152] <AppDelegate> deviceDate (UTC): 2017-02-08 02:41:41 +0000
2017-02-07 20:41:41.620 sitecompliance[50592:4035152] <AppDelegate> deviceDate (localtime): Feb 7, 2017, 8:41:41 PM
2017-02-07 20:41:41.669 sitecompliance[50592:4035152] <LoginManager.connectAndLogin>
2017-02-07 20:41:42.386 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> returning FALSE
2017-02-07 20:41:43.595 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> returning FALSE
2017-02-07 20:41:43.595 sitecompliance[50592:4035152] <ConnectListener.onSuccess> connectionSuccess
2017-02-07 20:41:43.596 sitecompliance[50592:4035152] <LoginManager.connectionSuccess>
2017-02-07 20:41:43.599 sitecompliance[50592:4035152] <LoginManager.authenticate> Invoking Worker/getWorker
2017-02-07 20:41:44.469 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> Found "/pkmslogin.form"
2017-02-07 20:41:44.470 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> returning TRUE
2017-02-07 20:41:44.584 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> Found "/pkmslogin.form"
2017-02-07 20:41:44.585 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> returning TRUE
2017-02-07 20:41:44.682 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> Found "/pkmslogin.form"
2017-02-07 20:41:44.682 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> returning TRUE
2017-02-07 20:41:44.782 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> Found "/pkmslogin.form"
2017-02-07 20:41:44.782 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> returning TRUE
2017-02-07 20:41:44.878 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> Found "/pkmslogin.form"
2017-02-07 20:41:44.878 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> returning TRUE
2017-02-07 20:41:44.973 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> Found "/pkmslogin.form"
2017-02-07 20:41:44.974 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> returning TRUE
2017-02-07 20:41:45.075 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> Found "/pkmslogin.form"
2017-02-07 20:41:45.076 sitecompliance[50592:4035152] <ISAMChallengeHandler.canHandleResponse> returning TRUE
2017-02-07 20:41:45.076 sitecompliance[50592:4035152] [ERROR] [WORKLIGHT] -[WLResourceRequest requestFailed:error:] in WLResourceRequest.m:695 :: WL_OAUTH
2017-02-07 20:41:45.094 sitecompliance[50592:4035152] <LoginListener.onFailure> Cannot retrieve a valid authorization header for header. Check resource and authorization server configuration.
2017-02-07 20:41:45.095 sitecompliance[50592:4035152] <LoginViewController.loginFailure> System error.

Here is the beginning of the ISAMChallengeHandler, showing the canHandleResponse() and handleChallenge() methods:

class ISAMChallengeHandler: GatewayChallengeHandler
{
    let baseURL: String!

    override init(){
        baseURL = "\(getBaseURL()!)"
        super.init(gatewayName: "HeaderAuthRealm")
    }

    override func canHandleResponse(response: WLResponse!) -> Bool
    {
        if response != nil {
            if response.responseText != nil {
                if response.responseText.rangeOfString("PKMS Administration: Expired Password") != nil {
                    MQALogger.log("<ISAMChallengeHandler.canHandleResponse> Found \"PKMS Administration: Expired Password\"")
                    MQALogger.log("<ISAMChallengeHandler.canHandleResponse> returning TRUE")
                    return true
                }
                if response.responseText.rangeOfString("/pkmslogin.form") != nil {
                    MQALogger.log("<ISAMChallengeHandler.canHandleResponse> Found \"/pkmslogin.form\"")
                    MQALogger.log("<ISAMChallengeHandler.canHandleResponse> returning TRUE")
                    return true
                }

            }
        }
        MQALogger.log("<ISAMChallengeHandler.canHandleResponse> returning FALSE")
        return false
    }

    override func handleChallenge(response: WLResponse!)
    {
        //HPDIA0200W Authentication failed. You have used an invalid user name, password or client certificate.
        let failedLogin = response.responseText.rangeOfString("HPDIA0200W") != nil
        let passwordExpired = response.responseText.rangeOfString("PKMS Administration: Expired Password") != nil
        let worker = Worker.getWorker()

        if worker.authDataSet && !failedLogin && !passwordExpired
        {
            MQALogger.log("<ISAMChallengeHandler.handleChallenge> Sending stored login data to ISAM")
            submitISAMAuthData()
        }
        else
        {
            MQALogger.log("<ISAMChallengeHandler.handleChallenge> A login screen form should appear")
            if failedLogin {
                needCredentials("Please check your credentials.")
            } else if passwordExpired {
                worker.password = nil
                saveObjects()
                notify("Password expired",
                    myMessage: "Change on ServiceArizona secure gateway, then sign into app again.", vc: nil)
                    { self.showLoginView() }
            } else {
                needCredentials(nil)
            }
        }
    }

2 Answers:

Answer 0: (score: 1)

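The design has changed in 8.0, and LTPA is currently the way to authenticate MobileFirst resources through ISAM. The class used to handle custom challenges is GatewayChallengeHandler(), which is used correctly in your example.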

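The function that captures the challenge sent over the network should be handled with canHandle(). I see that canHandleResponse() is being used in your example. I suppose that may be why handleChallenge() is not called in your code.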

Please see the new link attached in the comments above for sample code.

Answer 1: (score: 0)

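Our architecture has a proxy server in front of both the ISAM/WebSeal server and the MFP server. The proxy directs each MFP request to one or the other, depending on whether it needs to be authorized by WebSeal. This worked with MFP 7, but not with MFP 8.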

We found that if we set all MFP traffic to go through ISAM, then GatewayChallengeHandler works fine, but that is not a valid solution for our environment.

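A little investigation of the proxy logs found that after canHandleResponse() returns but before handleChallenge() is called, the MFP 8 API sends a "preauth" HTTP request to the server. This is not clear from the documentation or the API logging. The proxy was sending that preauth request directly to the MFP server (rather than ISAM).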

When we added a proxy rule to send all preauth requests (/mfp/api/preauth/*) to ISAM, the GatewayChallengeHandler problem was fixed, and we can send our non-secured MFP requests directly to the MFP server.
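
Added example, not part of the original answer and not the poster's configuration: the routing fix described in Answer 1, sketched for a front proxy. It assumes nginx as the proxy (the post does not name the product); the upstream hosts, ports, certificate paths and the protected adapter path are placeholders.

```nginx
# Hypothetical front proxy for the split-routing setup in Answer 1.
# Host names, ports and certificate paths are placeholders.
upstream isam_webseal { server isam.example.internal:443; }
upstream mfp_server   { server mfp.example.internal:9443; }

server {
    listen 443 ssl;
    server_name mobile.example.com;
    ssl_certificate     /etc/nginx/tls/mobile.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/mobile.example.com.key;

    # Rule that already existed for MFP 7: adapter calls that need
    # WebSEAL authorization go through ISAM. The adapter path is an
    # assumption based on the "Worker/getWorker" call in the question.
    location /mfp/api/adapters/Worker/ {
        proxy_pass https://isam_webseal;
        proxy_set_header Host $host;
    }

    # Rule added for MFP 8: the client SDK sends a preauth request
    # between canHandleResponse() and handleChallenge(). It has to take
    # the same route as the protected call, i.e. through ISAM.
    # Without this block the request falls through to /mfp/ below and
    # reaches the MFP server directly, which is the failing setup.
    location /mfp/api/preauth/ {
        proxy_pass https://isam_webseal;
        proxy_set_header Host $host;
    }

    # Remaining MFP traffic goes straight to the MFP server.
    # nginx picks the longest matching prefix, so the two blocks above
    # win for their paths regardless of the order they are written in.
    location /mfp/ {
        proxy_pass https://mfp_server;
        proxy_set_header Host $host;
    }
}
```

Everything matched only by the last block reaches MFP without gateway authentication, so the set of paths left to it should be reviewed whenever the SDK version changes.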