IBM Mobile First 7.1 HTTP Adapter Security test

Question

I am working on an http adapter which use node.js web service in order to validate username and password.

Procedures authenticatePatient and authenticateDoctor are unprotected, so I will use security test in other procedures.

But, when i tried to invoke one of them the challenge handler is invoked too, despite the fact that they are unprotected, and if I delete the challenge handler it works fine !

PatientAuthRealmChallengeHandler.js

var patientAuthRealmChallengeHandler = WL.Client.createChallengeHandler("PatientAuthRealm");
patientAuthRealmChallengeHandler.isCustomResponse= function(response){

if(!response|| !response.responseJSON || response.responseText===null){
    return false;
}
if(typeof (response.responseJSON.authRequired)!== 'undefined'){
    return true;
}
else {
    return false;
   }
 }

patientAuthRealmChallengeHandler.handleChallenge = function(response){
 var authRequired = response.responseJSON.authRequired;

    if(authRequired==true){

        console.log("accées réfusé!!");
    }
 else if(authRequired==false){
        console.log(" déja authentifié ");
        patientAuthRealmChallengeHandler.submitSuccess();
    }

  }

Authentication.xml

  <procedure name="authenticatePatient" securityTest="wl_unprotected"/>
  <procedure name="authenticateDoctor"  securityTest="wl_unprotected"/>

Authentication-impl.js (just authenticatePatient function )

  function authenticatePatient(params){
  var url="/patient/authenticate";
  var response= callWS(url,params,"post");
  var size= response.patients.length;

 if(size!=0){
   userIdentity = {
            userId: params.username,
            displayName: params.username,
            attributes: {
            }
    };
    //WL.Server.setActiveUser("PatientAuthRealm", null);
    WL.Server.setActiveUser("PatientAuthRealm", userIdentity); // create session 

    return {
        authRequired: false,
        "response": response
    };
}
return onAuthRequired(null, "Invalid login credentials");
}
function onAuthRequired(headers, errorMessage){
errorMessage = errorMessage ? errorMessage : null;

return {
    authRequired: true,
    errorMessage: errorMessage
  };
   }
 function onLogout(){
  WL.Logger.debug("Logged out");
 }

authentificationConfig.xml (realms)

    <realm name="PatientAuthRealm" loginModule="PatientAuthLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator </className>
        <parameter name="login-function" value="authentication.onAuthRequired"/>
        <parameter name="logout-function" value="authentication.onLogout"/>
    </realm>

    <realm name="DoctorAuthRealm" loginModule="DoctorAuthLoginModule">
        <className>com.worklight.integration.auth.AdapterAuthenticator </className>
        <parameter name="login-function" value="authentication.onAuthRequired"/>
        <parameter name="logout-function" value="authentication.onLogout"/>
    </realm>

authentificationConfig.xml (LoginModule)

<loginModule name="PatientAuthLoginModule">
            <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>
    <loginModule name="DoctorAuthLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>

authentificationConfig.xml (Security tests)

  <customSecurityTest name="authenticatePatient">
        <test isInternalUserID="true" realm="PatientAuthRealm"/>
    </customSecurityTest>
    <customSecurityTest name="authenticateDoctor">
        <test isInternalUserID="true" realm="DoctorAuthRealm"/>
    </customSecurityTest>

Answer 1

It is important to remember that the function isCustomResponse can be called on by any http response, not just protected requests. It is the job of this function ( isCustomResponse ) to determined whether this specific response is relevant for this challenge handler.

From what I understand in your example, you make a request to authenticatePatient which is unprotected.
Then, authenticatePatient returns:

return {
        authRequired: false,
        "response": response
    };

This JSON object is sent to the client.

Your isCustomResponse function gets triggered (it does not check whether this was a protected request, it gets triggered for every response).

Your implementation of isCustomResponse should be smart enough to determine whether to ignore this response ( return false; ), or trigger the challenge handler ( return true; ).

For your implementation, it looks like you only check that response.responseJSON.authRequired is defined. You did not check whether its value was true or false . Which means, your code determined that this response needs to be handled by the challenge handler.

I recommend your change your implementation of isCustomResponse to check for the value of response.responseJSON.authRequired and return true only when authRequired is true .