unknown challenge arrived, cannot process realm wl_deviceNoProvisioningRealm challenge

505 views Asked by At

I'm facing the following issue after I deploy my Worklight (v6.2.0.01) application in the Enterprise Worklight server. The issue manifests only for the mobile web app environment.

Worth noting that the same application in the same environment, runs fine in the local development server (also based on Worklight 6.2.0.01).

Console Error:

[Error] unknown challenge arrived, cannot process realm wl_deviceNoProvisioningRealm challenge.
    __log (worklight.js, line 4879)
    (anonymous function) (worklight.js, line 5237)
    executeChallenge (worklight.js, line 8783)
    checkResponseForChallenges (worklight.js, line 8692)
    onWlFailure (worklight.js, line 3411)
    (anonymous function) (worklight.js, line 950)
    respondToReadyState (worklight.js, line 1172)
    onStateChange (worklight.js, line 1105)
    (anonymous function) (worklight.js, line 950)

Screen Error:

an error was encountered while processing the request from the application.

authenticationConfig.xml:

    <!-- Licensed Materials - Property of IBM
         5725-I43 (C) Copyright IBM Corp. 2006, 2013. All Rights Reserved.
         US Government Users Restricted Rights - Use, duplication or
         disclosure restricted by GSA ADP Schedule Contract with IBM Corp. -->  

 <staticResources>
    <resource id="subscribeServlet" securityTest="SubscribeServlet">
        <urlPatterns>/subscribeSMS*;/receiveSMS*;/ussd*</urlPatterns>
    </resource>

</staticResources> 
 <securityTests>
    <mobileSecurityTest name="SampleApp">
        <testDeviceId provisioningType="none" />
        <testUser realm="SampleAppRealm" />
        <testDirectUpdate mode="perSession" />
    </mobileSecurityTest>

    <customSecurityTest name="SubscribeServlet">
        <test realm="SubscribeServlet" isInternalUserID="true"/>
    </customSecurityTest>           

</securityTests> 

<realms>
    <realm loginModule="SampleAppLoginModule" name="SampleAppRealm">
        <className>com.worklight.integration.auth.AdapterAuthenticator</className>
        <parameter name="login-function" value="AuthenticationAdapter.onAuthRequired" />
        <parameter name="logout-function" value="AuthenticationAdapter.onLogout" />
    </realm>

    <!-- <realm name="SampleAppRealm" loginModule="StrongDummy">
        <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
    </realm> -->

    <realm name="SubscribeServlet" loginModule="rejectAll">
        <className>com.worklight.core.auth.ext.HeaderAuthenticator</className>          
    </realm>

    <!-- For client logger -->
    <!-- <realm name="LogUploadServlet" loginModule="StrongDummy">
        <className>com.worklight.core.auth.ext.HeaderAuthenticator</className>
    </realm -->

    <!-- For websphere -->
    <!-- realm name="WASLTPARealm" loginModule="WASLTPAModule">
        <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
        <parameter name="login-page" value="/login.html"/>
        <parameter name="error-page" value="/loginError.html"/>
    </realm -->

    <!-- For User Certificate Authentication -->
    <!-- realm name="wl_userCertificateAuthRealm" loginModule="WLUserCertificateLoginModule">
        <className>com.worklight.core.auth.ext.UserCertificateAuthenticator</className>
        <parameter name="dependent-user-auth-realm" value="WASLTPARealm" />
        <parameter name="pki-bridge-class" value="com.worklight.core.auth.ext.UserCertificateEmbeddedPKI" />
        <parameter name="embedded-pki-bridge-ca-p12-file-path" value="/opt/ssl_ca/ca.p12"/> 
        <parameter name="embedded-pki-bridge-ca-p12-password" value="capassword" />
    </realm -->

    <!-- For Trusteer Fraud Detection -->
    <!-- Requires acquiring Trusteer SDK --> 
    <!-- realm name="wl_basicTrusteerFraudDetectionRealm" loginModule="trusteerFraudDetectionLogin">
        <className>com.worklight.core.auth.ext.TrusteerAuthenticator</className>
        <parameter name="rooted-device" value="block"/>
        <parameter name="device-with-malware" value="block"/>
        <parameter name="rooted-hiders" value="block"/>
        <parameter name="unsecured-wifi" value="alert"/>
        <parameter name="outdated-configuration" value="alert"/>
    </realm -->

</realms>

<loginModules>
    <loginModule name="SampleAppModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>

    <!-- <loginModule name="StrongDummy">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule>

    <loginModule name="requireLogin">
        <className>com.worklight.core.auth.ext.SingleIdentityLoginModule</className>
    </loginModule> -->

    <loginModule name="rejectAll">
        <className>com.worklight.core.auth.ext.RejectingLoginModule</className>
    </loginModule>

    <!-- Required for Trusteer - wl_basicTrusteerFraudDetectionRealm -->        
    <!-- loginModule name="trusteerFraudDetectionLogin">
        <className>com.worklight.core.auth.ext.TrusteerLoginModule</className>
    </loginModule-->

    <!-- For websphere -->
    <!-- loginModule name="WASLTPAModule">
        <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
    </loginModule -->

    <!-- Login module for User Certificate Authentication -->
    <!-- <loginModule name="WLUserCertificateLoginModule">
        <className>com.worklight.core.auth.ext.UserCertificateLoginModule</className>
    </loginModule> -->


    <!-- For enabling SSO with no-provisioning device authentication -->
    <!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceNoProvisioningLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule> -->


    <!-- For enabling SSO with auto-provisioning device authentication -->
    <!-- <loginModule name="MySSO" ssoDeviceLoginModule="WLDeviceAutoProvisioningLoginModule">
        <className>com.worklight.core.auth.ext.NonValidatingLoginModule</className>
    </loginModule> -->
</loginModules>

2

There are 2 answers

0
Idan Adar On

You've mentioned that your application is used in the mobile web app environment. In this environment the app is served from the Worklight Server and displayed using the OS's mobile browser application (mobile Safari, mobile Chrome, etc...).

The wl_deviceNoProvisioningRealm test mentioned in the error you get is meant to be used only in hybrid and/or native applications - not in mobile web applications.

In your case, you are using the pre-defined mobileSecurityTest. This pre-defined security test checks by default for wl_deviceNoProvisioningRealm.

While it is not clear to me why you're getting this error the way you describe, what I think you should do is to:

  • Either use the pre-defined webSecurityTest instead, as it does not include wl_deviceNoProvisioningRealm and is fitting for web environments, such as the one for your app...

  • Or create a custom security test.

    If you choose to create a custom security test, for example "myMobileWebAppEnv", make sure it will not contain the wl_deviceNoProvisioningRealm test. Then, in application-descriptor.xml you will need to apply it specifically for the mobile web app environment element.

Read more about security tests, here: Understanding predefined Worklight authentication realms and security tests

0
Sami On

The issue was related to the IBM, where after raising a PMR, they provided us with an update for Eclipse containing the fix and extra 32 fixes.