Worklight antiXSRFRealm login failure after authenticating against DataPower


I recently changed the authentication mechanism to DataPower LTPA authentication. The authentication itself works fine, but when attempting to access the first adapter after login (my request contains an LTPA token cookie), it fails with this message: "wl_antiXSRFRealm":{"reason":"Login Failed"}

The wl_antiXSRFRealm is returning a userId on the /init call. Am I missing something?

Environment details: Worklight 6.0.0.2 running on the common preview environment.

Authentication configuration:

<realm loginModule="WASLTPAModule" name="DataPowerRealm">
    <className>com.worklight.core.auth.ext.WebSphereFormBasedAuthenticator</className>
    <parameter name="login-page" value="/login.html" />
    <parameter name="error-page" value="/loginError.html" />
</realm>

<loginModule name="WASLTPAModule">
    <className>com.worklight.core.auth.ext.WebSphereLoginModule</className>
    <parameter name="httponly-cookie" value="true" />
    <parameter name="cookie-name" value="LtpaToken2" />
</loginModule>

<securityTests>
    <customSecurityTest name="ldapSecTest">
        <test realm="DataPowerRealm" step="1" />
        <test isInternalUserID="true" realm="LdapAdapterRealm" step="2" />
    </customSecurityTest>

    <customSecurityTest name="DataPowerAuth">
        <test realm="DataPowerRealm" step="1" isInternalUserID="true" />
    </customSecurityTest>
</securityTests>

UPDATE: Below is the response from the server

Remote Address:10.2.163.199:445
Request URL:http://10.2.163.199:445/worklight/apps/services/api/SmartServices/common/query
Request Method:POST
Status Code:403 Forbidden
Request Headers
Accept:text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding:gzip,deflate
Accept-Language:en-US
Connection:keep-alive
Content-Length:197
Content-type:application/x-www-form-urlencoded; charset=UTF-8
Cookie:LtpaToken2=uu9ac1LdsZ6afuLZ5Bzb8Eh29wGRa8SZ67Mp8oX5k+3Q5Vy3YkNpb69XeHDjkYRQRLFu2HQ9YMMfvNtPCyD67CvsUejRju5M2WH77YxQhMwWGxVGL6etLiQJm/1zILpyqiXBT9ubpjlLC5M2ogvklFmkboHxrEVhS2WYTcuBVmlQMyHNvWPYQ85GC+F70V/7MMvoyVCslD4nvYQgnEQl/NdKAVtb4HjUylIkUpYzERW9mvQe7DXM6uez7U2TM9Z6wIykTWL+flmzp48QM7RsTUW71F3DJ9+odoqdOfKOvv0/0/TAcx7k5p50FpItnRLSXAkckSoRAVgEm2BRzWq6RJwAjJhLQkz88dtPzJhrP2U=; WL_PERSISTENT_COOKIE=3ea0b226-fe49-4675-ac80-8c6f2d370f26; forms.MobileGateway_HTMLFormLoginAAA.session=8DDBA0B2B0722B28C41750077EBDE8E1265752C4PHNlc3Npb24tY29va2llPjxjb29raWUtbmFtZT5mb3Jtcy5Nb2JpbGVHYXRld2F5X0hUTUxGb3JtTG9naW5BQUEuc2Vzc2lvbjwvY29va2llLW5hbWU+PGNyZWF0ZWQ+MjAxNC0xMS0yMFQxMjo0NTo1OFo8L2NyZWF0ZWQ+PHJlZnJlc2hlZD4yMDE0LTExLTIwVDEyOjQ1OjU4WjwvcmVmcmVzaGVkPjxtaWdyYXRpb24vPjxrZXk+QkZGMjlCNjMyQ0E0NUEwRDQ3NEMwRjcxQkIzMDM3RUFEM0JFNDU5RTwva2V5Pjwvc2Vzc2lvbi1jb29raWU+; JSESSIONID=00000cRvoMiUcoF0mcO_CJv4M11:-1; testcookie=oreo; LtpaToken=me/P4T9tNq2EckeC/NxQsTedAT+ugUHGjtoPE4gMz2l9eaHlbIX44J2guaaTjfCJIjWBjaPX8jeQRMbSEQXk0qFrDzqT9NvJlEMEbz7qXq/zhbyE1oV5fA1f2gRJGbk+y3tILSf1fDvKtUrZVrXwhk9ARTi0vzAOIV9sVfDKMb++6ULhmwQLOumaQMrWWAyJP4Y44MzxK5o/xr4XaEwJQRaqj32np72Qws3zwkmqK1hAo2rjDRXb/WTvisFxA7IdMBrvHkjGTCtCyDUhd/nFXSKg1j17ylpz544wEGh2Y5UJTBEhjj5vr91FeCrPUTw6lbWzwXJk54Do8xD8vkggPqc24gzdZT9EUa+0vl213m6hl1LGdfj3aKbwS0BddeXhZ5sEB+DAJP5Vx0/w9nH2hbI/Vjo4zC0ZvZIfCK65rK0FthxKKOQC580Ta1+1LxXbOFoUwntDAE0odbw1IG4zx5DMCPuNzXB81nP0MZnLiBcQH9zU7Rp6EdIZ5UJoCnwSe54CxlRf3fIwk3VUZmCfeIE2eoUTCnTDvghAF3peG1fuNW6yE8v0X6fpkse3bamEnlNP/Exkjb+sdSK9xTWkPg1qcM43bYL0FNeSzlA8K71moxLcfounXaf47AhwoRrbdMYcx1KMUxjD/FDwmX2r6I/A4KrkwA2ay53P2AeQVbA=
Host:10.2.163.199:445
Origin:http://10.2.163.199:445
Referer:http://10.2.163.199:445/worklight/apps/services/preview/SmartServices/common/0/default/login.html
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36
WL-Instance-Id:hd5rku2a9ioc4f5m6oorc6frm0
X-Requested-With:XMLHttpRequest
x-wl-app-version:1.0
x-wl-platform-version:6.0.0
Form Data
adapter:SecureDashBoardAdapter
procedure:autoLogin
parameters:["","",true]
__wl_deviceCtxVersion:-1
__wl_deviceCtxSession:78983441416487555728
isAjaxRequest:true
x:0.620181588223204
Response Headers
Cache-Control:no-cache, no-store, must-revalidate
Connection:Keep-Alive
Content-Language:en-US
Content-Type:application/json; charset=UTF-8
Date:Thu, 20 Nov 2014 12:51:53 GMT
Expires:Sat, 26 Jul 1997 05:00:00 GMT
P3P:policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Transfer-Encoding:chunked
X-Backside-Transport:FAIL FAIL
X-Client-IP:10.10.30.152
X-Powered-By:Servlet/3.0

There are 2 answers

Houcem Berrayana (BEST ANSWER)

I opened a PMR and we found the reason for the issue. Actually, there is a conflict between a WL thread and a WebSphere thread which leads to this issue. One way to resolve it is to put an explicit security test on each procedure that is called once logged in. Otherwise, installing a newer version of WL will resolve the issue.
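
As an added illustration (not part of the answer above or of any IBM sample), this is what the workaround of naming an explicit security test on every post-login procedure looks like in the adapter descriptor. It takes the adapter name SecureDashBoardAdapter and the procedure autoLogin from the request captured in the question, and the DataPowerAuth security test from the question's authenticationConfig.xml; the second procedure getDashboard, the backend host and port, and the displayName/description text are placeholders I made up for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<wl:adapter name="SecureDashBoardAdapter"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:wl="http://www.worklight.com/integration"
    xmlns:http="http://www.worklight.com/integration/http">

    <displayName>SecureDashBoardAdapter</displayName>
    <description>Example adapter: every procedure names its security test explicitly</description>

    <connectivity>
        <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
            <protocol>http</protocol>
            <!-- placeholder backend (assumption); replace with the real host -->
            <domain>backend.example.com</domain>
            <port>8080</port>
        </connectionPolicy>
        <loadConstraints maxConcurrentConnectionsPerNode="2" />
    </connectivity>

    <!-- securityTest="DataPowerAuth" refers to the customSecurityTest of that
         name in authenticationConfig.xml, so the procedure is protected by the
         DataPowerRealm step declared there rather than by whatever default
         applies to procedures that carry no securityTest attribute. -->
    <procedure name="autoLogin" securityTest="DataPowerAuth" />

    <!-- Hypothetical second procedure: apply the same attribute to every
         procedure the app calls after login, not only the first one. -->
    <procedure name="getDashboard" securityTest="DataPowerAuth" />
</wl:adapter>
```

Each procedure declared here still needs a matching function of the same name in the adapter's JavaScript implementation file (SecureDashBoardAdapter-impl.js), and after editing the descriptor the adapter has to be rebuilt and redeployed for the new securityTest attributes to take effect.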

Eric Wang

From the response data, your Worklight server response code is 403, which is not correct. This service responds with 401 if the LTPA token is not correct, or 200 on success. I guess your DataPower has a wrong configuration and sets the HTTP 403.

Request URL:http://10.2.163.199:445/worklight/apps/services/api/SmartServices/common/query
Request Method:POST
**Status Code:403 Forbidden**

Here are some steps for you to debug this error.

1) Check your DataPower + Worklight topology; make sure DataPower and the Worklight server use the same user registry, preferably an LDAP server.

2) Check whether your DataPower rule blocks the response of Worklight or not; HTTP status 403 should not be set by the Worklight server.

3) Run Wireshark on the Worklight server to capture the HTTP network traffic, and check whether the request and response headers are correct.

4) Capture network traffic on DataPower with the DataPower tool (the capture data can be opened by Wireshark too).