I'm trying to develop a custom login form using Worklight customSecurityTest, based on the SingleStepAuthAdapter sample application.

Basically, I've noticed that the login function used in the SingleStepAuthAdapter is always called after the user tries to access a secured function (after that, on the login action, the secured data is sent to the user), but if I try to call the submitAuthentication function directly, before any attempt to access a secured function (I have inverted the "login page" with the "get secured data" page), I get the following error/log in Firebug:

[Screenshot of the Firebug log; image not included]

The two POST calls are the same function raised two times by Worklight on the login action (the submitAuthentication function inside the SingleStepAuthAdapter, called by singleStepAuthRealmChallengeHandler.submitAdapterAuthentication(invocationData, {})), and the error is related to the fact that authentication is requested twice: probably when the authentication request is performed, this function is issued twice after the submitSuccess() function is called inside handleChallenge (in fact, the issue doesn't occur when I delete the submitSuccess invocation, but the WL framework is not notified and, for example, the isUserAuthenticated function returns false until access to a secured resource is performed).

How can I fix this behavior? What are the best practices for developing a simple login form using Worklight that allows authentication before any access to a protected resource? I have found some workarounds (such as performing a fake data request before performing the submitAuthentication), but I hope that you can suggest a better solution.

I've consulted the infocenter and the getting started modules, but, probably due to my fault, I'm not able to find any useful information.

brillantef
  • this post might answer your question - http://stackoverflow.com/questions/16997804/worklight-wl-server-setactiveuser-cannt-modify-illegal-state-cannot-chang – Anton Mar 18 '14 at 20:17
  • what worked for me, since I had an app that you had to log in to use, was to set a security check on the app itself (application-descriptor.xml) – tik27 Mar 18 '14 at 21:52
  • @Anton, the post refers to the same error message, but the context is different, since in my case it occurs the first time that the user tries to log in. Login fails because setActiveUser is triggered twice: the first time when the adapter function that authenticates the user is called by challengehandler.submitAdapterAuthentication, the second time when submitSuccess is invoked to notify authentication. Probably there is something wrong in this flow, but it seems that I'm following the WL specification. – brillantef Mar 19 '14 at 08:15
  • @tik27 Can you please explain what the value is of adding the security check inside the application-descriptor.xml? Basically I'm not able to understand this: if I have a secured adapter function and an unsecured one that authenticates the user, is it possible to call the unsecured one before any attempt to access a secured one? I think that this could be my problem... – brillantef Mar 19 '14 at 08:15

1 Answer

A common practice is to have an initial blank page or view for your app.

In WLCommonInit, either access a protected resource (that is what getsecretdata is all about), or call WL.Client.login(). Another option (suggested by @tik27) is to secure the app in the application descriptor and set connect on login to true. This will trigger authentication when the app starts.

Your challenge handler should display a login prompt dialog, and when the authentication successfully completes, transition to the first real page of your app.

This way, authentication is still done in response to a challenge from the WL Server (as it must be) but you don't see anything but a blank page to a login prompt until the login is successful.

David Dhuyveter
  • 1,416
  • 9
  • 17
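
The flow described in the answer above, as an added example that is not part of the original post or of IBM's sample code. It assumes the realm name `SingleStepAuthRealm` and the `authRequired`/`errorMessage` response fields used by the SingleStepAuthAdapter sample; `installLoginFlow` and the `ui` object (`showBlank`, `showLogin`, `showHome`) are hypothetical names.

```javascript
// Added example: challenge-driven login at app start (Worklight client API).
// Assumed: realm name and authRequired/errorMessage fields as in the
// SingleStepAuthAdapter sample; `ui` is a hypothetical view controller.
function installLoginFlow(WL, ui) {
  var realm = "SingleStepAuthRealm";
  var handler = WL.Client.createChallengeHandler(realm);

  // Claim only responses that carry the realm's authRequired marker.
  handler.isCustomResponse = function (response) {
    return !!(response && response.responseJSON &&
      typeof response.responseJSON.authRequired !== "undefined");
  };

  handler.handleChallenge = function (response) {
    if (response.responseJSON.authRequired === true) {
      // The server asked for credentials: only now show the form.
      ui.showLogin(response.responseJSON.errorMessage || "");
    } else {
      // The server reports success: notify the framework.
      handler.submitSuccess();
    }
  };

  // Wired to the form's submit button. It answers a pending challenge,
  // so it is not called before WL.Client.login() has triggered one.
  function submitCredentials(username, password) {
    handler.submitAdapterAuthentication({
      adapter: "SingleStepAuthAdapter",
      procedure: "submitAuthentication",
      parameters: [username, password]
    }, {});
  }

  // Call from wlCommonInit: blank view first, then let the server challenge.
  function start() {
    ui.showBlank();
    WL.Client.login(realm, {
      onSuccess: function () { ui.showHome(); },
      onFailure: function () { ui.showLogin("Login failed"); }
    });
  }

  return { start: start, submitCredentials: submitCredentials, handler: handler };
}
```

In an app, `installLoginFlow(WL, ui).start()` would go in `wlCommonInit`, with the login button calling `submitCredentials`.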