2016-11-28 99 views
1

Too many bearer authorization calls in MFP 8.0

I followed the steps at https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/protecting-external-resources/ to protect an external resource, and https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/application-development/resource-request/javascript/ to call it from Cordova.

I made 2 requests to the same REST method, which is protected by the scope "aovLogin".

It seems that every call generates a new bearer token, which requires 4 additional calls to MFP.

Also, the first time a method is called it makes several extra calls (it always goes to HTTP 401, then 403, then 200, with extra calls to MFP in between). If I have a very fine-grained API, this produces a lot of extra calls.

I have seen that the server API has a bearer cache and that the scope is configured to be valid for 10 minutes.

Why does the client send so many authorization requests?

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1 

HTTP/1.1 401 Unauthorized 

---------- 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 
{"scope":"","client_id":"3deccec7-3f18-4ee2-8464-de90a7c64685"} 

HTTP/1.1 400 Bad Request 
{"errorCode":"INVALID_CLIENT_ID","errorMsg":"Invalid client ID."} 

------ 

POST /mfp/api/registration/v1/self HTTP/1.1 
{"signedRegistrationData":{"header":"XXXXX","payload":"XXXXX","signature":"XXXXX"}} 

HTTP/1.1 201 Created 

----- 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 
{"scope":"","client_id":"84c45e4a-b75d-4125-ab9a-98f390d5bd3a"} 

HTTP/1.1 200 OK 
{"successes":{"clockSynchronization":{"serverTimeStamp":1480322130967}}} 

-------- 

GET /mfp/api/az/v1/authorization?response_type=code&scope=&client_id=84c45e4a-b75d-4125-ab9a-98f390d5bd3a&redirect_uri=http://mfpredirecturi&isAjaxRequest=true&x=0.1757133661526875 HTTP/1.1 

HTTP/1.1 302 Found 

------ 

POST /mfp/api/az/v1/token HTTP/1.1 
XXXXX 

HTTP/1.1 200 OK 
{"access_token":"XXXXX","token_type":"Bearer","expires_in":3599,"scope":""} 

--- 

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1 
Authorization: Bearer XXXXX 
{"idDelegation":"0801"} 

HTTP/1.1 403 Forbidden 

--- 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 
{"scope":"aovLogin","client_id":"84c45e4a-b75d-4125-ab9a-98f390d5bd3a"} 

HTTP/1.1 401 Unauthorized 
{"successes":{"clockSynchronization":{"serverTimeStamp":1480322131320}},"challenges":{"aovLogin":{"remainingAttempts":5,"errorMsg":null}}} 

--- 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 
{"challengeResponse":{"aovLogin":{"username":"XXXXX","tokenSEA":"XXXXX"}},"scope":"aovLogin","client_id":"84c45e4a-b75d-4125-ab9a-98f390d5bd3a"} 

HTTP/1.1 200 OK 
{"successes":{"aovLogin":{"user":{"id":"XXXXX","displayName":"XXXXX","authenticatedAt":1480322139874,"authenticatedBy":"aovLogin","attributes":{"tokenSEA":"XXXXX"}}},"clockSynchronization":{"serverTimeStamp":1480322139874}}} 


-------- 

GET /mfp/api/az/v1/authorization?response_type=code&scope=aovLogin&client_id=84c45e4a-b75d-4125-ab9a-98f390d5bd3a&redirect_uri=http://mfpredirecturi&isAjaxRequest=true&x=0.5223292209780417 HTTP/1.1 

HTTP/1.1 302 Found 

--- 

POST /mfp/api/az/v1/token HTTP/1.1 
XXXXX 

HTTP/1.1 200 OK 


{"access_token":"XXXXX","token_type":"Bearer","expires_in":599,"scope":"aovLogin"} 


--- 

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1 
Authorization: Bearer XXXXX.eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6Ijg0YzQ1ZTRhLWI3NWQtNDEyNS1hYjlhLTk4ZjM5MGQ1YmQzYSIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzIyNzM5ODc0LCJzY29wZSI6ImFvdkxvZ2luIn0.jGJAhZaV6NFHZKj-LKBmJ6Gqb7ZrZX20xDKEPkNtORZ1tanLo8MSklY2HogK-wKs7APIuWESLSsskrwR9p0EnrmHgUYZf3BPY9HDUSBojUN9-vd_I9kavcg34Hes1KTvYG4Wi-9XbZQ2T1-SbHhn-mqsToeLIGBGkzsugwQG9tIKG3Qr0BixDIfuhxux4Gdo30HCyn9SB5ZaY5wdxaD2_kJjnJih_SsAuuXRNAXEO_PgExnZ6Mr1qyqyOfwc3k9jmgRpuEQigYYRYOP-Tvs_i59IVYOdpsQ70gi-Ky09orx5Jy3hVJv-J45Dx7FHdR3ZPTn7pYW7IRmRo4CZ2COoCg

HTTP/1.1 200 OK 
..... 

--- CALL AGAIN, new bearer is generated 

POST /mfp/api/az/v1/introspection HTTP/1.1 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 

GET /mfp/api/az/v1/authorization?XXX HTTP/1.1 

POST /mfp/api/az/v1/token HTTP/1.1 


POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1 
Authorization: Bearer XXXXX.eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6IjM1NDcyYWNhLWVlNmItNGNhZi04OGQ2LWQxY2ExNjQ0NzM4NyIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzM5OTU0NjE2LCJzY29wZSI6ImFvdkxvZ2luIn0.JSm3nrW6BD5i66GossHYM4-6GqQfC-ZSH5P-X4M9mws2jBNvCkFKgv_XbRAb3km-0NMZz3FHsrY_0h0dx7fpJYiR9CIjaY-PFw75zdKbyEpzbhAX7OjZtYOtZblKEYLkT8mH-0mLc6VE_YBPFd2q55HMmECCLirAAdWwzMGgEzL02OKTd1GVuJyjqjlxeOJypFglaHezuByd6eGVMFJvnfDX3h_o6k8sWcv-g7UFa8jtcMNZpbzFOYG9Q2nGQ-oYIt17QyF4CVKPMN4anMwRRQ_2cjuvg-1ZuU450hxBX3u09wBxJ21mQklgg72t7fdLKgT7EIPmQlPP3wrX9qzy7A

HTTP/1.1 200 OK 

Update:

  • The HTTP 401 and 403 calls to the external resource, and the several calls to MFP, can be avoided if the scope is sent in the WLResourceRequest
  • A new token is generated when calling an external resource with an absolute URL, but also when calling a standard protected adapter with a relative URL

Sample call to a protected adapter:

var resourceRequest = new WLResourceRequest(
    "/adapters/AOS42_AOV_API/resource/protectedResource", 
    WLResourceRequest.GET, 
    {'scope' : 'aovLogin'} // it avoids 401 and 403 responses 
); 

resourceRequest.send().then(
    function (response) { 
     alert("response ok protectedResource " + response.responseText); 
    }, 
    function (response) { 
     alert("response ko protectedResource " + response.responseText); 
    } 
); 

Sample call to an external resource:

var resourceRequest = new WLResourceRequest(
    "https://someurl.com/someApp/protectedResource", 
    WLResourceRequest.GET, 
    {'scope' : 'aovLogin'} // it avoids 401 and 403 responses 
); 

Update 2:

The change we made: instead of calling the protected external resource, receiving HTTP 401 and then sending the challenge, we now call WLAuthorizationManager.login beforehand.

On Android it still makes 3 calls to MFP before each call, but now the server returns the same bearer token.

The same Cordova app, calling the same REST API protected by MFP with the same security adapter in MFP, works perfectly on iOS. Once the bearer is obtained, we only see calls to the external API.
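An added example, not code from the original post, that decodes the two bearer tokens captured in the trace above and shows what a client-side reuse check against the token's "exp" claim would look like. The payload segments are the ones from the capture (both carry scope "aovLogin" but a different "sub", i.e. a different client registration); the header and signature segments are placeholders, since only the payload is read.

```javascript
// Payload segments copied from the two captured bearers in the trace above.
const PAYLOAD_CALL_1 = "eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6Ijg0YzQ1ZTRhLWI3NWQtNDEyNS1hYjlhLTk4ZjM5MGQ1YmQzYSIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzIyNzM5ODc0LCJzY29wZSI6ImFvdkxvZ2luIn0";
const PAYLOAD_CALL_2 = "eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6IjM1NDcyYWNhLWVlNmItNGNhZi04OGQ2LWQxY2ExNjQ0NzM4NyIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzM5OTU0NjE2LCJzY29wZSI6ImFvdkxvZ2luIn0";
// Header and signature are placeholders (constructed); the decoder ignores them.
const BEARER_1 = "hdr." + PAYLOAD_CALL_1 + ".sig";
const BEARER_2 = "hdr." + PAYLOAD_CALL_2 + ".sig";

// Decode a base64url segment: JWTs use '-' and '_' and omit the '=' padding.
function base64UrlDecode(seg) {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Read the claims of a bearer WITHOUT verifying its signature. This is only
// for inspecting a captured trace, never for making an authorization decision.
function claimsOf(bearer) {
  const parts = bearer.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Compare two consecutive bearers from the trace: same scope, but was it the
// same client registration ("sub")? MFP's "exp" is in milliseconds, matching
// the serverTimeStamp values seen in the preauthorize responses.
function compareBearers(first, second) {
  const a = claimsOf(first);
  const b = claimsOf(second);
  return {
    sameScope: a.scope === b.scope,
    sameSubject: a.sub === b.sub,
    firstExpMs: a.exp,
    secondExpMs: b.exp,
  };
}

// Decide whether a cached bearer for `scope` can still be reused at `nowMs`.
// A small margin before "exp" keeps an in-flight request from arriving with an
// expired token, which would trigger another 401/403/authorization round trip.
function canReuse(bearer, scope, nowMs, marginMs = 5000) {
  const c = claimsOf(bearer);
  return c.scope === scope && nowMs + marginMs < c.exp;
}
```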

+0

Are you saying that your second call, even though it happens within less than 10 minutes, generates a new token? –

+0

You also mentioned external resources. If you use a regular internal resource (adapter), do you see the same behavior? –

+0

Yes, it obtains a new bearer (4 calls to MFP) and then calls the external resource, every time. I have captured the HTTP requests, and the server accepts the same token for at least 10 minutes. I tested a protected adapter and it behaves the same way. I have updated the question with this information –

Answer

1

This bug has been resolved in the iFix for MobileFirst Foundation 8.0 that was just released. The build number is 8.0.0.0-IF20170125-0919. Please log in to IBM Fix Central to download the iFix.

The related APAR is:
PI74988 MULTIPLE AUTHORIZATION CALLS ARE MADE IN ANDROID APP FOR EACH REST CALL

Since you are using Cordova, I believe updating the cordova-plugin-mfp plugin to @8.0.2017012210 should be enough.