2016-11-28 97 views
1

Too many authorization calls in MFP 8.0

I have followed the steps in https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/protecting-external-resources/ to protect an external resource, and I call it from Cordova as described in https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/application-development/resource-request/javascript/.

I made 2 requests to the same REST method, which is protected by the scope "aovLogin".

It seems that every call generates a new bearer token, which requires 4 additional calls to MFP.

In addition, the first time a method is called it makes several extra calls (it always goes to HTTP 401, then 403, then 200, with additional calls to MFP in between). If I have a very granular API, this produces a large number of extra calls.

I have seen that the server API has a bearer cache and that the scope is configured to be valid for 10 minutes.

Why does the client send so many authorization requests?

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1 

HTTP/1.1 401 Unauthorized 

---------- 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 
{"scope":"","client_id":"3deccec7-3f18-4ee2-8464-de90a7c64685"} 

HTTP/1.1 400 Bad Request 
{"errorCode":"INVALID_CLIENT_ID","errorMsg":"Invalid client ID."} 

------ 

POST /mfp/api/registration/v1/self HTTP/1.1 
{"signedRegistrationData":{"header":"XXXXX","payload":"XXXXX","signature":"XXXXX"}} 

HTTP/1.1 201 Created 

----- 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 
{"scope":"","client_id":"84c45e4a-b75d-4125-ab9a-98f390d5bd3a"} 

HTTP/1.1 200 OK 
{"successes":{"clockSynchronization":{"serverTimeStamp":1480322130967}}} 

-------- 

GET /mfp/api/az/v1/authorization?response_type=code&scope=&client_id=84c45e4a-b75d-4125-ab9a-98f390d5bd3a&redirect_uri=http://mfpredirecturi&isAjaxRequest=true&x=0.1757133661526875 HTTP/1.1 

HTTP/1.1 302 Found 

------ 

POST /mfp/api/az/v1/token HTTP/1.1 
XXXXX 

HTTP/1.1 200 OK 
{"access_token":"XXXXX","token_type":"Bearer","expires_in":3599,"scope":""} 

--- 

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1 
Authorization: Bearer XXXXX 
{"idDelegation":"0801"} 

HTTP/1.1 403 Forbidden 

--- 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 
{"scope":"aovLogin","client_id":"84c45e4a-b75d-4125-ab9a-98f390d5bd3a"} 

HTTP/1.1 401 Unauthorized 
{"successes":{"clockSynchronization":{"serverTimeStamp":1480322131320}},"challenges":{"aovLogin":{"remainingAttempts":5,"errorMsg":null}}} 

--- 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 
{"challengeResponse":{"aovLogin":{"username":"XXXXX","tokenSEA":"XXXXX"}},"scope":"aovLogin","client_id":"84c45e4a-b75d-4125-ab9a-98f390d5bd3a"} 

HTTP/1.1 200 OK 
{"successes":{"aovLogin":{"user":{"id":"XXXXX","displayName":"XXXXX","authenticatedAt":1480322139874,"authenticatedBy":"aovLogin","attributes":{"tokenSEA":"XXXXX"}}},"clockSynchronization":{"serverTimeStamp":1480322139874}}} 


-------- 

GET /mfp/api/az/v1/authorization?response_type=code&scope=aovLogin&client_id=84c45e4a-b75d-4125-ab9a-98f390d5bd3a&redirect_uri=http://mfpredirecturi&isAjaxRequest=true&x=0.5223292209780417 HTTP/1.1 

HTTP/1.1 302 Found 

--- 

POST /mfp/api/az/v1/token HTTP/1.1 
XXXXX 

HTTP/1.1 200 OK 


{"access_token":"XXXXX","token_type":"Bearer","expires_in":599,"scope":"aovLogin"} 


--- 

POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1 
Authorization: Bearer [header segment lost in extraction].eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6Ijg0YzQ1ZTRhLWI3NWQtNDEyNS1hYjlhLTk4ZjM5MGQ1YmQzYSIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzIyNzM5ODc0LCJzY29wZSI6ImFvdkxvZ2luIn0.jGJAhZaV6NFHZKj-LKBmJ6Gqb7ZrZX20xDKEPkNtORZ1tanLo8MSklY2HogK-wKs7APIuWESLSsskrwR9p0EnrmHgUYZf3BPY9HDUSBojUN9-vd_I9kavcg34Hes1KTvYG4Wi-9XbZQ2T1-SbHhn-mqsToeLIGBGkzsugwQG9tIKG3Qr0BixDIfuhxux4Gdo30HCyn9SB5ZaY5wdxaD2_kJjnJih_SsAuuXRNAXEO_PgExnZ6Mr1qyqyOfwc3k9jmgRpuEQigYYRYOP-Tvs_i59IVYOdpsQ70gi-Ky09orx5Jy3hVJv-J45Dx7FHdR3ZPTn7pYW7IRmRo4CZ2COoCg 

HTTP/1.1 200 OK 
..... 

--- CALL AGAIN, new bearer is generated 

POST /mfp/api/az/v1/introspection HTTP/1.1 

POST /mfp/api/preauth/v1/preauthorize HTTP/1.1 

GET /mfp/api/az/v1/authorization?XXX HTTP/1.1 

POST /mfp/api/az/v1/token HTTP/1.1 


POST /com.costaisa.app.api/api/mfprest/delegation/detail/private HTTP/1.1 
Authorization: Bearer [header segment lost in extraction].eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6IjM1NDcyYWNhLWVlNmItNGNhZi04OGQ2LWQxY2ExNjQ0NzM4NyIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzM5OTU0NjE2LCJzY29wZSI6ImFvdkxvZ2luIn0.JSm3nrW6BD5i66GossHYM4-6GqQfC-ZSH5P-X4M9mws2jBNvCkFKgv_XbRAb3km-0NMZz3FHsrY_0h0dx7fpJYiR9CIjaY-PFw75zdKbyEpzbhAX7OjZtYOtZblKEYLkT8mH-0mLc6VE_YBPFd2q55HMmECCLirAAdWwzMGgEzL02OKTd1GVuJyjqjlxeOJypFglaHezuByd6eGVMFJvnfDX3h_o6k8sWcv-g7UFa8jtcMNZpbzFOYG9Q2nGQ-oYIt17QyF4CVKPMN4anMwRRQ_2cjuvg-1ZuU450hxBX3u09wBxJ21mQklgg72t7fdLKgT7EIPmQlPP3wrX9qzy7A 

HTTP/1.1 200 OK 

Update:

  • The HTTP 401 and 403 responses from the external resource, and several of the calls to MFP, can be avoided if the scope is sent in the WLResourceRequest.
  • A new token is generated when calling an external resource with an absolute URL, but also when calling a standard protected adapter with a relative URL.

Example call to a protected adapter:

var resourceRequest = new WLResourceRequest(
    "/adapters/AOS42_AOV_API/resource/protectedResource", 
    WLResourceRequest.GET, 
    {'scope' : 'aovLogin'} // it avoids 401 and 403 responses 
); 

resourceRequest.send().then(
    function (response) { 
     alert("response ok protectedResource " + response.responseText); 
    }, 
    function (response) { 
     alert("response ko protectedResource " + response.responseText); 
    } 
); 

Sample call to an external resource:

var resourceRequest = new WLResourceRequest(
    "https://someurl.com/someApp/protectedResource", 
    WLResourceRequest.GET, 
    {'scope' : 'aovLogin'} // it avoids 401 and 403 responses 
); 

Update 2:

The change we made: instead of calling the protected external resource, receiving HTTP 401 and then sending the challenge, we now call WLAuthorizationManager.login beforehand.

On Android it still makes 3 calls to MFP before every call, but now the server returns the same bearer token.

The same Cordova application, calling the same REST API protected by MFP and using the same security adapter in MFP, works perfectly on iOS. Once the bearer is obtained, we only see the calls to the external API.
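The trace above says "new bearer is generated" on the second call; the quickest way to confirm that is to decode the payload segment of each bearer and compare its claims. The following is an added example, not code from the question or from IBM MobileFirst: it decodes the two payload segments copied from the Authorization headers above (header and signature segments are not reproduced, so no signature is checked) and compares client id (sub), scope and expiry.

```javascript
// Added example: decode and compare the two MFP bearer payloads from the trace.

// Payload segments copied from the two Authorization headers in the question.
const PAYLOAD_FIRST_CALL =
  "eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6Ijg0YzQ1ZTRhLWI3NWQtNDEyNS1hYjlhLTk4ZjM5MGQ1YmQzYSIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzIyNzM5ODc0LCJzY29wZSI6ImFvdkxvZ2luIn0";
const PAYLOAD_SECOND_CALL =
  "eyJpc3MiOiJjb20uaWJtLm1mcCIsInN1YiI6IjM1NDcyYWNhLWVlNmItNGNhZi04OGQ2LWQxY2ExNjQ0NzM4NyIsImF1ZCI6ImNvbS5pYm0ubWZwIiwiZXhwIjoxNDgwMzM5OTU0NjE2LCJzY29wZSI6ImFvdkxvZ2luIn0";

// Decode one base64url segment (RFC 7515 alphabet, no padding) into a JSON object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Accept either a full "header.payload.signature" token or a bare payload segment.
function decodeJwtPayload(tokenOrSegment) {
  const parts = tokenOrSegment.split(".");
  return decodeSegment(parts.length >= 2 ? parts[1] : parts[0]);
}

// MFP writes exp in milliseconds (13 digits); RFC 7519 uses seconds.
// Normalise to milliseconds so both forms can be compared.
function expiryMs(claims) {
  return claims.exp > 1e11 ? claims.exp : claims.exp * 1000;
}

// Compare two bearers: same client (sub), same scope, and whether the
// second one expires later (i.e. it was minted later, not re-used).
function compareTokens(tokenA, tokenB) {
  const a = decodeJwtPayload(tokenA);
  const b = decodeJwtPayload(tokenB);
  return {
    sameClient: a.sub === b.sub,
    sameScope: a.scope === b.scope,
    secondExpiresLater: expiryMs(b) > expiryMs(a),
    firstExpiresAt: new Date(expiryMs(a)).toISOString(),
    secondExpiresAt: new Date(expiryMs(b)).toISOString(),
  };
}

console.log(compareTokens(PAYLOAD_FIRST_CALL, PAYLOAD_SECOND_CALL));
```

For the two captured tokens the result shows a different sub and a later exp, so the second request really did obtain a fresh token issued to a different client id rather than re-using the cached one.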

+0

Are you saying that your second call, even when it happens within less than 10 minutes, generates a new token? –

+0

You also mention external resources. If you use a regular internal resource (an adapter), do you see the same behaviour? –

+0

Yes, it obtains a new bearer (4 calls to MFP) and then calls the external resource, every time. I have captured the HTTP requests, and the server accepts the same token for at least 10 minutes. I tested a protected adapter and it behaves the same way. I have updated the question with this information –

Answer

1

This bug has been resolved in the just-released iFix for MobileFirst Foundation 8.0. The build number is 8.0.0.0-IF20170125-0919. Please log in to IBM Fix Central to download the iFix.

The related APAR is:
PI74988 Multiple authorization calls are made for each REST call in Android applications

Since you are using Cordova, I believe updating the cordova-plugin-mfp plugin to 8.0.2017012210 should be enough.