IBM Worklight - How to enable App Authenticity in a native iOS app?

问题

We have a iOS and Android Hybrid App Environment in which we have App Authenticity successfully running (drop down available to control the feature) using:

<mobileSecurityTest name="app">
    <testAppAuthenticity/> 
    <testUser realm="wl_anonymousUserRealm"/>
    <testDeviceId provisioningType="none" />
</mobileSecurityTest>

We added a "iOS Native API" project to our Worklight project that we use for our native iOS client development in XCode 5. We are successfully able to connect to the WL server and call all our existing adapter procedures in our different adapters.

For this native API project, we now would like to enable App Authenticity as well. When we use the same MobileSecurityTest as in the hybrid app in the application descriptor of the native API project we can deploy it to our WL server and the App Authenticity feature is enabled (drop down available to control the feature) at the iOS Native API entry in the console.

On the native iOS app/project we set:

bundle ID is exactly the same as in the hybrid project and the same as in the Apple Developer portal
Key Chain is enabled in the project and also set to worklight.group (as in the hybrid XCode project)

we are not able to get a successful authentication running when we want to connect to WL server. We see that the DeviceAuthManager tries to get the UUID from the device, but then the server returns an error response:

2013-09-24 08:58:35.530 App[32535:c07] DeviceAuthManager:getWorklightUniqueDeviceId --> returning UUID from the keychain
2013-09-24 08:58:35.564 App[32535:c07] 
 isCustomResponse
2013-09-24 08:58:35.564 App[32535:c07] this is it: Status: 403
InvocationResult: (null)
InvocationContext: {
    delegate = "<MyConnectionListener: 0x7d73ec0>";
}
Response text: /*-secure-
{"WL-Authentication-Failure":{"wl_authenticityRealm":{"reason":"com.ibm.json.java.JSONObject cannot be cast to java.lang.String"}}}*/
2013-09-24 08:58:35.564 App[32535:c07] [ERROR] Worklight: -[WLRequest requestFailed:]:309::Status code='403' error='(null)'
2013-09-24 08:58:35.565 App[32535:c07] [ERROR] Worklight: -[WLClient onInitRequestFailure:userInfo:]:410::

We did try this with and without a registered ChallengeHandler that just prints the response. The same results, just that we can see the error response printed in the isCustomResponse method if we have the ChallengeHandler.

Also, a Worklight dialog is shown automatically that says "Error: An error was encountered while processing the request from the application (CLOSE)".

We can see that in 6.0 there is the worklight.plist value:

<key>wlUid</key>
<string>wY/mbnwKTDDYQUvuQCdSgg==</string>

is that also necessary in 5.0.6? Our plist file there does not have that.

When we change the environment value in the worklight.plist file from iOSnative to our app name (or something else) we get a response Response text:

{"errorCode":"UNEXPECTED_ERROR","errorMsg":null}

so I assume this value iOSnative is a fixed value that has to be there?

Sept 30th: WL 6.0.0.1 Update

In WL 6.0.0.1 it seems to not show the same bug when we used it with a Studio 6.0.0 generated iOSApi Environment deployed to a Consumer Server on Tomcat.

Now we are getting an:

Invocation Failure: Status: 403
InvocationResult: {
    "WL-Authentication-Failure" =     {
        "wl_authenticityRealm" =         {
            reason = "forbidden state";
        };
    };
}

when we have Enabled, blocking and we can connect and call Adapters when we change to Enabled, servicing. (which was not possible with the 5.0.6 bug before)

Now we assume we need to somehow setup our iOS Certificates or Signatures that we use to sign the app for the iOS Simulator and for the iOS Devices (Developer and Distribution Certificates) on the Wl server, so that the WL Server allows a connection?

Could someone help us with the steps that we need to take to setup an iOS native App Authenticity in our XCode 5 project to successfully connect to the server and after that call our adapters with Enabled, blocking.

We did add worklight.group to the turned-on Keychain Sharing capability of the iOS app.
We copied all Wl iOSAPI files including the plist file with the wlUid into the iOS app xCode5 project?
As mentioned above, it works with Enabled-Servicing and with Disabled AppAuthenticity fine.

回答1:

For App Authenticity to function in a native iOS application using the Worklight Native API for iOS, the steps are the same as in a Hybrid application on the Eclipse side: