As openHAB uses the Jetty Webserver for the UI, I think the simplest and safest
solution is to configure Jetty to require an authenticated user. I haven't yet
looked into the details on how to do this myself, so please refer to the Jetty
documentation, which should hopefully help on this matter - and remember to
post feedback about your findings!
Original comment by kai.openhab
on 15 Jul 2011 at 8:38
Found a pretty nice solution here using Jetty -
http://docs.codehaus.org/display/JETTY/How%20to%20Configure%20Security%20with%20Embedded%20Jetty
Look at the "Programmatic security constraints (no web.xml)". There is a
properties file with listed users, passwords and roles in format <username>:
<password>[,<rolename> ...], called "etc/realm.properties".
My idea is to use the sitemap notion instead of the roles notion. For example
instead of "admin", "moderator", "user" the role names to be the sitemap names,
i.e. "demo", "livingroom_tablet", "john_phone". The method
constraint.setRoles(String[] getSitemaps()) gathers the sitemaps and sets roles
with the same names.
This way the user only has to specify in the etc/realm.properties file some
user names in the following manner:
john: pass123,john_phone (only access to "john_phone" sitemap)
steve: pass321,demo,livingroom_tablet (steve has rights to access both "demo" and "livingroom_tablet" sitemaps)
Maybe "etc/realm.properties" is better to be renamed to
"configurations/users.cfg" to make more sense?
There has to be a way to disable user authentication per sitemap. Maybe when
there is no such "role" (or sitemap) specified in the "etc/realm.properties".
For example:
john: pass123,john_phone (only access to "john_phone" sitemap)
steve: pass321,demo (steve has rights to access only "demo" sitemap)
// "livingroom_tablet" sitemap is not found, so it is unsecured by default
Let me know what you think about this?
Original comment by mishoboss
on 16 Jul 2011 at 12:23
Sounds good to me and yes, the etc/realm.properties could be moved and renamed
to something more helpful.
As I am just working on the REST interface, I wonder how this can be combined
in a good way. As you can send commands to items through REST, this should be
secured as well. And future UIs should also make use of the REST API to send
commands (not coming anymore with their own servlet as the current UI).
Will have to think of a good concept as soon as I find the time for that.
Further ideas are always welcome :-)
Original comment by kai.openhab
on 18 Jul 2011 at 9:31
Yes, I came to this issue too. As openHAB is designed to be UI independent (not
only web-based UIs), this solution is going to be partly working, which is not
acceptable. However since all the communication is going to be through REST, a
very similar securing method could be implemented over the REST interface. Of
course a login form has to be implemented in every UI, rather than relying on
the browser login popup.
As you said the items are going to be directly accessible through REST and need
to be secured too. I think this could enforce changing a little bit the REST
API you published yesterday. The URI has to contain something identifying a
user or his role/rights.
Another issue I think is that openHAB has to force the customer to "register"
at least one user for this method to work.
However I'm not an experienced REST expert and there may be better methods
implementing ACL with REST :-)
Original comment by mishoboss
on 19 Jul 2011 at 9:26
> However I'm not an experienced REST expert and there may be better methods implementing ACL with REST :-)
Yes, the good thing about REST is that you can rely on all existing HTTP
headers that handle authentication - so you do not have to build credential
properties into your API.
Here is how one can use HTTP Basic Authentication with Jersey on Jetty:
http://stackoverflow.com/questions/5114272/jax-rs-and-custom-authorization
Original comment by kai.openhab
on 19 Jul 2011 at 9:49
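As an added illustration of the scheme sketched in the two comments above (sitemap names used as realm role names, sitemaps that no user lists left unsecured by default, and HTTP Basic credentials carried in the Authorization header of REST requests), here is a small stand-alone model. This is example code, not openHAB's or Jetty's own: it parses the realm.properties format and applies the proposed rules itself instead of going through Jetty's realm classes, and the users, passwords and sitemap names are constructed.

```python
import base64
import hmac

# Constructed realm.properties in Jetty's "<username>: <password>[,<rolename> ...]"
# format, with openHAB sitemap names used as the role names (the thread's proposal).
REALM_PROPERTIES = """\
john: pass123,john_phone
steve: pass321,demo
"""

def parse_realm(text):
    """Return {username: (password, frozenset of sitemap names)}."""
    users = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        name, _, rest = line.partition(":")
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = (fields[0], frozenset(f for f in fields[1:] if f))
    return users

def protected_sitemaps(users):
    """Sitemaps listed by at least one user; all others are unsecured by default."""
    return set().union(*(sitemaps for _, sitemaps in users.values()))

def basic_header(user, password):
    """Authorization header value a client sends for HTTP Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_auth(header):
    """(user, password) from 'Basic <base64(user:pass)>', or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authorize(users, sitemap, auth_header=None):
    """HTTP status for a request to a sitemap: 200, 401 (authenticate) or 403."""
    if sitemap not in protected_sitemaps(users):
        return 200  # no user lists this sitemap, so it is open
    creds = parse_basic_auth(auth_header) if auth_header else None
    entry = users.get(creds[0]) if creds else None
    if entry is None or not hmac.compare_digest(entry[0].encode(), creds[1].encode()):
        return 401  # unknown user, bad password or malformed header
    return 200 if sitemap in entry[1] else 403  # authenticated but not permitted
```

Passwords are plaintext here only because the thread's examples are; Jetty's realm files also accept obfuscated or hashed password forms, which a deployment should prefer.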
Original comment by teichsta
on 13 Dec 2011 at 1:11
checked in a new branch 0.9.0-security which implements BASIC-Authentication
for openHAB.
Since we are using OSGi HTTP Service, most of the examples do not fit into our
environment. There is an issue
https://bugs.eclipse.org/bugs/show_bug.cgi?id=347102 (Support or document how
to use JAAS with the OSGi HttpService) which already deals with that problem
(or at least plans to do that).
I incorporated a solution where the PropertyFileLoginModule gets involved.
Username and password are stored in a file called login.properties. Since I use
standard JAAS LoginModules, all existing (or your own) modules could be used as well.
Original comment by teichsta
on 13 Dec 2011 at 2:49
I have merged the code to default, thanks a lot for it!
I have reopened the issue, just to remember that we need a wiki page to
describe this feature.
Original comment by kai.openhab
on 15 Dec 2011 at 9:18
Is this working for the REST interface too?
Original comment by mishoboss
on 16 Dec 2011 at 2:08
yes
Original comment by teichsta
on 16 Dec 2011 at 2:09
Could you give me a little bit more info about how to use it. I work on a
Sencha UI now and this is going to be useful.
Original comment by mishoboss
on 17 Dec 2011 at 2:37
yes :-) I created a new wiki page
http://code.google.com/p/openhab/wiki/Security ... does that answer your
question regarding security?
Original comment by teichsta
on 18 Dec 2011 at 8:44
wiki page created
Original comment by teichsta
on 18 Dec 2011 at 8:45
Original issue reported on code.google.com by
mishoboss
on 15 Jul 2011 at 8:46