API Security settings applications?

Hello,

I’ve been with OH for a short time and I wonder what these settings are worth and how I should have them configured if I want to have the maximum possible security and also want to have different users (logged in) within OH.

Greetings

The default is sufficient.

What is the default? I have been playing and I want to restrict the calls of the rest api without being a logged in user. But I also have widgets that feed from the api (I think)

Unfortunately this statement doesn’t carry much meaning. What do you mean by maximum possible security? After all, the most secure system in the world is powered off and buried in concrete at the bottom of the ocean. No one can hack into that. It’s also not terribly useful.

OK, now this is something that can be addressed. The description for that last option addresses this. Turn it off and “disabling this option will enforce authorization.” So disable the Implicit User Role and nothing can access the REST API without authenticating.

Once authenticated, if that user has the admin role then that user has unfettered access to the entire REST API. If they have a users role that user can only access the Items end points (I think, maybe one or two other end points too).

If you are talking about MainUI Widgets then everything that MainUI does and shows is through the REST API. If you are talking about some widget or software you wrote yourself then that widget will need to be modified to authenticate with openHAB. One of the easier ways to authenticate is Basic Authentication, which is why that option is there to turn on. But there is also a way to generate an authentication token.

I try to explain better, what I would like is to try that the REST API is not public for everyone that is within my network. That is, try to put some type of authentication (or what is possible / recommended) to restrict access to gets, puts, deletes …

The problem I get is that I don’t know why, if I deactivate that option, all users and roles that I have (admins, users, other roles …) do not see the values in widgets or layouts …
I want those values to be seen but I would like to have deactivated that option that you are telling me (Implicit user role)


At the moment, it is not very clear to me what basic authentication is and if it exists to enable third-party connections. I don’t know, I’m a bit confused.
Regarding the widgets, they are the ones that I show in the image and they are the ones that openhab brings. They are within layouts that I have created and not on the main page as such. As I mentioned above, I would like the values to be displayed with the implicit user role option disabled.

Thank you very much for your time and dedication. A strong greeting.

Basic Authentication is a standard way for web pages to request and receive usernames and passwords embedded as a header field in the HTTP request. It is an old and not terribly secure way to do authentication if not done really well, so most of the world has moved off of Basic Authentication. That’s why it’s not turned on by default.

However, Basic Authentication is simple and still used by a lot of older software and small embedded devices and the like.

If the browser pops up a separate dialog that looks like

that page is using basic auth.

If it brings up a separate login page it is not using basic auth.

Walk us through exactly how you are logging in to OH and what the settings are. Assuming Basic Auth is turned off and Implicit User Role is turned off, navigate to http://<address of openHAB>:8080. All you should be able to do or see is login. Nothing else should be displayed.

Without logging in now try to load http://<address of openHAB>:8080/developer/api-explorer. Nothing should be displayed.

Now log in as a user with an admin role. You should now have access to everything. Log out and log in with a user with the users role (there are only two roles). The administrative parts of the page should not be there and if you try to access them with a direct URL it will not show anything.

That widget is showing some data though. It shows that the REST API for persistence queries is working or else it wouldn’t be able to generate that trend line. And that trend line indicates it’s been a while since that Item has updated. That shows that something is working. If you are certain that those Items have values (look in events.log) then there might be a bug with the SSE feed or the like.

One final thing. Make sure to log out and refresh the page every time you make a change to the security settings. It’d probably be a good idea to clear the cache too.

First of all, thank you for your time and dedication.

All of this is correct and works as I hope. Thanks for the explanation.

When I disable the implicit user option, my values do not arrive. In the Event Monitor I do not receive anything (but in events.log, yes, the data is there). It may be an SSE problem that you mention, but I have no idea what this is or what may have caused it. What I do to make it fail is uncheck the implicit user option; if I leave it activated it works and the values are shown.

I wouldn’t bet on that.

Well, I suppose a scuba diver with a hack saw might be able to take a shot at it. :wink:


I tried to clear the cache and the message persists. Maybe it is time to forget it.