Authentication in OH2

Any activity here? Is there any discussion going on about implementing a user-role based access model?

Permission to view sitemap items, read and change item states would be really handy.

Real-world examples: A tablet presenting information on the first floor could be accessed with a user with limited access, preventing people walking by from changing stuff you don't want to give everyone access to.

“Guest user”: Give simple access to multimedia in the living room and perhaps some lighting for the babysitter.

Prevent the “teenagers” in the house from switching on/off certain switches :wink:


I do provide this feature in my installation using a Microsoft Web Application Proxy (WAP) as a reverse proxy in a DMZ. External connections are authorized with two-factor auth (MFA) over SSL, while internal connections are bound to domain accounts (which are bound to sitemaps). I do understand this is pretty much overkill for an end user, but I would never expose my smart home hub directly to the WWW (even with HTTP auth on it).
my.openhab is the best solution for the “normal” user, as it is also a kind of reverse proxy.
On my smartphone I am using my own app over a certificate-based VPN (full-blown IPsec).
So from my POV, I would not spend so much time on sophisticated auth in OH2. Better to make my.openhab a rock-solid solution for everyone (for a price). No need to think about fixed IPs, IPv6, DS-Lite…

For internal usage a limited sitemap should work fine.

No, not AFAIK, but it would be great to start that discussion… will you?

The right place might be https://github.com/eclipse/smarthome/issues/579.

For basic authentication stuff, we will have to look at what pax-web & Karaf have to offer, but it is probably better to wait for next week, as I plan to introduce these new frameworks next week.

Hi, any news on this since OH2 is on the new frameworks?

I would hope that @splatch will help on this, see also this thread.

Quick reply as always @Kai :slightly_smiling:

I’ve read that thread as well but didn’t really get a clear understanding if someone was looking into it, working on it. I’ll keep monitoring both threads. Thanks!

@Kai I took a look at authentication and the way it was done before. The configuration of Jetty is a bit different from the default, but we may secure it with HTTP basic authentication at the Jetty connector level (the easiest way). I will post a PR with an example configuration.


@splatch sounds promising, as I'm securing all traffic with a reverse proxy and HTTPS when going outside of the local network; adding un/pw would be just enough for my needs at least :slightly_smiling:

We could take some ideas from the Milton WebDAV framework on how to implement authentication (which is based on servlet filters)

When and where? :slight_smile:

@Kai I’ve tried to bring that up, but it turned out to be harder than expected. Jetty JAAS support cannot be easily plugged in, and even if it could, it would just cover the handlers listed in the Jetty XML and would not secure backend services. I was checking the REST services, and the way they are published does not allow controlling authentication either. For now I’m stuck.

@tobo In your case you may add basic authentication on the proxy server.

Hm, this does not sound good. I had hoped that this is something already solved for Karaf solutions…
I was actually thinking that pax-web covers such features (without requiring us to go directly down to Jetty itself). Do you know what the pax-web-jaas module (org.ops4j.pax.web/pax-web-jaas at master in ops4j/org.ops4j.pax.web on GitHub) is about and if it might help?

@Kai I’ve spoken with @bcanhome about the module you pointed out: it’s inherited from the Undertow integration and is not yet supported in Jetty. It is possible to couple JAAS when using WAR archives and web.xml descriptors; however, there is no easy way of doing that externally.

Sadly, the way services are published doesn’t allow injecting a custom HTTP context with an implemented security mechanism (at least I can’t find a possible way). I think we need to consult the authors of the bundle providing this functionality to confirm how to do that.

The last thing which comes to my mind is the use of a custom HTTP filter registered at the same path as the REST resources, but this would most likely require the use of the pre-existing HTTP context created by the eclipsesource JAX-RS publisher.

Is authentication considered a prerequisite to the OH2 release version? There hasn’t been any activity on this thread for a few months, so has there been any progress on how this might be addressed?

You might not have been looking at the right place; the discussion and progress are happening on this issue.


Much of the discussion in the issue above is beyond my level of understanding. @Kai also suggested “to use a reverse proxy like NGINX or Apache for securing access.” I previously looked into a reverse proxy, but read that issues can arise with relative paths in the app if the configuration isn’t correct.

Can someone with experience post a step by step reverse proxy server configuration example here? I think that would make myself and others more confident in testing OH2.

Sorry for the late post, but until it’s all sorted within OH2, why wouldn’t that be our best option? OH2 has great web responsiveness, so if we’re just “watching and actioning” our sitemap, why not?

SSL + basic auth and you’re perfect if you’re not paranoid. Basic auth with encryption is used in many enterprise apps.

I’m doing an nginx reverse proxy currently and it works a treat.
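As an added example (not code from this thread or from the openHAB project), here is the nginx reverse proxy setup the last two posts describe and the earlier post asked for: TLS termination, HTTP basic auth, and a plain HTTP redirect so credentials never cross the wire unencrypted. The hostname home.example.com, the certificate paths, the .htpasswd location and the backend address 127.0.0.1:8080 are assumptions to be replaced with your own.

```nginx
# Added example: nginx in front of openHAB 2 with TLS + HTTP basic auth.
# Assumed: openHAB listens on 127.0.0.1:8080; hostname, cert and htpasswd
# paths are placeholders.

# Redirect plain HTTP to HTTPS so basic-auth credentials are never sent in clear.
server {
    listen 80;
    server_name home.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name home.example.com;

    ssl_certificate     /etc/nginx/ssl/home.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/home.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Credentials file, created e.g. with:  htpasswd -c /etc/nginx/.htpasswd alice
    # Every request (UI, sitemaps and the /rest API) must carry these credentials.
    auth_basic           "openHAB";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Proxy the whole site at the root. proxy_pass has no trailing slash or
    # sub-path, so the request URI is forwarded unchanged; mounting openHAB
    # under a sub-path is what breaks its relative links.
    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Check it with `nginx -t` before reloading, then verify from outside that `curl -I https://home.example.com/` returns `401 Unauthorized` without credentials and `200` with `-u alice:…`. Two caveats: the proxy only helps if port 8080 on the openHAB host is not reachable directly from outside (bind it to localhost or firewall it, otherwise the auth is bypassed), and basic auth has no lockout of its own, so use a long passphrase and consider rate limiting or fail2ban on the nginx access log.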

I’m happy to see the reverse proxy instructions in the User Manual.

The instructions were great and helped me a lot! Thanks for that!
I now have a secure Internet-facing setup with encrypted channels and authentication in place.
