Classic UI: LAN authentication issue

I’ve just upgraded from 1.7.1 (custom installation) to 1.8.2 (apt-get) on RPi3 (jessie). I’m using EXTERNAL authentication with a LAN netmask. I have the same security:netmask set in my openhab.cfg. However, the Classic UI is now asking for authentication even for the local network. The login completes correctly if I enter credentials. Also, MyOpenHAB works.

Any ideas about what could be causing the problem or how to debug it? I’ve tried setting the “org.openhab.io.net.http” logging level to DEBUG but I’m not seeing any related information in the log file.

Apparently other people have had the same problem: https://github.com/openhab/openhab/issues/3781

Of course, as soon as I post this I start seeing some related information the log file. :slight_smile:

2016-04-03 15:31:37.243 [TRACE] [.io.net.http.SecureHttpContext] - http request is originated by '2601:41:0:39b0:d69a:20ff:fefa:e4d2' which is identified as 'external'
2016-04-03 15:31:37.246 [DEBUG] [.io.net.http.SecureHttpContext] - checking ip is in range took 4ms 

Based on those log messages, it looks like this may be an issue with checking an IPv6 address against a IPv4 netmask ( SecureHttpContext . isExternalIp). Is there a workaround for this? It appears the OH IpAddressMatcher implementation only works with IPv4 addresses and masks.

Apparently the issue is caused when the browser decides to send an IPv6 address for a specified hostname. In my case, the openHAB hostname is resolved using mDNS and is resolved to an IPv6 address. If I specify the IPv4 address numerically, then the authentication is bypassed. This isn’t an ideal solution, but it’s better than needing to enter credentials every time I request the page from my LAN.

Hopefully, this will help others who have encountered this problem. I’ll update the related issue.

After more investigation, I found that the security:netmask configuration has an undocumented feature that allows multiple netmasks to be defined (IPv4 and/or IPv6). I used that feature to specify both an IPv4 and IPv6 netmask for my LAN to bypass authentication. I also updated the wiki.

I initially set up an ipv6 mask based on the address I was seeing in the openHAB log (see previous posting). However, I had some problems with that later so I disabled ipv6 on my RPi since I don’t really need it for my LAN.