Security options in OH2

Lolodomo · January 28, 2016, 8:31pm

Where are the settings to define security options in OH2 ?

danielwalters86 · January 28, 2016, 9:47pm

As far as I know it’s not implemented yet.

Lolodomo · January 28, 2016, 10:19pm

I have missed this major missing feature…

danielwalters86 · January 28, 2016, 11:36pm

Don’t forget OH2 is work in progress, it’s not production ready yet so if you need authentication or security stick to OH1.

splatch · January 30, 2016, 6:09pm

There are couple options there. Karaf (when used as OH2 runtime) by default ships security framework which may be used to control visibility of shell commands. Pax Web used to host web servlets allows to turn on HTTPs or limit visibility to goven network interface (ie lan not wan). Jetty configuration can be also customized to plug in extra options such basic http authentication.

Most basic option is usage of property file which contains user logins and passwords for both things (shell/web). It is also possible to configure JAAS login module sql database as backing store or LDAP for more advanced setups. In case of database JDBC driver must be installed.

Lolodomo · January 30, 2016, 6:29pm

Good news.
Is it possible for you to write a wiki page explaining clearly the options for the end user.
Like with OH1, I would like only an HTTPS access with login/password when I am outside my local network.

Kai · January 30, 2016, 6:30pm

The chosen solution should go hand in hand with https://github.com/eclipse/smarthome/issues/579 in the end.
I am not an expert in JAAS and other potential mechanism, but from what I have read so far, it seems that pax-web with JAAS should be just fine. HTTPS is anyhow already in place by default, we do not need to activate anything here. So all that is needed is authentication.
@splatch If you know how to do this with a property file holding the credentials, feel free to come up with a PR.
Please have a look at https://github.com/openhab/openhab/wiki/Security#authentication - it would be nice if it could be done similar to how it looks like in OH1. I am not sure though if it is possible to also achieve different behavior based on the netmask (no authentication from the local network, but from remote).

Lolodomo · January 30, 2016, 6:41pm

I found a keystore in one directory of OH2. What is its role ? What is the password to update it ?

Kai · January 30, 2016, 8:30pm

It stores the generated SSL certificate. Why would you want to edit it?