I have a problem and I wanted to ask you if you know a good way to solve it:
I set up my OH server and built my UIs (classicUI and habPanel), but my problem is that everyone who gets on the OH server IP can e.g. turn on lights, … or, even worse, can delete my config (accessing the paperUI) … This is a little bit stupid, so I want to protect this. The only way I found while searching the internet is to set up a proxy server. But the problem is, I would prefer a kind of “view only” mode for e.g. my habPanel, so that I can show my UI on the tablet but the user cannot do anything with the items etc. … Do you know a way of doing this?
In another topic a user told me that it would be possible to set up a proxy for each UI (paperUI, habpanel, classicui, …) … I trained myself, working with a proxy server for the first time, on the OH tutorial … but this only shows how to set up a proxy directly to the OH server path. Can anyone give me tips/help/tutorials where I can learn how to set up a proxy for each UI?
Or if you know another, maybe better, way to solve the problem described above, please let me know. I am not a pro.
If you did not find it, others won’t either
Thank you. This is a first step, but only a … very simple step. I thought about editing the source code of the HTML file(s) of the habPanel, but I can’t find the source on my server (Raspberry). Does anyone know the location of the HTML file(s)?
There is a group actively working to implement user access control that will address this. However, don’t expect it to be ready anytime soon. If you want something soon, the proxy server is probably the way to go.
Hmm okay, so does anyone have experience with editing (rewriting) the HTML file the proxy serves? I am thinking about changing these files, a little bit like “man-in-the-middle” … Do you think this is possible?
You don’t need to change the files, just create a sitemap that only displays things, and set the proxy to block access to other sitemaps, paperUI etc.
How would this be achieved?
I am very much in favour of visibility options (and read only options) depending on users, would be a great little feature.
It would depend on the proxy software, but you would want to block any URL/URI that has ‘/paperui/’ and a wildcard after the / so it’s not just blocking a parent dir.
Since OH acts as a webserver, and listens on its own port, any parsing of URLs would have to happen inside the OH system, IMHO.
Maybe I am missing some obvious functionality.
While a valid point, it’s configured to run openHAB; changing how it works could cause other grief. Most would have a proxy system in their DMZ.
Another option would be to SSH into a system and Tunnel to the openHAB system on 8080; while this wouldn’t restrict access to the various URLs it would cause authentication to occur before reaching openHAB.
Hmm okay, thank you. Is it possible to set up the proxy to serve several sitemaps, depending on the username/password combination that was entered? I think if this is possible it would be a simple way to handle the UIs for guests, admin, and so on…
Is this possible? And if yes, how? Can I get help/tips?
Thinking about this earlier, it may be possible in a future upgrade to give each user their own sitemap, simply have sub-folders in the sitemap named according to the username (email address), and force users (even on local machines) to provide authentication.
This would also solve the read-only problem as people with read-only access would simply have a string item displaying a state in their own sitemaps, instead of a switch or slider.
I have long thought the security of the OH system needs upgrading, especially since many users have multiple persons with their wifi keys. I would never have a door lock for example on any OH system since anyone knowing my wifi key could simply log onto OH in a browser and unlock the door.
Just my 2-cents.
Yes, I do agree. Security/authentication is a fundamental part of a solution like OH… When I started working with OH I couldn’t believe that there is no real security/authentication mechanism included… I really hope that this comes in the near future.
But for now, maybe the way of creating a proxy for each sitemap/user combination may be the fastest way of doing a little bit of authentication? Anyone have tips? Is this possible?
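
The setup suggested in the replies above (a proxy in front of openHAB that blocks paperUI and the other UIs and leaves a view-only habPanel), written as an nginx configuration. This is an added example, not part of the original posts; the `/habpanel/` and `/rest/` paths, the `127.0.0.1:8080` upstream, the host name and the password file path are assumptions about a default openHAB 2 install on the same machine as nginx.

```nginx
# Added example, not from the thread. Assumed: openHAB on 127.0.0.1:8080,
# password file /etc/nginx/.htpasswd (hypothetical path, created with htpasswd),
# placeholder host name. Add TLS before sending passwords outside the LAN.
server {
    listen 80;
    server_name openhab.example;

    # Guest-facing panel: the static habPanel files need no login.
    location /habpanel/ {
        proxy_pass http://127.0.0.1:8080;
    }

    # REST API: reading item states (GET/HEAD) is open, so the panel can
    # display values. Anything that changes state (POST/PUT/DELETE, i.e.
    # sending commands or saving config) requires a login: "view only".
    location /rest/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;    # let live state updates stream through
        limit_except GET {
            auth_basic "openHAB";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
    }

    # Default rule: every other path (/paperui/, /classicui/, sitemap UIs, ...)
    # requires a login. Prefix matching covers everything below each path,
    # not just the parent directory.
    location / {
        auth_basic "openHAB";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The proxy only protects anything if port 8080 itself is unreachable from the network, for example through a firewall rule on the Raspberry. Requiring a login by default and opening only the guest paths is safer than listing the paths to block, because a UI added later is covered automatically.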