9:02, EEST
April 15, 2014
Hello everybody,
At the moment I’m evaluating the security capabilities of the Java SDK.
For this reason I’d like to know how authorization and authentication are handled here.
As far as I know, it should be possible to say that a user needs to “log in” in order to generate some kind of identity token.
Furthermore there should be some kind of “rights management”, to say that a user is allowed to access a specific object.
I think this has something to do with the “access level” attribute of the object itself.
Unfortunately I’m not sure how to do these aspects of security with your JAVA SDK.
9:30, EEST
December 21, 2011
10:03, EEST
April 15, 2014
10:29, EEST
December 21, 2011
Yes, it’s not emphasised very much. This is mentioned in relation to the IoManagerListener (p.17):
Also you can perform user specific operations and return user specific results (e.g. for onGetUserAccessLevel()), using the ServiceContext parameter, which contains Session information, including the UserIdentity of the session.
12:41, EEST
April 15, 2014
Thx again for your help!
Now I had a look at the code, but I’m not sure if I understood everything correctly.
Maybe you could correct me if I am wrong:
1. As the code says, you define a user validator for the whole server
server.setUserValidator(userValidator);
2. Then you implement your own personal validator, which checks if a user is a valid user. There we have different options. The client decides which option he wants to use for authentication. The important method for this is onValidate(). Here we say that opcua/opcua is a valid user/password combination.
public boolean onValidate(Session session, UserIdentity userIdentity)
        throws StatusException {
    SampleConsoleServer.println("onValidate: userIdentity=" + userIdentity);
    if (userIdentity.getType().equals(UserTokenType.UserName))
        if (userIdentity.getName().equals("opcua")
                && userIdentity.getPassword().equals("opcua"))
            return true;
    return false; // any other token type or credentials are rejected
}
But now I’m a little bit confused:
I used your OPC UA Java Client and the Sample Console Server. I couldn’t detect where and how to type in any “login information”.
When do I have to login?
Then I had a look at the IOManagerListener.
There we have a method called onGetUserAccessLevel():
Is this method used, to say, that a specific node should not be visible for a specific token?
So that the user won’t get a specific AccessLevel?
@Override
public EnumSet<AccessLevel> onGetUserAccessLevel(
        ServiceContext serviceContext, NodeId nodeId, UaVariable node) {
    // The AccessLevel defines the accessibility of the Variable.Value
    // attribute
    // Define anonymous access
    // if (serviceContext.getSession().getUserIdentity().getType()
    //         .equals(UserTokenType.Anonymous))
    //     return EnumSet.noneOf(AccessLevel.class);
    if (node.getHistorizing())
        return EnumSet.of(AccessLevel.CurrentRead,
                AccessLevel.CurrentWrite, AccessLevel.HistoryRead);
    else
        return EnumSet
                .of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite);
}
If not, how and where can I say that only the user opcua is allowed to access the object “My Device”?
Or am I wrong, that this kind of security only applies to the “value attribute” of a variable?
13:23, EEST
December 21, 2011
You can define the user name & password in the Java Client from the ‘User’-dialog, which is accessible with the ‘User’-button at the top right of the window.
Yes, in the UserValidator, you can limit which users may connect to the server. The UserIdentity is then assigned to the Session. And the Session is available from the ServiceContext, which is available for example in onGetUserAccessLevel.
onGetUserAccessLevel is indeed used to define access to the Value attribute of the variables.
In addition, you can limit the access to the service calls in the respective listeners or overridden methods.
IoManagerListener.onReadValue, onWriteValue, etc. to limit read/write access to the value – although these will not be called if the UserAccessLevel that you provide does not allow it.
IoManagerListener.onReadNonValue, onWriteNonValue, etc. to limit read/write access to the other attributes – although the write will not be called if the UserWriteMask that you provide does not allow it.
NodeManagerListener.onBrowseNode to limit which references are provided: this enables you to make some nodes invisible in the address space for certain users.
etc.
7:27, EEST
April 15, 2014
Thanks for your information.
With your help I was able to say that you may not be anonymous to access the value attribute of a node in general.
But at the moment I’m not sure how to tell the system, that only the user opcua is allowed to access the value attribute of the mySwitch object.
Do I have to edit IOManagerListener.onGetUserAccessLevel and do something like this:
if (serviceContext.getSession().getUserIdentity().getName().equals("opcua")
        && node.getBrowseName().getName().equals("myswitch")) {
    return EnumSet.of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite);
}
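The policy the last two posts converge on, written out as an added example (not code from this thread or from the Prosys SDK samples): one method decides the UserAccessLevel of the Value attribute from the session’s UserIdentity, denies anonymous sessions everywhere and restricts the MySwitch node to the user opcua. The NodeId ns=2;s=MySwitch is a constructed placeholder, the class name is hypothetical, and the imports assume the SDK package layout used by SampleConsoleServer.

```java
import java.util.EnumSet;

import org.opcfoundation.ua.builtintypes.NodeId;
import org.opcfoundation.ua.core.AccessLevel;
import org.opcfoundation.ua.core.UserTokenType;

import com.prosysopc.ua.UserIdentity;
import com.prosysopc.ua.nodes.UaVariable;
import com.prosysopc.ua.server.ServiceContext;

/** Decides the UserAccessLevel of the Value attribute from the session's identity. */
public class SwitchAccessPolicy {
    // Constructed placeholder: use the NodeId you gave the real MySwitch node.
    static final NodeId MY_SWITCH = new NodeId(2, "MySwitch");
    static final String PRIVILEGED_USER = "opcua";

    static EnumSet<AccessLevel> userAccessLevel(UserIdentity identity, NodeId nodeId,
            UaVariable node) {
        // Anonymous sessions (or a missing identity) get no access to any Value attribute.
        if (identity == null || identity.getType().equals(UserTokenType.Anonymous))
            return EnumSet.noneOf(AccessLevel.class);

        // Match on the NodeId, not the display name: names are not unique in the address space.
        if (MY_SWITCH.equals(nodeId)) {
            boolean isPrivileged = identity.getType().equals(UserTokenType.UserName)
                    && PRIVILEGED_USER.equals(identity.getName());
            return isPrivileged
                    ? EnumSet.of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite)
                    : EnumSet.noneOf(AccessLevel.class);
        }

        // Every other variable: authenticated users may read/write, and read history if kept.
        if (node.getHistorizing())
            return EnumSet.of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite,
                    AccessLevel.HistoryRead);
        return EnumSet.of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite);
    }

    /** Body for IoManagerListener.onGetUserAccessLevel: the identity comes from the ServiceContext. */
    public EnumSet<AccessLevel> onGetUserAccessLevel(ServiceContext serviceContext,
            NodeId nodeId, UaVariable node) {
        UserIdentity identity = serviceContext.getSession().getUserIdentity();
        return userAccessLevel(identity, nodeId, node);
    }
}
```

This only governs the Value attribute; to also keep MySwitch out of other users’ browse results, filter the reference in NodeManagerListener.onBrowseNode as described in the reply above.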