Authorization and Authentication with Java SDK
April 15, 2014, 9:02 EEST
hyperdanny (Member)

Hello everybody,

At the moment I’m evaluating the security capabilities of the Java SDK.
For this reason I’d like to know how authorization and authentication are handled here.

As far as I know, it should be possible to say that a user needs to “log in” in order to generate some kind of identity token.
Furthermore there should be some kind of “rights management”, to say that a user is allowed to access a specific object.
I think this has something to do with the “access level” attribute of the object itself.

Unfortunately I’m not sure how to do these aspects of security with your Java SDK.

April 15, 2014, 9:30 EEST
Jouni Aro (Moderator)

Are you considering the server or the client side?

Have you checked what the Tutorials say about this?

April 15, 2014, 10:03 EEST
hyperdanny (Member)

Hello Jouni,

Thanks for your quick response. I’m referring to the Server SDK.
I also had a look at the tutorial, but could only find that “User Validators” are mentioned.

Unfortunately I couldn’t find any information about authorization. Maybe I missed something?

April 15, 2014, 10:29 EEST
Jouni Aro (Moderator)

Yes, it’s not emphasised very much. This is mentioned in relation to the IoManagerListener (p.17):

Also you can perform user specific operations and return user specific results (e.g. for onGetUserAccessLevel()), using the ServiceContext parameter, which contains Session information, including the UserIdentity of the session.

April 15, 2014, 12:41 EEST
hyperdanny (Member)

Thanks again for your help!

Now I had a look at the code, but I’m not sure if I understood everything correctly.
Maybe you could correct me if I am wrong:

1. As the code says, you define a user validator for the whole server:

    server.setUserValidator(userValidator);

2. Then you implement your own validator, which checks if a user is a valid user. There we have different options. The client decides which option it wants to use for authentication. The important method for this is onValidate(). Here we say that opcua/opcua is a valid user/password combination.

    public boolean onValidate(Session session, UserIdentity userIdentity)
            throws StatusException {
        SampleConsoleServer.println("onValidate: userIdentity=" + userIdentity);
        // Only a UserName token carries a name and a password
        if (userIdentity.getType().equals(UserTokenType.UserName))
            if (userIdentity.getName().equals("opcua")
                    && userIdentity.getPassword().equals("opcua"))
                return true;
        // Any other identity is rejected
        return false;
    }

But now I’m a little bit confused:

I used your OPC UA Java Client and the Sample Console Server. I couldn’t detect where and how to type in any “login information”.
When do I have to log in?

Then I had a look at the IOManagerListener.
There we have a method called onGetUserAccessLevel():

Is this method used, to say, that a specific node should not be visible for a specific token?
So that the user won’t get a specific AccessLevel?

    @Override
    public EnumSet<AccessLevel> onGetUserAccessLevel(
            ServiceContext serviceContext, NodeId nodeId, UaVariable node) {
        // The AccessLevel defines the accessibility of the Variable.Value
        // attribute

        // Define anonymous access
        // if (serviceContext.getSession().getUserIdentity().getType()
        //         .equals(UserTokenType.Anonymous))
        //     return EnumSet.noneOf(AccessLevel.class);
        if (node.getHistorizing())
            return EnumSet.of(AccessLevel.CurrentRead,
                    AccessLevel.CurrentWrite, AccessLevel.HistoryRead);
        else
            return EnumSet
                    .of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite);
    }

If not, how and where can I say that only the user opcua is allowed to access the object “My Device”?

Or am I wrong, that this kind of security only applies to the “value attribute” of a variable?

April 15, 2014, 13:23 EEST
Jouni Aro (Moderator)

You can define the user name & password in the Java Client from the ‘User’-dialog, which is accessible with the ‘User’-button at the top right of the window.

Yes, in the UserValidator, you can limit which users may connect to the server. The UserIdentity is then assigned to the Session. And the Session is available from the ServiceContext, which is available for example in onGetUserAccessLevel.

onGetUserAccessLevel is indeed used to define access to the Value attribute of the variables.

In addition, you can limit the access to the service calls in the respective listeners or overridden methods.

IoManagerListener.onReadValue, onWriteValue, etc. to limit read/write access to the value – although these will not be called if the UserAccessLevel that you provide does not allow it.

IoManagerListener.onReadNonValue, onWriteNonValue, etc. to limit read/write access to the other attributes – although the write will not be called if the UserWriteMask that you provide does not allow it.

NodeManagerListener.onBrowseNode to limit which references are provided: this enables you to make some nodes invisible in the address space for certain users.

etc.

April 16, 2014, 7:27 EEST
hyperdanny (Member)

Thanks for your information.
With your help I was able to say that you may not be anonymous to access the value attribute of a node in general.
But at the moment I’m not sure how to tell the system that only the user opcua is allowed to access the value attribute of the mySwitch object.

Do I have to edit IOManagerListener.onGetUserAccessLevel and do something like this:

    if (serviceContext.getSession().getUserIdentity().getName().equals("opcua")
            && node.getBrowseName().getName().equals("mySwitch")) {
        return EnumSet.of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite);
    }

April 16, 2014, 14:15 EEST
Jouni Aro (Moderator)

Yes that looks quite fine. It may be best to check the Type of the UserIdentity before checking the Name, but I think it should work without that check as well, if you just note that Name can be null, if not used.
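Putting the whole thread together, here is one way to implement the two decisions that were discussed: the authentication check behind UserValidator.onValidate (check the token type before Name, which can be null, then the password) and the per-user, per-node authorization behind IoManagerListener.onGetUserAccessLevel (deny by default, give only the user opcua access to mySwitch). This is an added example written for this page; it is not code from the thread or from the Prosys SDK samples. The two callback signatures at the bottom are the ones quoted in the thread; the import package names, the use of node.getBrowseName().getName() as the plain browse-name string, and the user list and node name are assumptions.

```java
// Added example, not code from this thread or from the Prosys SDK samples.
// Assumptions: the import package names, UaNode.getBrowseName().getName() as
// the plain browse-name string, and the constructed user list and node name.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

import org.opcfoundation.ua.builtintypes.NodeId;
import org.opcfoundation.ua.core.AccessLevel;
import org.opcfoundation.ua.core.UserTokenType;

import com.prosysopc.ua.StatusException;
import com.prosysopc.ua.UserIdentity;
import com.prosysopc.ua.nodes.UaVariable;
import com.prosysopc.ua.server.ServiceContext;
import com.prosysopc.ua.server.Session;

public final class NodeAccessPolicy {

    // Constructed sample credentials. A production server would look these up
    // in a directory or a salted password-hash store, not compare plaintext.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    static {
        PASSWORDS.put("opcua", "opcua");
        PASSWORDS.put("viewer", "viewer");
    }

    // Hypothetical variable that only one user may read and write.
    private static final String RESTRICTED_VARIABLE = "mySwitch";
    private static final String RESTRICTED_OWNER = "opcua";

    /**
     * Authentication decision behind UserValidator.onValidate. The token type
     * is checked before Name/Password are touched (both are null for an
     * Anonymous token); unknown users and wrong passwords fail the same way;
     * the password comparison is constant-time.
     */
    public static boolean isValidUser(UserIdentity identity) {
        if (identity == null || identity.getType() != UserTokenType.UserName) {
            return false; // Anonymous and Certificate tokens are not accepted by this policy
        }
        String name = identity.getName();
        String password = identity.getPassword();
        if (name == null || password == null) {
            return false;
        }
        String expected = PASSWORDS.get(name);
        if (expected == null) {
            return false; // unknown user: same result as a bad password
        }
        return MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Authorization decision behind IoManagerListener.onGetUserAccessLevel:
     * the AccessLevel bits this identity gets on one variable's Value.
     * Deny by default: anonymous sessions get nothing, the restricted variable
     * is read/write for its owner only, everything else is read-only for
     * authenticated users, plus HistoryRead where the variable is historizing.
     */
    public static EnumSet<AccessLevel> accessLevelFor(UserIdentity identity,
            String browseName, boolean historizing) {
        if (identity == null || identity.getType() != UserTokenType.UserName
                || identity.getName() == null) {
            return EnumSet.noneOf(AccessLevel.class);
        }
        if (RESTRICTED_VARIABLE.equals(browseName)) {
            return RESTRICTED_OWNER.equals(identity.getName())
                    ? EnumSet.of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite)
                    : EnumSet.noneOf(AccessLevel.class);
        }
        EnumSet<AccessLevel> levels = EnumSet.of(AccessLevel.CurrentRead);
        if (historizing) {
            levels.add(AccessLevel.HistoryRead);
        }
        return levels;
    }

    /** Browse filter: a variable the user cannot access at all is not shown to that user. */
    public static boolean isVisibleTo(UserIdentity identity, String browseName) {
        return !accessLevelFor(identity, browseName, false).isEmpty();
    }

    // Drop-in bodies for the two SDK callbacks quoted in the thread (same signatures).

    public boolean onValidate(Session session, UserIdentity userIdentity) throws StatusException {
        return isValidUser(userIdentity);
    }

    public EnumSet<AccessLevel> onGetUserAccessLevel(ServiceContext serviceContext,
            NodeId nodeId, UaVariable node) {
        UserIdentity identity = serviceContext.getSession().getUserIdentity();
        // Boolean.TRUE.equals(...) tolerates a missing Historizing attribute
        return accessLevelFor(identity, node.getBrowseName().getName(),
                Boolean.TRUE.equals(node.getHistorizing()));
    }
}
```

The decisions are plain static methods so they can be unit-tested without a running server; the callbacks only fetch the session's UserIdentity and delegate. As Jouni notes above, onGetUserAccessLevel governs only the Value attribute: other attributes still go through onReadNonValue/onWriteNonValue, and hiding a node from a user is done in NodeManagerListener.onBrowseNode, which would call isVisibleTo (that listener's signature is not shown on this page, so only the decision is given here).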
