Log In
Register
Forum
Topic RSS
9:02, EEST
April 15, 2014
Offline
Hello everybody,
At the moment I’m evaluating the security capabilities of the Java SDK.
For this reason I’d like to know, how authorization and authentifcation is handled here.
As far as I know, it should be possible to say, that a user needs to “log in” in order to generate some kind of identity token.
Furthermore there sould be some kind of “rights management”, to say that an user is allowed to access a specific object.
I think this has something to do with the “access level” attribute of the object itself.
Unfortunately I’m not sure how to do these aspects of security with your JAVA SDK.
9:30, EEST
December 21, 2011
Offline
Are you considering the server or the client side?
Have you checked what the Tutorials say about this?
10:03, EEST
April 15, 2014
Offline
Hello Jouni,
Thx for you quick response. I’m referring to the the Server SDK.
I also had a look at the tutorial, but could only find that “User Validators” are mentioned.
Unfortunately i could’nt find any information about authorization. Maybe i missed something?
10:29, EEST
December 21, 2011
Offline
Yes, it’s not emphasised very much. This is mentioned in relation to the IoManagerListener (p.17):
Also you can perform user specific operations and return user specific results (e.g. for onGetUserAccessLevel()), using the ServiceContext parameter, which contains Session information, including the UserIdentity of the session.
12:41, EEST
April 15, 2014
Offline
Thx again for your help!
Now i had a look at the code, but I’m not sure, if i understood everything correctly.
Maybe you could correct me, if I am wrong:
1. As the code says, you define a user validator for the whole server
server.setUserValidator(userValidator);
2. Then you implement your own personal validator, which checks if a user is a valid user. There we have different options. The client decides which option he wants to use for authentification. The important method for this is onValidate(). Here we say, that opcua/opcua is a valid user/password combination.
public boolean onValidate(Session session, UserIdentity userIdentity)
throws StatusException {
SampleConsoleServer.println(“onValidate: userIdentity=” + userIdentity);
if (userIdentity.getType().equals(UserTokenType.UserName))
if (userIdentity.getName().equals(“opcua”)
&& userIdentity.getPassword().equals(“opcua”))
return true; }
But now I’m a little bit confused:
I used your OPC UA Java Client and the Sample Console Server. I could’t detect, where and how to type in any “login information”.
When do I have to login?
Then I had a look at the IOManagerListener.
There we have a method called onGetUserAccessLevel():
Is this method used, to say, that a specific node should not be visible for a specific token?
So that the user won’t get a specific AccessLevel?
@Override
public EnumSet onGetUserAccessLevel(
ServiceContext serviceContext, NodeId nodeId, UaVariable node) {
// The AccessLevel defines the accessibility of the Variable.Value
// attribute
// Define anonymous access
// if (serviceContext.getSession().getUserIdentity().getType()
// .equals(UserTokenType.Anonymous))
// return EnumSet.noneOf(AccessLevel.class);
if (node.getHistorizing())
return EnumSet.of(AccessLevel.CurrentRead,
AccessLevel.CurrentWrite, AccessLevel.HistoryRead);
else
return EnumSet
.of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite);
}
If not, how and where can I say that only the user opcua is allowed to access the object “My Device”?
Or am I wrong, that this kind of security only applies to the “value attribute” of a variable?
13:23, EEST
December 21, 2011
Offline
You can define the user name & password in the Java Client from the ‘User’-dialog, which is accessible with the ‘User’-button at the top right of the window.
Yes, in the UserValidator, you can limit which users may connect to the server. The UserIdentity is then assigned to the Session. And the Session is available from the ServiceContext, which is available for example in onGetUserAccessLevel.
onGetUserAccessLevel is indeed used to define access to the Value attribute of the variables.
In addition, you can limit the access to the service calls in the respective listeners or overridden methods.
IoManagerListener.onReadValue, onWriteValue, etc. to limit read/write access to the value – although these will not be called if the UserAccessLevel that you provide does not allow it.
IoManagerListener.onReadNonValue, onWriteNonValue, etc. to limit read/write access to the other attributes – although the write will not be called if the UserWriteMask that you provide does not allow it.
NodeManagerListener.onBrowseNode to limit which references are provided: this enables you to make some nodes invisible in the address space for certain users.
etc.
7:27, EEST
April 15, 2014
Offline
Thanks for your information.
With your help I was able to say that you may not be anonymous to access the value attribute of a node in general.
But at the moment I’m not sure how to tell the system, that only the user opcua is allowed to access the value attribute of the mySwitch object.
Do i have to edit IOManagerListener.onGetUserAccessLevel and do something like this:
if(serviceContext.getSession().getUserIdentity().getName().equals(opcua) && node.getName().equals(“myswitch”)) {return EnumSet
.of(AccessLevel.CurrentRead, AccessLevel.CurrentWrite);}
14:15, EEST
December 21, 2011
Offline
Yes that looks quite fine. It may be best to check the Type of the UserIdentity before checking the Name, but I think it should work without that check as well, if you just note that Name can be null, if not used.
Most Users Ever Online: 518
Currently Online:
23 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
hbrackel: 135
pramanj: 86
Francesco Zambon: 81
rocket science: 77
ibrahim: 75
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
fred: 41
Member Stats:
Guest Posters: 0
Members: 683
Moderators: 16
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1467
Posts: 6259
Newest Members:
fidelduke938316, Jan-Pfizer, DavidROunc, fen.pang@woodside.com, aytule, rashadbrownrigg, christi10l, ahamad1, Flores Frederick, ellenmossModerators: Jouni Aro: 1009, Otso Palonen: 32, Tuomas Hiltunen: 5, Pyry: 1, Petri: 0, Bjarne Boström: 983, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 26, Teppo Uimonen: 21, Markus Johansson: 42, Niklas Nurminen: 0, Matti Siponen: 321, Lusetti: 0, Ari-Pekka Soikkeli: 5
Administrators: admin: 1
