Log In
Register
Topic RSS
9:43, EEST
March 31, 2022
Offline
Hi,
I am using Prosys client-server Java SDK 5.6.2
I need finer control over client connections for various reasons (monitoring, statistics, access control, rate limiting, licensing, etc.).
I am interested in intercepting *all* low-level requests such as Create Session, Activate Session, Read, Write, Browse, etc.
Inspecting the code, the best would be to have a callback in the method `handleSecureMessage` of `OpcTcpServerConnection` (line 721), where I have access to the current `ServiceRequest` as well as `SecurityToken`. Unfortunately, the API doesn’t provide access to this part of the code.
I also do not see any option in the `UaServer` API to inject any listener to handle requests on this level of granularity. Ideally, with the User token included.
Is there any option to intercept all requests, or would it be possible to build such an option in?
Thanks!
15:04, EEST
April 3, 2012
Offline
Hi,
Not exactly, as the point of an OPC UA SDK, in general, is to provide a higher-level abstraction and thus to try hiding the complex raw communication details.
10+ years ago the communication layers of OPC UA typically looked like:
+----------------------+ | TCP | +----------------------+ | UA Stack | +----------------------+ | UA SDK | +----------------------+ | UA Application | +----------------------+
Stacks were responsible to handling the raw socket connections, encoding messages to binary and then provide a raw request-response layer for the actual services. SDKs then abstract things more and provide something more use-able. What you basically say you would want would have been inside the Stack level, though ‘SecurityToken’ is not actually a “user token”, but instead details related to the opc.tcp SecureChannel.
Nowadays Stacks are basically gone extinct. Some history regarding our SDK: https://documentation.prosysop…..ck-changes .We did make a mistake 15+ years ago that the stack classes were used directly in the SDK APIs, unfortunately fixing that might be impossible at this point. But basically other than those (and some util classes), classes being in ‘com.prosysopc.ua.stack’ package and subpackage should be considered to be “SDK private API”.
That all is to say that it is not intended that you would normally handle the raw requests and doing so could break SDK’s own functionality.
That being said, we do have some options, but it does require a bit more work. We would instead recommend using things that the sampleconsoleserver example shows, those are the intended ways, though that does involve attaching numerous XXXListeners to places for access control.
Anyway, you could try the following and let us know how it goes:
Subtype UaServer, override protected createXXXServiceHandler methods. Return sub-typed XXXServiceHandlers where ‘XXX’ is either ‘Attribute’, ‘NodeManagement’ or ‘Subscription’. There exist also a SessionServiceHandler, but we recommend not to touch that one. Note that there are some methods that are final, those are historical Stack-to-SDK entry points and cannot be overridden.
However, you could override the com.prosysopc.ua.server.ServiceHandler.validateRequest(EndpointServiceRequest). It is recommended to call super first, to receive the ServiceContext that needs to be returned. You could throw ServiceException to fail the entire service. The ServiceRequest can be obtained from EndpointServiceRequest.getRequest(). However, I would be very cautious on doing any ‘rate limiting’ attempts, it is not something expected by UA Clients, they will either break or retry immediately, which would defeat the point.
The ServiceContext does tell the Session and from the Session you can get the ServerUserIdentity, which is server-side variation of the UserIdentity a client would use. The ServiceContext is a parameter in most of the recommended Listener-ways for handling authorization, it is passed along the call chain, see below.
An alternative is to look for methods such as https://documentation.prosysop…..dResponse- , and override them. These are called after the validate and then some of them will then split up more to other protected methods, then eventually they will go to YYYManagers. XXX and YYY might not be the same, but e.g. in Sessions it will go to SessionManager, which you can get normally from UaServer. It would provide info (a bit) about the sessions (UA has a Diagnostics concept). Many of YYY will have also YYYListener, here SessionManagerListener, that provides handles to react to their creation etc.
As this post is already quite long, I’ll stop here for now, but please ask more and explain more about specifics what you would want to do.
15:34, EEST
April 3, 2012
Offline
P.S.
There exists ServiceHandler.setRequestResponseListener(RequestResponseListener), which could be used for a logging-only scenario, you can get the XXXServiceHandlers from UaServer. This listener is called just before sending back the response (which should not be modified here). This is what our Simulation Server Application’s Req/Res Log tab uses. Though, seems we have not used ServiceContext here in this Listener, thus the logic relies on com.prosysopc.ua.server.SessionManager.getSession(NodeId) using the authentication token from the header (though, this is what is also used for forming the ServiceContext).
15:42, EEST
March 31, 2022
Offline
Thanks!
I absolutely agree that no direct access to the stack should be provided. What I am wishing for would be a listener injection on the UaServer level, like `UaServer.addListener(RequestTypeEnumeration type, BiConsumer callback)` or similar, where `Request` would be a new abstraction for this particular purpose, not an implementation detail from the stack.
I will try the proposed approach and let you know, but it looks promising! I just guess you meant `com.prosysopc.ua.server.ServiceHandler.validateRequest(ServiceRequest, ServerSecureChannel)` ?
Regarding the rate limiting, yes, what you say makes sense, but how can an OPC UA server then deal with misconfigured clients and prevent being taken down by an unintended DoS? Do you have any recommendations or experience? I already asked about this in particular in this old thread, but a real-world solution was not found: https://forum.prosysopc.com/fo…..or-server/
17:14, EEST
April 3, 2012
Offline
Maybe something similar to the ServiceHandler.setRequestResponseListener(RequestResponseListener) (see the P.S. from above), but only for requests and called as part of the validate. It would still be a bit hidden, but maybe a bit easier to use. We’ll have to discuss this internally.
I did mean the EndpointServiceRequest version, but as long as you have not used UaServer.getLoopbackClient() (skipping details) then validateRequest(ServiceRequest, ServerSecureChannel) is ok as well.
In practice we have not encountered that much “real world examples”. Like, the best one is our public Simulation Server instance which sometimes get “stuck” when someone makes many sessions so that the max sessions/connections limit is reached. But then again normally one has firewall rules that only accepts connections from defined sources, so not sure does even this count.
9:27, EEST
March 31, 2022
Offline
> RequestResponseListener
Sounds really good!
> In practice we have not encountered that much “real world examples”
Yes, I guess our usecase is special: we are providing access to dynamically registered devices, kinda “OPCUA as a service” thing. But anyways, “Simple things should be simple, complex things should be possible.” is also valid here 🙂
One more question: You said you don’t recommend overwriting SessionServiceHandler – for what reason? It would also be interesting for us to listen and monitor attempts to create (or activate) sessions, as those indicate the number of connections. And it would be good to use the same technique as with the other requests.
Thanks!
12:13, EEST
April 3, 2012
Offline
The RequestResponseListener is ok there as well.
The SessionServiceHandler lacks the protected xxx(ServiceContext serviceContext, XXXRequest request, XXXResponse response) methods what are in the others. It goes more directly to the SessionManager. In the others they are sort of a “last effort place” to try to implement something, but regarding sessions SDK already should be implementing it .. completely (compared to e.g. data related to a Node’s Attributes).
We do have intended ways for this as well: UaServer.getSessionManager().addListener(SessionManagerListener) see https://documentation.prosysop…..tener.html. Also, for just user-validation there is UaServer.setUserValidator(UserValidator).
We have also build ways to override the SessionManager via a subtype, similar to the handlers, though the raw ServiceRequest is not available (but the relevant parameters of it are, in the protected methods). It is also possible to use a subtyped Session.
Note that SDK already limits sessions and connections. They are separate things, though most of the time it is 1:1. By default SessionManager.getMaxSessionCount() defines max number of sessions and by default 10% more (at least +1) opc.tcp connections can be made. This so that a client can see that the server is at session limit. UaServer.setMaxOpcTcpConnections(Integer) can be used to set a different limit. Note that in the SDK (and per UA spec), non-properly-ActivateSession’d connections are dropped if at connection limit and a new one arrives. Note that there is not a way to observe the actual connections (we might build this some day).
2 Guest(s)
