Skip to content
This repository has been archived by the owner on May 17, 2021. It is now read-only.

Security

Kai edited this page Oct 20, 2013 · 9 revisions

Documentation of openHAB's security features

Introduction

To secure the communication with openHAB there are currently two mechanisms in place

  • HTTPS
  • Authentication

Authentication is implemented by {{{SecureHttpContext}}} which in turn implements {{{HttpContext}}}. This {{{SecureHttpContext}}} is registered with the OSGi !HttpService and provides the security hook {{{handleSecurity}}}. At least all authentication requests are delegated to the {{{javax.security.auth.login.LoginContext.LoginContext}}} which is the entry point to JAAS (http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service) !LoginModules.

The {{{SecureHttpContext}}} is currently used by the {{{WebAppServlet}}} and the {{{CmdServlet}}} which constitutes the default iPhone UI as well as the {{{RESTApplication}}} which provides the REST functionality.

HTTPS

openHAB supports HTTPS out of the box. Just point your browser to

{{{https://127.0.0.1:8443/openhab.app?sitemap=demo#}}}

and the HTTP communication will be encrypted by SSL. If one would like to add his own certificates please refer to http://wiki.eclipse.org/Jetty/Howto/Configure_SSL for more information.

Authentication

In order to activate Authentication one has to add the following parameters to the openHAB start command line

  • {{{-Djava.security.auth.login.config=./etc/login.conf}}} - the configuration file of the JAAS !LoginModules

By default the command line references the file {{{/etc/login.conf}}} which in turn configures a !PropertyFileLoginModule that references the user configuration file {{{login.properties}}}. One should use all available !LoginModule implementation here as well (see http://wiki.eclipse.org/Jetty/Tutorial/JAAS for further information).

The default configuration for login credentials for openHAB is the file {{{/configuration/users.cfg}}}. In this file, you can put a simple list of "user=pwd" pairs, which will then be used for the authentication. Note that you could optionally add roles after a comma, but there is currently no support for different roles in openHAB.

Security Options

The security options can be configured through {{{openhab.cfg}}}. One can choose between

  • {{{ON}}} - security is enabled generally
  • {{{OFF}}} - security is disabled generally
  • {{{EXTERNAL}}} - security is switched on for external requests (e.g. originating from the Internet) only

To distinguish between internal and external addresses one may configure a net mask in {{{openhab.cfg}}}. Every ip-address which is in range of this net mask will be treated as internal address must not be authorized though.

Installation


User Interfaces


Community

(link to openHAB forum)

Development



Misc


Samples

A good source of inspiration and tips from users gathered over the years. Be aware that things may have changed since they were written and some examples might not work correctly.

Please update the wiki if you do come across any out of date information.

Use case examples

Collections of Rules on a single page

Single Rules

Scripts


Release Notes

Clone this wiki locally