From 46b5c2b3c0bb014befc6792af98e033537c87e20 Mon Sep 17 00:00:00 2001 From: Yannick Schaus Date: Sun, 11 Oct 2020 11:54:25 +0200 Subject: [PATCH 1/7] Allow basic authentication to authorize API access Closes #1699. Note, this opens a minor security issue that allows an attacker to brute force passwords by making calls to the API - contrary to the authorization page, the credentials parsing for the REST API is stateless & doesn't have a lock mechanism to lock user accounts after too many failed login attempts. Signed-off-by: Yannick Schaus --- .../io/rest/auth/internal/AuthFilter.java | 33 +++++++++- .../auth/internal/UserSecurityContext.java | 65 +++++++++++++++++++ 2 files changed, 95 insertions(+), 3 deletions(-) create mode 100644 bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java index ab020ab18e4..b0c4a6ece22 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java +++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java @@ -13,6 +13,7 @@ package org.openhab.core.io.rest.auth.internal; import java.io.IOException; +import java.util.Base64; import javax.annotation.Priority; import javax.security.sasl.AuthenticationException; @@ -26,6 +27,9 @@ import javax.ws.rs.ext.Provider; import org.openhab.core.auth.Authentication; +import org.openhab.core.auth.User; +import org.openhab.core.auth.UserRegistry; +import org.openhab.core.auth.UsernamePasswordCredentials; import org.openhab.core.io.rest.JSONResponse; import org.openhab.core.io.rest.RESTConstants; import org.osgi.service.component.annotations.Component; @@ -35,10 +39,11 @@ import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsExtension; /** - * This filter is responsible for parsing a token provided with a request, and hydrating a {@link SecurityContext} from - * the claims contained in the token. + * This filter is responsible for parsing credentials provided with a request, and hydrating a {@link SecurityContext} + * from these credentials if they are valid. * * @author Yannick Schaus - initial contribution + * @author Yannick Schaus - Allow basic authentication */ @PreMatching @Component @@ -52,6 +57,9 @@ public class AuthFilter implements ContainerRequestFilter { @Reference private JwtHelper jwtHelper; + @Reference + private UserRegistry userRegistry; + @Override public void filter(ContainerRequestContext requestContext) throws IOException { try { @@ -63,6 +71,25 @@ public void filter(ContainerRequestContext requestContext) throws IOException { Authentication auth = jwtHelper.verifyAndParseJwtAccessToken(authParts[1]); requestContext.setSecurityContext(new JwtSecurityContext(auth)); return; + } else if ("Basic".equals(authParts[0])) { + try { + String[] decodedCredentials = new String(Base64.getDecoder().decode(authParts[1]), "UTF-8") + .split(":"); + if (decodedCredentials.length != 2) { + throw new AuthenticationException("Invalid Basic authentication credential format"); + } + UsernamePasswordCredentials credentials = new UsernamePasswordCredentials( + decodedCredentials[0], decodedCredentials[1]); + Authentication auth = userRegistry.authenticate(credentials); + User user = userRegistry.get(auth.getUsername()); + if (user == null) { + throw new org.openhab.core.auth.AuthenticationException("User not found in registry"); + } + requestContext.setSecurityContext(new UserSecurityContext(user, "Basic")); + return; + } catch (org.openhab.core.auth.AuthenticationException e) { + throw new AuthenticationException("Invalid user name or password"); + } } } } @@ -74,7 +101,7 @@ public void filter(ContainerRequestContext requestContext) throws IOException { return; } } catch (AuthenticationException e) { - requestContext.abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Invalid token")); + requestContext.abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Invalid credentials")); } } } diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java new file mode 100644 index 00000000000..cd9cb74fc99 --- /dev/null +++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/UserSecurityContext.java @@ -0,0 +1,65 @@ +/** + * Copyright (c) 2010-2020 Contributors to the openHAB project + * + * See the NOTICE file(s) distributed with this work for additional + * information. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0 + * + * SPDX-License-Identifier: EPL-2.0 + */ +package org.openhab.core.io.rest.auth.internal; + +import java.security.Principal; + +import javax.ws.rs.core.SecurityContext; + +import org.eclipse.jdt.annotation.NonNullByDefault; +import org.eclipse.jdt.annotation.Nullable; +import org.openhab.core.auth.User; + +/** + * This {@link SecurityContext} contains information about a user, roles and authorizations granted to a client + * from a {@link User} instance. + * + * @author Yannick Schaus - initial contribution + */ +@NonNullByDefault +public class UserSecurityContext implements SecurityContext { + + private User user; + private String authenticationScheme; + + /** + * Constructs a security context from an instance of {@link User} + * + * @param user the user + * @param authenticationScheme the scheme that was used to authenticate the user, e.g. "Basic" + */ + public UserSecurityContext(User user, String authenticationScheme) { + this.user = user; + this.authenticationScheme = authenticationScheme; + } + + @Override + public Principal getUserPrincipal() { + return user; + } + + @Override + public boolean isUserInRole(@Nullable String role) { + return user.getRoles().contains(role); + } + + @Override + public boolean isSecure() { + return true; + } + + @Override + public String getAuthenticationScheme() { + return authenticationScheme; + } +} From df00d2bc05ce33fecf7626f8e62e75e4ddf3dbf5 Mon Sep 17 00:00:00 2001 From: Yannick Schaus Date: Fri, 16 Oct 2020 23:27:05 +0200 Subject: [PATCH 2/7] Add configurable service/config description Introduce a new AnonymousUserSecurityContext for unauthenticated users that should be allowed the "user" role according to service configuration. Signed-off-by: Yannick Schaus --- .../AnonymousUserSecurityContext.java | 50 +++++++++++++++++++ .../io/rest/auth/internal/AuthFilter.java | 46 ++++++++++++++++- .../RolesAllowedDynamicFeatureImpl.java | 20 +++----- .../main/resources/OH-INF/config/config.xml | 22 ++++++++ 4 files changed, 124 insertions(+), 14 deletions(-) create mode 100644 bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AnonymousUserSecurityContext.java create mode 100644 bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AnonymousUserSecurityContext.java b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AnonymousUserSecurityContext.java new file mode 100644 index 00000000000..40d9a0becbc --- /dev/null +++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AnonymousUserSecurityContext.java @@ -0,0 +1,50 @@ +/** + * Copyright (c) 2010-2020 Contributors to the openHAB project + * + * See the NOTICE file(s) distributed with this work for additional + * information. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License 2.0 which is available at + * http://www.eclipse.org/legal/epl-2.0 + * + * SPDX-License-Identifier: EPL-2.0 + */ +package org.openhab.core.io.rest.auth.internal; + +import java.security.Principal; + +import javax.ws.rs.core.SecurityContext; + +import org.eclipse.jdt.annotation.NonNullByDefault; +import org.eclipse.jdt.annotation.Nullable; +import org.openhab.core.auth.Role; + +/** + * This {@link SecurityContext} can be used to give anonymous users (i.e. unauthenticated requests) the "user" role. + * + * @author Yannick Schaus - initial contribution + */ +@NonNullByDefault +public class AnonymousUserSecurityContext implements SecurityContext { + + @Override + public @Nullable Principal getUserPrincipal() { + return null; + } + + @Override + public boolean isUserInRole(@Nullable String role) { + return role == null || Role.USER.equals(role); + } + + @Override + public boolean isSecure() { + return false; + } + + @Override + public @Nullable String getAuthenticationScheme() { + return null; + } +} diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java index b0c4a6ece22..ec5b098a6cf 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java +++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java @@ -14,6 +14,7 @@ import java.io.IOException; import java.util.Base64; +import java.util.Map; import javax.annotation.Priority; import javax.security.sasl.AuthenticationException; @@ -26,17 +27,24 @@ import javax.ws.rs.core.SecurityContext; import javax.ws.rs.ext.Provider; +import org.eclipse.jdt.annotation.Nullable; import org.openhab.core.auth.Authentication; import org.openhab.core.auth.User; import org.openhab.core.auth.UserRegistry; import org.openhab.core.auth.UsernamePasswordCredentials; +import org.openhab.core.config.core.ConfigurableService; import org.openhab.core.io.rest.JSONResponse; import org.openhab.core.io.rest.RESTConstants; +import org.osgi.framework.Constants; +import org.osgi.service.component.annotations.Activate; import org.osgi.service.component.annotations.Component; +import org.osgi.service.component.annotations.Modified; import org.osgi.service.component.annotations.Reference; import org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants; import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsApplicationSelect; import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsExtension; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * This filter is responsible for parsing credentials provided with a request, and hydrating a {@link SecurityContext} @@ -46,20 +54,45 @@ * @author Yannick Schaus - Allow basic authentication */ @PreMatching -@Component +@Component(configurationPid = "org.openhab.restauth", property = Constants.SERVICE_PID + "=org.openhab.restauth") +@ConfigurableService(category = "system", label = "API Security", description_uri = AuthFilter.CONFIG_URI) @JaxrsExtension @JaxrsApplicationSelect("(" + JaxrsWhiteboardConstants.JAX_RS_NAME + "=" + RESTConstants.JAX_RS_NAME + ")") @Priority(Priorities.AUTHENTICATION) @Provider public class AuthFilter implements ContainerRequestFilter { + private final Logger logger = LoggerFactory.getLogger(AuthFilter.class); + private static final String ALT_AUTH_HEADER = "X-OPENHAB-TOKEN"; + protected static final String CONFIG_URI = "system:restauth"; + private static final String CONFIG_ALLOW_BASIC_AUTH = "allowBasicAuth"; + private static final String CONFIG_NO_UNAUTHENTICATED_USER_ROLE = "noUnauthenticatedUserRole"; + + private boolean allowBasicAuth = false; + private boolean noUnauthenticatedUserRole = false; + @Reference private JwtHelper jwtHelper; @Reference private UserRegistry userRegistry; + @Activate + protected void activate(Map config) { + modified(config); + } + + @Modified + protected void modified(@Nullable Map properties) { + if (properties != null) { + Object value = properties.get(CONFIG_ALLOW_BASIC_AUTH); + allowBasicAuth = value != null && "true".equals(value.toString()); + value = properties.get(CONFIG_NO_UNAUTHENTICATED_USER_ROLE); + noUnauthenticatedUserRole = value != null && "true".equals(value.toString()); + } + } + @Override public void filter(ContainerRequestContext requestContext) throws IOException { try { @@ -72,6 +105,9 @@ public void filter(ContainerRequestContext requestContext) throws IOException { requestContext.setSecurityContext(new JwtSecurityContext(auth)); return; } else if ("Basic".equals(authParts[0])) { + if (!allowBasicAuth) { + throw new AuthenticationException("Basic authentication is not allowed"); + } try { String[] decodedCredentials = new String(Base64.getDecoder().decode(authParts[1]), "UTF-8") .split(":"); @@ -88,7 +124,7 @@ public void filter(ContainerRequestContext requestContext) throws IOException { requestContext.setSecurityContext(new UserSecurityContext(user, "Basic")); return; } catch (org.openhab.core.auth.AuthenticationException e) { - throw new AuthenticationException("Invalid user name or password"); + throw new AuthenticationException("Invalid Basic authentication credentials", e); } } } @@ -100,7 +136,13 @@ public void filter(ContainerRequestContext requestContext) throws IOException { requestContext.setSecurityContext(new JwtSecurityContext(auth)); return; } + + if (!noUnauthenticatedUserRole) { + requestContext.setSecurityContext(new AnonymousUserSecurityContext()); + } + } catch (AuthenticationException e) { + logger.warn("Unauthorized API request: {}", e.getMessage()); requestContext.abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Invalid credentials")); } } diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/RolesAllowedDynamicFeatureImpl.java b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/RolesAllowedDynamicFeatureImpl.java index 9fdd62dc03a..c8bfc44a532 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/RolesAllowedDynamicFeatureImpl.java +++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/RolesAllowedDynamicFeatureImpl.java @@ -31,7 +31,6 @@ import javax.ws.rs.core.Response.Status; import javax.ws.rs.ext.Provider; -import org.openhab.core.auth.Role; import org.openhab.core.io.rest.JSONResponse; import org.openhab.core.io.rest.RESTConstants; import org.osgi.service.component.annotations.Component; @@ -115,15 +114,7 @@ private static class RolesAllowedRequestFilter implements ContainerRequestFilter @Override public void filter(final ContainerRequestContext requestContext) throws IOException { if (!denyAll) { - // TODO: temporarily, until the complete authorization story is implemented, we consider operations - // allowed for user roles to be permitted unrestricted (even to unauthenticated users) - if (Arrays.asList(rolesAllowed).contains(Role.USER)) { - return; - } - - if (rolesAllowed.length > 0 && !isAuthenticated(requestContext)) { - requestContext.abortWith( - JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "User is not authenticated")); + if (rolesAllowed.length == 0) { return; } @@ -134,8 +125,13 @@ public void filter(final ContainerRequestContext requestContext) throws IOExcept } } - requestContext.abortWith(JSONResponse.createErrorResponse(Status.FORBIDDEN, - "User is authenticated but doesn't have access to this resource")); + if (!isAuthenticated(requestContext)) { + requestContext + .abortWith(JSONResponse.createErrorResponse(Status.UNAUTHORIZED, "Authentication required")); + return; + } + + requestContext.abortWith(JSONResponse.createErrorResponse(Status.FORBIDDEN, "Access denied")); } private static boolean isAuthenticated(final ContainerRequestContext requestContext) { diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml new file mode 100644 index 00000000000..446af2b8101 --- /dev/null +++ b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml @@ -0,0 +1,22 @@ + + + + + + + Allow the use of Basic authentication to access protected API resources. + + + true + + By default, operations requiring the "user" role are available when unauthenticated. Enabling this + option will require authentication for these operations. Warning: this will cause clients which don't + support + authorization to break. + + + + From c862a8ac1fe7a8d3d5e089545117c2b2ae6fa949 Mon Sep 17 00:00:00 2001 From: Yannick Schaus Date: Sun, 18 Oct 2020 18:29:42 +0200 Subject: [PATCH 3/7] Rename config option, case insensitive scheme matching Signed-off-by: Yannick Schaus --- .../openhab/core/io/rest/auth/internal/AuthFilter.java | 8 ++++---- .../src/main/resources/OH-INF/config/config.xml | 9 ++++++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java index ec5b098a6cf..711db137928 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java +++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java @@ -67,7 +67,7 @@ public class AuthFilter implements ContainerRequestFilter { protected static final String CONFIG_URI = "system:restauth"; private static final String CONFIG_ALLOW_BASIC_AUTH = "allowBasicAuth"; - private static final String CONFIG_NO_UNAUTHENTICATED_USER_ROLE = "noUnauthenticatedUserRole"; + private static final String CONFIG_NO_IMPLICIT_USER_ROLE = "noImplicitUserRole"; private boolean allowBasicAuth = false; private boolean noUnauthenticatedUserRole = false; @@ -88,7 +88,7 @@ protected void modified(@Nullable Map properties) { if (properties != null) { Object value = properties.get(CONFIG_ALLOW_BASIC_AUTH); allowBasicAuth = value != null && "true".equals(value.toString()); - value = properties.get(CONFIG_NO_UNAUTHENTICATED_USER_ROLE); + value = properties.get(CONFIG_NO_IMPLICIT_USER_ROLE); noUnauthenticatedUserRole = value != null && "true".equals(value.toString()); } } @@ -100,11 +100,11 @@ public void filter(ContainerRequestContext requestContext) throws IOException { if (authHeader != null) { String[] authParts = authHeader.split(" "); if (authParts.length == 2) { - if ("Bearer".equals(authParts[0])) { + if ("Bearer".equalsIgnoreCase(authParts[0])) { Authentication auth = jwtHelper.verifyAndParseJwtAccessToken(authParts[1]); requestContext.setSecurityContext(new JwtSecurityContext(auth)); return; - } else if ("Basic".equals(authParts[0])) { + } else if ("Basic".equalsIgnoreCase(authParts[0])) { if (!allowBasicAuth) { throw new AuthenticationException("Basic authentication is not allowed"); } diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml index 446af2b8101..1ebeadc6208 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml +++ b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml @@ -7,11 +7,14 @@ - Allow the use of Basic authentication to access protected API resources. + false + Allow the use of Basic authentication to access protected API resources, in addition to access tokens + and API tokens. - + true - + + false By default, operations requiring the "user" role are available when unauthenticated. Enabling this option will require authentication for these operations. Warning: this will cause clients which don't support From 18818fe613955a1764cba9a4acec39bb8b2e5767 Mon Sep 17 00:00:00 2001 From: Yannick Schaus Date: Sun, 18 Oct 2020 18:30:57 +0200 Subject: [PATCH 4/7] Update bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml Signed-off-by: Yannick Schaus Co-authored-by: Kai Kreuzer --- .../src/main/resources/OH-INF/config/config.xml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml index 1ebeadc6208..4c964fcb8d4 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml +++ b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml @@ -16,9 +16,8 @@ false By default, operations requiring the "user" role are available when unauthenticated. Enabling this - option will require authentication for these operations. Warning: this will cause clients which don't - support - authorization to break. + option will require authentication for these operations. Warning: This causes clients that do not + support authentication to break. From 58f891027d6860f4f5beff1172fc74f703ad915f Mon Sep 17 00:00:00 2001 From: Yannick Schaus Date: Sun, 18 Oct 2020 19:07:55 +0200 Subject: [PATCH 5/7] Rename option to "implicitUserRole", enabled by default Signed-off-by: Yannick Schaus --- .../core/io/rest/auth/internal/AuthFilter.java | 10 +++++----- .../src/main/resources/OH-INF/config/config.xml | 13 +++++++------ 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java index 711db137928..9c856dc630e 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java +++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java @@ -67,10 +67,10 @@ public class AuthFilter implements ContainerRequestFilter { protected static final String CONFIG_URI = "system:restauth"; private static final String CONFIG_ALLOW_BASIC_AUTH = "allowBasicAuth"; - private static final String CONFIG_NO_IMPLICIT_USER_ROLE = "noImplicitUserRole"; + private static final String CONFIG_IMPLICIT_USER_ROLE = "implicitUserRole"; private boolean allowBasicAuth = false; - private boolean noUnauthenticatedUserRole = false; + private boolean implicitUserRole = true; @Reference private JwtHelper jwtHelper; @@ -88,8 +88,8 @@ protected void modified(@Nullable Map properties) { if (properties != null) { Object value = properties.get(CONFIG_ALLOW_BASIC_AUTH); allowBasicAuth = value != null && "true".equals(value.toString()); - value = properties.get(CONFIG_NO_IMPLICIT_USER_ROLE); - noUnauthenticatedUserRole = value != null && "true".equals(value.toString()); + value = properties.get(CONFIG_IMPLICIT_USER_ROLE); + implicitUserRole = value != null && "false".equals(value.toString()); } } @@ -137,7 +137,7 @@ public void filter(ContainerRequestContext requestContext) throws IOException { return; } - if (!noUnauthenticatedUserRole) { + if (implicitUserRole) { requestContext.setSecurityContext(new AnonymousUserSecurityContext()); } diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml index 4c964fcb8d4..10d7e552632 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml +++ b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml @@ -11,13 +11,14 @@ Allow the use of Basic authentication to access protected API resources, in addition to access tokens and API tokens. - + true - - false - By default, operations requiring the "user" role are available when unauthenticated. Enabling this - option will require authentication for these operations. Warning: This causes clients that do not - support authentication to break. + + true + By default, operations requiring the "user" role are available when unauthenticated. Disabling this + option will enforce authorization for these operations. Warning: this will cause clients which don't + support + authorization to break. From 348677d2ccf7003d0c57fb9de760220f5dfd9c68 Mon Sep 17 00:00:00 2001 From: Yannick Schaus Date: Sun, 18 Oct 2020 19:17:21 +0200 Subject: [PATCH 6/7] Fix implicitUserRole value setting logic Signed-off-by: Yannick Schaus --- .../java/org/openhab/core/io/rest/auth/internal/AuthFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java index 9c856dc630e..c89b468dff7 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java +++ b/bundles/org.openhab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/AuthFilter.java @@ -89,7 +89,7 @@ protected void modified(@Nullable Map properties) { Object value = properties.get(CONFIG_ALLOW_BASIC_AUTH); allowBasicAuth = value != null && "true".equals(value.toString()); value = properties.get(CONFIG_IMPLICIT_USER_ROLE); - implicitUserRole = value != null && "false".equals(value.toString()); + implicitUserRole = value == null || !"false".equals(value.toString()); } } From 0c9d04494645b41b45b09048d439c35c182f7fae Mon Sep 17 00:00:00 2001 From: Kai Kreuzer Date: Sun, 18 Oct 2020 20:59:15 +0200 Subject: [PATCH 7/7] Update bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml --- .../src/main/resources/OH-INF/config/config.xml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml index 10d7e552632..78c63d86fd8 100644 --- a/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml +++ b/bundles/org.openhab.core.io.rest.auth/src/main/resources/OH-INF/config/config.xml @@ -16,9 +16,8 @@ true By default, operations requiring the "user" role are available when unauthenticated. Disabling this - option will enforce authorization for these operations. Warning: this will cause clients which don't - support - authorization to break. + option will enforce authorization for these operations. Warning: This causes clients that do not + support authentication to break.