This page last changed on Jan 23, 2014 by janver.

Hi,

I just discovered the openremote REST api and also its lack of security.
Have any security features (such as a basic authentication) been built into the REST api? And if so, how do I enable it?
Does openremote have other open doors I should know about?

Thanks...

I suppose you're talking about controller API.
Standard HTTP(S) security applies and you can manage authentication/authorization in your container (usually tomcat).
If you look in web.xml, there is a commented out section at the end with some pointers.

Posted by ebariaux at Jan 23, 2014 10:39

Yes thanks I was talking about the Controller 2.0 HTTP/REST/XML API as described here: http://www.openremote.org/display/docs/Controller+2.0+HTTP-REST-XML

I was a bit surprised that no authentication was required since the GUI does require login; this may give users a false sense of security.
Users who never use the API probably would never know that their controls are fully exposed to the internet.
Perhaps it would be better to disable it by default.

Posted by janver at Jan 23, 2014 10:59

"Users who never use the API probably would never know that their controls are fully exposed to the internet."

Unless they aren't running any firewall, or for some reason put their OR installation on a DMZ, they shouldn't be exposed to the internet at all?

The only way I can access my OR instance is by being on the LAN, or VPN'ing in (which puts me on the LAN).

Philips Hue allows you to set up an API key which you need in the URL, otherwise it doesn't work. It may be possible for OR to do something similar. I'd be a bit cautious of amending the web.xml security in case I killed the normal client access.

Posted by ptruman at Jan 24, 2014 09:30

A DMZ is not required to make the server available from the internet; a simple port-forwarding rule on the router is sufficient.
A major convenience for home automation for me would be the ability to control devices when I'm not at home.
Anyway, openremote users/integrators should be more explicitly warned that by default the system doesn't provide any restriction.
Another question: Why does the openremote app require login? For security reasons?
Since all is open anyway, why not drop the login completely?

Posted by janver at Jan 24, 2014 09:46

True, a port forward would suffice, but (personally) I'm reluctant to put anything facing the internet that isn't bolted down, and treat everything as insecure.

I want remote access as well, as may clients, but if I do an installation for someone, given it would typically be on a server device, I will employ the same methods I have on my own installation - OpenVPN with certs. Also, depending on what you're controlling, you may already have remote access (LightWave & Hue for example do this 'natively', although that does put OpenRemote state tracking out of shape).

Granted it takes a bit of additional effort to set up, and an additional (in my case Android) client to bring up a connection when remote, but it's (a) much more secure than a user/password based system and (b) allows me to generate (with client consent) a "support" certificate so I can also access/support their underlying systems (i.e. I could amend their design/UI etc via the OR website, but I can't upgrade the underlying Java server without that access).

Also, my version of the Android OR client doesn't ask for a username/password, just the URL to the controller? (this is the one from the Android store)

But, still won't hurt to add a bit of additional security, or a "best use case" model which highlights the risks.

Posted by ptruman at Jan 24, 2014 10:10

Peter, I agree with what you say but as you say installing, configuring, ... a VPN server and then making sure it's all configured correctly on all the client devices does add a lot of work. Also if someone changes their phone you will probably have to reconfigure it (unless your clients are tech-savvy).
The server running openremote may not have the juice to run a performant VPN server next to it so it may increase the hardware, running and maintenance cost.
My ideal setup would just run openremote on an SSL webserver but then I would have to trust the security implementation of openremote.

edit: This may sound a bit paranoid but in many cases not all users of a LAN can/should be trusted. An implementation of openremote on a company network would not only require authentication but also SSL, otherwise anyone with a network sniffer could easily get your password. So I will most definitely have to tinker with the web.xml to get it all secure...

Posted by janver at Jan 24, 2014 10:30
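As an added illustration of the two points raised above (the commented-out web.xml pointers ebariaux mentions, and the need for SSL so Basic credentials are not sniffable), here is a container-managed security fragment for a Tomcat web.xml. This is example configuration written for this thread, not OpenRemote's own web.xml; the `/rest/*` URL pattern and the `openremote` role name are placeholders that must be matched to the real servlet mappings and to the users defined in conf/tomcat-users.xml.

```xml
<!-- Example only, not from the OpenRemote distribution.
     Assumes the controller's REST servlets are mapped under /rest/*
     (placeholder: check the <servlet-mapping> entries in your own web.xml)
     and that conf/tomcat-users.xml defines a user holding the role "openremote". -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Controller REST API</web-resource-name>
    <!-- Placeholder pattern: list every path the REST servlets answer on,
         otherwise an unlisted path stays reachable without a login. -->
    <url-pattern>/rest/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated users holding this role may call the API. -->
    <role-name>openremote</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes Tomcat refuse plain HTTP for these paths and
         redirect to the HTTPS connector, so the Basic credentials are never
         sent in clear text. An HTTPS connector must exist in server.xml. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- Basic auth is what the consoles prompt for on a protected URL.
       It is only acceptable together with the CONFIDENTIAL guarantee above. -->
  <auth-method>BASIC</auth-method>
  <realm-name>OpenRemote Controller</realm-name>
</login-config>

<security-role>
  <role-name>openremote</role-name>
</security-role>
```

The matching account goes in conf/tomcat-users.xml as `<role rolename="openremote"/>` and `<user username="..." password="..." roles="openremote"/>`; after restarting Tomcat, an unauthenticated request to a covered path should answer 401 rather than returning data.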

Depends what you include in your common toolset, or as a common deployment.

Given "free rein", an HP Microserver, running OpenMediaVault (4, not 5) and then install the OpenVPN plugin on it via the GUI. Walk through the wizard to generate certificates. Download autogenerated client .zip package from server. Install OpenVPN client on Android handset. Copy zip file to phone, point OpenVPN client at zip file/folder, job complete.

Barring the install of OpenMediaVault (which can take a while) the time to get OpenVPN running was about 5 minutes and a quick port forward to allow connections (assuming a client may have a decent router (rather than a hideous ISP supplied thing with no capability)).

OpenMediaVault also has a DLNA plugin (no transcoding though) so they can use it as a media hub for a SmartTV/PS3 etc. And it's all free, barring your costed time. Also I say v4 not 5 as (unless it's just been released) the OpenVPN plugin hasn't been ported to v5 yet.

And the Microservers typically run at 1.5 GHz or above, and mine runs Asterisk (IPT), CUPS (printing, inc. Google cloudprint), OpenVPN, DLNA, FTP, CIFS/Samba, and the VPN doesn't stress it. Full ClamAV filesystem scans bother it a little bit.

Obviously it depends on your time and inclination on the easiest way to support yourself/a client in the most secure manner. I don't have an issue doing further support (if they change phones) or stating what the limitations are. If they wanted lower security, they'd get made to sign a form stating they accept the potential risk.

Posted by ptruman at Jan 24, 2014 10:50

Peter, that is indeed a nice setup, but how about running openremote on a Raspberry Pi?
I'm guessing your Microserver consumes 100 to 200 W vs. a Raspberry Pi at 2 W.
I don't know where you live but in Belgium that's a big difference on the energy bill.
For the media functionality I would get a Synology; you could also install openremote on the Synology (if you buy the right one) but then it would never spin down, and a Syno consumes about 60 W when running, so it pays to use a Raspberry Pi next to the Syno.

Posted by janver at Jan 24, 2014 11:02

So any volunteers for a comprehensive "Security HowTo" instruction?

Posted by pz1 at Jan 24, 2014 11:30

If I ever get it running as it should I would love to write a HowTo, but Openremote is a hobby project for me and I have limited time to spend on it (wife, 2 kids, rabbit and a bunch of fishes also want attention from time to time).
I would be very interested in such a HowTo.
Personally I'm less interested in the VPN solution (because I have a VPN already on my synology, I just need to configure it).

What I want to do is install it on a Raspberry Pi with an Apache webserver; this allows me to easily use webmin/virtualmin for the server's management.
A good manual to install webmin/virtualmin on a raspberry pi can be found here: http://geekanddummy.com/how-to-raspberry-pi-tutorial-part-3-web-file-hosting-with-webmin-virtualmin/

With virtualmin it's super easy to create Apache SSL sites where we could run openremote.
So all I need basically is a good guide to make the openremote tomcat talk to apache.

Anyway I think someone with in depth knowledge of openremote would be best placed to write such a guide and since I have never looked at the source code it wouldn't be me (for now).

Posted by janver at Jan 24, 2014 11:50

My microserver is between 15 and 25 W, so it's not as bad as 100 W. I've yet to experiment with a Pi.

Posted by ptruman at Jan 24, 2014 11:53

I may have a look (and tarball my working installation first) and see if there is a simple cut/paste change people can make to get user/pass security for rest.

Can't comment on the HTTPS piece however, which would be needed to encrypt the GET string - as that's a bit of apache fiddling I've yet to get around to.

It does need to be something common that anyone could do with a 'basic' install, as we'll never be able to support 'every option' (HTTPS, SSL, VPN, different platforms etc).

Posted by ptruman at Jan 24, 2014 11:56

All that needs to be supported is HTTPS (HTTPS is simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol - Wikipedia).
VPN doesn't really require support since a lot of info is available online. Different platforms don't really have to be supported either if you would choose the Webmin/virtualmin path. There is a lot of info available online on how to install virtualmin on all types of platforms.
Support/Howto/Manual for Apache2 would be great and sufficient.

Posted by janver at Jan 24, 2014 12:17

Why does the openremote app require login? For security reasons?

What app are you referring to ?
I would take it that it's the controller home page you're talking about.
The login/password there are used to synchronize your design with the on-line designer, sitting in the cloud, which always requires authentication.

The consoles should only ask you a username/password if it hits a protected URL on the controller (though there are some glitches there and it might fail sometimes instead of asking).

Posted by ebariaux at Jan 27, 2014 10:47

Yes, you are right, the console also works if I don't put a user and password in their fields.
So if I understand you correctly, if I configure the web.xml authentication, the username and password in these fields will be used?
About the failures: does it fail often? Is there a workaround to avoid the failures?
Thanks

Posted by janver at Jan 27, 2014 11:11

Yes, username/password will be used.

About the failures, I don't really know. It's just that some "paths through the application" seem to make it not ask for username/password. If you enter the information in the settings directly when defining the controller, that should be OK I think.

Posted by ebariaux at Jan 28, 2014 11:28

What is the actual state of this problem?
Is my controller open for everyone on my LAN or WAN if I open my firewall? Sync is deactivated.
I get a basic authentication failure for the REST services, because I defined tomcat users.

I can't understand why my controller login page has to be online for everyone...

VPN is not a solution if working on a Raspberry Pi platform.

thanks,
Klaus

Posted by klaus1 at Apr 16, 2015 11:38
Document generated by Confluence on Jun 05, 2016 09:31