Custom Authorizer for Bootstrap server #1359
Comments
|
Hi and welcome, The current way to manage if a device is authorize to start a bootstrap session is handled by The javadoc says : /**
* Manages life cycle of a bootstrap process.
* <p>
* This class is responsible to accept or refuse to start new {@link BootstrapSession}, then to provide request to send.
* It also decide when session should continue, finished or failed.
*
* @see DefaultBootstrapSessionManager
* @see BootstrapSession
*/
public interface BootstrapSessionManager {
....
/**
* Starts a bootstrapping session for an endpoint. In particular, this is responsible for authorizing the endpoint
* if applicable.
*
* @param request the bootstrap request which initiates the session.
* @param clientIdentity the {@link Identity} of the client.
*
* @return a BootstrapSession, possibly authorized.
*/
public BootstrapSession begin(BootstrapRequest request, Identity clientIdentity);See default implementation @Override
public BootstrapSession begin(BootstrapRequest request, Identity clientIdentity) {
boolean authorized;
if (bsSecurityStore != null && securityChecker != null) {
Iterator<SecurityInfo> securityInfos = bsSecurityStore.getAllByEndpoint(request.getEndpointName());
authorized = securityChecker.checkSecurityInfos(request.getEndpointName(), clientIdentity, securityInfos);
} else {
authorized = true;
}
DefaultBootstrapSession session = new DefaultBootstrapSession(request, clientIdentity, authorized);
LOG.trace("Bootstrap session started : {}", session);
return session;
}Could it match your use case ? The rational behind this is that often the class responsible to authorize the device will maybe need to store custom data in |
|
My colleagues from project have asked me to implement interface BootstrapAuthorizer, so we could write custom authorizers, similarly to how it was done here: public interface Authorizer {
/**
* Return the registration if this request should be handled by the LWM2M Server. When <code>null</code> is returned
* the LWM2M server will stop to handle this request and will respond with a {@link ResponseCode#FORBIDDEN} or
* {@link ResponseCode#BAD_REQUEST}.
* <p>
* Some Application Data could be attached to the Registration using :
*
* <pre>
* return new Registration.Builder(registration).applicationData(myAppData).build();
* </pre>
*
* @param request the request received
* @param registration the registration linked to the received request.<br>
* For register request this is the registration which will be created<br>
* For update request this is the registration before the update was done.
* @param senderIdentity the {@link Identity} used to send the request.
*
* @return the registration if this request is authorized or <code>null</code> it is not authorized.
*/
Registration isAuthorized(UplinkRequest<?> request, Registration registration, Identity senderIdentity);
}and then /**
* A default {@link Authorizer} implementation
*
* It checks in {@link SecurityStore} if there is a corresponding {@link SecurityInfo} for this registration endpoint.
* If there is a {@link SecurityInfo} it check the identity is correct, else it checks if the LWM2M client use an
* unsecure connection.
*/
public class DefaultAuthorizer implements Authorizer {
private SecurityStore securityStore;
private SecurityChecker securityChecker;
public DefaultAuthorizer(SecurityStore store) {
this(store, new SecurityChecker());
}
public DefaultAuthorizer(SecurityStore store, SecurityChecker checker) {
securityStore = store;
securityChecker = checker;
}
@Override
public Registration isAuthorized(UplinkRequest<?> request, Registration registration, Identity senderIdentity) {
// do we have security information for this client?
SecurityInfo expectedSecurityInfo = null;
if (securityStore != null)
expectedSecurityInfo = securityStore.getByEndpoint(registration.getEndpoint());
if (securityChecker.checkSecurityInfo(registration.getEndpoint(), senderIdentity, expectedSecurityInfo)) {
return registration;
} else {
return null;
}
}
}So instead of hard coding your authorizer in BootstrapSession begin() we could make our own authorizers. We would be gratefull if you could aprove this change |
I understand you but I try to base my choices on technical reason, not just making your colleagues happy 😁 I tried to achieve this without code modification. LeshanBootstrapServerBuilder builder = new LeshanBootstrapServerBuilder();
final BootstrapSecurityStore securityStore = new YourSecurityStoreIfNeeded();
final SecurityChecker securityChecker = new SecurityChecker();
builder.setSessionManager(new DefaultBootstrapSessionManager(securityStore, new InMemoryBootstrapConfigStore()) {
@Override
public BootstrapSession begin(BootstrapRequest request, Identity clientIdentity) {
boolean authorized = isAuthorized(request, clientIdentity);
DefaultBootstrapSession session = new DefaultBootstrapSession(request, clientIdentity, authorized);
return session;
}
private boolean isAuthorized(BootstrapRequest request, Identity clientIdentity) {
// put your custom code here
Iterator<SecurityInfo> securityInfos = securityStore.getAllByEndpoint(request.getEndpointName());
return securityChecker.checkSecurityInfos(request.getEndpointName(), clientIdentity, securityInfos);
}
});This is not too much code but I agree this is not so elegant... So maybe you're right and it would be better to create an As I explained at #1359 (comment), your solution doesn't fit the use case where someone want to store data extracted by Authorizer in the BootstrapSession (like for registration at #1293) But maybe we can do that in a second time. |
|
About :
|
|
@Warmek I guess nobody will review it, or ? |
sbernard31
added
bsserver
Hi, my name is Bartosz and I will be working as contributor from Orange Polska.
There wasn't an Authorizer for Bootstrap Server.
We need customizable Authorizers in Boostrap Server, similarly to Leshan Server.
I've made my first commit on opl/bootstrap_authorizer
The text was updated successfully, but these errors were encountered: