High Performance OPC UA Server SDK
1.3.1.248
This lesson will extend the previous example client with user authentication.
In this example we introduce two more configuration defines to configure the user authentication.
CONFIG_USERNAME: The username to use for authentication.
CONFIG_PASSWORD: The password to use for authentication.
Of course, you should never hard-code usernames and passwords in real applications as this example does.
When connecting using a secure connection, it is not a problem to transmit clear text passwords. But it is a problem when connecting using security policy None or with message mode Sign. This example also demonstrates how to authenticate securely with encrypted passwords if the connection itself is not encrypted, but only signed.
You can verify this in Wireshark if you capture the traffic and change #if 1 to #if 0 to disable the secure channel encryption.
It is even possible to use encrypted passwords with security policy None. The passwords are still encrypted, but without a trusted secure channel you cannot verify that the server is who it claims to be. It could be an attacker who performs a man-in-the-middle (MITM) attack to intercept user credentials.
For this reason it is recommended to always use a secure channel with a policy other than None and enable at least message mode Sign.
The GetEndpoints service callback is now extended to also select a matching user token. This is done by calling the new helper function find_user_token.
Setting the authentication info is done by creating a ua_auth_credentials structure and calling ua_client_set_credentials. Most of the information could be filled in without even knowing the user token. But one required piece of information is the policy_id, a server defined string that can only be retrieved from the server's endpoint descriptions. The other is the security policy URI to use for encrypting the user identity token. Usually this is the same as for the secure channel (except for security policy None), but the security_policy_uri returned in struct ua_usertokenpolicy can also be NULL, which means you have to use the security_policy_uri of the secure channel (see section 7.37 UserTokenPolicy, Part 4 of the OPC UA Specification 1.04).
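The rules above (NULL fallback to the channel policy, clear text only inside an encrypted channel, no credentials over policy None) can be written as one client-side check. This is an added example, not SDK code and not the page's find_user_token: every ex_* type and function name is hypothetical, the token list is constructed sample data, and only the two security policy URIs are the standard OPC UA ones.

```c
#include <stddef.h>
#include <string.h>
#define POLICY_NONE "http://opcfoundation.org/UA/SecurityPolicy#None"
#define POLICY_B256 "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

/* Hypothetical stand-ins, NOT the SDK's types: only the fields discussed above. */
enum ex_msg_mode { EX_MODE_NONE, EX_MODE_SIGN, EX_MODE_SIGN_ENCRYPT };
enum ex_token_type { EX_TOKEN_ANONYMOUS, EX_TOKEN_USERNAME };
enum ex_verdict { EX_REJECT_CLEARTEXT, EX_WARN_UNTRUSTED_SERVER, EX_OK };
struct ex_token {
    const char *policy_id;           /* server defined string */
    enum ex_token_type type;
    const char *security_policy_uri; /* may be NULL or empty */
};

/* Constructed sample: user token policies as an endpoint might list them. */
const struct ex_token sample_tokens[] = {
    { "anon",         EX_TOKEN_ANONYMOUS, NULL },
    { "user_plain",   EX_TOKEN_USERNAME,  POLICY_NONE },
    { "user_default", EX_TOKEN_USERNAME,  NULL },
    { "user_enc",     EX_TOKEN_USERNAME,  POLICY_B256 },
};

/* NULL or empty token policy means: the secure channel's policy applies. */
static const char *effective_uri(const struct ex_token *t, const char *chan_uri)
{
    const char *uri = t->security_policy_uri;
    return (uri == NULL || uri[0] == '\0') ? chan_uri : uri;
}

/* Classify how the password of token t would travel on the given channel. */
enum ex_verdict check_token(const struct ex_token *t, const char *chan_uri, enum ex_msg_mode mode)
{
    int token_encrypted = strcmp(effective_uri(t, chan_uri), POLICY_NONE) != 0;
    if (!token_encrypted && mode != EX_MODE_SIGN_ENCRYPT)
        return EX_REJECT_CLEARTEXT;      /* password readable on the wire */
    if (strcmp(chan_uri, POLICY_NONE) == 0)
        return EX_WARN_UNTRUSTED_SERVER; /* encrypted, but server identity unverified */
    return EX_OK;
}

/* Return the first username token that is safe on this channel, or NULL. */
const struct ex_token *pick_username_token(const struct ex_token *tokens, size_t n,
                                           const char *chan_uri, enum ex_msg_mode mode)
{
    for (size_t i = 0; i < n; i++)
        if (tokens[i].type == EX_TOKEN_USERNAME && check_token(&tokens[i], chan_uri, mode) == EX_OK)
            return &tokens[i];
    return NULL;
}
```

On a Sign-only channel this skips user_plain and selects user_default, whose NULL URI resolves to the channel's policy so the password is encrypted inside the token.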
Helper function find_user_token: