Author Topic: Password protect for arduino webserver?  (Read 12149 times)

I would like to control some home equipment connected to my
Arduino on or off. High security won't be necessary.

I still have no idea how to implement the basic authentication in a sketch.

Did you check my example?
Logged


Quote
I would like to control some home equipment connected to my
Arduino on or off. High security won't be necessary.

Running your Arduino on a non-standard port behind a router and not releasing public links to the Arduino URL may be all you need.
Logged

Consider the daffodil. And while you're doing that, I'll be over here, looking through your stuff.


@arian, yes I looked at your example but I noticed it was for the ENC28J60 Ethernet chip.
I have the Arduino Ethernet board with the W5100 chip.

@zoomkat yes, I'm already doing that port 'trick' but I was looking for some extra security
which I could use for other projects as well.
Logged


@arian, yes I looked at your example but I noticed it was for the ENC28J60 Ethernet chip.
I have the Arduino Ethernet board with the W5100 chip.

That's correct, it's for the ENC28J60, but the parsing functions that you are looking for work on the application layer, which is chip independent.
Logged


I'm also in need of this. Looking for the simplest way of doing this as well. For what it's worth I'll try using the TextFinder Library and the HTML password field. I'll see how it goes...

I'll be checking the forum as well xD
Logged

Keep it simple.


The proper way to implement this is to use HTTP Authentication as Wagner described. There are gobs of explanations that a web search will provide you, but basically it comes down to programming the Arduino to look for an Authorization: header (with a valid user/password encoded therein) in the request, or returning  a 401 status if not.

This is an intrinsic behavior of web browsers to handle this authentication scheme. It would be very similar to implement the authentication using a cookie but that causes a little more work in having to generate a username/password input. HTTP authentication would do that for you.

Logged


The proper way to implement this is to use HTTP Authentication as Wagner described. There are gobs of explanations that a web search will provide you, but basically it comes down to programming the Arduino to look for an Authorization: header (with a valid user/password encoded therein) in the request, or returning  a 401 status if not.

This is an intrinsic behavior of web browsers to handle this authentication scheme. It would be very similar to implement the authentication using a cookie but that causes a little more work in having to generate a username/password input. HTTP authentication would do that for you.




Anyone been able to get this working? I'm also looking for a secure solution for my Arduino webserver (also for a domotica solution). I'm new with Arduino, and I don't have much experience with PHP or HTML. I can write a simple button page, but that's it.
Logged


Here is the example
   It does not work. I downloaded it, and what am I supposed to do with that?
Logged


Quote
It does not work. I downloaded it, and what am I supposed to do with that?
You downloaded the example, and you don't know what to do with it, but you know it doesn't work. I don't think so.
Logged


Just an addition to the suggestions already posted; I have also written a web server with the W5100 and use the authorization supplied in the GET request by the client.  My webserver is controlled by a PHP script using CURL which puts the authorization into the request:

Code:
GET /secret.ard HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtQW==

I use a Base64 library to unencode the credentials.  (search for adamvr-arduino-base64-4be16cd.zip)

In my program I look for the Authorization

Code:
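if (requestLine.startsWith("Authorization: Basic ")){
  // username must be a char array so that sizeof gives its capacity
  getUsername(requestLine, username, sizeof(username));
}

:

// Writes the decoded username:password into out (Base64 is an encoding, not encryption)
void getUsername(String authorizationLine, char* out, size_t outSize){
  // Drop the 21-character "Authorization: Basic " prefix, leaving the Base64 text
  String encryptedDetails = authorizationLine.substring(21);
  encryptedDetails.trim();
  char encrypted[300];
  char decrypted[300];

  encryptedDetails.toCharArray(encrypted, 300);

  // The third argument is the length of the input, not the size of the buffer
  int length = base64_decode(decrypted, encrypted, strlen(encrypted));
  decrypted[length] = '\0';

  // Copy to the caller's buffer; returning the local array would leave a dangling pointer
  strncpy(out, decrypted, outSize - 1);
  out[outSize - 1] = '\0';
}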

I'll be using this for controlling my heating externally.  It's definitely worth putting some extra security in, but not too much.

Hope this helps!

« Last Edit: October 03, 2011, 03:26:56 pm by supercrab » Logged

My Arduino 7 segment LCD/LED library

http://code.google.com/p/arduino-seven-segment/


Hi!
I'm new to Arduino, I'm from Cuba so my English is very bad.
I'm working on the same problem about Basic Authentication with the Arduino web server. I don't think you need the Base64 library for Arduino because you only need to compare the generated code; you don't need to know the user and password, just the code, in order to allow access.
You can generate this code for a user/password pair with any other available tool.

This is an easy solution; the main problem with this approach is that you cannot change the user and password unless you re-program the Arduino.

I'm working on a solution that has admin/admin as the default and uses a web form to change the user and password whenever I want. In this case the Base64 library for Arduino is needed to generate the new code.

Another idea is to supply a hardware switch to reset to the default configuration. In this case the default configuration asks for Basic Authentication but will accept any code the first time and will use that code as the valid code for the next time. You will need to save this new code to the EEPROM.

Hope this helps!
Logged
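An added illustration, not code from any poster in this thread: a chip-independent check in plain C that finds the Authorization header in a raw request, compares the Base64 token without decoding it as suggested above, and otherwise answers 401 with WWW-Authenticate. The function names, the realm and the admin:admin token are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed credential: Base64 of "admin:admin" (assumed default). */
static const char EXPECTED_TOKEN[] = "YWRtaW46YWRtaW4=";

/* Compare every byte so timing does not reveal how much of a guess was right. */
static int token_equal(const char *a, size_t alen, const char *b, size_t blen) {
    unsigned char diff = (unsigned char)(alen != blen);
    for (size_t i = 0; i < blen; i++)
        diff |= (unsigned char)((i < alen ? a[i] : 0) ^ b[i]);
    return diff == 0;
}

/* Case-insensitive prefix match: returns the prefix length, or 0 on mismatch. */
static size_t match_ci(const char *s, const char *prefix) {
    size_t i = 0;
    while (prefix[i] && tolower((unsigned char)s[i]) == tolower((unsigned char)prefix[i])) i++;
    return prefix[i] ? 0 : i;
}

/* Scan the header lines of a raw request and return 200 or 401. The blank line
   ends the headers, so a header-like line inside the body is ignored. */
int check_basic_auth(const char *request) {
    const char *line = request;
    while (line && *line && *line != '\r' && *line != '\n') {
        size_t n = match_ci(line, "authorization:");
        if (n) {
            const char *p = line + n + strspn(line + n, " \t");
            if (!(n = match_ci(p, "basic "))) return 401;   /* other scheme */
            p += n + strspn(p + n, " ");
            size_t len = strcspn(p, " \t\r\n");
            return token_equal(p, len, EXPECTED_TOKEN, sizeof EXPECTED_TOKEN - 1) ? 200 : 401;
        }
        const char *eol = strchr(line, '\n');
        line = eol ? eol + 1 : NULL;
    }
    return 401;   /* no Authorization header at all */
}

/* Reply that makes the browser show its login prompt (realm name is hypothetical). */
static const char UNAUTHORIZED[] = "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"Arduino\"\r\n\r\n";

int main(void) {   /* constructed request that carries no credentials */
    const char *req = "GET /secret.ard HTTP/1.1\r\nHost: localhost\r\n\r\n";
    fputs(check_basic_auth(req) == 200 ? "HTTP/1.1 200 OK\r\n\r\n" : UNAUTHORIZED, stdout);
    return 0;
}
```

Basic credentials travel as reversible Base64, so on a plain HTTP server like this anyone who can observe the traffic can read them.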


I was Wagner, if you were able to get anywhere with this and make your example work. I am too looking for a way to secure an Arduino webpage.

Thanks,

Dan
Logged


Did get the Basic authentication to work using the TinyWebServer example FileUpload.
It did take me some time trying and debugging.
So you might want to give it a try:

Code:
const char* headers[] = {
  "Content-Length",
  "Authorization",     // add to be able to query it
  NULL
};

// add var's to keep the results
boolean authenticated = false;
String user;

// add this function, which sends a 401 status to the client to force a logon
boolean authenticate(TinyWebServer& web_server)
{
  const char* authorization = web_server.get_header_value("Authorization");

  #if DEBUG
    Serial.print ("DEBUG Authorization="); Serial.println(authorization ? authorization : "(none)");
  #endif

  char basic[7] = "Basic ";
  // get_header_value may return NULL when the client sent no Authorization header
  if(authorization != NULL && 0 == strncmp(authorization,basic,6))
  {
    if (0 == strcmp("dXNlcjp1c2Vy", authorization + 6))   {      // base64 string for user:user
      user = "user";  authenticated = true; return true;  }
    if (0 == strcmp("YWRtaW46YWRtaW4=", authorization + 6)) {     // base64 string for admin:admin
      user = "admin";  authenticated = true; return true;   }
  }
  // web_server.send_authenticate();
  web_server.write("HTTP/1.1 401 Authorization Required\r\n");
  web_server.write("WWW-Authenticate: Basic realm=\"LloRealm\"\r\n");
  web_server.end_headers();
  web_server.write("<!doctype html><html lang='nl'><head><title>Error</title><meta charset='utf-8'/></head>");
  web_server.write("<body><h1>401 Unauthorized.</h1></body></html>");
  return false;
}

boolean file_handler(TinyWebServer& web_server) {
  if (!authenticate(web_server)) return false;     // when you add this the website will require a valid logon

  // allocate the filename only after the check, so a failed logon does not leak it
  char* filename = TinyWebServer::get_file_from_path(web_server.get_path());
  send_file_name(web_server, filename);
  free(filename);
  return true;
}


Logged


I saw your post from July 29, 2013 about your success with getting some authentication to work on TinyWebServer file upload example. I have no background in programming so I wonder if you could email or post the whole working sketch so I can see where in the example you inserted the authentication code.
I am trying to get this to work in the BlinkLed sketch.
Thanks....arniep
Logged
