Merge pull request #586 from bwssytems/SecurityImpl

Merge security impl branch

BridgeSettings.configWriter needs synchonized question
Fixes #571 

[feature request] Web Users/Login enhancement
Fixes #402 

User authentication... question
Fixes #270 

Security VS habridge enhancement question
Fixes #390 

issue tcp command bug
Fixes #564 

Device inactive not working bug
Fixes #565 opened 13 days ago

README.md

@@ -214,12 +214,12 @@ The default ip address for the bridge to listen on is all interfaces (0.0.0.0).
 java -jar -Dserver.ip=192.168.1.1 ha-bridge-W.X.Y.jar
 ```
 ### -Dsecurity.key=`<Your Key To Encrypt Security Data>`
-The default security key is encoded into the Java code. The default should not be used as anyone with access to the code can decode your password. To override what the default , specify -Dsecurity.key=`<Your Key To Encrypt Security Data>` explicitly on the command line. This is will prevent any issues if your config file gets hacked. The command line example:
+This option is very important to set if you will be using username/passwords to secure the ha-bridge. The ha-bridge needs to encrypt the settings in the config file and to make sure they are secured specifically to you is to provide this key. Otherwise a default key is used and it is available in the code on github for the ha-bridge here, so not very secure in that sense. **It is very important provide this if you are using username/password.** To override the default, specify -Dsecurity.key=`<Your Key To Encrypt Security Data>` explicitly on the command line. This is will prevent any issues if your config file gets hacked. The command line example:
 ```
 java -jar -Dsecurity.key=Xfawer354WertSdf321234asd ha-bridge-W.X.Y.jar
 ```
 ### -Dexec.garden=`<The path to your scripts and program directory>`
-The default exec garden path is not set which allows any program or script to be called. The default should not be used as anyone with access to the your system can create a exec command call and execute it from the api. To override what the default , specify -Dexec.garden=`<The path to your scripts and program directory>` explicitly on the command line. This is will prevent any issues if your system file gets hacked. The command line example:
+This sets a directory of your choosing to have a walled area for what can be executed by the Exec Command type. This is a good feature to use if you use the capabilities of executing a script or program from the ha-bridge. The default is not set which allows any program or script to be called and anyone with access to the your system could create an exec command call and execute it from the api. This is will prevent any issues if your system gets hacked.  To override the default, specify -Dexec.garden=`<The path to your scripts and program directory>` explicitly on the command line. The command line example:
 ```
 java -jar -Dexec.garden=C:\Users\John\bin
 ```

pom.xml

@@ -5,7 +5,7 @@
 
 	<groupId>com.bwssystems.HABridge</groupId>
 	<artifactId>ha-bridge</artifactId>
-	<version>4.5.0rc1</version>
+	<version>4.5.0</version>
 	<packaging>jar</packaging>
 
 	<name>HA Bridge</name>

src/main/java/com/bwssystems/HABridge/BridgeSecurity.java

@@ -5,6 +5,12 @@ import java.io.UnsupportedEncodingException;
 import java.security.GeneralSecurityException;
 import java.util.Base64;
 import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
+import java.util.StringTokenizer;
+import java.util.UUID;
+import java.util.Map.Entry;
 
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
@@ -15,6 +21,9 @@ import javax.crypto.spec.PBEParameterSpec;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.bwssystems.HABridge.api.hue.HueError;
+import com.bwssystems.HABridge.api.hue.HueErrorResponse;
+import com.bwssystems.HABridge.api.hue.WhitelistEntry;
 import com.google.gson.Gson;
 import com.google.gson.JsonSyntaxException;
 
@@ -23,6 +32,8 @@ import spark.Request;
 public class BridgeSecurity {
 	private static final Logger log = LoggerFactory.getLogger(BridgeSecurity.class);
 	private static final String USER_SESSION_ID = "user";
+	private static final String DEPRACATED_INTERNAL_USER = "thehabridgeuser";
+	private static final String TEST_USER_TYPE = "test_ha_bridge";
     private static final byte[] SALT = {
             (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,
             (byte) 0xde, (byte) 0x33, (byte) 0x10, (byte) 0x12,
@@ -51,7 +62,8 @@ public class BridgeSecurity {
 			} catch (IOException e) {
 				anError = e.getMessage();
 			}
-			log.warn("Cound not get security data, using default security (none): " + anError);
+			if(anError != null)
+				log.warn("Cound not get security data, using default security (none): " + anError);
 		}
 		
 		if(theData == null || anError != null) {
@@ -190,6 +202,91 @@ public class BridgeSecurity {
 		this.settingsChanged = settingsChanged;
 	}
 
+	public HueError[] validateWhitelistUser(String aUser, String userDescription, boolean strict) {
+		String validUser = null;
+		boolean found = false;
+		if (aUser != null && !aUser.equalsIgnoreCase("undefined") && !aUser.equalsIgnoreCase("null")
+				&& !aUser.equalsIgnoreCase("")) {
+			if (securityDescriptor.getWhitelist() != null) {
+				Set<String> theUserIds = securityDescriptor.getWhitelist().keySet();
+				Iterator<String> userIterator = theUserIds.iterator();
+				while (userIterator.hasNext()) {
+					validUser = userIterator.next();
+					if (validUser.equals(aUser))
+						found = true;
+				}
+			}
+		}
+
+		if(!found && !strict) {
+			newWhitelistUser(aUser, userDescription);
+			
+			found = true;
+		}
+		
+		if (!found) {
+			return HueErrorResponse.createResponse("1", "/api/" + aUser, "unauthorized user", null, null, null).getTheErrors();
+		}
+
+		Object anUser = securityDescriptor.getWhitelist().remove(DEPRACATED_INTERNAL_USER);
+		if(anUser != null)
+			setSettingsChanged(true);
+		
+		return null;
+	}
+	
+	public void newWhitelistUser(String aUser, String userDescription) {
+		if(aUser.equals(DEPRACATED_INTERNAL_USER))
+			return;
+		if (securityDescriptor.getWhitelist() == null) {
+			securityDescriptor.setWhitelist(new HashMap<>());
+		}
+		if(userDescription == null)
+			userDescription = "auto insert user";
+		
+		securityDescriptor.getWhitelist().put(aUser, WhitelistEntry.createEntry(userDescription));
+		setSettingsChanged(true);
+	}
+
+	public String createWhitelistUser(String userDescription) {
+		String aUser = getNewUserID();
+		newWhitelistUser(aUser, userDescription);
+		return aUser;
+	}
+
+	public void convertWhitelist(Map<String, WhitelistEntry> whitelist) {
+		securityDescriptor.setWhitelist(whitelist);
+	}
+
+	private String getNewUserID() {
+		UUID uid = UUID.randomUUID();
+		StringTokenizer st = new StringTokenizer(uid.toString(), "-");
+		String newUser = "";
+		while (st.hasMoreTokens()) {
+			newUser = newUser + st.nextToken();
+		}
+
+		return newUser;
+	}
+	
+	public void removeTestUsers() {
+		if (securityDescriptor.getWhitelist() != null) {
+			Object anUser = securityDescriptor.getWhitelist().remove(DEPRACATED_INTERNAL_USER);
+			if(anUser != null)
+				setSettingsChanged(true);
+
+		    Iterator<Entry<String, WhitelistEntry>> it = securityDescriptor.getWhitelist().entrySet().iterator();
+		    while (it.hasNext()) {
+		        Map.Entry<String, WhitelistEntry> pair = it.next();
+		        it.remove(); // avoids a ConcurrentModificationException
+		        if(pair.getValue().getName().equals(TEST_USER_TYPE)) {
+		        	securityDescriptor.getWhitelist().remove(pair.getKey());
+					setSettingsChanged(true);
+		        }
+		    }
+		}
+	}
+
 	private String encrypt(String property) throws GeneralSecurityException, UnsupportedEncodingException {
         SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
         SecretKey key = keyFactory.generateSecret(new PBEKeySpec(habridgeKey));

src/main/java/com/bwssystems/HABridge/BridgeSecurityDescriptor.java

@@ -1,12 +1,14 @@
 package com.bwssystems.HABridge;
 
 import java.util.Map;
+import com.bwssystems.HABridge.api.hue.WhitelistEntry;
 
 public class BridgeSecurityDescriptor {
 	private Map<String, User> users;
 	private boolean useLinkButton;
 	private String execGarden;
 	private boolean secureHueApi;
+	private Map<String, WhitelistEntry> whitelist;
 
 	public BridgeSecurityDescriptor() {
 		super();
@@ -44,6 +46,12 @@ public class BridgeSecurityDescriptor {
 	public void setSecureHueApi(boolean secureHueApi) {
 		this.secureHueApi = secureHueApi;
 	}
+	public Map<String, WhitelistEntry> getWhitelist() {
+		return whitelist;
+	}
+	public void setWhitelist(Map<String, WhitelistEntry> whitelist) {
+		this.whitelist = whitelist;
+	}
 
 	public boolean isSecure() {
 		boolean secureFlag = false;

src/main/java/com/bwssystems/HABridge/BridgeSettings.java

@@ -12,6 +12,8 @@ import java.nio.file.Paths;
 import java.nio.file.StandardOpenOption;
 import java.nio.file.attribute.PosixFilePermission;
 import java.security.GeneralSecurityException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.Set;
@@ -29,6 +31,7 @@ public class BridgeSettings extends BackupHandler {
 	private BridgeSettingsDescriptor theBridgeSettings;
 	private BridgeControlDescriptor bridgeControl;
 	private BridgeSecurity bridgeSecurity;
+    private static SimpleDateFormat dateFormat = new SimpleDateFormat("yyyyMMdd'T'HHmmss");
 	
 	public BridgeSettings() {
 		super();
@@ -55,6 +58,10 @@ public class BridgeSettings extends BackupHandler {
 	public BridgeSecurity getBridgeSecurity() {
 		return bridgeSecurity;
 	}
+	 public static String getCurrentDate() {
+		 return dateFormat.format(new Date());
+	 }
+	
 	public void buildSettings() {
         String addressString = null;
         String theVeraAddress = null;
@@ -140,7 +147,7 @@ public class BridgeSettings extends BackupHandler {
 	        theBridgeSettings.setNestpwd(System.getProperty("nest.pwd"));
         }
 
-        if(theBridgeSettings.getUpnpConfigAddress() == null || theBridgeSettings.getUpnpConfigAddress().equals("")) {
+        if(theBridgeSettings.getUpnpConfigAddress() == null || theBridgeSettings.getUpnpConfigAddress().trim().equals("") || theBridgeSettings.getUpnpConfigAddress().trim().equals("0.0.0.0")) {
         	addressString = checkIpAddress(null, true);
         	if(addressString != null) {
         		theBridgeSettings.setUpnpConfigAddress(addressString);
@@ -186,9 +193,12 @@ public class BridgeSettings extends BackupHandler {
         	theBridgeSettings.setWebaddress(serverIpOverride);
 		setupParams(Paths.get(theBridgeSettings.getConfigfile()), ".cfgbk", "habridge.config-");
 		
-		setupInternalTestUser();
-		
 		bridgeSecurity.setSecurityData(theBridgeSettings.getSecurityData());
+		if(theBridgeSettings.getWhitelist() != null) {
+			bridgeSecurity.convertWhitelist(theBridgeSettings.getWhitelist());
+			theBridgeSettings.removeWhitelist();
+			updateConfigFile();
+		}
 	}
 
 	public void loadConfig() {
@@ -221,11 +231,11 @@ public class BridgeSettings extends BackupHandler {
     		try {
 				newBridgeSettings.setSecurityData(bridgeSecurity.getSecurityDescriptorData());
 			} catch (UnsupportedEncodingException e) {
-				// TODO Auto-generated catch block
+				log.warn("could not get encoded security data: " + e.getMessage());
-				e.printStackTrace();
+				return;
 			} catch (GeneralSecurityException e) {
-				// TODO Auto-generated catch block
+				log.warn("could not get encoded security data: " + e.getMessage());
-				e.printStackTrace();
+				return;
 			}
     		bridgeSecurity.setSettingsChanged(false);
     	}
@@ -239,6 +249,18 @@ public class BridgeSettings extends BackupHandler {
         log.debug("Save HA Bridge settings.");
 		Path configPath = Paths.get(theBridgeSettings.getConfigfile());
     	JsonTransformer aRenderer = new JsonTransformer();
+    	if(bridgeSecurity.isSettingsChanged()) {
+    		try {
+				theBridgeSettings.setSecurityData(bridgeSecurity.getSecurityDescriptorData());
+			} catch (UnsupportedEncodingException e) {
+				log.warn("could not get encoded security data: " + e.getMessage());
+				return;
+			} catch (GeneralSecurityException e) {
+				log.warn("could not get encoded security data: " + e.getMessage());
+				return;
+			}
+    		bridgeSecurity.setSettingsChanged(false);
+    	}
     	String  jsonValue = aRenderer.render(theBridgeSettings);
     	configWriter(jsonValue, configPath);
     	_loadConfig(configPath);
@@ -262,7 +284,7 @@ public class BridgeSettings extends BackupHandler {
 		try {
 			Path target = null;
 			if(Files.exists(filePath)) {
-				target = FileSystems.getDefault().getPath(filePath.getParent().toString(), "habridge.config.old");
+				target = FileSystems.getDefault().getPath(filePath.getParent().toString(), "habridge.config.old." + getCurrentDate());
 				Files.move(filePath, target);
 			}
 			Files.write(filePath, content.getBytes(), StandardOpenOption.CREATE);
@@ -312,6 +334,7 @@ public class BridgeSettings extends BackupHandler {
 	        log.error("checkIpAddress cannot get ip address of this host, Exiting with message: " + e.getMessage(), e);
 	        return null;			
 		}
+		
 		String addressString = null;
         InetAddress address = null;
 		while (ifs.hasMoreElements() && addressString == null) {
@@ -338,9 +361,4 @@ public class BridgeSettings extends BackupHandler {
 		}
 		return addressString;
 	}
-	private void setupInternalTestUser() {
-		theBridgeSettings.setupInternalTestUser();
-		if(theBridgeSettings.isSettingsChanged())
-			this.updateConfigFile();
-	}
 }

src/main/java/com/bwssystems/HABridge/BridgeSettingsDescriptor.java

@@ -1,58 +1,105 @@
 package com.bwssystems.HABridge;
 
-import java.util.HashMap;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
+import com.google.gson.annotations.Expose;
-import java.util.StringTokenizer;
+import com.google.gson.annotations.SerializedName;
-import java.util.UUID;
 
 import com.bwssystems.HABridge.api.hue.HueConstants;
-import com.bwssystems.HABridge.api.hue.HueError;
-import com.bwssystems.HABridge.api.hue.HueErrorResponse;
 import com.bwssystems.HABridge.api.hue.WhitelistEntry;
 
 public class BridgeSettingsDescriptor {
-	private static final String DEFAULT_INTERNAL_USER = "thehabridgeuser";
+	@SerializedName("upnpconfigaddress")
-	private static final String DEFAULT_USER_DESCRIPTION = "default_test_user";
+	@Expose
 	private String upnpconfigaddress;
+	@SerializedName("serverport")
+	@Expose
 	private Integer serverport;
+	@SerializedName("upnpresponseport")
+	@Expose
 	private Integer upnpresponseport;
+	@SerializedName("upnpdevicedb")
+	@Expose
 	private String upnpdevicedb;
+	@SerializedName("veraaddress")
+	@Expose
 	private IpList veraaddress;
+	@SerializedName("harmonyaddress")
+	@Expose
 	private IpList harmonyaddress;
+	@SerializedName("buttonsleep")
+	@Expose
 	private Integer buttonsleep;
+	@SerializedName("upnpstrict")
+	@Expose
 	private boolean upnpstrict;
+	@SerializedName("traceupnp")
+	@Expose
 	private boolean traceupnp;
+	@SerializedName("nestuser")
+	@Expose
 	private String nestuser;
+	@SerializedName("nestpwd")
+	@Expose
 	private String nestpwd;
+	@SerializedName("farenheit")
+	@Expose
+	private boolean farenheit;
+	@SerializedName("configfile")
+	@Expose
+	private String configfile;
+	@SerializedName("numberoflogmessages")
+	@Expose
+	private Integer numberoflogmessages;
+	@SerializedName("hueaddress")
+	@Expose
+	private IpList hueaddress;
+	@SerializedName("haladdress")
+	@Expose
+	private IpList haladdress;
+	@SerializedName("haltoken")
+	@Expose
+	private String haltoken;
+	@SerializedName("whitelist")
+	@Expose
+	private Map<String, WhitelistEntry> whitelist;
+	@SerializedName("myechourl")
+	@Expose
+	private String myechourl;
+	@SerializedName("webaddress")
+	@Expose
+	private String webaddress;
+	@SerializedName("mqttaddress")
+	@Expose
+	private IpList mqttaddress;
+	@SerializedName("hassaddress")
+	@Expose
+	private IpList hassaddress;
+	@SerializedName("domoticzaddress")
+	@Expose
+	private IpList domoticzaddress;
+	@SerializedName("somfyaddress")
+	@Expose
+	private IpList somfyaddress;
+	@SerializedName("hubversion")
+	@Expose
+	private String hubversion;
+	@SerializedName("securityData")
+	@Expose
+	private String securityData;
+
+	
+	private boolean settingsChanged;
 	private boolean veraconfigured;
 	private boolean harmonyconfigured;
-	private boolean nestconfigured;
-	private boolean farenheit;
-	private String configfile;
-	private Integer numberoflogmessages;
-	private IpList hueaddress;
 	private boolean hueconfigured;
-	private IpList haladdress;
+	private boolean nestconfigured;
-	private String haltoken;
 	private boolean halconfigured;
-	private Map<String, WhitelistEntry> whitelist;
-	private boolean settingsChanged;
-	private String myechourl;
-	private String webaddress;
-	private IpList mqttaddress;
 	private boolean mqttconfigured;
-	private IpList hassaddress;
 	private boolean hassconfigured;
-	private String hubversion;
-	private IpList domoticzaddress;
 	private boolean domoticzconfigured;
-	private IpList somfyaddress;
 	private boolean somfyconfigured;
 	private boolean lifxconfigured;
-	private String securityData;
 	
 	public BridgeSettingsDescriptor() {
 		super();
@@ -226,8 +273,8 @@ public class BridgeSettingsDescriptor {
 	public Map<String, WhitelistEntry> getWhitelist() {
 		return whitelist;
 	}
-	public void setWhitelist(Map<String, WhitelistEntry> whitelist) {
+	protected void removeWhitelist() {
-		this.whitelist = whitelist;
+		whitelist = null;
 	}
 	public boolean isSettingsChanged() {
 		return settingsChanged;
@@ -377,80 +424,4 @@ public class BridgeSettingsDescriptor {
 	public Boolean isValidLifx() {
 		return this.isLifxconfigured();
 	}
-
-	public HueError[] validateWhitelistUser(String aUser, String userDescription, boolean strict) {
-		String validUser = null;
-		boolean found = false;
-		if (aUser != null && !aUser.equalsIgnoreCase("undefined") && !aUser.equalsIgnoreCase("null")
-				&& !aUser.equalsIgnoreCase("")) {
-			if (whitelist != null) {
-				Set<String> theUserIds = whitelist.keySet();
-				Iterator<String> userIterator = theUserIds.iterator();
-				while (userIterator.hasNext()) {
-					validUser = userIterator.next();
-					if (validUser.equals(aUser))
-						found = true;
-				}
-			}
-		}
-
-		if(!found && !strict) {
-			newWhitelistUser(aUser, userDescription);
-			
-			found = true;
-		}
-		
-		if (!found) {
-			return HueErrorResponse.createResponse("1", "/api/" + aUser, "unauthorized user", null, null, null).getTheErrors();
-		}
-		
-		return null;
-	}
-	
-	public void newWhitelistUser(String aUser, String userDescription) {
-		if (whitelist == null) {
-			whitelist  = new HashMap<>();
-		}
-		if(userDescription == null)
-			userDescription = "auto insert user";
-		
-		whitelist.put(aUser, WhitelistEntry.createEntry(userDescription));
-		setSettingsChanged(true);
-	}
-
-	public String createWhitelistUser(String userDescription) {
-		String aUser = getNewUserID();
-		newWhitelistUser(aUser, userDescription);
-		return aUser;
-	}
-
-	private String getNewUserID() {
-		UUID uid = UUID.randomUUID();
-		StringTokenizer st = new StringTokenizer(uid.toString(), "-");
-		String newUser = "";
-		while (st.hasMoreTokens()) {
-			newUser = newUser + st.nextToken();
-		}
-
-		return newUser;
-	}
-
-	public String getInternalTestUser() {
-		return DEFAULT_INTERNAL_USER;
-	}
-
-	public void setupInternalTestUser() {
-		boolean found = false;
-		if(whitelist != null) {
-			for (String key : whitelist.keySet()) {
-				if(key.equals(DEFAULT_INTERNAL_USER)) {
-					found = true;
-					break;
-				}
-			}
-		}
-		if(!found) {
-			newWhitelistUser(DEFAULT_INTERNAL_USER, DEFAULT_USER_DESCRIPTION);
-		}
-	}
 }

src/main/java/com/bwssystems/HABridge/HABridge.java

@@ -102,6 +102,9 @@ public class HABridge {
 				}
 	        }
         }
+        bridgeSettings.getBridgeSecurity().removeTestUsers();
+        if(bridgeSettings.getBridgeSecurity().isSettingsChanged())
+        	bridgeSettings.updateConfigFile();
         log.info("HA Bridge (v" + theVersion.getVersion() + ") exiting....");
         System.exit(0);
     }

src/main/java/com/bwssystems/HABridge/SystemControl.java

@@ -78,14 +78,6 @@ public class SystemControl {
 	        return "{\"version\":\"" + version.getVersion() + "\",\"isSecure\":" + bridgeSettings.getBridgeSecurity().isSecure() + "}";
 	    });
 
-	    // http://ip_address:port/system/habridge/testuser gets the valid test user for calling the api
-    	get (SYSTEM_CONTEXT + "/habridge/testuser", (request, response) -> {
-	    	log.debug("Get HA Bridge testuser: " + bridgeSettings.getBridgeSettingsDescriptor().getInternalTestUser());
-			response.status(HttpStatus.SC_OK);
-			response.type("application/json");
-	        return "{\"user\":\"" + bridgeSettings.getBridgeSettingsDescriptor().getInternalTestUser() + "\"}";
-	    });
-
 	    // http://ip_address:port/system/logmsgs gets the log messages for the bridge
     	get (SYSTEM_CONTEXT + "/logmsgs", (request, response) -> {
 			log.debug("Get logmsgs.");

src/main/java/com/bwssystems/HABridge/hue/HueMulator.java

@@ -595,9 +595,9 @@ public class HueMulator {
 
 	private String basicListHandler(String type, String userId, String requestIp) {
 		log.debug("hue " + type + " list requested: " + userId + " from " + requestIp);
-		HueError[] theErrors = bridgeSettings.validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
+		HueError[] theErrors = bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
 		if (theErrors != null) {
-			if(bridgeSettings.isSettingsChanged())
+			if(bridgeSettingMaster.getBridgeSecurity().isSettingsChanged())
 				bridgeSettingMaster.updateConfigFile();
 
 			return aGsonHandler.toJson(theErrors);
@@ -609,9 +609,9 @@ public class HueMulator {
 		log.debug("hue group list requested: " + userId + " from " + requestIp);
 		HueError[] theErrors = null;
 		Map<String, GroupResponse> groupResponseMap = null;
-		theErrors = bridgeSettings.validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
+		theErrors = bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
 		if (theErrors == null) {
-			if(bridgeSettings.isSettingsChanged())
+			if(bridgeSettingMaster.getBridgeSecurity().isSettingsChanged())
 				bridgeSettingMaster.updateConfigFile();
 
 			groupResponseMap = new HashMap<String, GroupResponse>();
@@ -626,9 +626,9 @@ public class HueMulator {
 	private Object groupsIdHandler(String groupId, String userId, String requestIp) {
 		log.debug("hue group id: <" + groupId + "> requested: " + userId + " from " + requestIp);
 		HueError[] theErrors = null;
-		theErrors = bridgeSettings.validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
+		theErrors = bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
 		if (theErrors == null) {
-			if(bridgeSettings.isSettingsChanged())
+			if(bridgeSettingMaster.getBridgeSecurity().isSettingsChanged())
 				bridgeSettingMaster.updateConfigFile();
 
 			if (groupId.equalsIgnoreCase("0")) {
@@ -651,9 +651,9 @@ public class HueMulator {
 		if (bridgeSettings.isTraceupnp())
 			log.info("Traceupnp: hue lights list requested: " + userId + " from " + requestIp);
 		log.debug("hue lights list requested: " + userId + " from " + requestIp);
-		theErrors = bridgeSettings.validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
+		theErrors = bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
 		if (theErrors == null) {
-			if(bridgeSettings.isSettingsChanged())
+			if(bridgeSettingMaster.getBridgeSecurity().isSettingsChanged())
 				bridgeSettingMaster.updateConfigFile();
 
 	        List<DeviceDescriptor> deviceList = repository.findAllByRequester(requestIp);
@@ -727,13 +727,13 @@ public class HueMulator {
 				aDeviceType = "<not given>";
 	
 			if (newUser == null) {
-				newUser = bridgeSettings.createWhitelistUser(aDeviceType);
+				newUser = bridgeSettingMaster.getBridgeSecurity().createWhitelistUser(aDeviceType);
 			}
 			else {
-				bridgeSettings.validateWhitelistUser(newUser, aDeviceType, false);
+				bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(newUser, aDeviceType, false);
 			}
 	
-			if(bridgeSettings.isSettingsChanged())
+			if(bridgeSettingMaster.getBridgeSecurity().isSettingsChanged())
 				bridgeSettingMaster.updateConfigFile();
 	
 			if (bridgeSettings.isTraceupnp())
@@ -749,7 +749,7 @@ public class HueMulator {
 		if (bridgeSettings.isTraceupnp())
 			log.info("Traceupnp: hue api/:userid/config config requested: " + userId + " from " + ipAddress);
 		log.debug("hue api config requested: " + userId + " from " + ipAddress);
-		if (bridgeSettings.validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton()) != null) {
+		if (bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton()) != null) {
 			log.debug("hue api config requested, No User supplied, returning public config");
 			HuePublicConfig apiResponse = HuePublicConfig.createConfig("Philips hue",
 					bridgeSettings.getUpnpConfigAddress(), bridgeSettings.getHubversion());
@@ -765,7 +765,7 @@ public class HueMulator {
 	@SuppressWarnings("unchecked")
 	private Object getFullState(String userId, String ipAddress) {
 		log.debug("hue api full state requested: " + userId + " from " + ipAddress);
-		HueError[] theErrors = bridgeSettings.validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
+		HueError[] theErrors = bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
 		if (theErrors != null)
 			return theErrors;
 
@@ -779,7 +779,7 @@ public class HueMulator {
 	
 	private Object getLight(String userId, String lightId, String ipAddress) {
 		log.debug("hue light requested: " + lightId + " for user: " + userId + " from " + ipAddress);
-		HueError[] theErrors = bridgeSettings.validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
+		HueError[] theErrors = bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
 		if (theErrors != null)
 			return theErrors;
 
@@ -823,7 +823,7 @@ public class HueMulator {
 		Integer targetBri = null;
 		Integer targetBriInc = null;
 		log.debug("Update state requested: " + userId + " from " + ipAddress + " body: " + body);
-		HueError[] theErrors = bridgeSettings.validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
+		HueError[] theErrors = bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
 		if (theErrors != null)
 			return aGsonHandler.toJson(theErrors);
 		try {
@@ -873,7 +873,7 @@ public class HueMulator {
 		aMultiUtil.setDelayDefault(bridgeSettings.getButtonsleep());
 		aMultiUtil.setSetCount(1);
 		log.debug("hue state change requested: " + userId + " from " + ipAddress + " body: " + body);
-		HueError[] theErrors = bridgeSettings.validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
+		HueError[] theErrors = bridgeSettingMaster.getBridgeSecurity().validateWhitelistUser(userId, null, bridgeSettingMaster.getBridgeSecurity().isUseLinkButton());
 		if (theErrors != null)
 			return aGsonHandler.toJson(theErrors);
 		try {

src/main/resources/public/scripts/app.js

@@ -84,7 +84,6 @@ app.run( async function ($rootScope, $location, Auth, bridgeService) {
         Auth.init();
         if(Auth.isLoggedIn()) {
         	bridgeService.loadBridgeSettings();
-        	bridgeService.getTestUser();
         	bridgeService.getSecurityInfo();
         	bridgeService.viewMapTypes();
             $location.path("/");        	
@@ -94,13 +93,10 @@ app.run( async function ($rootScope, $location, Auth, bridgeService) {
         }
     });
     
-    $rootScope.$on('securityReview', function(event, data) {
+    $rootScope.$on('securityError', function(event, data) {
-        if(Auth.isLoggedIn()) {
+        Auth.logout();
-            $location.path("/");        	
+        event.preventDefault();
-        } else {
+        $location.path("/login");        	
-            event.preventDefault();
-            $location.path("/login");        	
-        }
     });
     
     $rootScope.$on('securityReinit', function(event, data) {
@@ -194,7 +190,10 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.devices = response.data;
 				},
 				function (error) {
-					self.displayError("Cannot get devices from habridge: ", error);
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
+						self.displayError("Cannot get devices from habridge: ", error);
 				}
 		);
 	};
@@ -205,6 +204,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.viewDevices();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayError("Cannot renumber devices from habridge: ", error);
 				}
 		);
@@ -237,12 +239,31 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 	};
 
 	this.getTestUser = function () {
-		return $http.get(this.state.systemsbase + "/habridge/testuser").then(
+		if(self.state.testuser === undefined || self.state.testuser === "") {
+			return $http.put(this.state.systemsbase + "/presslinkbutton").then(
+					function (response) {
+						self.getAUser();
+					},
+					function (error) {
+						if (error.status === 401)
+							$rootScope.$broadcast('securityReinit', 'done');
+						else
+						self.displayWarn("Cannot get testuser: ", error);
+					}
+			);
+		}
+	};
+
+	this.getAUser = function () {
+		return $http.post(this.state.huebase, "{\"devicetype\":\"test_ha_bridge\"}").then(
 				function (response) {
-					self.state.testuser = response.data.user;
+					self.state.testuser = response.data[0].success.username;
 				},
 				function (error) {
-					self.displayWarn("Cannot get testuser: ", error);
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
+					self.displayWarn("Cannot get a user: ", error);
 				}
 		);
 	};
@@ -251,8 +272,12 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 		return $http.get(this.state.systemsbase + "/securityinfo").then(
 				function (response) {
 					self.state.securityInfo = response.data;
+			    	self.getTestUser();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Cannot get security info: ", error);
 				}
 		);
@@ -271,6 +296,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.displaySuccess("Updated security settings.")
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Update ecurity settings Error: ", error);
 				}
 		);
@@ -298,6 +326,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.displaySuccess("Password updated")
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Update password Error: ", error);
 				}
 		);
@@ -319,6 +350,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					}
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("User add Error: ", error);
 				}
 		);
@@ -335,6 +369,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.displaySuccess("User deleted")
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("User add Error: ", error);
 				}
 		);
@@ -346,6 +383,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.displayTimer("Link your device", 30000);
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Cannot get security info: ", error);
 				}
 		);
@@ -477,6 +517,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.updateShowLifx();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Load Bridge Settings Error: ", error);
 				}
 		);
@@ -488,6 +531,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.backups = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Backups Error: ", error);
 				}
 		);
@@ -499,6 +545,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.configs = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Configs Error: ", error);
 				}
 		);
@@ -510,6 +559,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.logMsgs = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get log messages Error: ", error);
 				}
 		);
@@ -521,6 +573,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.loggerInfo = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get logger info Error: ", error);
 				}
 		);
@@ -534,6 +589,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.nestitems = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Nest Items Error: ", error);
 				}
 		);
@@ -547,6 +605,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.huedevices = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Hue Items Error: ", error);
 				}
 		);
@@ -560,6 +621,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.veradevices = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Vera Devices Error: ", error);
 				}
 		);
@@ -573,6 +637,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.verascenes = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Vera Scenes Error: ", error);
 				}
 		);
@@ -586,6 +653,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.harmonyactivities = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Harmony Activities Error: ", error);
 				}
 		);
@@ -599,6 +669,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.harmonydevices = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Harmony Devices Error: ", error);
 				}
 		);
@@ -612,6 +685,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.haldevices = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Hal Devices Error: ", error);
 				}
 		);
@@ -625,6 +701,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.mqttbrokers = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get MQTT Devices Error: ", error);
 				}
 		);
@@ -638,6 +717,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.hassdevices = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Hass Devices Error: ", error);
 				}
 		);
@@ -651,6 +733,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.domoticzdevices = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Domoticz Devices Error: ", error);
 				}
 		);
@@ -664,6 +749,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
     					self.state.somfydevices = response.data;
     				},
     				function (error) {
+    					if (error.status === 401)
+    						$rootScope.$broadcast('securityReinit', 'done');
+    					else
     					self.displayWarn("Get Somfy Devices Error: ", error);
     				}
     		);
@@ -678,6 +766,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.lifxdevices = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get Lifx Devices Error: ", error);
 				}
 		);
@@ -750,6 +841,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.state.mapTypes = response.data;
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Get mapTypes Error: ", error);
 				}
 		);
@@ -773,6 +867,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.displaySuccess("Updated " + logComponents.length + " loggers for log levels.")
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Update Log components Error: ", error);
 				}
 		);
@@ -801,6 +898,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.displaySuccess("Bulk device add successful.");
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Bulk Add new Device Error: ", error);
 				}
 		);
@@ -819,6 +919,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					function (response) {
 					},
 					function (error) {
+						if (error.status === 401)
+							$rootScope.$broadcast('securityReinit', 'done');
+						else
 						self.displayWarn("Edit Device Error: ", error);
 					}
 			);
@@ -829,6 +932,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					function (response) {
 					},
 					function (error) {
+						if (error.status === 401)
+							$rootScope.$broadcast('securityReinit', 'done');
+						else
 						self.displayWarn("Add new Device Error: ", error);
 					}
 			);
@@ -843,6 +949,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.viewBackups();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Backup Device Db Error: ", error);
 				}
 		);
@@ -857,6 +966,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.viewDevices();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Backup Db Restore Error: ", error);
 				}
 		);
@@ -870,6 +982,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.viewBackups();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Delete Backup Db File Error:", error);
 				}
 		);
@@ -899,6 +1014,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.displayError("HABridge is now stopped. Restart must occur from the server.", null);
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayError("HABRidge Stop Error: ", error);
 				}
 		);
@@ -918,6 +1036,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					}, 2000);
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("HABRidge Reinit Error: ", error);
 				}
 		);
@@ -929,6 +1050,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.reinit();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Save Settings Error: ", error);
 				}
 		);
@@ -943,6 +1067,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.viewConfigs();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Backup Settings Error: ", error);
 				}
 		);
@@ -958,6 +1085,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.viewDevices();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Backup Settings Restore Error: ", error);
 				}
 		);
@@ -971,6 +1101,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.viewConfigs();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Delete Backup Settings File Error: ", error);
 				}
 		);
@@ -982,6 +1115,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.viewDevices();
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Delete Device Error: ", error);
 				}
 		);
@@ -1023,6 +1159,9 @@ app.service ('bridgeService', function ($rootScope, $http, $base64, $location, n
 					self.displaySuccess("Request Executed: " + msgDescription);
 				},
 				function (error) {
+					if (error.status === 401)
+						$rootScope.$broadcast('securityReinit', 'done');
+					else
 					self.displayWarn("Request Error, Pleae look in your habridge log: ", error);
 				}
 		);
@@ -3244,6 +3383,7 @@ app.controller('LoginController', function ($scope, $location, Auth) {
 	$scope.logout = function() {
         Auth.logout();
         $scope.loggedIn = Auth.isLoggedIn();
+    	bridgeService.displaySuccess("User Logged Out");
         $location.path("/login");
 	};
 });
@@ -3309,7 +3449,6 @@ app.factory('Auth', function($resource, $rootScope, $sessionStorage, $http, $bas
         delete $sessionStorage.user;
         delete $rootScope.user;
         delete bridgeService.state.loggedInUser;
-    	bridgeService.displaySuccess("User Logged Out");
     };
      
      

src/main/resources/public/views/securitydialog.html

@@ -23,7 +23,7 @@
 						type="text" ng-model="newUser"
 						placeholder="someone" nu-check="new-user" />
 	 			</div>
-                <div class="form-group">
+                <div ng-if="isSecure" class="form-group">
 	 				<button type="button" class="btn btn-danger" ng-click="delUser(newUser)">Delete</button>
                 </div>
 	 			<div ng-if="showPassword" postrender-action="setBlankPassword('password-1')">