Unoffical empeg BBS

Quick Links: Empeg FAQ | Software | RioCar.Org | Hijack | jEmplode | emphatic
Repairs: Repairs | Addons: Eutronix | Cases

Topic Options
#213284 - 14/04/2004 21:32 Hijack v381: HTTP authentication
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
Hijack v381 is now out.

New in this release: HTTP authentication for web access.

By default, anyone can access anything (same as now).
To restrict web access, define one or two user:password combinations in config.ini on the player:

khttpd_basic=guest:password1
khttpd_full=admin:password2


Then give out the first password to trusted office pals who just want to stream tunes, and reserve use of the second password for when you want to login yourself to do anything other than simple streaming to your PC/Workstation.

The userid's of "guest" and "admin" are merely suggestions -- anything will do, up to 20 characters total for the "user:passwd" string (colon included).

These new options REPLACE the old security method (below). Yes, I know this is actually less secure, but it's way easier to use, which in the end likely makes it MORE secure than the old way.

So, if you have any of the old options below in config.ini, Hijack will now complain until you nuke'em:

khttpd_dirs=xxx
khttpd_files=xxx
khttpd_commands=xxx
khttpd_playlists=xxx


EDIT: There is (currently) no Logout link anywhere; to log out, just quit/restart the web browser.

Also new in this release, HTML keywords are now served as lowercase rather than uppercase. This makes the patchfile bigger than it might otherwise have been.

Cheers


Edited by mlord (14/04/2004 21:34)

Top
#213285 - 15/04/2004 12:27 Re: Hijack v381: HTTP authentication [Re: mlord]
Skunk
Master Boot Logo(er)

Registered: 26/08/2003
Posts: 525
Loc: California
Works like a charm!
I too have wanted the "basic user" mode for the office for a long time now. Many thanks!

I do have one small problem now. Tony's Empeg Face will not connect when in "@work" mode.

How do I get it see the player when in work mode?
_________________________
aka: [color:"blue"]Boot Logo Master[/color]
PayPal Contributions for Custom Boot Logos are gladly accepted. <img src="/ubbthreads/images/graemlins/smile.gif" alt="" />
itirado[@]adobe[.]com

Top
#213286 - 15/04/2004 12:34 Re: Hijack v381: HTTP authentication [Re: Skunk]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 30694
Loc: Seattle, WA
Hm. I've never password protected my empeg so I don't know how to do passwords in EmpegFace.

You can try going into the empegface configruation and making the player address username:password@empeg-address and see if that works. Dunno if it will or not...
_________________________
Tony Fabris

Top
#213287 - 15/04/2004 13:09 Re: Hijack v381: HTTP authentication [Re: tfabris]
Skunk
Master Boot Logo(er)

Registered: 26/08/2003
Posts: 525
Loc: California
nope, nada.

I guess I was to quick to say it works like a charm.

Here are some other things I found.

If I try to access the player by IP address or player name, i get the "basic" authentication window, type in the user and PW, and it goes directly to the playlist menu. Cool, that works.

If I try to access CG99's web interface by typing in it's address and location, I get the "full" authentication window but this time, after typing the user and PW, I get a "basic" authentication window!?!?! So I type the user and PW only to get an authentication error.

Did i configure something wrong?
_________________________
aka: [color:"blue"]Boot Logo Master[/color]
PayPal Contributions for Custom Boot Logos are gladly accepted. <img src="/ubbthreads/images/graemlins/smile.gif" alt="" />
itirado[@]adobe[.]com

Top
#213288 - 15/04/2004 13:32 Re: Hijack v381: HTTP authentication [Re: Skunk]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 30694
Loc: Seattle, WA
If you do http://username:password@empeg-address in a web browser, does that work? For any of the above (Regular, CG99, etc)?
_________________________
Tony Fabris

Top
#213289 - 15/04/2004 13:44 Re: Hijack v381: HTTP authentication [Re: Skunk]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
Mmm.. the web interface *should* still work, but I never use it because it's a Microsoft-only thing, or at least that was the case for much of it's early lifespan.

Note about the login prompt: Regardless of whether it says "Basic" or "Full", you can enter either userid..

Kinda weird that it would ask for Full, and then later demand Basic though.

I'll play with it some more when I get a chance, and we'll iron out such wrinkles.

Tony: for authentication, your app just has to include one more line in the HTTP header anytime it sends a request:

EDIT: correction:

Authorization: Basic userid:password

Note that the Basic keyword belongs there regardless of which userid the app wants to use (the basic or full access).


The wrinkle is that the userid:password has to be base64-encoded as per the HTTP specifications. A standalone routine to do this is included in the v381 patchfile (and full sources) for kftpd.c in Hijack. Just pull the C code from there and re-use it in your app. Since I wrote it, I hereby license it to you (tfabris) for free use/redistribution, with no GPL strings attached. Just replace "kmalloc()" with "malloc()" and it should work just fine.

Cheers


Edited by mlord (15/04/2004 13:51)

Top
#213290 - 15/04/2004 13:44 Re: Hijack v381: HTTP authentication [Re: tfabris]
Skunk
Master Boot Logo(er)

Registered: 26/08/2003
Posts: 525
Loc: California
nope.
_________________________
aka: [color:"blue"]Boot Logo Master[/color]
PayPal Contributions for Custom Boot Logos are gladly accepted. <img src="/ubbthreads/images/graemlins/smile.gif" alt="" />
itirado[@]adobe[.]com

Top
#213291 - 15/04/2004 13:48 Re: Hijack v381: HTTP authentication [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
Note -- my original reply above has now been edited with major corrections.

-ml

Top
#213292 - 15/04/2004 13:53 Re: Hijack v381: HTTP authentication [Re: mlord]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 30694
Loc: Seattle, WA
Thanks very much for that information and the permission to use the code.

I don't have time to add authentication to Face at the moment, but perhaps soon.

Maybe I'll start a new thread collecting new requests for Face features that I can gang into the next release.
_________________________
Tony Fabris

Top
#213293 - 15/04/2004 13:58 Re: Hijack v381: HTTP authentication [Re: tfabris]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
If Face has a config file or registry entries somewhere, then just a way to enter the "userid:password" parameter is pretty much all that's needed there -- just treat it as a single combined string like Hijack does. Face then just needs to base64 encode it, and include the one extra HTTP header line in the requests to Hijack's web server. Done.

Cheers

Top
#213294 - 15/04/2004 14:33 Re: Hijack v381: HTTP authentication [Re: mlord]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 30694
Loc: Seattle, WA
then just a way to enter the "userid:password" parameter is pretty much all that's needed there (...) Done.


Yes, but it's a tad more complicated than that. Since the program isn't written in C, I'd need to either translate your base64 code to VB, or find some existing art on doing base64 in VB. Then again, I wouldn't be surprised if there was a built in windows function to do the encoding for me, I'll have a look when I get a chance. Anyway, I'd also need to update the user interface to add the fields for the user name and password, and deal with whether I want to store it as plaintext or store it encoded for security reasons. Then there's parsing it all back from my ini file.

There's a nagging feeling in the back of my mind telling me that doing username:password@empeg-address worked in the past, though. Which makes me wonder why it's not working now. I could be wrong.

Oh wait, I know why it worked in the past. Before I was using the internet explorer function, so it was essentially acting like a web browser. To get rid of the blocking call to the IE DLL so that I could do my own idle loop, I switched to direct winsock calls instead. Okay.
_________________________
Tony Fabris

Top
#213295 - 15/04/2004 15:30 Re: Hijack v381: HTTP authentication [Re: tfabris]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
Mmm okay.

There's an off-by-one bug in the buffer calculation in v381, so here (attached) is the full corrected function.
-ml


Attachments
212169-encode_base64.c (326 downloads)


Top
#213296 - 15/04/2004 15:36 Hijack v382: Fixed (?) streaming authentication [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
The new authentication scheme in v381 had an off-by-one bug in buffer calculation, and also appeared to prevent streaming to XMMS (and possibly WinAmp and others ?).

So, here is v382 (out shortly):

-- fixed off-by-one buffer bug.
-- generated .m3u files now include user:passwd strings in URLs for streaming.

Cheers

Top
#213297 - 15/04/2004 16:17 Re: Hijack v381: HTTP authentication [Re: mlord]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 30694
Loc: Seattle, WA
Cool, thanks. If I end up doing it, I'll use this VB prior art that seems to work well in my quick test.
_________________________
Tony Fabris

Top
#213298 - 15/04/2004 16:25 Re: Hijack v381: HTTP authentication [Re: tfabris]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
Wow, that's a lot of code for something that's really simple.

I suppose you've already run both it and the C version, to verify that they produce the exact same output for a given input, right?

Cheers

Top
#213299 - 15/04/2004 16:51 Re: Hijack v381: HTTP authentication [Re: mlord]
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
Wow, that's a lot of code for something that's really simple.
Welcome to Visual Basic, Mark.
_________________________
- Tony C
my empeg stuff

Top
#213300 - 15/04/2004 16:57 Re: Hijack v381: HTTP authentication [Re: mlord]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 30694
Loc: Seattle, WA
Wow, that's a lot of code for something that's really simple.
Well, it's a collection of functions rather than just the one or two I really need. Technically, I could probably pare that down quite a bit if I ended up using it.

But truthfully, it's normal for a VB program to get wordy for certain things that are done very simply in C. By the same token, a lot of the windows-specific stuff that takes pages and pages of code to do in C is handled with essentially no code at all in VB because it's built-in. That's why I like VB, the basic bits of creating windows and handling input/output are already done for me, so I don't have to spend time on those things.

I suppose you've already run both it and the C version, to verify that they produce the exact same output for a given input, right?
Not yet. I'm not worried about it too much, I'll look into it more when I get down to brass tacks and actually do the work.
_________________________
Tony Fabris

Top
#213301 - 15/04/2004 21:14 Re: Hijack v381: HTTP authentication [Re: tfabris]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
Wow, that's a lot of code for something that's really simple.

No slight intended there, just an observation I've been making since senior year (and beyond) at university -- the code to solve a similar problem can range from 10s to 1000s of lines, depending upon its ancestry.

Cheers

Top
#213302 - 15/04/2004 22:02 Re: Hijack v381: HTTP authentication [Re: mlord]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 30694
Loc: Seattle, WA
No offense taken at all.

I've seen some pretty compact C routines in my time.
_________________________
Tony Fabris

Top
#213303 - 16/04/2004 10:38 Hijack v383: Fixed default permissions [Re: mlord]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
Hijack v383 is now out.

This release fixes a bug in v382 whereby if *no* khttpd userid:passwds were specified, then the default was to allow only "guest" permissions for some functions.

Now the default behaviour should be the same as pre-v381.

Cheers


Edited by mlord (16/04/2004 12:17)

Top
#322074 - 07/05/2009 15:21 Re: Hijack v383: Fixed default permissions [Re: mlord]
benjammin
member

Registered: 11/08/2002
Posts: 174
Loc: Champaign, IL
I realize this thread is OLD... but some of us slackers (like me) have just started to use this and have some observations:

=============================

I've just tried this now with FireFox 3 and would like to get some clarification for the things I'm seeing:

with a basic AND full password specified,

Firefox asks me for the basic, and then the full.

If I cancel the full, I can't get in at all.

If I enter the basic AND the full, I get the playlist with no options to do anything.
I can't drive the front of the empeg. The display is up - but nothing works.

I'm using "empeg web lite 0.95"


Using Internet Exploder,
Basic only -- works (although the XML functions are lost and the display is plain looking HTML (looks like rudimentary page), but streaming works)
Full works (entered into the basic window as no "full" prompt appears separately like with FF) and gives me
the full normal XML empeg-web-lite menu I'd normally see without the passwords in firefox.

Thoughts?

-Ben
_________________________
Empeg Mk2 in fabulous green! Green Face, Green BackLit Buttons... GREEN...

Top
#322100 - 07/05/2009 23:11 Re: Hijack v383: Fixed default permissions [Re: benjammin]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 13564
Loc: Canada
I assume you are using this with some kind of existing web-based tool or something? Eg. "weblite 0.95", or "empface", or ???

I notice that weblite does behave a bit weird with this stuff.

Top
#322106 - 08/05/2009 12:49 Re: Hijack v383: Fixed default permissions [Re: mlord]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
He said:
Originally Posted By: benjammin
I'm using "empeg web lite 0.95"
_________________________
Bitt Faulk

Top