Hi Tonny,

The “auth-crypt” connection type does exactly that: only Clients who have an installed credential (in the Server’s /cred resource) can create an authenticated CoAPS session with the Server. The “anon-clear” connection type, on the other hand, will match any (anonymous) Client request over CoAP, so it sounds like this isn’t the conn type you want to use in this case.

Use the “auth-crypt” conn type ACE, and I believe you’ll have the access policy you are after. Let me know if that doesn’t make sense for some reason!

Thanks,
Nathan

From: Tonny Tzeng [mailto:[email protected]]
Sent: Tuesday, August 15, 2017 6:21 PM
To: Heldt-Sheller, Nathan <[email protected]>
Cc: iotivity-dev <[email protected]>
Subject: Re: [dev] provisioning client discover no unowned devices with V2 ACL

Hi Nathan,

Thanks for confirming that the use of ACE1 is deprecated. I am unsure whether the connection type ACE can meet my usage, as I'd like to have only Clients who have paired with the Server be able to access the application resources. It seems to me the Server with connection type ACEs can be accessed by any Clients, even if the Server is not provisioned with the Client's credential. The role-based ACE you mentioned in a separate mail might work, however it's not supported by json2cbor currently. Is there a subject-based ACE we could give a try? Thanks.

Best Regards,
Tonny

On 16 August 2017 at 01:58, Heldt-Sheller, Nathan <[email protected]> wrote:

Thanks Tonny,

Yes, IoTivity 1.3 requires the /acl2 Resource and proper formatting using the ACE2 definition. The /acl resource is deprecated and cannot be used in OCF 1.0 Devices. To get the equivalent function to the “*” Subject (all Subjects) in ACE1, you just need to create two ACE2 entries, with “auth_crypt” and “anon_clear” Subject, which will encompass all Subjects. Let me know if you need help with the .json file example of this config!

Thanks,
Nathan

From: [email protected] [mailto:[email protected]] On Behalf Of Tonny Tzeng
Sent: Tuesday, August 15, 2017 9:21 AM
To: iotivity-dev <[email protected]>
Subject: [dev] provisioning client discover no unowned devices with V2 ACL

Hi developers,

I tried to supply my sampleserver_justworks app with a modified oic_svr_db_server_justworks.json, as I'd like to define the ACL in V1 format instead of using the original V2 ACLs, but the provisioning client can't discover this unowned device anymore if the device uses the V1 ACL. Is it the right behavior, or are there any restrictions on when to use V1 ACLs? It looks to me like the V1 ACL accepts the "*" uuid, and I am hesitant to use the connection type ACE in V2, so I'm wondering why the use of the V1 ACL causes the unowned device to become undiscoverable?

Best Regards,
Tonny
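An added illustration of the two-entry ACE2 arrangement discussed in the thread above (this fragment is not from the thread or from the IoTivity sample files): an "aclist2" section in the oic_svr_db JSON layout that json2cbor converts, assumed here to follow the OCF 1.0 ACE2 definition. The "anon-clear" entry exposes only the standard discovery resources read-only (permission 2 = RETRIEVE), while the "auth-crypt" entry grants RETRIEVE + UPDATE (permission 6) on /a/light, a hypothetical application resource; the "rowneruuid" value is a placeholder.

```json
{
  "acl": {
    "aclist2": [
      {
        "aceid": 1,
        "subject": { "conntype": "anon-clear" },
        "resources": [
          { "href": "/oic/res", "rt": ["oic.wk.res"], "if": ["oic.if.ll", "oic.if.baseline"] },
          { "href": "/oic/d",   "rt": ["oic.wk.d"],   "if": ["oic.if.r", "oic.if.baseline"] },
          { "href": "/oic/p",   "rt": ["oic.wk.p"],   "if": ["oic.if.r", "oic.if.baseline"] }
        ],
        "permission": 2
      },
      {
        "aceid": 2,
        "subject": { "conntype": "auth-crypt" },
        "resources": [
          { "href": "/a/light", "rt": ["oic.r.switch.binary"], "if": ["oic.if.a", "oic.if.baseline"] }
        ],
        "permission": 6
      }
    ],
    "rowneruuid": "00000000-0000-0000-0000-000000000000"
  }
}
```

Because no "anon-clear" entry names /a/light, an unauthenticated CoAP request for it is denied, and only a Client holding a credential in the Server's /cred resource (and therefore able to establish the CoAPS session that "auth-crypt" matches) can reach it; which resources beyond the discovery set must stay reachable over "anon-clear" is left open by the thread.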
_______________________________________________ iotivity-dev mailing list [email protected] https://lists.iotivity.org/mailman/listinfo/iotivity-dev
