From 1bbf7e6c2ff571b2e26b643a7e86e35790b91875 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Tue, 17 Feb 2026 03:23:19 +0100
Subject: Add username/password authentication to servers and client

Disallow anonymous sessions on both the LDS and registering server by
configuring UA_AccessControl_default with a hardcoded user/password
credential pair.  Set UA_ClientConfig_setAuthenticationUsername on the
client configs used for register, re-register, and deregister calls.
Use UA_Client_connectUsername in the FindServers client when reading
server time.
---
 src/client_find_servers.c |  3 ++-
 src/server_lds.c          | 14 ++++++++++++++
 src/server_register.c     | 20 ++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/src/client_find_servers.c b/src/client_find_servers.c
index c62fc15..4789b38 100644
--- a/src/client_find_servers.c
+++ b/src/client_find_servers.c
@@ -160,7 +160,8 @@ readServerTime (UA_Client *client,
       UA_LOG_INFO (UA_Log_Stdout, UA_LOGCATEGORY_CLIENT,
                    "Connecting to %s to read current time...", url);
 
-      UA_StatusCode retval = UA_Client_connect (client, url);
+      UA_StatusCode retval
+          = UA_Client_connectUsername (client, url, "user", "password");
       UA_free (url);
       if (retval != UA_STATUSCODE_GOOD)
         {
diff --git a/src/server_lds.c b/src/server_lds.c
index a7794aa..12dfe59 100644
--- a/src/server_lds.c
+++ b/src/server_lds.c
@@ -10,6 +10,7 @@
 
 #include "common.h"
 
+#include <open62541/plugin/accesscontrol_default.h>
 #include <open62541/plugin/log_stdout.h>
 #include <open62541/server.h>
 #include <open62541/server_config_default.h>
@@ -66,6 +67,19 @@ main (int argc, char *argv[])
 
   UA_ServerConfig *serverConfig = UA_Server_getConfig (server);
 
+  /* Disallow anonymous sessions.
+     UA_ServerConfig_setDefaultWithSecurityPolicies (called by
+     createSecureServer) resets access control, so this must come after server
+     creation.  The static credential list is deep-copied. */
+  UA_UsernamePasswordLogin logins[]
+      = { { UA_STRING_STATIC ("user"), UA_STRING_STATIC ("password") } };
+  retval = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
+  if (retval != UA_STATUSCODE_GOOD)
+    {
+      UA_Server_delete (server);
+      return EXIT_FAILURE;
+    }
+
   /* Mark this server as a Discovery Server so clients can identify it. */
   serverConfig->applicationDescription.applicationType
       = UA_APPLICATIONTYPE_DISCOVERYSERVER;
diff --git a/src/server_register.c b/src/server_register.c
index e1defd0..8b750fe 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -12,6 +12,7 @@
 
 #include <open62541/client.h>
 #include <open62541/client_config_default.h>
+#include <open62541/plugin/accesscontrol_default.h>
 #include <open62541/plugin/log_stdout.h>
 #include <open62541/server.h>
 #include <open62541/server_config_default.h>
@@ -93,6 +94,19 @@ main (int argc, char **argv)
 
   UA_ServerConfig *serverConfig = UA_Server_getConfig (server);
 
+  /* Disallow anonymous sessions.
+     UA_ServerConfig_setDefaultWithSecurityPolicies (called by
+     createSecureServer) resets access control, so this must come after server
+     creation.  The static credential list is deep-copied. */
+  UA_UsernamePasswordLogin logins[]
+      = { { UA_STRING_STATIC ("user"), UA_STRING_STATIC ("password") } };
+  retval = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
+  if (retval != UA_STATUSCODE_GOOD)
+    {
+      UA_Server_delete (server);
+      return EXIT_FAILURE;
+    }
+
   serverConfig->applicationDescription.applicationType
       = UA_APPLICATIONTYPE_SERVER;
 
@@ -111,6 +125,8 @@ main (int argc, char **argv)
       UA_Server_delete (server);
       return EXIT_FAILURE;
     }
+  UA_ClientConfig_setAuthenticationUsername (&clientConfig, "user",
+                                             "password");
 
   UA_String discoveryUrl = UA_STRING_ALLOC (discoveryEndpoint);
   retval = UA_Server_registerDiscovery (server, &clientConfig, discoveryUrl,
@@ -136,6 +152,8 @@ main (int argc, char **argv)
               argv + 11, trustSize, securityMode, securityPolicyUri);
           if (retval == UA_STATUSCODE_GOOD)
             {
+              UA_ClientConfig_setAuthenticationUsername (&clientConfig, "user",
+                                                         "password");
               UA_String reregUrl = UA_STRING_ALLOC (discoveryEndpoint);
               retval = UA_Server_registerDiscovery (server, &clientConfig,
                                                     reregUrl, UA_STRING_NULL);
@@ -155,6 +173,8 @@ main (int argc, char **argv)
       trustSize, securityMode, securityPolicyUri);
   if (retval == UA_STATUSCODE_GOOD)
     {
+      UA_ClientConfig_setAuthenticationUsername (&clientConfig, "user",
+                                                 "password");
       UA_String deregUrl = UA_STRING_ALLOC (discoveryEndpoint);
       retval = UA_Server_deregisterDiscovery (server, &clientConfig, deregUrl);
       UA_String_clear (&deregUrl);
-- 
cgit v1.2.3