Daniel,
What would you think about this variant of xcap authentication:

event_route[xhttp:request] {
    xdbg("===== xhttp: request [$rv] $rm => $hu\n");
    if($hu=~"^/xcap-root/") {
        # xcap ops
        $xcapuri(u=>data) = $hu;
        if($xcapuri(u=>xuid)=~"^sip:.+@.+")
            $var(uri) = $xcapuri(u=>xuid);
        else if($xcapuri(u=>xuid)=~".+@.+")
            $var(uri) = "sip:"+ $xcapuri(u=>xuid);
        else
            $var(uri) = "sip:"+ $xcapuri(u=>xuid) + "@" + $Ri;

        if($xcapuri(u=>auid)=="xcap-caps") {
            ... skipped ...
        }

#!ifdef WITH_XHTTPAUTH
#!ifdef WITH_MULTIDOMAIN
        if (!www_authorize("$(var(uri){uri.host})", "subscriber")) {
            www_challenge("$(var(uri){uri.host})", "0");
#!else
        if (!www_authorize("xcap", "subscriber")) {
            www_challenge("xcap", "0");
#!endif
            exit;
        }

        set_reply_close();
        set_reply_no_connect();

#!ifdef WITH_XHTTPAUTH
        # be sure auth user access only its documents
#!ifdef WITH_MULTIDOMAIN
        if($aU=~".+@.+")
            $var(tmp) = "sip:"+$aU;
        else
            $var(tmp) = "sip:"+$aU+"@"+$(var(uri){uri.host});

        if ($var(uri)!=$var(tmp)) {
            xdbg("===== xhttp: Forbidden!!! $var(tmp) - $var(uri)\n");
#!else
        if ($au!=$(var(uri){uri.user})) {
            xdbg("===== xhttp: Forbidden!!! $au - $(var(uri){uri.user})\n");
#!endif
        ..

Regards, Andrey.
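
Added example (not part of the original thread, and not Kamailio code): a Python model of the xuid normalisation and the "auth user may access only its own documents" comparison from the route above, run over constructed inputs for both the WITH_MULTIDOMAIN and the single-domain branch. The names normalize_xuid and owner_check are hypothetical; auth_user and auth_whole are assumed to stand in for $au and $aU, and local_ip for $Ri.

```python
import re

def normalize_xuid(xuid, local_ip):
    """Three-branch normalisation from the route: always yields sip:user@domain."""
    if re.search(r"^sip:.+@.+", xuid):
        return xuid
    if re.search(r".+@.+", xuid):
        return "sip:" + xuid
    return "sip:" + xuid + "@" + local_ip  # stands in for the $Ri fallback

def owner_check(xuid, auth_user, auth_whole, local_ip, multidomain):
    """True when the authenticated user owns the document named by xuid.

    auth_user / auth_whole are assumed stand-ins for $au / $aU.
    """
    uri = normalize_xuid(xuid, local_ip)
    user, _, host = uri[len("sip:"):].partition("@")
    if multidomain:
        # WITH_MULTIDOMAIN branch: build $var(tmp) and compare full SIP URIs
        if re.search(r".+@.+", auth_whole):
            tmp = "sip:" + auth_whole
        else:
            tmp = "sip:" + auth_whole + "@" + host
        return uri == tmp
    # single-domain branch: only the user parts are compared
    return auth_user == user

LOCAL_IP = "192.0.2.10"  # constructed sample value

# Constructed cases: (xuid, $au, $aU, multidomain)
CASES = [
    ("sip:alice@example.org", "alice", "alice@example.org", True),
    ("alice@example.org", "alice", "alice", True),
    ("bob@example.org", "alice", "alice@example.org", True),
    ("alice", "alice", "alice@example.org", True),
    ("alice@other.example", "alice", "alice", False),
    ("bob", "alice", "alice", False),
]

def run_cases():
    return [owner_check(x, au, aU, LOCAL_IP, md) for x, au, aU, md in CASES]

if __name__ == "__main__":
    for case, ok in zip(CASES, run_cases()):
        print(case, "->", "allowed" if ok else "forbidden")
```

The fourth case shows that a bare-username xuid is normalised to the local IP and so does not match a domain-qualified auth username; the fifth shows that the single-domain branch does not take the domain in the xuid into account at all.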

2010/10/16 Rouskol Andrey anry-dev@yandex.ru:
> if($hu=~"^/xcap-root/") {
>     # xcap ops
>     $xcapuri(u=>data) = $hu;
>     if($xcapuri(u=>xuid)=~"^sip:.+@.+")
>         $var(uri) = $xcapuri(u=>xuid);
>     else if($xcapuri(u=>xuid)=~".+@.+")
>         $var(uri) = "sip:"+ $xcapuri(u=>xuid);
>     else
>         $var(uri) = "sip:"+ $xcapuri(u=>xuid) + "@" + $Ri;

Doesn't the module automatically parse the URL's auid, xui, document, document path and so on?

Iñaki,
Yes, it does. The xcap module parses the request URL and produces $xcapuri(u=>xuid), which could have different formats: user, user@domain or sip:user@domain. And $var(uri) is a "sip normalised" form of it, i.e.: sip:user@domain.
This part was taken from Daniel's tutorial as is. My question was about the authorization part.
Regards, Andrey.
16.10.10, 13:58, "Iñaki Baz Castillo" ibc@aliax.net:
> 2010/10/16 Rouskol Andrey :
>> if($hu=~"^/xcap-root/") {
>>     # xcap ops
>>     $xcapuri(u=>data) = $hu;
>>     if($xcapuri(u=>xuid)=~"^sip:.+@.+")
>>         $var(uri) = $xcapuri(u=>xuid);
>>     else if($xcapuri(u=>xuid)=~".+@.+")
>>         $var(uri) = "sip:"+ $xcapuri(u=>xuid);
>>     else
>>         $var(uri) = "sip:"+ $xcapuri(u=>xuid) + "@" + $Ri;
>
> Doesn't the module automatically parse the URL's auid, xui, document, document path and so on?

Hello,
the module parses inside the xcap uri, but you can build a custom one in config and give it as parameter to xcap server functions. In this way you can do normalization, sanity checks, etc.
For these kinds of operations I added a variable that can be used to access parts of an xcap uri very easily in the configuration file, so as not to fight with complex regular expression substitutions or other string functions/transformations.
Cheers, Daniel
On 10/17/10 1:05 AM, Rouskol Andrey wrote:
> Iñaki,
> Yes, it does. The xcap module parses the request URL and produces $xcapuri(u=>xuid), which could have different formats: user, user@domain or sip:user@domain. And $var(uri) is a "sip normalised" form of it, i.e.: sip:user@domain.
> This part was taken from Daniel's tutorial as is. My question was about the authorization part.
> Regards, Andrey.
>
> 16.10.10, 13:58, "Iñaki Baz Castillo" ibc@aliax.net:
>> 2010/10/16 Rouskol Andrey :
>>> if($hu=~"^/xcap-root/") {
>>>     # xcap ops
>>>     $xcapuri(u=>data) = $hu;
>>>     if($xcapuri(u=>xuid)=~"^sip:.+@.+")
>>>         $var(uri) = $xcapuri(u=>xuid);
>>>     else if($xcapuri(u=>xuid)=~".+@.+")
>>>         $var(uri) = "sip:"+ $xcapuri(u=>xuid);
>>>     else
>>>         $var(uri) = "sip:"+ $xcapuri(u=>xuid) + "@" + $Ri;
>>
>> Doesn't the module automatically parse the URL's auid, xui, document, document path and so on?
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hello Andrey,
seems ok, I will give it some more thought.
At the end of the day, it is your decision as administrator how you enforce the xcap-uri format and authentication/authorization.
The fact is that the http uri does not usually contain the domain part, it is just the document/resource reference part. I have seen services asking the users to add the domain as mandatory to the xcap uri. It is a reason why the xcap document path can be given as a parameter, not taken implicitly, so the admin can transform the one received into a normalized one.
Cheers, Daniel
On 10/16/10 8:43 AM, Rouskol Andrey wrote:
> Daniel,
> What would you think about this variant of xcap authentication:
>
> event_route[xhttp:request] {
>     xdbg("===== xhttp: request [$rv] $rm => $hu\n");
>     if($hu=~"^/xcap-root/") {
>         # xcap ops
>         $xcapuri(u=>data) = $hu;
>         if($xcapuri(u=>xuid)=~"^sip:.+@.+")
>             $var(uri) = $xcapuri(u=>xuid);
>         else if($xcapuri(u=>xuid)=~".+@.+")
>             $var(uri) = "sip:"+ $xcapuri(u=>xuid);
>         else
>             $var(uri) = "sip:"+ $xcapuri(u=>xuid) + "@" + $Ri;
>
>         if($xcapuri(u=>auid)=="xcap-caps") {
>             ... skipped ...
>         }
>
> #!ifdef WITH_XHTTPAUTH
> #!ifdef WITH_MULTIDOMAIN
>         if (!www_authorize("$(var(uri){uri.host})", "subscriber")) {
>             www_challenge("$(var(uri){uri.host})", "0");
> #!else
>         if (!www_authorize("xcap", "subscriber")) {
>             www_challenge("xcap", "0");
> #!endif
>             exit;
>         }
>
>         set_reply_close();
>         set_reply_no_connect();
>
> #!ifdef WITH_XHTTPAUTH
>         # be sure auth user access only its documents
> #!ifdef WITH_MULTIDOMAIN
>         if($aU=~".+@.+")
>             $var(tmp) = "sip:"+$aU;
>         else
>             $var(tmp) = "sip:"+$aU+"@"+$(var(uri){uri.host});
>
>         if ($var(uri)!=$var(tmp)) {
>             xdbg("===== xhttp: Forbidden!!! $var(tmp) - $var(uri)\n");
> #!else
>         if ($au!=$(var(uri){uri.user})) {
>             xdbg("===== xhttp: Forbidden!!! $au - $(var(uri){uri.user})\n");
> #!endif
>         ..
>
> Regards, Andrey.

2010/10/19 Daniel-Constantin Mierla miconda@gmail.com:
> The fact is that the http uri does not usually contain the domain part,

It should, at least if such devices want to "interoperate" (a word that doesn't exist in XCAP) with today's XCAP specifications.

> it is just the document/resource reference part. I have seen services asking the users to add the domain as mandatory to the xcap uri. It is a reason why the xcap document path can be given as a parameter, not taken implicitly, so the admin can transform the one received into a normalized one

What do you mean by "document path given as parameter"? Could you show an example of what you mean please?

On 10/19/10 10:58 AM, Iñaki Baz Castillo wrote:
> 2010/10/19 Daniel-Constantin Mierla miconda@gmail.com:
>> The fact is that the http uri does not usually contain the domain part,
>
> It should, at least if such devices want to "interoperate" (a word that doesn't exist in XCAP) with today's XCAP specifications.
>
>> it is just the document/resource reference part. I have seen services asking the users to add the domain as mandatory to the xcap uri. It is a reason why the xcap document path can be given as a parameter, not taken implicitly, so the admin can transform the one received into a normalized one
>
> What do you mean by "document path given as parameter"? Could you show an example of what you mean please?

http://kamailio.org/docs/modules/stable/modules_k/xcap_server.html#id2751589
Second parameter can be any pseudo-variable. So instead of using the HTTP uri, you can overwrite it with new values. Otherwise, if you don't need to change it, you can give $hu, which is the HTTP uri.
Cheers, Daniel