[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong

Klaus Darilion klaus.mailinglists at pernau.at
Thu Apr 16 18:27:33 CEST 2009



Juha Heinanen schrieb:
> SourceForge.net writes:
> 
>  > For PUBLISH requests, Authentication user should be checked against
>  > RURI. Thus, realm should be derived from RURI too. 
>  > 
>  > Can someone please review the patch - I am not sure if the usage of
>  > &(_m->parsed_uri) is correct in this situation.
> 
> i replied to this a couple of days ago, but it went to noreply address.
> 
> i'll try again.  i reviewed the patch and i don't think it is correct.
> if you want to take authentication user from ruri, there is no reason to
> parse from uri.

True. Probably a copy/paste error.

> i can take care of the patch, but i would like first to understand, why
> publish authentication should be done based on request uri.  is this
> because of third party publish or what?  normally the user itself (in
> from header) sends the publish.

PUBLISH defines that the entity whose presence is published is 
addressed in the request URI.

> i personally check in my script that from uri of publish matches ruri
> and thus to me it is irrelevant if authentication user is taken from
> from uri or ruri.

Correct.

The problem I see - and which I tried to fix in the patch is another: 
When calling www|proxy_authorize() without specifying the realm, the 
realm is derived automatically - for REGISTER the To-domain, for other 
requests the From-domain will be used. Thus, I thought that for PUBLISH 
the domain of the RURI should be used as realm.

The more I think about it I come to the conclusion that my patch just 
makes things even more wrong.

Wouldn't it be better to always derive the realm from the From header - 
because the authorize/challenge functions are actually just for 
authentication - and authentication means to authenticate the party 
which sends the request. (Actually the problem is even more complex, as a 
realm needs not to be equivalent to the domain at all - stupid SIP.)

Then, depending on the scenario, the relevant checks can be performed in 
script - e.g. if fromuser=authuser, touri=authuser@realm or 
ruri=authuser@realm.

Probably it would be even nicer if the authentication username had to 
contain the domain and the realm were just an identifier of the SIP proxy 
without relation to domains.

regards
klaus


> 
> -- juha
> 
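The script-level approach Klaus sketches above (authenticate against the From domain, then enforce From/RURI consistency for PUBLISH in the route), written out as an added Kamailio config example; this is not code from the thread or the patch. It assumes the auth_db `subscriber` table, the `proxy_authorize`/`proxy_challenge` functions and the `$au`, `$ar`, `$fU`, `$fd`, `$rU`, `$rd` pseudo-variables of the auth/auth_db modules.

```kamailio
# Added example (not from the mailing-list thread): PUBLISH authorization
# where the realm is always the From domain and the entity/sender checks
# live in script, as proposed above.
route[AUTH_PUBLISH] {
    if (!is_method("PUBLISH")) return;

    # Authenticate the sender. The realm is taken explicitly from the
    # From domain ($fd) instead of letting the function derive it.
    if (!proxy_authorize("$fd", "subscriber")) {
        proxy_challenge("$fd", "0");
        exit;
    }

    # Authorization step 1: the credentials must belong to the From URI.
    if ($au != $fU || $ar != $fd) {
        sl_send_reply("403", "Credentials do not match From");
        exit;
    }

    # Authorization step 2 (first-party PUBLISH only): the presentity in the
    # Request-URI must be the authenticated user (ruri = authuser@realm).
    # A third-party PUBLISH policy would replace this check with an ACL.
    if ($rU != $au || $rd != $ar) {
        sl_send_reply("403", "Request-URI does not match credentials");
        exit;
    }

    consume_credentials();
}
```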
