[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong
klaus.mailinglists at pernau.at
Thu Apr 16 18:27:33 CEST 2009
Juha Heinanen schrieb:
> SourceForge.net writes:
> > For PUBLISH requests, Authentication user should be checked against
> > RURI. Thus, realm should be derived from RURI too.
> > Can someone please review the patch - I am not sure if the usage of
> > &(_m->parsed_uri) is correct in this situation.
> i replied to this a couple of days ago, but it went to noreply address.
> i'll try again. i reviewed the patch and i don't think it is correct.
> if you want to take authentication user from ruri, there is no reason to
> parse from uri.
True. Probably a copy/paste error.
> i can take care of the patch, but i would like first to understand, why
> publish authentication should be done based on request uri. is this
> because of third party publish or what? normally the user itself (in
> from header) sends the publish.
PUBLISH defines, that the entity who's presence is published is
addressed in the request URI.
> i personally check in my script that from uri of publish matches ruri
> and thus to me it is irrelevant if authentication user is taken from
> from uri or ruri.
The problem I see - and which I tried to fix in the patch is another:
When calling www|proxy_authorize() without specifying the realm, the
realm is derived automatically - for REGISTER the To-domain, for other
requests the From-domain will be used. Thus, I thought that for PUBLISH
the domain of the RURI should be used as realm.
The more I think about it I come to the conclusion that my patch just
makes things even more wrong.
Wouldn't it be better to always derive the realm from the From header -
because the authorize/challenge function are actually just for
authentication - and authentication means to authenticate the party
which sends the request. (actually the problem is even complexer as an
realm needs not to be equivalent to the domain at all - stupid SIP).
Then, depending on the scenario the relevant checks can be performed in
script - e.g. if fromuser=authuser, touri=authuser at realm or
ruri=authuser at realm.
Probably it would be even nicer if authentication username has to
contain the domain and the realm is just an identifier if the SIP proxy
without relation to domains.
> -- juha
> Kamailio (OpenSER) - Devel mailing list
> Devel at lists.kamailio.org
More information about the Devel