[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong

Iñaki Baz Castillo ibc at aliax.net
Fri Apr 17 11:01:18 CEST 2009

2009/4/17 Klaus Darilion <klaus.mailinglists at pernau.at>:
>> I don't agree at all. As I said, this would break authentication
>> requirement for third party PUA's.
> No. Probably we should take care when using words and do not mix them up:
> authentication: verify the identity of the sender. That is: check the
> credentials. The verified sender is the username+realm of the Authorization
> header
> authorization: verify if the sender is allowed the things it wants to do.
> That is, for example verify if the sender (identified by credentials) is
> allowed to use a certain URI in the TO header of REGISTER requests. Or
> verify that the sender is allowed to PUBLISH information for the URI in the
> request line. Or verify that the sender is allowed to use the URI in the
> From header as identity when making a phone call.

Yes, but this is what I said with "this would break *authentication*
requirement for third party PUA's."

If pua at domain1.org wants to publish a state for AoR alice at atlanta.com
it will send a PUBLISH like:

  PUBLISH sip_alice at atlanta.com
  From: pua at domain1.org

Kamailio requires *authentication* to pua at domain1.org, so
proxy_authorize() (with no arguments) should use From domain as
realm, if not, pua at domain1.org could not authenticate.

> So, there is just one thing left: if using proxy/www_authorize without
> specifying the realm manually, the realm will be calculated dynamically -
> currently From domain except for REGISTER the To domain is used. Thus, to
> follow this tradition the RURI domain needs to be used for RURI - by using
> always From header the 3rd party publication/registration will not work if
> the 3rd party will use a different domain. Today I think using RURI domain
> for auto-realm-calculation for PUBLISH is the correct fix.

Sincerely I think that selecting To domain as realm in REGISTER is
also wrong. You explained above very well the difference between
authentication and authorization, and I think that proxy_authorize()
function mixes both:

Authentication verifies the identity of the sender (not of the target
AoR). In a REGISTER, the sender (as in any request) is the From URI,
not the To URI. Let's show a case of third party registration:

  REGISTER sip:server
  From: alice at atlanta.com
  To: bob at biloxi.net

The sender is alice, so the realm in 401 should be "atlanta.com". Here
the authentication ends.
Later we can check the *authorization* by using check_to(). If
check_to() returns false then we could query some table to find if
alice at atlanta.com is allowed to register bob at biloxi.net AoR.

First authentication, after that, authorization. Why do proxy_authorize()
and www_authorize() pre-check the authorization by choosing a realm
*not* based on the sender (From)?

In conclusion: IMHO proxy_authorize() and www_authorize() should use
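
Added example, not part of the original message and not Kamailio code: a Python model of the two steps discussed in this thread, digest authentication against an automatically chosen realm, then a separate authorization check for the target AoR. The policy names, the `HA1` and `DELEGATIONS` tables, the nonce and all credentials are constructed assumptions.

```python
import hashlib, hmac

def h(*parts):                 # MD5 over colon-joined parts (RFC 2617 digest, no qop)
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def domain(uri):               # "sip:alice@atlanta.com" -> "atlanta.com"
    return uri.rsplit("@", 1)[1].lower()

def aor(uri):                  # "sip:alice@atlanta.com" -> "alice@atlanta.com"
    return uri.split(":", 1)[1].lower()

def auto_realm(policy, method, ruri, from_uri, to_uri):
    """Realm used when none is given explicitly (policy names are hypothetical)."""
    if policy in ("current", "ruri_for_publish") and method == "REGISTER":
        return domain(to_uri)  # behaviour the thread describes as current
    if policy == "ruri_for_publish" and method == "PUBLISH":
        return domain(ruri)    # fix proposed in the quoted reply
    return domain(from_uri)    # sender's domain

# Constructed data: subscriber HA1 values and a third-party delegation table.
HA1 = {("alice", "atlanta.com"): h("alice", "atlanta.com", "constructed-secret")}
DELEGATIONS = {("alice@atlanta.com", "bob@biloxi.net")}

def authenticate(user, realm, nonce, method, uri, response):
    """Step 1: verify credentials only; return the verified identity or None."""
    ha1 = HA1.get((user, realm))
    if ha1 is None:
        return None
    expected = h(ha1, nonce, h(method, uri))
    return f"{user}@{realm}" if hmac.compare_digest(expected, response) else None

def authorize(identity, target_aor):
    """Step 2: may the verified identity act on behalf of target_aor?"""
    return identity == target_aor or (identity, target_aor) in DELEGATIONS

def process(policy, method, ruri, from_uri, to_uri, user, password, nonce="n0"):
    realm = auto_realm(policy, method, ruri, from_uri, to_uri)
    # The client can only answer with the realm it was challenged for.
    response = h(h(user, realm, password), nonce, h(method, ruri))
    identity = authenticate(user, realm, nonce, method, ruri, response)
    if identity is None:
        return (realm, "401")
    target = aor(to_uri) if method == "REGISTER" else aor(ruri)
    return (realm, "200" if authorize(identity, target) else "403")
```

With the third-party REGISTER from the message, the `current` policy challenges for `biloxi.net`, where alice has no credentials, while `from_always` authenticates her in `atlanta.com` and leaves the decision about bob's AoR to `authorize()`.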
