[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Apr 17 11:06:39 CEST 2009
Klaus Darilion wrote:
>
> Iñaki Baz Castillo wrote:
>> 2009/4/16 Juha Heinanen <jh at tutpro.com>:
>>> Klaus Darilion writes:
>>>
>>> > Wouldn't it be better to always derive the realm from the From header -
>>> > because the authorize/challenge function are actually just for
>>> > authentication - and authentication means to authenticate the party
>>> > which sends the request. (actually the problem is even more complex, as a
>>> > realm need not be equivalent to the domain at all - stupid SIP).
>>>
>>> i agree.
>> I don't agree at all. As I said, this would break the authentication
>> requirement for third-party PUAs.
>
> No. Probably we should take care when using words and do not mix them up:
>
> authentication: verify the identity of the sender. That is: check the
> credentials. The verified sender is the username+realm of the
> Authorization header
>
> authorization: verify if the sender is allowed to do the things it wants to do.
> That is, for example verify if the sender (identified by credentials) is
> allowed to use a certain URI in the TO header of REGISTER requests. Or
> verify that the sender is allowed to PUBLISH information for the URI in
> the request line. Or verify that the sender is allowed to use the URI in
> the From header as identity when making a phone call.
>
>
> The authentication will be done using the www/proxy_authorize functions
> (which probably should be renamed to _authenticate()).
>
> Authorization can be done either in script, e.g.
>
>     ....do _authorize()...
>     if (is_method("PUBLISH")) {
>         if ( $ar==$rd && $au==$rU) {
>             good.....(first party publication)
>         } else {
>             3rd party publication or hacking attempt
>             ....
>         }
>     }
>
> or by using functions like check_from() or check_to().
>
>
>
> So, there is just one thing left: if using proxy/www_authorize without
> specifying the realm manually, the realm will be calculated dynamically
> - currently From domain except for REGISTER the To domain is used. Thus,
> to follow this tradition the RURI domain needs to be used for RURI - by
> using always From header the 3rd party publication/registration will not
> work if the 3rd party will use a different domain. Today I think using
> RURI domain for auto-realm-calculation for PUBLISH is the correct fix.
Stupid me - as I said previously, and well explained by Inaki, using
always From for realm calculation is better.
regards
klaus
>
> Of course better fine-tuning can be achieved by setting the realm
> manually using for example $fd, $td or $rd.
>
> regards
> klaus
>
>
>
>
> regards
> Klaus
>
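The separation Klaus draws above (authenticate the credentials first, then authorize what the verified sender may do with the Request-URI) and the auto-realm rule discussed in the thread (From domain, To domain for REGISTER, and the RURI-domain alternative for PUBLISH) can be worked through on a couple of PUBLISH messages. The following is an added Python example, not Kamailio code; the pseudo-variables `$ar`, `$au`, `$rd` and `$rU` are the ones named in the thread, the message texts are constructed, and the function names are assumptions made for this illustration.

```python
"""Illustrative authentication/authorization split for SIP PUBLISH (added example,
not Kamailio's own code). Mirrors the script-level check quoted in the thread:
    $ar == $rd && $au == $rU   -> first-party publication
where $ar/$au come from the Authorization header and $rd/$rU from the Request-URI."""
import re
from dataclasses import dataclass

# Minimal SIP URI matcher: optional user part, host without port/params.
_URI_RE = re.compile(r"sips?:(?:(?P<user>[^@;>\s]+)@)?(?P<host>[^;>:\s]+)")
# Digest parameter matcher: name="value" or name=value, comma separated.
_AUTH_PARAM_RE = re.compile(r'(\w+)="?([^",]*)"?')


@dataclass
class SipRequest:
    method: str
    ruri: str
    headers: dict  # lower-cased header name -> raw value


def parse_request(raw: str) -> SipRequest:
    """Parse request line and headers of a bodiless SIP request."""
    lines = raw.strip().splitlines()
    method, ruri, _version = lines[0].split(maxsplit=2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipRequest(method, ruri, headers)


def uri_parts(uri: str):
    """Return (user, host) of the first SIP URI in a header or request line."""
    m = _URI_RE.search(uri)
    if not m:
        raise ValueError(f"no SIP URI in {uri!r}")
    return m.group("user"), m.group("host").lower()


def auth_credentials(req: SipRequest):
    """(username, realm) from the Digest credentials, i.e. $au and $ar."""
    hdr = req.headers.get("authorization") or req.headers.get("proxy-authorization")
    if not hdr or not hdr.startswith("Digest "):
        return None
    params = dict(_AUTH_PARAM_RE.findall(hdr[len("Digest "):]))
    return params.get("username"), params.get("realm", "").lower()


def auto_realm(req: SipRequest, publish_source: str = "from") -> str:
    """Realm chosen when www/proxy_authorize() is called with an empty realm.
    Rule from the thread: From domain, except REGISTER uses the To domain.
    publish_source="ruri" models the RURI-domain alternative for PUBLISH."""
    if req.method == "REGISTER":
        return uri_parts(req.headers["to"])[1]
    if req.method == "PUBLISH" and publish_source == "ruri":
        return uri_parts(req.ruri)[1]
    return uri_parts(req.headers["from"])[1]


def classify_publish(req: SipRequest) -> str:
    """Authorization step, run only after the credentials were verified."""
    creds = auth_credentials(req)
    if creds is None:
        return "unauthenticated"
    au, ar = creds
    rU, rd = uri_parts(req.ruri)
    return "first-party" if (ar == rd and au == rU) else "third-party"


# Constructed sample messages (digest values are placeholders).
FIRST_PARTY = """PUBLISH sip:alice@example.com SIP/2.0
From: <sip:alice@example.com>;tag=1
To: <sip:alice@example.com>
Authorization: Digest username="alice", realm="example.com", nonce="n1", uri="sip:alice@example.com", response="0000"
"""

THIRD_PARTY = """PUBLISH sip:alice@example.com SIP/2.0
From: <sip:pua@presence.example.net>;tag=2
To: <sip:alice@example.com>
Authorization: Digest username="pua", realm="presence.example.net", nonce="n2", uri="sip:alice@example.com", response="0000"
"""

if __name__ == "__main__":
    for raw in (FIRST_PARTY, THIRD_PARTY):
        req = parse_request(raw)
        print(classify_publish(req), auto_realm(req), auto_realm(req, "ruri"))
```

For the third-party message the From-based rule yields the PUA's own realm (`presence.example.net`), so its credentials can be verified, while the RURI-based rule would challenge it in `example.com`, which is exactly the breakage Iñaki points out; whether the PUA may then publish for `alice@example.com` is a separate authorization decision, made here by `classify_publish`.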