[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong

Klaus Darilion klaus.mailinglists at pernau.at
Fri Apr 17 11:06:39 CEST 2009



Klaus Darilion schrieb:
> 
> Iñaki Baz Castillo schrieb:
>> 2009/4/16 Juha Heinanen <jh at tutpro.com>:
>>> Klaus Darilion writes:
>>>
>>>  > Wouldn't it be better to always derive the realm from the From header -
>>>  > because the authorize/challenge function are actually just for
>>>  > authentication - and authentication means to authenticate the party
>>>  > which sends the request. (actually the problem is even more complex, as a
>>>  > realm need not be equivalent to the domain at all - stupid SIP).
>>>
>>> i agree.
>> I don't agree at all. As I said, this would break the authentication
>> requirement for third-party PUAs.
> 
> No. Probably we should take care when using words and do not mix them up:
> 
> authentication: verify the identity of the sender. That is: check the 
> credentials. The verified sender is the username+realm of the 
> Authorization header
> 
> authorization: verify if the sender is allowed to do the things it wants to do. 
> That is, for example verify if the sender (identified by credentials) is 
> allowed to use a certain URI in the TO header of REGISTER requests. Or 
> verify that the sender is allowed to PUBLISH information for the URI in 
> the request line. Or verify that the sender is allowed to use the URI in 
> the From header as identity when making a phone call.
> 
> 
> The authentication will be done using the www/proxy_authorize functions 
> (which probably should be renamed to _authenticate()).
> 
> Authorization can be done either in script, e.g.
>    # ...do _authorize()... (www_authorize()/proxy_authorize() first)
>    if (is_method("PUBLISH")) {
>        if ($ar == $rd && $au == $rU) {
>            # good: first-party publication
>            ...
>        } else {
>            # 3rd-party publication or hacking attempt
>            ...
>        }
>    }
> or by using functions like check_from() or check_to().
> 
> 
> 
> So, there is just one thing left: if using proxy/www_authorize without 
> specifying the realm manually, the realm will be calculated dynamically 
> - currently the From domain, except for REGISTER, where the To domain is 
> used. Thus, to follow this tradition the RURI domain needs to be used for 
> RURI - by always using the From header, 3rd-party publication/registration 
> will not work if the 3rd party uses a different domain. Today I think using 
> the RURI domain for auto-realm calculation for PUBLISH is the correct fix.

Stupid me - as I said previously, and well explained by Inaki, using 
always From for realm calculation is better.

regards
klaus

> 
> Of course better fine-tuning can be achieved by setting the realm 
> manually using for example $fd, $td or $rd.
> 
> regards
> klaus
> 
> 
> _______________________________________________
> Kamailio (OpenSER) - Devel mailing list
> Devel at lists.kamailio.org
> http://lists.kamailio.org/cgi-bin/mailman/listinfo/devel
> http://lists.openser-project.org/cgi-bin/mailman/listinfo/devel
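The two points argued above (which header the auto-realm is taken from, and the separate first-party / third-party authorization decision on PUBLISH) are easier to see on concrete requests. The following is an added example, written for this page and not Kamailio code; it assumes the pseudo-variable meanings used in the thread ($ar/$au = realm/username from the Authorization header, $rd/$rU = Request-URI domain/user, $fd/$td = From/To domain) and works on constructed SIP messages, not captured traffic. The "from" policy is always the From domain; the "ruri" policy is the older From-except-REGISTER rule extended with the Request-URI domain for PUBLISH, as proposed earlier in the thread.

```python
"""Added example: realm derivation and first-/third-party PUBLISH check."""
import re


def uri_user_domain(value):
    """(user, domain) from a Request-URI or a From/To header value.
    Strips display name, <> brackets, URI and header parameters, and port."""
    m = re.search(r"<([^>]+)>", value)
    uri = (m.group(1) if m else value.split(";")[0]).strip()
    scheme, sep, rest = uri.partition(":")
    if sep and scheme.lower() in ("sip", "sips"):
        uri = rest
    uri = uri.split(";")[0]
    user, _, host = uri.rpartition("@")
    return user, host.split(":")[0].lower()


def parse_request(raw):
    """Minimal SIP request parser: request line, headers, Digest params."""
    lines = raw.split("\r\n")
    method, ruri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    auth = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("authorization", "")))
    return {"method": method, "ruri": ruri, "headers": headers, "auth": auth}


def auto_realm(req, policy):
    """Realm to challenge with when the script leaves the realm empty.
    "from": always the From domain ($fd).
    "ruri": To domain ($td) for REGISTER, R-URI domain ($rd) for PUBLISH,
            From domain otherwise (the earlier proposal in the thread)."""
    h = req["headers"]
    if policy == "ruri":
        if req["method"] == "REGISTER":
            return uri_user_domain(h["to"])[1]
        if req["method"] == "PUBLISH":
            return uri_user_domain(req["ruri"])[1]
    return uri_user_domain(h["from"])[1]


def classify_publish(req):
    """Authorization step after the digest check succeeded:
    the thread's `$ar == $rd && $au == $rU` test."""
    ar, au = req["auth"].get("realm"), req["auth"].get("username")
    if ar is None or au is None:
        return "unauthenticated"  # challenge first, classify later
    rU, rd = uri_user_domain(req["ruri"])
    if ar == rd and au == rU:
        return "first-party"
    return "third-party"  # also covers impersonation; local policy decides


# Constructed sample requests (not captured traffic).
PUBLISH_SELF = (
    "PUBLISH sip:alice@example.com SIP/2.0\r\n"
    'From: "Alice" <sip:alice@example.com>;tag=7f3a\r\n'
    "To: <sip:alice@example.com>\r\n"
    'Authorization: Digest username="alice", realm="example.com", '
    'nonce="c0ffee", uri="sip:alice@example.com", response="0123"\r\n'
    "Event: presence\r\n\r\n"
)
PUBLISH_3RD = (  # presence agent in another domain publishing for bob
    "PUBLISH sip:bob@example.com SIP/2.0\r\n"
    "From: <sip:pua@presence.example.net>;tag=9c1\r\n"
    "To: <sip:bob@example.com>\r\n"
    'Authorization: Digest username="pua", realm="presence.example.net", '
    'nonce="c0ffee", uri="sip:bob@example.com", response="4567"\r\n'
    "Event: presence\r\n\r\n"
)
PUBLISH_SPOOF = (  # same realm as the R-URI, but a different user
    "PUBLISH sip:alice@example.com SIP/2.0\r\n"
    "From: <sip:mallory@example.com>;tag=31\r\n"
    "To: <sip:alice@example.com>\r\n"
    'Authorization: Digest username="mallory", realm="example.com", '
    'nonce="c0ffee", uri="sip:alice@example.com", response="89ab"\r\n'
    "Event: presence\r\n\r\n"
)
PUBLISH_NOAUTH = (
    "PUBLISH sip:alice@example.com SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:alice@example.com>\r\n\r\n"
)
REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=11\r\n"
    "To: <sip:alice@example.com>\r\n\r\n"
)


def demo():
    """Map each sample to (realm under 'from', realm under 'ruri', class)."""
    samples = {"self": PUBLISH_SELF, "3rd": PUBLISH_3RD,
               "spoof": PUBLISH_SPOOF, "noauth": PUBLISH_NOAUTH}
    out = {}
    for name, raw in samples.items():
        req = parse_request(raw)
        out[name] = (auto_realm(req, "from"), auto_realm(req, "ruri"),
                     classify_publish(req))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The third-party case shows why the realm choice matters: under the "ruri" policy the PUA at presence.example.net would be challenged for realm example.com, where it has no credentials, while the "from" policy challenges it in its own realm and leaves the decision whether pua may publish for bob to the authorization step. The spoof case shows that the `$ar == $rd && $au == $rU` test lands an in-domain impersonation attempt in the same branch as a legitimate third-party publication, so that branch still needs an explicit policy check rather than a blanket allow.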
