[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong

Jan Janak jan at iptel.org
Fri Apr 17 15:17:45 CEST 2009


On 17-04 11:01, Iñaki Baz Castillo wrote:
> 2009/4/17 Klaus Darilion <klaus.mailinglists at pernau.at>:
> > So, there is just one thing left: if using proxy/www_authorize without
> > specifying the realm manually, the realm will be calculated dynamically -
> > currently From domain except for REGISTER the To domain is used. Thus, to
> > follow this tradition the RURI domain needs to be used for RURI - by using
> > always From header the 3rd party publication/registration will not work if
> > the 3rd party will use a different domain. Today I think using RURI domain
> > for auto-realm-calculation for PUBLISH is the correct fix.
> 
> Sincerely I think that selecting To domain as realm in REGISTER is
> also wrong. You explained above very well the difference between
> authentication and authorization, and I think that proxy_authorize()
> function mixes both:
> 
> Authentication verifies the identity of the sender (not of the target
> AoR). In a REGISTER, the sender (as in any request) is the From URI,
> not the To URI. Let's show a case of third party registration:
> 
>   REGISTER sip:server
>   From: alice at atlanta.com
>   To: bob at biloxi.net
> 
> The sender is alice, so the realm in 401 should be "atlanta.com". Here
> the authentication ends.
> Later we can check the *authorization* by using check_to(). If
> check_to() returns false then we could query some table to find if
> alice at atlanta.com is allowed to register the bob at biloxi.net AoR.
> 
> First authentication, after that, authorization. Why do proxy_authorize()
> and www_authorize() pre-check the authorization by choosing a realm
> *not* based on the sender (From)?
> 
> In conclusion: IMHO proxy_authorize() and www_authorize() should use
> From domain as realm by default, also in REGISTER and PUBLISH. I'd
> like to insist: authentication is the verification of the *sender*,
> and the *sender* is always the From.

I agree. This is also how we do it in the default configuration file of
SER. We select the virtual domain to be used based on the domain part of the
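The two-step model argued in the thread (digest authentication against a realm taken from the From domain, then a separate authorization check of the To AoR for third-party registration), as an added Python illustration that is not part of this thread or of SER/Kamailio; the subscriber table, the third-party permission table, the nonce and the REGISTER message are all constructed for the example.

```python
import hashlib
import re

# Constructed demo data: (user, realm) -> password, and which authenticated
# sender may register which foreign AoR (third-party registration policy).
SUBSCRIBERS = {("alice", "atlanta.com"): "secret-alice"}
THIRD_PARTY_ALLOWED = {("alice@atlanta.com", "bob@biloxi.net")}

# Constructed third-party REGISTER: sender is alice, target AoR is bob.
REGISTER = (
    "REGISTER sip:server SIP/2.0\r\n"
    "From: <sip:alice@atlanta.com>;tag=1\r\n"
    "To: <sip:bob@biloxi.net>\r\n"
    "\r\n"
)

def header_uri(msg, name):
    """Return user@domain from a From:/To: header of a minimal SIP message."""
    m = re.search(rf"^{name}:\s*(?:.*?<)?sip:([^@>;\s]+@[^>;\s]+)", msg, re.M | re.I)
    if not m:
        raise ValueError(f"missing {name} header")
    return m.group(1)

def select_realm(msg):
    """Authentication is about the sender, so the realm is the From domain
    (for REGISTER and PUBLISH too), never the To or Request-URI domain."""
    return header_uri(msg, "From").split("@", 1)[1]

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def authenticate(msg, creds, nonce):
    """Step 1 (www_authorize-like): verify the credentials against the From
    realm. Returns the authenticated identity, or None on failure."""
    realm = select_realm(msg)
    password = SUBSCRIBERS.get((creds["username"], realm))
    if password is None:
        return None
    expected = digest_response(creds["username"], realm, password,
                               "REGISTER", creds["uri"], nonce)
    return f"{creds['username']}@{realm}" if creds["response"] == expected else None

def authorize_register(msg, sender):
    """Step 2 (check_to-like): the sender may register its own AoR; any other
    AoR needs an explicit entry in the third-party permission table."""
    aor = header_uri(msg, "To")
    return aor == sender or (sender, aor) in THIRD_PARTY_ALLOWED
```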