[Serusers] Help with authorization

Jan Janak jan at iptel.org
Fri Apr 22 14:35:15 CEST 2005


On 21-04 21:08, Steve Blair wrote:
> 
>  I have a working 0.9.1 config to which I would like add server side
> features such as call forward all (cfwdall). I have a pretty good idea
> how to handle cfwdall using avp_ops however I'm stuck on the
> authentication.
> 
>  If a subscriber has local calling permissions (acl=local) and cfwdall
> their phone to a long distance number I need to respond with an
> informative response.
> 
>  In the INVITE processing in my config I have statements such as:
> 
>        if (is_user_in("credentials", "ld")) {
>          setflag(11);
>        };
> 
>  These checks fail with the following errors:
> 
>  Apr 21 18:31:53 ser[498]:  [SER]: AVP: Checking From gateway caller
>  Apr 21 18:31:53 ser[498]: check_username(): No authorized credentials 
> found (error in scripts)
>  Apr 21 18:31:53 ser[498]: check_username(): Call {www,proxy}_authorize 
> before calling
>         check_* function !
>  Apr 21 18:31:53 ser[498]: [SER]: Flag for UMVM redirect successful.
>  Apr 21 18:31:53 ser[498]:  [SER]: AVP: Checking credentials
>  Apr 21 18:31:53 ser[498]: is_user_in(): No authorized credentials 
> found (error in scripts)

  Checking the username without authentication does not make much sense
  because the user could fake the contents of the header field. That's
  why check_* functions require authorized credentials to be present.

>   I thought adding proxy_authorize("", "subscriber")), check_to and 
> check_from calls prior
> to the is_user_in check would address these errors but that hasn't 
> worked either.
> 
>    If I want to set a flag if the caller is an authorized subscriber, 
> the callee is an
> authorized subscriber and then use "is_user_in" to determine if the 
> called party has
> a particular credential what am I missing?

  I am not sure I understand "the callee is an authorized subscriber".
  Digest authentication can only be performed for the caller, not the
  callee, because there is no way of challenging the callee.

    Jan.




More information about the sr-users mailing list