< Previous by Date Date Index Next by Date >
< Previous in Thread Thread Index Next in Thread >

Re: [reSIProcate] Digest credentials for many different usernames fromsingle realm


I would like to see this change.  Although I vaguely remember starting
to do this myself a long while back and others had a reason that we
didn't really need it.  Is anyone opposed to this?

I think the search order should be:
1.  Find a credential where both user and realm match.
2.  If not found, return first credential with realm match.
3.  If not found, return first credential with user match.
4.  If not found, return first credential.

I think it is fairly common for proxies to get the realm stuff wrong, so
we need some kind of fallback when the realm doesn't match.

I guess you are planning to match Auth user with the user in the From
header?

Scott

-----Original Message-----
From: resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
Dmitry Semyonov
Sent: Wednesday, September 27, 2006 9:25 AM
To: resiprocate-devel
Subject: [reSIProcate] Digest credentials for many different usernames
fromsingle realm

Hello all.

Background.

Sipura phone could be forced to resynchronize with provisioning 
server by sending unsolicited NOTIFY request to the phone with 
"resync" Event header. Note that Sipura authorizes such request with 
its own credentials. I.e. username, auth username and password values 
are different for each phone even if all the phones are from the same 
realm.


Problem.

There is a limitation in DUM - it allows only single credential per 
realm. Therefore, such NOTIFY requests could not be sent to several 
phones simultaneously using single UserProfile. A workaround could be 
to create separate profile for each new request, but I would like to 
avoid such approach on the server side with potentially tenths of 
thousands phones.


Proposal.

I propose to extend UserProfile interface to allow setting, getting 
and clearing of credentials based not only on realm value but also on 
username (don't confuse with auth username!). It will be also 
necessary to modify ClientAuthManager to retrieve credentials using 
username from To header field of 401/407 response in addition to 
realm value.

What do you think? Will you accept a patch for this feature?

-- 
...Bye..Dmitry.
_______________________________________________
resiprocate-devel mailing list
resiprocate-devel@xxxxxxxxxxxxxxxxxxx
https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel