
Re: [reSIProcate] Digest credentials for many different usernames from single realm


Proxies can challenge all requests - not just registrations (i.e. INVITE
requests).  In these cases using the To header is pretty misleading.

> -----Original Message-----
> From: Dmitry Semyonov [mailto:dsemyonov@xxxxxxx]
> Sent: Thursday, September 28, 2006 12:50 PM
> To: Scott Godin
> Cc: resiprocate-devel
> Subject: RE: [reSIProcate] Digest credentials for many different
> usernames fromsingle realm
> 
> Scott,
> 
> On Thu, 28 Sep 2006 at 11:54 -0400, Scott Godin wrote:
> 
> > > Auth user is not exposed in 401/407 responses. Therefore I'm going
> > > to match user (which will be a new parameter of
> > > UserProfile::setDigestCredential()) with user from the To header.
> > > (Note that matching with From does not solve my problem.)
> >
> > I am concerned about this.  Although it may solve your particular
> > problem, I don't think using the To: header is a good general
> > solution, and one that should be committed to SVN.  In general you
> > are providing credentials about yourself, and the most appropriate
> > spot to get that info is the From header - definitely not the To
> > header.  Perhaps you should be looking at overriding UserProfile
> > with a customer version of getDigestCredential for your purposes.
> 
> When you register with SIP registrar you pass your AOR in the To
> header. Obviously, everything will work as before.
> 
> When you're calling to several end-points, every UAS (not proxy!) may
> return 401. The From header will be the same for all the responses.
> 
> With my implementation at this point you get the flexibility to either
> provide different credentials for each end-point by calling beforehand:
> 
>   setDigestCredential(realm, user1, authuser1, passwd1);
>   setDigestCredential(realm, user2, authuser2, passwd2);
>   setDigestCredential(realm, user3, authuser3, passwd3);
> 
> or provide the same (possibly your own) credential for everybody by
> 
>   setDigestCredential(realm, user1, authuser, passwd);
>   setDigestCredential(realm, user2, authuser, passwd);
>   setDigestCredential(realm, user3, authuser, passwd);
> 
> or alternatively by
> 
>   setDigestCredential(realm, authuser, passwd).
> 
> Note that the proposed change does not break any existing functionality,
> but rather adds a good degree of flexibility to the DUM authentication
> mechanism.
> 
> --
> ...Bye..Dmitry.
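
The lookup order discussed in this thread (a per-user credential for a realm, then a realm-wide credential, otherwise nothing) can be sketched as follows. This is an added example, not reSIProcate code and not the patch from the thread: `CredentialStore`, its members and the sample values are hypothetical, and the caller decides whether `user` comes from the To or the From header.

```cpp
#include <map>
#include <string>
#include <utility>

// Hypothetical stand-in for the credential table; not reSIProcate's UserProfile.
struct DigestCredential {
    std::string authUser;
    std::string password;
};

class CredentialStore {
public:
    // Four-argument form from the proposal: one credential per (realm, user).
    void setDigestCredential(const std::string& realm, const std::string& user,
                             const std::string& authUser, const std::string& password) {
        perUser_[std::make_pair(realm, user)] = DigestCredential{authUser, password};
    }
    // Three-argument form: a single credential for the whole realm.
    void setDigestCredential(const std::string& realm,
                             const std::string& authUser, const std::string& password) {
        perRealm_[realm] = DigestCredential{authUser, password};
    }
    // realm: taken from the 401/407 challenge. user: taken from the request.
    // Returns nullptr when nothing is configured for the challenging realm,
    // so a challenge from an unknown realm is never answered with a secret.
    const DigestCredential* getDigestCredential(const std::string& realm,
                                                const std::string& user) const {
        auto u = perUser_.find(std::make_pair(realm, user));
        if (u != perUser_.end()) return &u->second;   // exact (realm, user) match
        auto r = perRealm_.find(realm);
        if (r != perRealm_.end()) return &r->second;  // realm-wide fallback
        return nullptr;
    }
private:
    std::map<std::pair<std::string, std::string>, DigestCredential> perUser_;
    std::map<std::string, DigestCredential> perRealm_;
};

int main() {
    CredentialStore store;
    // Constructed sample values.
    store.setDigestCredential("example.com", "user1", "authuser1", "passwd1");
    store.setDigestCredential("example.com", "authuser", "passwd");
    const DigestCredential* c = store.getDigestCredential("example.com", "user2");
    return (c != nullptr && c->authUser == "authuser") ? 0 : 1;
}
```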