
Re: [reSIProcate] Managing authentication in an B2BUA


I'm interested in how this would be done, so please indulge me for a second
with thoughts on this:

* without the b2bua knowing the credentials to authenticate userA, I'm not
sure that it's possible to solve this with DUM in general.
* forwarding the challenge response in #7 to UserB will require: #4 has the
same challenge information as #3 (nonce, realm).
* if the above is correct and assuming that this will work, when #3 is
received by DUM, the b2bua should fail to return any credentials to DUM,
which *should* just terminate the session and send the ACK.  The auth info
in #3 will need to be stored.  You *should* be able to reject #1 in DUM with
a 401 and then use an outbound feature or onReadyToSend to modify the 401
with the data stored from #3.  When #7 is received override
ServerAuthManager::process and skip the authentication process for this
invite. For #8 another outbound feature/onReadyToSend to add the auth from
#7.  Call *should* now progress normally through DUM.

Maybe this isn't possible due to digest authentication mechanisms that I
missed, but the procedures for modifying DUM should work. Can anyone else
comment on this? Maybe you have already worked this out and are willing to
explain a little further for my benefit, :-).

-justin  

-----Original Message-----
From: resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxxx
[mailto:resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Tomasz
Nowak
Sent: Wednesday, March 07, 2007 9:32 AM
To: resiprocate-devel@xxxxxxxxxxxxxxxxxxxx
Subject: [reSIProcate] Managing authentication in an B2BUA

Hi,

I'm using resiprocate (version 1.0.2) as a base for my B2BUA and wanted 
to implement the following scenario:

UserA                  B2BUA                   UserB
  |                       |                       |
  |  1.INVITE             |                       |
  |---------------------->|  2.INVITE             |
  |                       |---------------------->|
  |                       |    3.401 Unauthorized |
  |    4.401 Unauthorized |<----------------------|
  |<----------------------|  5.ACK                |
  |  6.ACK                |---------------------->|
  |---------------------->|                       |
  |                       |                       |
  |  7.INVITE(credential) |                       |
  |---------------------->|  8.INVITE(credential) |
  |                       |---------------------->|


The idea is, that after receiving '401 Unauthorized' from UserB, B2BUA 
should challenge UserA using realm & nonce taken from the message just 
received from UserB. Later on, B2BUA can reuse the credential received 
in message (7) to reINVITE UserB.

To setup DUM to be able to respond to digest challenges from UserB, I 
have to use ClientAuthManager.

I suppose I'll need to modify ClientAuthManager::handle() method, so 
that it will issue a challenge for UserA.

I'm wondering if I need to modify also 
DialogSet::handledByAuthOrRedirect() so that it:
- doesn't send a reINVITE immediately (it has to be done after message (7)),
- return always true, so that the DialogSet (between B2BUA & UserB) 
doesn't get destroyed.

Besides, how can I know, when an INVITE with credentials comes - do I 
have to modify ServerAuthManager logic?

What are your thoughts on my idea - I'm afraid I can miss something or 
introduce some bugs especially by modifying DialogSet code.

Best Regards,
Tomasz Nowak
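
The digest constraint both messages turn on (that #4 must carry the same realm and nonce as #3 for the credential in #7 to be reusable in #8), worked through as an added example that is not part of the thread and is not reSIProcate code. It assumes RFC 2617 digest without qop and a UserB that requires the digest-uri to equal the Request-URI it receives; all names, URIs and secrets are constructed.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def user_a_answer(challenge, user, password, method, uri):
    """UserA builds the credential for #7 from the challenge it got in #4."""
    resp = digest_response(user, challenge["realm"], password, method, uri, challenge["nonce"])
    return {"username": user, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "response": resp}

def user_b_verify(cred, issued, passwords, method, request_uri):
    """UserB checks the credential in #8 against the challenge it sent in #3."""
    if (cred["realm"], cred["nonce"]) != (issued["realm"], issued["nonce"]):
        return False  # credential answers a challenge UserB never issued
    if cred["uri"] != request_uri or cred["username"] not in passwords:
        return False  # assumed policy: digest-uri must match the Request-URI
    expected = digest_response(cred["username"], cred["realm"],
                               passwords[cred["username"]], method,
                               cred["uri"], cred["nonce"])
    return hmac.compare_digest(expected, cred["response"])

# Constructed sample values; none come from the thread.
CHALLENGE_3 = {"realm": "userb.example", "nonce": "constructed-nonce-0001"}
PASSWORDS_AT_B = {"alice": "constructed-secret"}
URI_LEG_A = "sip:bob@b2bua.example"

def run_scenario(challenge_4, uri_leg_b):
    """Messages #4, #7, #8: the B2BUA copies the credential, never sees the password."""
    cred_7 = user_a_answer(challenge_4, "alice", "constructed-secret", "INVITE", URI_LEG_A)
    cred_8 = dict(cred_7)  # B2BUA forwards the Authorization data unchanged
    return user_b_verify(cred_8, CHALLENGE_3, PASSWORDS_AT_B, "INVITE", uri_leg_b)

if __name__ == "__main__":
    own = {"realm": "userb.example", "nonce": "b2bua-nonce"}
    print("relayed challenge, same URI:", run_scenario(CHALLENGE_3, URI_LEG_A))
    print("B2BUA used its own nonce:   ", run_scenario(own, URI_LEG_A))
    print("Request-URI rewritten in #8:", run_scenario(CHALLENGE_3, "sip:bob@192.0.2.10"))
```

The third case is the one the thread does not mention: the response hashes the method and digest-uri as well as the realm and nonce, so a B2BUA that rewrites the Request-URI on the UserB leg invalidates a credential it cannot recompute.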
