
Re: sip/websocket authentication.

  • From: binod pg < >
  • To:
  • Subject: Re: sip/websocket authentication.
  • Date: Wed, 13 Nov 2013 21:46:04 +0530
  • Organization: Oracle Corporation

Hi Keith,

Thanks for the write-up. I can see that both the proposals are largely going
in the same direction. Let's discuss in the EG meeting and try to converge on
something.

thanks,
Binod.

On 11/13/2013 7:34 PM, Keith Lewis wrote:
Hi all,

I was asked at the last meeting to provide some proposals regarding WebSocket authentication.
I have attached my response - sorry that it is so late.
At the last meeting I was suggesting that no changes to the API would be required but on further reflection I agree with Binod that there are cases which are not easily mapped into our existing mechanisms.

I did not realise that Binod was also presenting a proposal.

Keith Lewis


On 13 November 2013 10:24, binod pg wrote:

    Hi everyone,

    As you know, the sip/websocket draft has changed since we released
    EDR in terms of
    authentication. The draft has more scenarios and requirements for
    authentication now.

    Please read section 7,  A.1, A.2 and  A.3 of the draft
    http://tools.ietf.org/html/draft-ietf-sipcore-sip-websocket-09

    The current situation is as follows.

    - The Sip/Websocket server assigns a specific "sip identity"
    after a user has logged into the
      web application with any of the web authentication procedures.

    - When the SIP messages reach the server on such a websocket
    connection, the server is required
      to validate that the identity in the SIP message matches with
    the assigned "sip identity". There is
      no explanation about which sip header of the SIP message carries
    the "sip identity".

    For an application to support sip/websocket, we need the following
    changes.

    1) In the login-config element of the deployment descriptor, we
    will support an additional identity-assertion-scheme
        called "client-asserted-identity". By default
    client-asserted-identity will be using "From" header for matching the
        validation.  Application can override the name of header used
    by the element "identity-assertion-header".

        <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>example.com</realm-name>
            <identity-assertion>
                <identity-assertion-scheme>Client-Asserted-Identity</identity-assertion-scheme>
                <identity-assertion-support>SUPPORTED</identity-assertion-support>
                <identity-assertion-header>From</identity-assertion-header>
            </identity-assertion>
        </login-config>

       1b) We can also allow the application to invoke a method in
    SipServletRequest to do the identity assertion.
    SipServletRequest.assertIdentity(String identity).
              This would let the application extract the identity
    header it knows from the SIP message and assert the identity.

    2) An http servlet in a converged application would want to access
    the SIP identity (eg: to implement section A.2) assigned by the
    container based on
        container specific configuration.
        The proposal is to let application access the SIP identity
    using HttpServletRequest.getAttribute("javax.servlet.sip.idenity");

    Please review.

    thanks,
    Binod.

    p.s: We can potentially deprecate P-Asserted-Identity in favor of
    Client-Asserted-Identity.



--------------------

Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. CafeX Communications.
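
An added example, not part of the thread or of the SIP Servlet specification: one way a container could perform the match described in the original proposal, comparing the URI in the configured identity-assertion-header (default "From") with the SIP identity assigned at web login. It is plain Java with no servlet API dependency; the class and method names are hypothetical, the sample messages are constructed, and the comparison is simplified to scheme, user and host rather than the full RFC 3261 URI comparison.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Hypothetical helper (assumption): not an API of any SIP servlet container.
public class AssertedIdentityCheck {

    // Reduce a header value such as
    //   "Alice" <sip:alice@example.com;transport=ws>;tag=1928
    // to scheme:user@host. The user part stays case-sensitive, the host is lower-cased,
    // URI and header parameters are dropped. Simplified parsing for illustration.
    static String normalize(String headerValue) {
        String v = headerValue.trim();
        int lt = v.lastIndexOf('<');              // last '<' so a quoted display name cannot pose as the URI
        if (lt >= 0) {
            int gt = v.indexOf('>', lt);
            if (gt < 0) throw new IllegalArgumentException("unterminated name-addr");
            v = v.substring(lt + 1, gt);
        }
        int colon = v.indexOf(':');
        if (colon < 0) throw new IllegalArgumentException("not a URI");
        String scheme = v.substring(0, colon).toLowerCase(Locale.ROOT);
        String rest = v.substring(colon + 1);
        int at = rest.indexOf('@');
        String user = at < 0 ? "" : rest.substring(0, at + 1);   // keeps the trailing '@'
        String host = rest.substring(at + 1).split("[;?]", 2)[0].toLowerCase(Locale.ROOT);
        if (host.isEmpty()) throw new IllegalArgumentException("missing host");
        return scheme + ":" + user + host;
    }

    // headers: header name -> values as received (caller supplies the exact configured name);
    // headerName: value of identity-assertion-header; assigned: identity bound to the connection.
    static boolean identityMatches(Map<String, List<String>> headers, String headerName, String assigned) {
        List<String> values = headers.get(headerName);
        if (values == null || values.size() != 1) return false;   // fail closed: missing or duplicated header
        try {
            return normalize(values.get(0)).equals(normalize(assigned));
        } catch (IllegalArgumentException e) {
            return false;                                          // fail closed: unparsable value
        }
    }

    public static void main(String[] args) {
        String assigned = "sip:alice@example.com";                 // constructed sample identity
        Map<String, List<String>> ok = Map.of("From", List.of("\"Alice\" <sip:alice@EXAMPLE.com;transport=ws>;tag=1928"));
        Map<String, List<String>> other = Map.of("From", List.of("\"sip:alice@example.com\" <sip:mallory@example.com>;tag=7"));
        System.out.println("matching From:     " + identityMatches(ok, "From", assigned));
        System.out.println("different From:    " + identityMatches(other, "From", assigned));
        System.out.println("missing From:      " + identityMatches(Map.of(), "From", assigned));
    }
}
```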



