
sip/websocket authentication.

  • From: binod pg
  • Subject: sip/websocket authentication.
  • Date: Wed, 13 Nov 2013 15:54:44 +0530
  • Organization: Oracle Corporation

Hi everyone,

As you know, the sip/websocket draft has changed since we released EDR in terms of
authentication. The draft has more scenarios and requirements for authentication now.

Please read section 7, A.1, A.2 and A.3 of the draft.

The current situation is as follows.

- The Sip/Websocket server assigns a specific "sip identity" after a user has logged into the
  web application with any of the web authentication procedures.

- When the SIP messages reach the server on such a websocket connection, the server is required
to validate that the identity in the SIP message matches the assigned "sip identity". There is
no explanation about which SIP header of the SIP message carries the "sip identity".

For an application to support sip/websocket, we need the following changes.

1) In the login-config element of the deployment descriptor, we will support an additional identity-assertion-scheme
called "client-asserted-identity". By default, client-asserted-identity will use the "From" header for the matching
validation. An application can override the name of the header used with the element "identity-assertion-header".

<identity-assertion-support>SUPPORTED</identity-assertion-support>

1b) We can also allow an application to invoke a method in SipServletRequest to do the identity assertion: SipServletRequest.assertIdentity(String idenity).
This would let the application extract the identity header it knows from the SIP message and assert the identity.

2) An HTTP servlet in a converged application would want to access the SIP identity (e.g., to implement section A.2) assigned by the container based on
    container-specific configuration.
The proposal is to let the application access the SIP identity using HttpServletRequest.getAttribute("javax.servlet.sip.idenity");

Please review.


p.s: We can potentially deprecate P-Asserted-Identity in favor of Client-Asserted-Identity.
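
The validation step described in the message above (the identity in a SIP header, "From" by default, must match the identity assigned to the WebSocket connection), as an added example that is not part of the original post and does not use the SIP Servlet API. It assumes identities are SIP URIs compared by scheme, user and host; the class and method names are hypothetical and the header values are constructed.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not the SIP Servlet API; class and method names are hypothetical.
public class IdentityCheck {
    private static final Pattern QUOTED = Pattern.compile("\"(?:\\\\.|[^\"\\\\])*\"");
    private static final Pattern ANGLE = Pattern.compile("<([^>]+)>");
    private static final Pattern URI =
            Pattern.compile("^(sips?):(?:([^@;?]+)@)?([^;?]+)", Pattern.CASE_INSENSITIVE);

    /** Reduce a header value or URI to scheme:user@host; null if it cannot be parsed. */
    static String canonical(String value) {
        if (value == null) return null;
        // Drop the quoted display name first: it may itself contain '<' or a URI.
        String rest = QUOTED.matcher(value).replaceAll("");
        Matcher a = ANGLE.matcher(rest);
        // name-addr form: URI is inside <...>; bare form: header parameters start at ';'.
        String spec = a.find() ? a.group(1) : rest.split(";", 2)[0];
        Matcher u = URI.matcher(spec.trim());
        if (!u.find()) return null;
        String user = u.group(2) == null ? "" : u.group(2) + "@";   // user part is case-sensitive
        return u.group(1).toLowerCase(Locale.ROOT) + ":" + user
                + u.group(3).toLowerCase(Locale.ROOT);              // scheme and host are not
    }

    /** True only when the header carries exactly the identity assigned to the connection. */
    static boolean matchesAssigned(String assignedIdentity, String headerValue) {
        String expected = canonical(assignedIdentity);
        String claimed = canonical(headerValue);
        return expected != null && expected.equals(claimed);        // fail closed on parse errors
    }

    public static void main(String[] args) {
        String assigned = "sip:alice@example.com";                  // constructed sample values
        String[] fromHeaders = {
            "\"Alice\" <sip:alice@Example.COM;transport=ws>;tag=1928",
            "sip:alice@example.com;tag=77",
            "<sip:bob@example.com>;tag=5",
            "<sip:Alice@example.com>;tag=9",
            "\"<sip:alice@example.com>\" <sip:bob@example.com>;tag=3",
            null,                                                   // header absent
        };
        for (String h : fromHeaders) {
            System.out.println((matchesAssigned(assigned, h) ? "ACCEPT " : "REJECT ") + h);
        }
    }
}
```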
