On Tue, 2007-06-12 at 22:44 -0700, Mushtaq Ilyas wrote:
> "To: The To header field contains the address of record whose
> registration is to be created, queried, or modified. The To
> header field and the Request-URI field typically differ, as
> the former contains a user name. This address-of-record MUST
> be a SIP URI or SIPS URI."
>
> "From: The From header field contains the address-of-record of the
> person responsible for the registration. The value is the
> same as the To header field unless the request is a third-
> party registration."
>
> " 4. The registrar SHOULD determine if the authenticated user is
> authorized to modify registrations for this address-of-record.
> For example, a registrar might consult an authorization
> database that maps user names to a list of addresses-of-record
> for which that user has authorization to modify bindings. If
> the authenticated user is not authorized to modify bindings,
> the registrar MUST return a 403 (Forbidden) and skip the
> remaining steps."
>
> My question is the authenticated user in the last paragraph above is
> a) extracted from the Request-Uri?
> b) the aor in the From header field?

The authenticated user is the one whose user name is passed in the
'user' attribute of the valid WWW-Authenticate header. You might
choose to require that it match the To header (if you do not allow
third party registrations) or From header (if you do), but that is
a matter of local policy.

--
Scott Lawrence  tel:+1-781-938-5306;ext=162 or sip:[EMAIL PROTECTED]
sipXecs project coordinator - SIPfoundry http://www.sipfoundry.org/sipXecs
Chief Technology Officer - Pingtel Corp. http://www.pingtel.com/
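
An added example, not part of the original thread or of sipXecs: a sketch of the step 4 check in which the identity comes from the verified Digest credentials (the `username` parameter of the request's Authorization header) and the To and From values are only claims checked against local policy. The authorization table, host names and function names are constructed for illustration, the URI handling is simplified, and the Digest response is assumed to have been verified already.

```python
import re

# Constructed authorization database: Digest username -> AORs it may modify.
AUTHZ_DB = {
    "alice": {"sip:alice@example.com"},
    "secretary": {"sip:secretary@example.com", "sip:boss@example.com"},
}

def digest_username(authorization):
    """Return the username parameter of a Digest Authorization header value."""
    m = re.search(r'(?:^|[\s,])username="([^"]*)"', authorization)
    return m.group(1) if m else None

def aor(header_value):
    """Reduce a To/From header value to a canonical address-of-record."""
    m = re.search(r"<([^>]+)>", header_value)
    uri = m.group(1) if m else header_value.split(";", 1)[0]  # bare URI: drop header params
    uri = uri.strip().split(";", 1)[0].split("?", 1)[0]       # drop URI params and headers
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips") or "@" not in rest:
        return None
    user, _, host = rest.rpartition("@")
    return f"{scheme.lower()}:{user}@{host.lower()}"

def check_register(authorization, to_hdr, from_hdr, allow_third_party=False):
    """Return the status a registrar would answer with: 200, 400 or 403."""
    user = digest_username(authorization)
    target, requester = aor(to_hdr), aor(from_hdr)
    if user is None or target is None or requester is None:
        return 400
    if requester != target and not allow_third_party:
        return 403  # local policy: third-party registration disabled
    # From is only a claim; the decision keys on the authenticated user name.
    if target not in AUTHZ_DB.get(user, set()):
        return 403
    return 200
```

Setting From equal to To does not help a caller whose authenticated user name is not mapped to the target address-of-record, because the lookup never consults From.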
