I was looking at Arjun's patch for XECS-1604. It contains an isAuthenticated method to test if an incoming subscription request (for a resource-list URI) is authenticated. His version seems to be largely copied from SipRegistrarServer.cpp. But I wonder if the authentication algorithm should be adjusted.
In particular, the code checks to see if the Authorization header has the correct user/realm/password/nonce in the ordinary way. But in addition, it checks that the authorization user matches the user-part of the From header (where fromNameAddr is given to getCredential as the identity of the credential to be looked up). I think in this case, we want to omit that last check, that the Authorization header should stand alone. Also, this code does not respect any P-Asserted-Identity that other sipX components may have added. Perhaps this code should be replaced by the authorization code used in the auth proxy function?

Dale
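
The two behaviours discussed in this message, as an added example that is not part of the original post and is not sipX code: a digest check on the Authorization header alone, and the same check with the additional From user-part match. The function names, the `require_from_match` flag, and all sample values are assumptions made for illustration, and only the digest form without `qop` is handled.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    # 'Digest k="v", k2=v2' -> {"k": "v", "k2": "v2"}; {} for other schemes
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return {}
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+)', rest)
    return {k.lower(): v.strip('"') for k, v in pairs}

def from_user(from_header):
    # User-part of the SIP/SIPS URI in a From header value
    m = re.search(r"sips?:([^@;>\s]+)@", from_header)
    return m.group(1) if m else ""

def is_authenticated(method, authorization, from_header, realm,
                     passwords, valid_nonces, require_from_match):
    p = parse_digest(authorization)
    user, nonce = p.get("username", ""), p.get("nonce", "")
    if p.get("realm") != realm or nonce not in valid_nonces or user not in passwords:
        return False
    expected = digest_response(user, passwords[user], realm, nonce, method, p.get("uri", ""))
    if not hmac.compare_digest(expected.encode(), p.get("response", "").lower().encode()):
        return False
    # The extra step questioned above: bind the credential to the From user
    return user == from_user(from_header) if require_from_match else True

# Constructed sample data (not from sipX): one user, one outstanding nonce
REALM, NONCE, URI = "example.org", "constructednonce01", "sip:sales-list@example.org"
PASSWORDS = {"200": "constructed-password"}

def sample_authorization(password):
    resp = digest_response("200", password, REALM, NONCE, "SUBSCRIBE", URI)
    return (f'Digest username="200", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{URI}", response="{resp}"')

def check(from_header, password, require_from_match):
    return is_authenticated("SUBSCRIBE", sample_authorization(password), from_header,
                            REALM, PASSWORDS, {NONCE}, require_from_match)
```

With valid credentials for user 200 and a From header naming user 201, `check` returns True when the Authorization header stands alone and False when the From match is required.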
