Peter Fowler wrote:
>
> This issue/question came up on today's scrum.
>
> From the sipXivr process I want to use various REST APIs. Eg. I am
> trying to use the newly added REST api for searching phonebooks.
>
> The issue is that many (all?) of the REST apis in SipX require plain
> text user pins whereas I only have access to the MD5 digest of the
> pin (from validusers.xml). Eg.
>
> https://200:1...@domain_name:8443/sipxconfig/…
>
> Ideally I would like to pass the MD5 digest of the pin instead. I had a
> quick look at security.beans.xml but didn't go much farther than that
> prior to asking for input on the Dev list:
>
> - is this a reasonable request?

Supporting DIGEST authentication in sipXconfig REST is definitely a valid request. Using MD5 DIGEST in place of the PIN in BASIC authentication is probably not (security gurus are welcome to chime in).

> - how to proceed, what files/code would need to change?
>

Not sure: security.beans.xml is where I would start... That probably needs to be changed by reconfiguring Acegi filters. But we may need to update Acegi since we are using some ancient version. I'll be looking at this problem this month if no-one gets there before me since we need to tackle XX-6166 anyway.

Now - let's take a step back... I assume you are authenticating users somehow (you should not be accessing user credentials in validusers.xml without authenticating users - that opens a whole slew of security problems). Maybe the right answer to this question is to allow authenticating users with whatever credentials you already have? For example if those users are XMPP users sipXconfig configures them and could use those to authenticate REST requests.

D.
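Added example, not part of the original thread and not sipXconfig code: a minimal RFC 2617 (qop=auth) exchange showing the distinction drawn in the reply above. Under DIGEST the stored hash is never sent and each response is bound to a server nonce, whereas a hash sent as the BASIC password is a static credential on every request. It assumes the stored PIN digest has the form MD5(user:realm:pin), which the thread does not state; the user, realm, PIN, URI and the `DigestServer` helper are constructed for illustration.

```python
import hashlib
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1_from_pin(user, realm, pin):
    # Assumed storage format (not stated in the thread): MD5(user:realm:pin).
    return md5_hex(f"{user}:{realm}:{pin}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 qop=auth response: needs HA1 only, never the plaintext PIN.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestServer:
    """Minimal verifier with single-use nonces (hypothetical helper)."""
    def __init__(self, ha1_by_user):
        self.ha1_by_user = ha1_by_user
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.live_nonces:
            return False  # unknown or already used nonce
        self.live_nonces.discard(nonce)
        ha1 = self.ha1_by_user.get(user)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        return secrets.compare_digest(expected, response)

def demo():
    # Constructed sample values; the URI is a placeholder, not a sipXconfig path.
    ha1 = ha1_from_pin("200", "example.org", "1234")
    server = DigestServer({"200": ha1})
    uri, nc, cnonce = "/example/resource", "00000001", secrets.token_hex(4)
    nonce = server.challenge()
    resp = digest_response(ha1, "GET", uri, nonce, nc, cnonce)
    accepted = server.verify("200", "GET", uri, nonce, nc, cnonce, resp)
    replayed = server.verify("200", "GET", uri, nonce, nc, cnonce, resp)
    fresh = server.challenge()
    reused = server.verify("200", "GET", uri, fresh, nc, cnonce, resp)
    return accepted, replayed, reused
```

`demo()` returns `(True, False, False)`: the first response is accepted, and the same response is rejected both on replay and against a fresh nonce. Because the response is computed from HA1 alone, a hash stored in this form is password-equivalent under DIGEST and the file holding it needs the same protection as a plaintext PIN.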
