On Wed, Aug 12, 2009 at 3:01 PM, Peter Fowler<[email protected]> wrote:
>
>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of
>> Krzeminski, Damian (BL60:9D30)
>> Sent: Wednesday, August 12, 2009 2:22 PM
>> To: [email protected]
>> Subject: Re: [sipX-dev] REST API plain text vs MD5 digest
>> authentication
>>
>> Peter Fowler wrote:
>> >
>> > This issue/question came up on today's scrum.
>> >
>> > From the sipXivr process I want to use various REST APIs. Eg. I am
>> > trying to use the newly added REST api for searching phonebooks.
>> >
>> > The issue is that many (all?) of the REST apis in SipX require plain
>> > text user pins whereas I only have access to the MD5 digest of the pin
>> > (from validusers.xml). Eg.
>> >
>> > _https://200:1...@domain_name:8443/sipxconfig/..._
>> >
>> > Ideally I would like to pass the MD5 digest of the pin instead. I had
>> > a quick look at security.beans.xml but didn't go much farther than
>> > that prior to asking for input on the Dev list:
>> >
>> >     - is this a reasonable request?
>>
>> Supporting DIGEST authentication in sipXconfig REST is
>> definitely a valid request.
>> Using MD5 DIGEST in place of the PIN in BASIC authentication
>> is probably not (security gurus are welcome to chime in).
>>
>>
>> >     - how to proceed, what files/code would need to change?
>> >
>>
>> Not sure: security.beans.xml is where I would start...
>> That probably needs to be changed by reconfiguring Acegi
>> filters. But we may need to update Acegi since we are using
>> some ancient version.
>> I'll be looking at this problem this month if no-one gets
>> there before me since we need to tackle XX-6166 anyway.
>>
>>
>> Now - let's take a step back...
>> I assume you are authenticating users somehow (you should not
>> be accessing user credentials in validusers.xml without
>> authenticating users - that opens a whole slew of security problems).
>> Maybe the right answer to this question is to allow
>> authenticating users with whatever credentials you already
>> have? For example if those users are XMPP users sipXconfig
>> configures them and could use those to authenticate REST requests.
>> D.
>>
>>
>>
>> _______________________________________________
>> sipx-dev mailing list [email protected] List
>> Archive: http://list.sipfoundry.org/archive/sipx-dev
>> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
>> sipXecs IP PBX -- http://www.sipfoundry.org/
>
> My Personal Assistant Bot will only include the Jabber addresses of SipX
> Users in its roster and those users will authenticate with OpenFire to
> login
> with their XMPP client. As such my Bot doesn't have any direct access to
> credentials.
>
> If people don't think this is secure enough, let me know. Could ask the
> user to enter the pin in the chat session since the session is over TLS.
> Just need to ensure the chat history somehow would not include the pin!
>
> Otherwise, I'll leave this problem (XX-6166) in your much more capable
> hands.
>
> Peter


In my SipXCallController REST service, I propose to proceed as follows:

The same REST resource will be mapped to two ports:

Requests originating from the sipx proxy domain over HTTPS can rely
on Host Name verification + TLS and the fact that the java keystore
(the same one that we use for xml rpc) is secure. This is good enough
for XML RPC today and should hence suffice for REST as well.

Requests _not_ originating from the sipx proxy domain over HTTPS will
be sent to another port and are required to supply a pin. This pin
will be supplied over https and hence the interaction is secure
(cannot be snooped). The REST resource can do a one way hash using
this pin and compare with the pintoken and reject the request if the
two don't match.

Any comments on the above?

QUESTION: How is the pintoken computed from the pin?

Thanks

Ranga
-- 
M. Ranganathan
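The pin check proposed in the message above, as an added example that is not sipXecs code: it reads pintokens from a constructed validusers.xml fragment, hashes the pin a client supplies in an HTTP Basic header over HTTPS, and compares the result with the stored pintoken in constant time. The pintoken formula (MD5 of "user:realm:pin", the HA1 form SIP digest authentication uses), the realm and the element names are assumptions to be verified against sipXconfig's own encoder.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed validusers.xml fragment; element names are an assumption.
VALIDUSERS_XML = """<validusers>
  <user>
    <userid>200</userid>
    <pintoken>{token}</pintoken>
  </user>
</validusers>"""

REALM = "example.com"  # the SIP realm sipXconfig is configured with (assumed)


def compute_pintoken(userid, realm, pin):
    """One-way hash of the pin. ASSUMED form: MD5("user:realm:pin")."""
    return hashlib.md5(f"{userid}:{realm}:{pin}".encode()).hexdigest()


def load_pintokens(xml_text):
    """Map userid -> pintoken from a validusers.xml document."""
    root = ET.fromstring(xml_text)
    return {u.findtext("userid"): u.findtext("pintoken") for u in root.findall("user")}


def basic_header(userid, pin):
    """Build the Authorization header a client sends over HTTPS."""
    return "Basic " + base64.b64encode(f"{userid}:{pin}".encode()).decode()


def verify_basic_auth(header, pintokens, realm):
    """Check a Basic header against stored pintokens; the pin itself is never stored."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        userid, _, pin = base64.b64decode(blob).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # Unknown user yields "" so the compare below fails without revealing why.
    stored = pintokens.get(userid, "")
    # Constant-time compare so response time does not leak how much of the token matched.
    return hmac.compare_digest(compute_pintoken(userid, realm, pin), stored)


def demo():
    tokens = load_pintokens(VALIDUSERS_XML.format(token=compute_pintoken("200", REALM, "1234")))
    ok = verify_basic_auth(basic_header("200", "1234"), tokens, REALM)
    # Presenting the stored token itself as the pin is rejected: it is hashed again.
    token_as_pin = verify_basic_auth(basic_header("200", tokens["200"]), tokens, REALM)
    return ok, token_as_pin
```

Because the server hashes whatever it receives, the stored digest is not accepted as a credential on this port, which is the property Damian's remark about MD5 in place of the PIN in Basic auth is about.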