Hi,
I managed to verify, using a remote IP, that there is no security break in
/mailbox REST.
In fact, this is the piece of code that ensures this:
    // For (minimal) security, check the request is arriving from THIS machine
    // TODO (change this once using https and authentication of remote party)
    if (!request.getLocalAddr().equals(request.getRemoteAddr())) {
        response.sendError(403); // Send 403 Forbidden
        return;
    }
in MailboxServlet.java
but the other REST services (/mwi and /recording) are not secured. They can
be accessed from remote IP.
My question is: should we write authentication only for /mailbox REST, or
for all REST calls made in IVR?
Also, with regard to authentication, I would vote for secured Digest
Authentication (HTTPS Digest Authentication).
What do you think?
Thanks,
Mircea
_______________________________________________
sipx-dev mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-dev/
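
Added example, not part of the original message and not sipXecs code: one way to apply the same-machine check quoted from MailboxServlet.java to all three REST services at once is a servlet filter. The class name LocalOnlyFilter and the URL patterns /mailbox/*, /mwi/* and /recording/* are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (name and mapping are assumptions): enforces the
 * same-machine check from MailboxServlet for every servlet it is mapped to,
 * e.g. /mailbox/*, /mwi/* and /recording/*.
 *
 * The check compares TCP peer addresses only. It is not authentication, and
 * if a reverse proxy runs on the same host every proxied request passes it.
 */
public class LocalOnlyFilter implements Filter {

    /** True when the connection's peer address equals this machine's address. */
    static boolean isLocal(String localAddr, String remoteAddr) {
        return localAddr != null && localAddr.equals(remoteAddr);
    }

    @Override
    public void init(FilterConfig config) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!isLocal(request.getLocalAddr(), request.getRemoteAddr())) {
            // Same answer MailboxServlet gives; the target servlet never runs.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Mapping the filter in one place means a newly added REST servlet under those patterns is covered without repeating the check in each servlet.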