Re: [SR-Users] Grab users password from WWW-Auth header

Tue, 24 Nov 2015 08:34:04 -0800 

Well, reopening that thread seaking for some help again :(
The solution is working pretty nice, and my config looks like that
                # authenticate requests
                if has_credentials("****"){
                        $var(y) = @msg.header.Authorization;
                        xlog("$var(y)");
                        exec_avp("/etc/kamailio/login.py '$var(y)' '$rm'",
"$avp(s:test)");
                        xlog("$avp(s:test)");
                }

                if ($avp(s:test) != "1") {
                        www_challenge(****", "1");
                        exit;
                }

login.py returns 1 if creds are OK and 0 if no.
Now I'm seeking help with such question - as I understand, currently anyone
can register or auth his requests by using same Authorization header for
all purposes. So, I mean, someone can grab Auth header from the user's
packet and just use it to dig in the server.
How to avoid that? As I understood it's implemented in Kamailio. Can you
please tell me? Or give a link to RFC/doc where this is described? As I
understood, I'll need to implement that in my script, or maybe I can use
some built-it functions?

2015-11-13 19:52 GMT+02:00 Alexandru Covalschi <568...@gmail.com>:

> Many thanks for you help Sebastian!
>
> 2015-11-13 19:13 GMT+02:00 Sebastian Damm <d...@sipgate.de>:
>
>>
>> On Fri, Nov 13, 2015 at 3:43 PM, Alexandru Covalschi <568...@gmail.com>
>> wrote:
>>
>>> What if I don't need a plaintext password on Kamailio? I mean, I don't
>>> want to user pv_www_authenticate or other auth functions again - I need to
>>> fully control AUTH on API. Is it ok to just send 200 OK to client if API
>>> tells me that password is ok?
>>>
>>
>> You don't need to use pv_*_authenticate. This is just an internal
>> function which tells you, whether your user supplied correct credentials or
>> not. You can replace it by checking the return code or output of the script
>> and then continue in your dialplan. You could then call save() from the
>> registrar module, which automatically sends a 200 OK to your user (unless
>> you explicitly prevent it from doing so).
>>
>> Sebastian
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users@lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>
>
> --
> Alexandru Covalschi
> ABRISS-Solutions
> VoIP engineer and system administrator
> phone: +37367398493
> web: http://abs-telecom.com/
>



-- 
Alexandru Covalschi
ABRISS-Solutions
VoIP engineer and system administrator
phone: +37367398493
web: http://abs-telecom.com/

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Reply via email to