<div dir="ltr"><div><div><div><div>Well, reopening that thread seaking for some help again :(<br></div>The solution is working pretty nice, and my config looks like that<br> # authenticate requests<br> if has_credentials("****"){<br> $var(y) = @msg.header.Authorization;<br> xlog("$var(y)");<br> exec_avp("/etc/kamailio/login.py '$var(y)' '$rm'", "$avp(s:test)");<br> xlog("$avp(s:test)");<br> }<br><br> if ($avp(s:test) != "1") {<br> www_challenge(****", "1");<br> exit;<br> }<br><br></div>login.py returns 1 if creds are OK and 0 if no.<br></div>Now I'm seeking help with such question - as I understand, currently anyone can register or auth his requests by using same Authorization header for all purposes. So, I mean, someone can grab Auth header from the user's packet and just use it to dig in the server. <br></div>How to avoid that? As I understood it's implemented in Kamailio. Can you please tell me? Or give a link to RFC/doc where this is described? As I understood, I'll need to implement that in my script, or maybe I can use some built-it functions?<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-11-13 19:52 GMT+02:00 Alexandru Covalschi <span dir="ltr"><<a href="mailto:568691@gmail.com" target="_blank">568691@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Many thanks for you help Sebastian! <br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">2015-11-13 19:13 GMT+02:00 Sebastian Damm <span dir="ltr"><<a href="mailto:damm@sipgate.de" target="_blank">damm@sipgate.de</a>></span>:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><span><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 13, 2015 at 3:43 PM, Alexandru Covalschi <span dir="ltr"><<a href="mailto:568691@gmail.com" target="_blank">568691@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">What if I don't need a plaintext password on Kamailio? I mean, I don't want to user pv_www_authenticate or other auth functions again - I need to fully control AUTH on API. Is it ok to just send 200 OK to client if API tells me that password is ok?<br></div><div class="gmail_extra"></div></blockquote></div><br></div></span><div class="gmail_extra">You don't need to use pv_*_authenticate. This is just an internal function which tells you, whether your user supplied correct credentials or not. You can replace it by checking the return code or output of the script and then continue in your dialplan. You could then call save() from the registrar module, which automatically sends a 200 OK to your user (unless you explicitly prevent it from doing so).<span><font color="#888888"><br><br></font></span></div><span><font color="#888888"><div class="gmail_extra">Sebastian<br></div></font></span></div>
<br></div></div><span class="">_______________________________________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org" target="_blank">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br>
<br></span></blockquote></div><span class=""><br><br clear="all"><br>-- <br><div><div dir="ltr">Alexandru Covalschi<br>ABRISS-Solutions<div>VoIP engineer and system administrator<br>phone: <a href="tel:%2B37367398493" value="+37367398493" target="_blank">+37367398493</a><br>web: <a href="http://abs-telecom.com/" target="_blank">http://abs-telecom.com/</a></div></div></div>
</span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Alexandru Covalschi<br>ABRISS-Solutions<div>VoIP engineer and system administrator<br>phone: +37367398493<br>web: <a href="http://abs-telecom.com/" target="_blank">http://abs-telecom.com/</a></div></div></div>
</div>