[asterisk-scf-dev] CR-ASTSCF-43: commented on by Kevin P. Fleming "Sip Authentication Hook Design"

FishEye on / crucible at code.asterisk.org
Fri Jan 21 17:24:32 CST 2011


[Kevin P. Fleming][1]

####  [commented][2] on [CR-ASTSCF-43][3]

Throughout the page, please refer to authentication of SIP requesters (not the
greatest word, but it's accurate), not users or clients. If you prefer a more
friendly construction, 'issuers of SIP requests' would also work.


If RequestInfo would be subclassed to include additional information specific
to particular request types, it seems that it would be more logical to just
require that, and remove the 'method' member of the class, since it would be
duplicate information in that situation.


Nit: the nonce is randomly generated for each authentication challenge, not
re-generated.


Nit: the RequestTypeSeq declaration is missing a terminating semi-colon.


Nit: "lets" not "let's" when it is an action verb ![][4]


Nit: In the sequence diagram, the "authorize()" operation is really
"authenticate()"... this page doesn't touch on the subject of authorization,
which is a whole other kettle of worms.


Brainstorming a bit here: we discussed (in person) that a 401/407 response
could potentially include multiple WWW-Authenticate headers. Even though this
is not common usage, being able to support it seems valuable, and it would
have another beneficial side effect: if the hook returned a sequence of
DigestChallenge, it would be able to return an empty sequence and the 'doAuth'
mechanism could go away completely.


This looks really, really good at this point. Nice work.

   [1]: https://code.asterisk.org/code/user/kpfleming

   [2]: https://code.asterisk.org/code/cru/CR-ASTSCF-43#c650

   [3]: https://code.asterisk.org/code/cru/CR-ASTSCF-43

   [4]: http://code.asterisk.org/code/static/leudr0/2static/images/wiki/icons/emoticons/smile.gif

URL: https://code.asterisk.org/code/cru/CR-ASTSCF-43#c650
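
Added example, not part of the review comment or of the Asterisk SCF code: a C++ illustration of the suggestion above that the hook return a sequence of DigestChallenge, where an empty sequence means "no challenge" and each challenge issued gets its own random nonce. The struct members, `exampleHook`, `challengeHeaders`, `makeNonce` and the sample realm are assumptions; the page names the types but does not show them.

```cpp
#include <iomanip>
#include <random>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical shapes: the review names RequestInfo and DigestChallenge
// but does not show their members.
struct RequestInfo { std::string method; };
struct DigestChallenge { std::string realm, algorithm, nonce; };
using DigestChallengeSeq = std::vector<DigestChallenge>;

// 128-bit hex nonce, generated fresh for every challenge issued.
// Assumes std::random_device is backed by the OS entropy source.
std::string makeNonce() {
    std::random_device rd;
    std::ostringstream out;
    out << std::hex << std::setfill('0');
    for (int i = 0; i < 4; ++i) out << std::setw(8) << rd();
    return out.str();
}

// Hypothetical hook policy. An empty sequence means "do not challenge",
// which is what replaces a separate doAuth flag.
DigestChallengeSeq exampleHook(const RequestInfo& req) {
    // ACK and CANCEL cannot usefully be challenged (RFC 3261, section 22.1).
    if (req.method == "ACK" || req.method == "CANCEL") return {};
    return {{"example.com", "MD5", ""}, {"example.com", "SHA-256", ""}};
}

// Fills in a nonce per challenge and renders one header line per challenge.
// A 401 carries WWW-Authenticate; a 407 carries Proxy-Authenticate.
std::vector<std::string> challengeHeaders(DigestChallengeSeq& seq, bool proxy) {
    const std::string name = proxy ? "Proxy-Authenticate" : "WWW-Authenticate";
    std::vector<std::string> lines;
    for (auto& c : seq) {
        // Refuse values that could break out of the quoted string or the header.
        if ((c.realm + c.algorithm).find_first_of("\"\\\r\n") != std::string::npos)
            throw std::invalid_argument("unsafe character in challenge");
        c.nonce = makeNonce();
        lines.push_back(name + ": Digest realm=\"" + c.realm + "\", nonce=\"" +
                        c.nonce + "\", algorithm=" + c.algorithm);
    }
    return lines;
}
```

The caller keeps the filled-in nonces from the sequence so that the later Authorization header can be checked against the challenge that was actually sent.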


