[SIPForum-discussion] Proxy-to-User Authentication
Robert Sparks
rjsparks at nostrum.com
Mon Mar 19 13:35:04 UTC 2007
It would be an odd edge condition for it to be appropriate for you to
return a 404 (given that you returned a 401 the first time). That means
that whoever resubmitted the request with credentials has credentials
that you are willing to accept as valid for a resource you don't know
about. If you have a policy that anyone with an account can modify the
registration for any AoR on your system, I could see this happening.
Typical systems bind a set of credentials fairly tightly to an AoR (this
username password can only be used with this AoR and it's the only
username password pair I'll accept for that AoR). In that situation,
returning a 404 would only make sense if you had recently deleted the
resource but hadn't invalidated the credentials yet.
If the credentials in the second request aren't good, you'll return
another 401.
RjS
On Mar 19, 2007, at 2:01 PM, Martin Weiglhofer wrote:
> Dear all,
>
> assume that a user tries to register a contact address on a registrar
> which requires authentication, but the user is not known by the
> registrar. The user sends a REGISTER message (without authentication
> credentials) which is answered with a "401 Unauthorized" response. Now
> the user sends a second REGISTER request which includes an
> Authorization header field. What should be the response of the server
> to the second REGISTER request? Should the registrar again reply with
> a "401 Unauthorized", or should the registrar reject the request with
> a "404 Not Found"?
>
> Thanks in advance.
>
> Regards
> Martin
>
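The registrar decision described in the reply above, written out as an added example (it is not code from either poster or from any SIP stack). The `Registrar` class, the `any_account_any_aor` policy flag, the `example.org` realm and the caller-supplied nonce are assumptions made for illustration; the digest is the RFC 2617 MD5 form without qop.

```python
import hashlib
import hmac

REALM = "example.org"  # constructed realm for this example


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def ha1(username, password):
    # RFC 2617 A1 hash; the registrar stores this instead of the password
    return _md5(f"{username}:{REALM}:{password}")


def digest(ha1_hex, uri, nonce):
    # Digest response without qop: MD5(HA1:nonce:MD5(method:uri))
    return _md5(f"{ha1_hex}:{nonce}:{_md5('REGISTER:' + uri)}")


def client_auth(username, password, uri, nonce):
    # What a UA would place in the Authorization header (reduced to two fields)
    return {"username": username,
            "response": digest(ha1(username, password), uri, nonce)}


class Registrar:
    def __init__(self, any_account_any_aor=False):
        self.aors = set()   # AoRs the registrar currently knows about
        self.creds = {}     # username -> (HA1, AoR the credentials are bound to)
        self.any_account_any_aor = any_account_any_aor

    def add_user(self, username, password, aor):
        self.aors.add(aor)
        self.creds[username] = (ha1(username, password), aor)

    def register(self, aor, uri, nonce, auth=None):
        """Status code for a REGISTER that targets `aor`."""
        if auth is None or auth["username"] not in self.creds:
            return 401      # no credentials, or an account we do not know
        stored_ha1, bound_aor = self.creds[auth["username"]]
        if not hmac.compare_digest(digest(stored_ha1, uri, nonce), auth["response"]):
            return 401      # credentials are not good: challenge again
        if not self.any_account_any_aor and bound_aor != aor:
            return 401      # valid pair, but not the one accepted for this AoR
        if aor not in self.aors:
            return 404      # accepted credentials, resource no longer known
        return 200
```

With credentials bound to one AoR, the 404 branch is reached only after the AoR has been removed while its credentials are still stored; with `any_account_any_aor=True` it is also reached when a valid account targets an AoR the registrar does not know.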