[SIPForum-discussion] Proxy-to-User Authentication

Martin Weiglhofer mweiglh at ist.tugraz.at
Mon Mar 19 14:52:22 UTC 2007


Thanks for the fast answer.

If I understood your explanation correctly, that means that I might
mislead the user, such that the user thinks password or username for the
authentication are incorrect. Instead the user might have configured the
wrong registration server on the SIP phone.


Robert Sparks wrote:
> It would be an odd edge condition for it to be appropriate for you to return
> a 404 (given that you returned a 401 the first time). That means that whoever
> resubmitted the request with credentials has credentials that you are willing
> to accept as valid for a resource you don't know about. If you have a policy
> that anyone with an account can modify the registration for any AoR on your
> system, I could see this happening. Typical systems bind a set of credentials
> fairly tightly to an AoR (this username password can only be used with this AoR
> and it's the only username password pair I'll accept for that AoR). In that
> situation, returning a 404 would only make sense if you had recently deleted
> the resource but hadn't invalidated the credentials yet.
> 
> If the credentials in the second request aren't good, you'll return another 401.
> 
> RjS
> 
> On Mar 19, 2007, at 2:01 PM, Martin Weiglhofer wrote:
> 
> Dear all,
> 
> Assume that a user tries to register a contact address on a registrar
> which requires authentication, but the user is not known by the
> registrar. The user sends a REGISTER message (without authentication
> credentials) which is answered with a "401 Unauthorized" response. Now
> the user sends a second REGISTER request which includes an Authorization
> header field. What should be the response of the server to the second
> REGISTER request? Should the registrar again reply with a "401
> Unauthorized", or should the registrar reject the request with a "404
> Not Found"?
> 
> Thanks in advance.
> 
> Regards
> Martin
> 

-- 
Martin Weiglhofer
Inst. f. Software Technology - Graz University of Technology
Inffeldgasse 16b/II - 8010 Graz - Austria
phone: ++43 316 873 5763
mail: weiglhofer at ist.tugraz.at
web: http://www.ist.tugraz.at/staff/weiglhofer
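
The decision logic Robert Sparks describes in the quoted reply, as an added example that is not part of the original thread: a toy registrar that binds one username/password pair to each AoR, answers 401 whenever the credentials are missing or not acceptable, and returns 404 only when valid credentials outlive a deleted AoR. The `Registrar` class, the realm, the caller-supplied nonce and the sample accounts are assumptions made for illustration; the digest is the RFC 2617 form without qop.

```python
import hashlib
import hmac

REALM = "example.org"  # constructed realm, not from the thread


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Hypothetical registrar: exactly one username/password pair per AoR."""

    def __init__(self):
        self.aors = set()       # AoRs the registrar currently knows
        self.credentials = {}   # AoR -> (username, password)

    def add_account(self, aor, user, password):
        self.aors.add(aor)
        self.credentials[aor] = (user, password)

    def delete_aor(self, aor, invalidate_credentials=True):
        self.aors.discard(aor)
        if invalidate_credentials:
            self.credentials.pop(aor, None)

    def handle_register(self, aor, uri, nonce, auth=None):
        """Return the status code for a REGISTER; nonce is the one we issued."""
        if auth is None:
            return 401                      # first request: challenge
        bound = self.credentials.get(aor)
        if bound is None or bound[0] != auth["username"]:
            return 401                      # no acceptable credentials for this AoR
        expected = digest_response(bound[0], REALM, bound[1], "REGISTER", uri, nonce)
        if not hmac.compare_digest(expected, auth["response"]):
            return 401                      # wrong password: challenge again
        # Credentials are valid; 404 only if the AoR itself is gone.
        return 200 if aor in self.aors else 404
```
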