Hi Rafael,
You shouldn't authenticate requests within the dialog (with to_tag), but
only the initial requests (which create the dialog).
To be sure "from" is the same as "credentials", call check_from() after
authentication was confirmed - this way, further in your script, you
can check "from" with the same confidence as for "credentials".
Best regards,
Marian
Rafael J. Risco G.V. wrote:
Marian
thanks a lot again, it works with uri "from" instead of "credentials",
I also changed my script to challenge all non-register messages just
to ensure CANCELs and INVITEs follow the same path, is that correct?
(...according to Jan "auth module will never challenge ACKs and
CANCELs, it will always return that the authentication was successful"),
by the way, is there any security disadvantage in using "from"
instead of credentials?
best regards
rafael
PS: that's my new register and non-register auth method:
if (method == "REGISTER") {
    log(1, "ANALYZING REGISTER REQUEST\n");
    if (is_user_in("Request-URI", "deactivated")) {
        sl_send_reply("402", "Su cuenta fue desactivada");
        break;
    };
    ### digest authentication
    if (!www_authorize("mydomain.com.pe", "subscriber")) {
        www_challenge("mydomain.com.pe", "0");
        break;
    };
    if (!save("location")) {
        sl_reply_error();
    };
    break;
};
if (!method == "REGISTER" && src_ip!=GW_AS5350_IP) {
    log(1, "ANALYZING INVITE||CANCEL... REQUESTs\n");
    if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
        proxy_challenge("mydomain.com.pe", "1");
        break;
    };
    /* ***************** Dial out to Local and PSTN logic ****************** */
    # forward n digit requests to gateway AS5350 (mobile phones)
    if(uri=~"^sip:9"){
        log(1," digit expression match - Celulares");
        if (!is_user_in("from", "mobile")) {
            sl_send_reply("403", "No permission for mobile calls");
            break;
        };
        rewritehostport("GW_AS5350_IP:5060");
        route(1); ##Nathelper
        break;
    };
};
......
.
.
.
On Sat, 26 Mar 2005 23:55:28 +0100, Marian Dumitru
<marian.dumitru(a)voice-sistem.ro> wrote:
Hi Rafael,
the cancelling doesn't work because you process the INVITEs and CANCELs
in a different way and because of this the CANCEL cannot follow the same
path as the INVITE.
As CANCEL is not authenticated (and it should not be), the
is_user_in("credentials", "mobile") will fail for CANCELs and you will
reply with "403 No permission for mobile calls".
Either replace "credentials" with "from", or skip this test for
CANCELs.
Best regards,
Marian
--
Voice System
http://www.voice-system.ro
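
Added example, not part of the thread and not the posters' own script: one way to lay out the non-REGISTER branch so that it follows the advice in the top reply (authenticate only dialog-creating requests, then call check_from() before trusting "from"). It assumes the auth, auth_db, uri, group, textops and sl modules are loaded, that route(1) relays as in the quoted script, and that a To tag is detected with a textops search() expression, which is an assumption since the thread does not say how to test for it.

```cfg
# Sketch of the non-REGISTER branch only; realm, table and group names are
# the ones used in the script quoted in this thread.

# 1. Requests inside a dialog carry a To tag: relay them without a challenge.
#    (Assumption: the tag is detected with a textops regex on the To header.)
if (search("^(To|t)[ ]*:.*;tag=")) {
    route(1);
    break;
};

if (!method == "REGISTER") {
    # 2. ACK and CANCEL cannot answer a challenge and carry no credentials,
    #    so neither proxy_authorize() nor check_from() is applied to them.
    if (!method == "ACK" && !method == "CANCEL") {
        if (!proxy_authorize("mydomain.com.pe", "subscriber")) {
            proxy_challenge("mydomain.com.pe", "1");
            break;
        };
        # 3. Tie the From URI to the identity that just authenticated.
        #    Without this, a valid subscriber could present any From and
        #    pass a later is_user_in("from", ...) test.
        if (!check_from()) {
            sl_send_reply("403", "From does not match credentials");
            break;
        };
    };

    # 4. Group test on "from": INVITE reaches it with a verified From,
    #    CANCEL reaches it unauthenticated and so takes the same path as
    #    the INVITE it cancels.
    if (uri =~ "^sip:9") {
        if (!is_user_in("from", "mobile")) {
            sl_send_reply("403", "No permission for mobile calls");
            break;
        };
        rewritehostport("GW_AS5350_IP:5060");   # placeholder from the thread
        route(1);
        break;
    };
};
```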