...
This tutorial describes how to configure security realms to provide authentication and access control for SIP applications running in Cipango. A realm has a unique name and is composed of a set of users. Each user has authentication information (for example, a password) and a set of associated roles.
Note |
---|
Declarative security is not available in Cipango before version 2.1.1. |
Sip
...
Application configuration
In this tutorial, we'll show how to add SIP Digest authentication to the MyServlet servlet when receiving REGISTER and INVITE requests.
To add declarative security, add the following declarations in your sip.xml file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<sip-app xmlns="http://www.jcp.org/xml/ns/sipservlet"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.jcp.org/xml/ns/sipservlet http://www.jcp.org/xml/ns/sipservlet/sip-app_1_1.xsd"
         version="1.1">

  <!-- Ensure that all REGISTER and INVITE requests processed by servlet MyServlet are authenticated -->
  <security-constraint>
    <resource-collection>
      <resource-name>Protected Resource</resource-name>
      <servlet-name>MyServlet</servlet-name>
      <sip-method>INVITE</sip-method>
      <sip-method>REGISTER</sip-method>
    </resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Use realm name cipango.org and digest for authentication -->
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>cipango.org</realm-name>
  </login-config>
</sip-app>
```
As in Jetty, a LoginService must also be provided to enable declarative security.
It can be provided as a single realm that shares common security information across all of your SIP applications:
cipango.xml:

```xml
<Configure id="Server" class="org.cipango.server.Server">
  ...
  <Call name="addBean">
    <Arg>
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">Test Realm</Set>
        <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
        <Set name="refreshInterval">0</Set>
      </New>
    </Arg>
  </Call>
</Configure>
```
The next step is to declare users and their credentials. To do so, we add the following jetty-web.xml configuration file to our application (in the same directory as sip.xml). In this file we configure a LoginService, which is responsible for user management.
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<Configure class="org.cipango.sipapp.SipAppContext">
  <Get name="sipSecurityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">cipango.org</Set>
        <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
      </New>
    </Set>
  </Get>
</Configure>
```
The final step is to populate the realm.properties file located in the etc directory of your Cipango installation with all desired users and passwords. Each line in the file contains a username, a password, and 0 or more role assignments. For instance, to grant access to alice and bob with passwords foo and bar, add the following lines:
```
alice: foo
bob: bar
```

Note |
---|
The password must not be stored in hashed form (using MD5, for instance), because Digest authentication is used and the server needs the cleartext password to check the response. |
You may now send REGISTER and INVITE requests to your servlet. These requests are authenticated and access is granted only to users alice or bob.
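
Why the note about unhashed passwords matters, as an added Python example that is not Cipango or Jetty code: the Digest response is built from MD5(user:realm:password), so a server that only holds an MD5 of the password cannot recompute it. The nonce and request URI are constructed sample values, the check is the simplified form without qop, and `MD5:` is the prefix Jetty uses for hashed credentials.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_realm_properties(text):
    """Parse 'username: password[,role ...]' lines into {user: (credential, roles)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        credential, *roles = [part.strip() for part in rest.split(",")]
        users[name.strip()] = (credential, roles)
    return users

def digest_response(user, realm, password, method, uri, nonce):
    """Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # needs the cleartext password
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_accepts(users, realm, user, method, uri, nonce, response):
    """Simplified server check: recompute the response from the stored credential."""
    if user not in users:
        return False
    stored, _roles = users[user]
    expected = digest_response(user, realm, stored, method, uri, nonce)
    return hmac.compare_digest(expected, response)

# Constructed sample values (not from a real capture).
REALM = "cipango.org"
URI = "sip:cipango.org"
NONCE = "constructed-nonce-0001"
CLEARTEXT_FILE = "alice: foo\nbob: bar\n"
HASHED_FILE = "alice: MD5:" + md5_hex("foo") + "\n"

def demo():
    # What alice's user agent sends for a REGISTER, knowing the password "foo".
    response = digest_response("alice", REALM, "foo", "REGISTER", URI, NONCE)
    ok_clear = server_accepts(parse_realm_properties(CLEARTEXT_FILE), REALM,
                              "alice", "REGISTER", URI, NONCE, response)
    ok_hashed = server_accepts(parse_realm_properties(HASHED_FILE), REALM,
                               "alice", "REGISTER", URI, NONCE, response)
    return ok_clear, ok_hashed

if __name__ == "__main__":
    print(demo())
```

The realm name is part of HA1 as well, so a response computed for `cipango.org` does not verify against a login service that uses a different realm name.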