Introduction

This tutorial describes how to configure security realms to provide authentication and access control for SIP applications running in Cipango. A realm has a unique name and is composed of a set of users. Each user has authentication information (for example, a password) and a set of associated roles.

Declarative security is not available in Cipango before version 2.1.1.

SIP application configuration

Declarative security is enabled with the following content in sip.xml:

<?xml version="1.0" encoding="UTF-8"?>
<sip-app  xmlns="http://www.jcp.org/xml/ns/sipservlet"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.jcp.org/xml/ns/sipservlet http://www.jcp.org/xml/ns/sipservlet/sip-app_1_1.xsd"
          version="1.1">

  <!-- Ensure that all access to the servlet named MyAuthServlet is authenticated -->
  <security-constraint>
    <resource-collection>
      <resource-name>Auth resource</resource-name>
      <servlet-name>MyAuthServlet</servlet-name>
    </resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Ensure that all REGISTER and INVITE methods are authenticated and restricted to the role 'user' -->
  <security-constraint>
    <resource-collection>
      <resource-name>Method Auth resource</resource-name>
      <sip-method>INVITE</sip-method>
      <sip-method>REGISTER</sip-method>
    </resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Use realm name cipango.org and Digest for authentication -->
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>cipango.org</realm-name>
  </login-config>
</sip-app>

As in Jetty, a LoginService must also be provided for declarative security to work.
It can be provided as a single realm that shares common security information across all of your SIP applications:

<Configure id="Server" class="org.cipango.server.Server">
 
...
    <Call name="addBean">
      <Arg>
        <New class="org.eclipse.jetty.security.HashLoginService">
          <Set name="name">Test Realm</Set>
          <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
          <Set name="refreshInterval">0</Set>
        </New>
      </Arg>
    </Call>
 
</Configure>

or it can be provided for a single application using jetty-web.xml (this file should be located in the same directory as sip.xml):

<?xml version="1.0" encoding="ISO-8859-1"?>
<Configure class="org.cipango.sipapp.SipAppContext">
  <Get name="sipSecurityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.security.HashLoginService">
            <Set name="name">cipango.org</Set>
            <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
      </New>
    </Set>
  </Get>

</Configure>

with a realm.properties like:

other: OBF:1xmk1w261u9r1w1c1xmq,user
plain: plain,user
user: password,user

The password must not be stored in hashed form (using MD5, for instance), because Digest authentication is used and the server needs the password itself to compute the expected response.
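
Why a hashed password cannot be used with Digest, as an added example that is not part of the original tutorial or of Cipango's code: it parses entries in the realm.properties format above and verifies an RFC 2617 Digest response (without qop) for a REGISTER. The "hashed" entry, the nonce and the request URI used with it are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample in the realm.properties format shown above; the "hashed"
# entry is added to show the failure mode (OBF: entries are left out, they
# would first need Jetty's deobfuscation).
REALM_PROPERTIES = """\
plain: plain,user
user: password,user
hashed: MD5:5f4dcc3b5aa765d61d8327deb882cf99,user
"""
ONE_WAY_PREFIXES = ("MD5:", "CRYPT:")  # Jetty prefixes for one-way credentials


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_realm(text):
    """Parse 'user: credential,role,...' lines into {user: (credential, roles)}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, _, rest = line.partition(":")
        credential, *roles = [part.strip() for part in rest.split(",")]
        users[name.strip()] = (credential, roles)
    return users


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # needs the password itself
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def check(users, user, realm, method, uri, nonce, response):
    """Return 'ok', 'bad-response' or 'unusable-credential' for one request."""
    credential, _roles = users[user]
    if credential.startswith(ONE_WAY_PREFIXES):
        # MD5(password) cannot be turned into MD5(user:realm:password).
        return "unusable-credential"
    expected = digest_response(user, realm, credential, method, uri, nonce)
    return "ok" if hmac.compare_digest(expected, response) else "bad-response"
```

A client that knows the right password for the "hashed" user is still rejected, because the server cannot rebuild HA1 from the stored one-way value.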

Additional Resources