[OpenSIPS-Devel] Add X-XCAP-Preferred-Identity header to XCAP clients

Iñaki Baz Castillo ibc at aliax.net
Thu Nov 19 12:58:20 CET 2009


On Thursday, 19 November 2009, Thiago Rondon wrote:
> Iñaki,
> 
> In this scenario that you said, alice could fetch bob's icon store in
> the XCAP server by authentication as alice, how the security roles works?
> 
> For example, if you can just give access to alice to see bob's icon if
> alice in the 'whitelist' of presence-rules.xml ?

That's a very good question for which there is no specification (AFAIK).
However the server could have local policies (i.e.: alice can get bob's icon, 
after authentication, since alice's domain matches bob's domain).

Inspecting the pres-rules of bob would be the most elegant solution: if bob 
allows alice to see his status, then it makes sense that alice could fetch 
bob's icon (same as in XMPP, MSN networks).

However it requires that the XCAP server inspect bob's pres-rules, but it 
could be feasible.

> 
> Thanks!
> -Thiago Rondon
> 
> Iñaki Baz Castillo wrote:
> > Hi, authorization in IETF's pure XCAP is not defined. This is: a XCAP
> > request doesn't identify the originator but just the requested user's
> > document.
> >
> > A far too simplistic workaround is requiring authentication for all the
> > requests and allowing the request only if the credentials' username matches
> > the request XUI.
> >
> > However this is not valid for some cool XCAP applications such as fetching
> > users' icons (alice couldn't fetch bob's icon stored in the XCAP server as
> > alice cannot authenticate as bob).
> >
> > As I said above, IETF didn't manage it. Instead there are some solutions
> > born in OMA, 3GPP and so on...
> >
> > The solution is adding an identity header in the client request
> > identifying the desired identity (SIP or TEL URI), so the server would
> > ask for authentication based on the identity rather than on the XUI. This
> > would allow the server to authorize alice (after authentication) to
> > access bob's icon.
> >
> > This header can be:
> >
> >   X-XCAP-Preferred-Identity
> >     and/or
> >   X-3GPP-Preferred-Identity
> >
> > In OMA architecture, where there is an aggregation proxy in front of the
> > XCAP servers, the proxy authenticates the client and asserts its identity
> > by adding "X-XCAP/3GPP-Asserted-Identity" (some mechanism as in pure SIP
> > protocol).
> >
> > I've already implemented it in my Ruby XCAP client library (version 1.2):
> >   http://dev.sipdoc.net/projects/ruby-xcapclient/news
> >
> > I suggest including it in other XCAP clients (AG's Python xcapclient,
> > sipsimpleclient, Blink...).
> >
> > Regards.
> 


-- 
Iñaki Baz Castillo <ibc at aliax.net>
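One way an XCAP server could implement the decision discussed in this thread (credentials must prove the X-XCAP-Preferred-Identity / X-3GPP-Preferred-Identity, the owner always gets his own documents, and otherwise bob's pres-rules whitelist or a same-domain local policy decides), as an added Ruby example that is not part of this thread or of ruby-xcapclient. The pres-rules document, the header hash, the path layout and the `allow_same_domain` option are constructed assumptions for the example.

```ruby
require 'rexml/document'
require 'cgi'
# Constructed pres-rules document for bob (common-policy / pres-rules, simplified):
# alice is whitelisted by name, everyone at partner.example by domain.
BOB_PRES_RULES = <<~XML
  <cr:ruleset xmlns:cr="urn:ietf:params:xml:ns:common-policy"
              xmlns:pr="urn:ietf:params:xml:ns:pres-rules">
    <cr:rule id="wl">
      <cr:conditions>
        <cr:identity>
          <cr:one id="sip:alice@example.com"/>
          <cr:many domain="partner.example"/>
        </cr:identity>
      </cr:conditions>
      <cr:actions><pr:sub-handling>allow</pr:sub-handling></cr:actions>
    </cr:rule>
  </cr:ruleset>
XML
NS = { 'cr' => 'urn:ietf:params:xml:ns:common-policy', 'pr' => 'urn:ietf:params:xml:ns:pres-rules' }.freeze

# The XUI is the (percent-decoded) path segment after "users/",
# e.g. /xcap-root/oma_status-icon/users/sip:bob@example.com/icon (constructed layout).
def xui_from_path(path)
  m = path.match(%r{/users/([^/]+)}) or return nil
  CGI.unescape(m[1])
end

def domain_of(uri)
  uri.sub(/\A(sips?|tel):/, '').split('@').last
end

# True if some rule in the owner's pres-rules whitelists +identity+ (sub-handling "allow").
def allowed_by_pres_rules?(xml, identity)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//cr:rule', NS).any? do |rule|
    next false unless REXML::XPath.first(rule, 'cr:actions/pr:sub-handling', NS)&.text == 'allow'
    ids  = REXML::XPath.match(rule, 'cr:conditions/cr:identity/cr:one', NS).map { |e| e.attributes['id'] }
    doms = REXML::XPath.match(rule, 'cr:conditions/cr:identity/cr:many', NS).map { |e| e.attributes['domain'] }
    ids.include?(identity) || doms.include?(domain_of(identity))
  end
end

# Decision for one request: +auth_user+ is the identity that passed HTTP authentication (nil if none).
def authorize(auth_user, headers, path, owner_pres_rules, allow_same_domain: false)
  xui = xui_from_path(path) or return :deny
  return :deny if auth_user.nil?            # unauthenticated: challenge first, decide nothing
  asserted = headers['X-XCAP-Preferred-Identity'] || headers['X-3GPP-Preferred-Identity'] || auth_user
  return :deny unless asserted == auth_user # credentials must prove the preferred identity
  return :allow if asserted == xui          # owner reading his own documents
  return :allow if allow_same_domain && domain_of(asserted) == domain_of(xui) # local policy
  allowed_by_pres_rules?(owner_pres_rules, asserted) ? :allow : :deny
end
```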


