Hi Josep,
When a request is challenged with 407 (containing proxy-authenticate header),
the request should be re-submitted with proxy-authorization header.
Please refer the following section is RFC-3261:
22.3 Proxy-to-User Authentication
Similarly, when a UAC sends a request to a proxy server, the proxy
server MAY authenticate the originator before the request is
processed. If no credentials (in the Proxy-Authorization header
field) are provided in the request, the proxy can challenge the
originator to provide credentials by rejecting the request with a 407
(Proxy Authentication Required) status code. The proxy MUST populate
the 407 (Proxy Authentication Required) message with a Proxy-
Authenticate header field value applicable to the proxy for the
requested resource.
The use of Proxy-Authenticate and Proxy-Authorization parallel that
described in [17], with one difference. Proxies MUST NOT add values
to the Proxy-Authorization header field. All 407 (Proxy
Authentication Required) responses MUST be forwarded upstream toward
the UAC following the procedures for any other response. It is the
UAC's responsibility to add the Proxy-Authorization header field
value containing credentials for the realm of the proxy that has
asked for authentication.
If a proxy were to resubmit a request adding a Proxy-Authorization
header field value, it would need to increment the CSeq in the new
request. However, this would cause the UAC that submitted the
original request to discard a response from the UAS, as the CSeq
value would be different.
In your scenario, proxy-authorization header in INVITE request should be sent
after challenge with 407 response.
Thanks,
Alok Tiwari
Aricent
-----Original Message-----
From: sip-implementors-boun...@lists.cs.columbia.edu
[mailto:sip-implementors-boun...@lists.cs.columbia.edu] On Behalf Of Josep
Benavent
Sent: Thursday, January 14, 2010 4:44 PM
To: sip-implementors@lists.cs.columbia.edu
Subject: [Sip-implementors] 407 Authentication failure
Hello,
I'm developing a UA using JAIN-SIP that connect to Asterisk server and I
can't complete an INVITE process correctly.
The dialogue I implemented is:
1. Send register
2. Received a trying and a 401 Unauthorized
3. I send a register again with the authorization header (with the nonce and
the response fields )
4. Received a TRYING and a 200 OK messages.
At this point, I received some UDP packets from the SER continuously (I
suppose I had registered correctly).
Now, I send and INVITE message (without authorization header) and I receive
a 407 Authentication failure message. I send an ACK and again an INVITE
message now, with authorization header (response) and using the nonce I
received in the last 407 message, but I always receive again 407 message as
response from the server.
I detail the authorization headers following:
*Authorization header in 407 message:*
Proxy-Authenticate: Digest realm="i2cat.net",
nonce="4b4ef99f88dede8c57be94d4c63464f9d268fbc5"
*Authorization header in INVITE message:*
Authorization: Digest username="josep.benavent",realm="i2cat.net
",nonce="4b4ef99f88dede8c57be94d4c63464f9d268fbc5",uri="
sip:xavier.ca...@i2cat.net <sip%3axavier.ca...@i2cat.net>
",response="d6b6a75c32bc237984f03ffb26d9d745",algorithm=MD5
(I incremented de CSeq number correctly with each INVITE message).
OK, I suppose my error is in the function that creates the response with a
nonce value in the INVITE message, I detail following:
MessageDigestAlgorithm digest = new
MessageDigestAlgorithm();
String responseCode = digest.calculateResponse("MD5",
this.user, response.getRealm(), this.pwd, response.getNonce(), null, null,
Request.INVITE,uri.toString(), null, null);
(Variables values are that you can see in the Authorization header in INVITE
message detail).
Does any body know what are the values I need to create a correct
responseCode? I also tried to include a Cnonce value in the
digest.calculateResponse function with any result.
Any idea will be welcome.
Thank you for your attention,
Josep Benavent
_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
________________________________
"DISCLAIMER: This message is proprietary to Aricent and is intended solely for
the use of the individual to whom it is addressed. It may contain privileged or
confidential information and should not be circulated or used for any purpose
other than for what it is intended. If you have received this message in error,
please notify the originator immediately. If you are not the intended
recipient, you are notified that you are strictly prohibited from using,
copying, altering, or disclosing the contents of this message. Aricent accepts
no responsibility for loss or damage arising from the use of the information
transmitted by this email including damage from virus."
_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
