> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Krzeminski, Damian (BL60:9D30)
> Sent: Wednesday, August 12, 2009 2:22 PM
> To: [email protected]
> Subject: Re: [sipX-dev] REST API plain text vs MD5 digest authentication
>
> Peter Fowler wrote:
> >
> > This issue/question came up on today's scrum.
> >
> > From the sipXivr process I want to use various REST APIs. E.g. I am
> > trying to use the newly added REST API for searching phonebooks.
> >
> > The issue is that many (all?) of the REST APIs in SipX require plain
> > text user PINs whereas I only have access to the MD5 digest of the PIN
> > (from validusers.xml). E.g.
> >
> > https://200:1...@domain_name:8443/sipxconfig/...
> >
> > Ideally I would like to pass the MD5 digest of the PIN instead. I had
> > a quick look at security.beans.xml but didn't go much farther than
> > that prior to asking for input on the Dev list:
> >
> > - is this a reasonable request?
>
> Supporting DIGEST authentication in sipXconfig REST is definitely a valid request.
> Using MD5 DIGEST in place of the PIN in BASIC authentication is probably not (security gurus are welcome to chime in).
>
> > - how to proceed, what files/code would need to change?
> >
> > Not sure: security.beans.xml is where I would start...
>
> That probably needs to be changed by reconfiguring Acegi filters. But we may need to update Acegi since we are using some ancient version.
> I'll be looking at this problem this month if no-one gets there before me since we need to tackle XX-6166 anyway.
>
> Now - let's take a step back...
> I assume you are authenticating users somehow (you should not be accessing user credentials in validusers.xml without authenticating users - that opens a whole slew of security problems).
> Maybe the right answer to this question is to allow authenticating users with whatever credentials you already have?
> For example if those users are XMPP users sipXconfig configures them and could use those to authenticate REST requests.
> D.
>
> _______________________________________________
> sipx-dev mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-dev
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
> sipXecs IP PBX -- http://www.sipfoundry.org/
My Personal Assistant Bot will only include the Jabber addresses of SipX users in its roster, and those users will authenticate with OpenFire to log in with their XMPP client. As such my Bot doesn't have any direct access to credentials. If people don't think this is secure enough, let me know. Could ask the user to enter the PIN in the chat session since the session is over TLS. Just need to ensure the chat history somehow would not include the PIN!

Otherwise, I'll leave this problem (XX-6166) in your much more capable hands.

Peter
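The distinction Damian draws in the quoted message (Digest authentication driven by a stored MD5 digest is a legitimate request; sending that digest as the password in Basic authentication is not) is easier to see in code. The following is an added example written for this page, not sipXconfig, sipXivr or Acegi code: it implements the RFC 2617 Digest exchange (qop=auth) on both sides, with the server holding only HA1 = MD5(user:realm:pin) in the shape of a validusers.xml entry, and contrasts it with a Basic check. The realm name "sipxconfig", user 200, the PIN "1234" and the REST paths are constructed assumptions, not values from sipXecs.

```python
"""Digest auth from a stored MD5 digest vs. Basic auth carrying that digest.

Added illustration, not sipXconfig/Acegi code. Realm, user, PIN and URIs are
constructed; the real sipXecs realm and validusers.xml layout are assumed.
"""
import base64
import hashlib
import hmac
import os

REALM = "sipxconfig"  # assumed realm name


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed credential store: like validusers.xml, the server holds only
# HA1 = MD5(user:realm:pin), never the plaintext PIN.
SAMPLE_PIN = "1234"
USER_DB = {"200": md5hex(f"200:{REALM}:{SAMPLE_PIN}")}


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_digest_header(username: str, ha1: str, method: str, uri: str,
                         nonce: str, cnonce: str, nc: str = "00000001") -> dict:
    """Authorization: Digest fields built from HA1 alone: a client that only
    has MD5(user:realm:pin) (the sipXivr situation) can answer the challenge
    without ever knowing or sending the PIN."""
    return {
        "username": username, "realm": REALM, "nonce": nonce, "uri": uri,
        "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, nonce, nc, cnonce),
    }


def server_verify_digest(header: dict, method: str, issued_nonces: set) -> bool:
    """Server side: recompute from stored HA1 and compare. The response is
    bound to nonce, method and URI, so a captured header cannot be replayed
    against another request or once the nonce is retired."""
    ha1 = USER_DB.get(header.get("username", ""))
    if ha1 is None or header.get("realm") != REALM or header.get("nonce") not in issued_nonces:
        return False
    expected = digest_response(ha1, method, header["uri"], header["nonce"],
                               header["nc"], header["cnonce"])
    return hmac.compare_digest(expected.encode(), header.get("response", "").encode())


def basic_header(username: str, password: str) -> str:
    """Authorization: Basic value, base64(user:password), identical on every request."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def server_verify_basic(header: str, accept_stored_digest: bool = False) -> bool:
    """Server side of Basic against the HA1 store. Normally the supplied
    password is hashed with user and realm, so a client that only knows HA1
    fails (what the thread ran into). accept_stored_digest models the proposed
    shortcut of comparing the supplied value to HA1 directly: the stored digest
    becomes a password equivalent that anyone who reads validusers.xml, or
    captures a single header, can reuse on any request, indefinitely."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        return False
    user, _, secret = base64.b64decode(b64).decode().partition(":")
    stored = USER_DB.get(user)
    if stored is None:
        return False
    if accept_stored_digest and hmac.compare_digest(stored.encode(), secret.encode()):
        return True
    return hmac.compare_digest(stored, md5hex(f"{user}:{REALM}:{secret}"))


def new_nonce() -> str:
    return os.urandom(16).hex()


def demo() -> dict:
    """Run the exchange as a client holding only HA1 for user 200."""
    ha1 = USER_DB["200"]
    nonce, cnonce = new_nonce(), new_nonce()
    issued = {nonce}
    uri = "/sipxconfig/rest/phonebook"  # assumed path, not the real REST URL
    hdr = client_digest_header("200", ha1, "GET", uri, nonce, cnonce)
    return {
        "digest_with_ha1": server_verify_digest(hdr, "GET", issued),
        "digest_replayed_other_uri": server_verify_digest(
            dict(hdr, uri="/sipxconfig/rest/other"), "GET", issued),
        "digest_stale_nonce": server_verify_digest(hdr, "GET", set()),
        "basic_with_pin": server_verify_basic(basic_header("200", SAMPLE_PIN)),
        "basic_with_ha1": server_verify_basic(basic_header("200", ha1)),
        "basic_with_ha1_shortcut": server_verify_basic(basic_header("200", ha1), True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the two halves of Damian's point: the Digest path succeeds with nothing but HA1 and rejects both a stale nonce and the same header replayed against a different URI, while the Basic path either rejects HA1 outright (the failure Peter hit) or, with the shortcut enabled, accepts a static, replayable credential that is exactly the value sitting in validusers.xml. Digest over TLS also does nothing for the separate concern in the thread, which is who is allowed to read validusers.xml in the first place.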
