
Configuring and Managing WebLogic SIP Server


Configuring P-Asserted-Identity Assertion

The following sections describe how the P-Asserted-Identity and privacy headers affect forwarding to trusted and non-trusted hosts, and how to configure a WebLogic SIP Server P-Asserted-Identity Asserter provider:

 


Understanding Trusted Host Forwarding with P-Asserted-Identity

WebLogic SIP Server supports the P-Asserted-Identity SIP header as described in RFC 3325. To enable use of this header, you must configure one of the two available P-Asserted-Identity Assertion providers, as described in Configuring a P-Asserted-Identity Assertion Provider.

When WebLogic SIP Server receives a message having the P-Asserted-Identity header from a trusted host configured with the provider, it logs in the user specified in the header to determine group membership and other privileges.

The presence of a P-Asserted-Identity header combined with the Privacy header also determines whether WebLogic SIP Server forwards a given message to trusted and non-trusted hosts. Figure 11-1 summarizes the forwarding restrictions with P-Asserted-Identity.

Figure 11-1 Forwarding Restrictions with P-Asserted-Identity and Privacy Headers



Overview Strict and Non-Strict P-Asserted-Identity Asserter Providers

If the contents of a P-Asserted-Identity header are invalid, or if the header is received from a non-trusted host, then the security provider returns an "anonymous" user to the SIP Servlet container. If you configured the PAsserted Identity Strict Asserter provider, an exception is also thrown so that you can audit the substitution of the anonymous user. (If you configured the basic PAsserted Identity Asserter provider, no exception is thrown.)

With either provider, if the requested resource is protected, the SIP container then uses the authentication method defined in the auth-type element in the Servlet's sip.xml deployment descriptor to authorize the request. (For example, digest authentication may be used if the Servlet specifies the digest authentication method.)

If the requested resource is not protected, the anonymous user is simply passed to the SIP Servlet without authorization.
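
The decision flow described in this section, modelled in Python as an added example (it is not WebLogic SIP Server code and does not use its API). The trusted-host address, function names, and step labels are constructed for illustration. The header check applies the RFC 3325 rule of one value (sip, sips, or tel) or two values (one sip/sips plus one tel), and using the first URI as the user is an assumption of the model.

```python
import re

TRUSTED_HOSTS = {"192.0.2.10"}  # constructed; stands in for the provider's trusted-host list

class AssertionRejected(Exception):
    """Model of the exception thrown by the strict provider."""

_VALUE = re.compile(
    r'^(?:(?:"[^"]*"|[^<>"]*?)\s*<((?:sips?|tel):[^<>\s]+)>'  # name-addr form
    r'|((?:sips?|tel):[^<>\s]+))$',                           # bare addr-spec form
    re.I)

def parse_pai(value):
    """Return the asserted URIs, or None if the value breaks the RFC 3325 rule:
    one value (sip, sips or tel) or two values (one sip/sips plus one tel).
    Simplification: values are split on commas without honouring quoting."""
    uris = []
    for part in value.split(","):
        m = _VALUE.match(part.strip())
        if not m:
            return None
        uris.append(m.group(1) or m.group(2))
    kinds = sorted("tel" if u.lower().startswith("tel:") else "sip" for u in uris)
    return uris if kinds in (["sip"], ["tel"], ["sip", "tel"]) else None

def provider(source_ip, pai_value, strict):
    """Return the asserted user; otherwise anonymous, raising instead if strict."""
    uris = parse_pai(pai_value)
    if source_ip in TRUSTED_HOSTS and uris:
        return uris[0]  # assumption: the first URI names the user to log in
    if strict:
        reason = "non-trusted host" if source_ip not in TRUSTED_HOSTS else "invalid header"
        raise AssertionRejected(f"{reason}: {source_ip} sent {pai_value!r}")
    return "anonymous"

def container(source_ip, pai_value, strict, protected, audit):
    """Return (user, next_step) for one request; audit collects strict-mode events."""
    try:
        user = provider(source_ip, pai_value, strict)
    except AssertionRejected as exc:
        audit.append(str(exc))  # the substitution is visible only with the strict provider
        user = "anonymous"
    if user != "anonymous":
        return user, "log in asserted user"
    return user, ("authenticate per sip.xml" if protected else "pass to servlet")
```

With the non-strict provider the same requests produce the same anonymous result but leave `audit` empty, so spoofed or malformed assertions go unrecorded.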

 


Configuring a P-Asserted-Identity Assertion Provider

Follow these steps to configure a security provider used to support the P-Asserted-Identity header. Note that one of two providers can be selected, as described in Overview Strict and Non-Strict P-Asserted-Identity Asserter Providers:

  1. Log in to the Administration Console for the WebLogic SIP Server domain you want to configure.
  2. In the left pane of the Console, expand the Security->Realms->myrealm->Providers->Authentication node.
  3. Select the Authentication node in the left pane.
  4. In the right pane of the Console, select one of the following options:
  5. See Overview Strict and Non-Strict P-Asserted-Identity Asserter Providers for more information.

  6. Enter a name for the new provider and click Create.
  7. Select the Details tab to display the new provider's configuration.
  8. Fill in the fields of the Details tab as follows:
  9. Click Apply.

 
