The following sections provide an overview of WebLogic SIP Server security:
WebLogic SIP Server users must be authenticated whenever they request access to a protected resource, such as a protected method within a deployed SIP Servlet. WebLogic SIP Server enables you to implement user authentication for SIP Servlets using any of the following techniques:
Authorization
SIP header to transmit the username and password to SIP Servlets. BASIC authentication is not recommended for production systems unless you can somehow ensure that all connections between clients and the WebLogic SIP Server instance are secure. This document does not provide configuration instructions for using BASIC authentication.
Different SIP Servlets deployed on WebLogic SIP Server can use different authentication mechanisms as necessary. The required authentication mechanism is specified in the auth-method
element of the SIP Servlet's sip.xml
deployment descriptor. The deployment descriptor may also define which resources are to be protected, listing specific role names that are required for access. See
Securing SIP Servlet Resources in Developing Applications with WebLogic SIP Server for information about securing resources and mapping roles in the SIP Servlet deployment descriptor.
WebLogic SIP Server authentication services are implemented using one or more authentication providers. An authentication provider performs the work of proving the identity of a user or system process, and then transmitting the identity information to other components of the system.
You can configure and use multiple authentication providers to uses different authentication methods, or to work together to provide authentication. For example, when using Digest authentication you typically configure both a Digest Identity Asserter provider to assert the validity of a digest, and a second LDAP or RDBMS authentication provider that determines the group membership of a validated user.
When linking multiple authentication providers, you must specify the order in which providers are used to evaluate a given user, and also specify how much control each provider has over the authentication process. Each provider can contribute a "vote" that specifies whether or not the provider feels a given user is valid. The provider's control flag indicates how the provider's vote is used in the authentication process.
For more information about configuring providers, see either Configuring Digest Authentication or Configuring Client-Cert Authentication.
WebLogic SIP Server also enables you to designate trusted hosts for your system. Trusted hosts are hosts for which WebLogic SIP Server performs no authentication. If the server receives a SIP message having a destination address that matches a configured trusted hostname, the message is delivered without Authentication. See sip-security in Configuring and Managing WebLogic SIP Server for more information.
WebLogic SIP Server supports the P-Asserted-Identity
SIP header as described in RFC3325. This functionality automatically logs in using credentials specified in the P-Asserted-Identity
header when they are received form a trusted host. When combined with the privacy
header, P-Asserted-Identity
also determines whether the message can be forwarded to trusted and non-trusted hosts. See Configuring P-Asserted-Identity Assertion for more information.
The SIP Servlet API specification defines a set of deployment descriptor elements that can be used for providing declarative and programmatic security for SIP Servlets. The primary method for declaring security constraints is to define one or more security-constraint
elements and role definitions in the sip.xml
deployment descriptor. WebLogic SIP Server adds additional deployment descriptor elements to help developers easily map SIP Servlet roles to actual principals and/or roles configured in the SIP Servlet container. See
Securing SIP Servlet Resources in
Developing Applications with WebLogic SIP Server for more information.
WebLogic SIP Server includes an auditing provider that you can configure to monitor authentication events in the security realm. See Configuring a WebLogic Auditing Provider in the WebLogic Server 9.2 documentation for more information.
Table 1-1 lists WebLogic SIP Server configuration tasks and provides links to additional information.
sip-security in Configuring WebLogic SIP Server
|