Authentication for SIP Servlets
Converged Application Server users must be authenticated when they request access to a protected resource, such as a protected method within a deployed SIP Servlet. Converged Application Server enables you to implement user authentication for SIP Servlets using any of the following techniques:
- DIGEST authentication uses a simple challenge-response mechanism to verify the identity of a user over SIP. This technique is described in "Configuring Digest Authentication". To authenticate over HTTP, application developers must provide their own implementations.
- CLIENT-CERT authentication uses an X509 certificate chain passed to the SIP application to authenticate a user. The X509 certificate chain can be provided in a number of different ways. In the most common case, a two-way SSL handshake is performed before transmitting the chain to ensure secure communication between the client and server. CLIENT-CERT authentication is described fully in "Configuring Client-Cert Authentication".
- BASIC authentication uses the Authorization SIP header to transmit the username and password to SIP Servlets. BASIC authentication is deprecated in RFC 3261 and is not recommended for production systems. This document does not provide configuration instructions for using BASIC authentication.
Different SIP Servlets deployed on Converged Application Server can use different authentication mechanisms as necessary. The required authentication mechanism is specified in the auth-method element of the SIP Servlet's sip.xml deployment descriptor. The deployment descriptor may also define which resources are to be protected, listing specific role names that are required for access.
See "Securing SIP Servlet Resources" in Converged Application Server Developer's Guide for information about securing resources and mapping roles in the SIP Servlet deployment descriptor.
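The following is an added illustration of the SIP Digest challenge-response exchange described above; it is not Oracle's code or part of Converged Application Server. It models both sides (the server's 401 challenge and the client's Authorization response) using the RFC 2617 computation that RFC 3261 reuses (MD5, no qop), with a constructed user table standing in for the LDAP/RDBMS provider that would normally hold credentials.

```python
import hashlib
import hmac
import secrets

# Constructed sample realm and credentials (placeholder for the real provider).
REALM = "example.com"
USERS = {"alice": "s3cret"}  # username -> password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def challenge(realm: str = REALM) -> dict:
    """Server side: parameters carried in a 401 WWW-Authenticate header."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "algorithm": "MD5"}


def digest_response(username, password, realm, nonce, method, uri) -> str:
    """Client side: response = MD5(HA1:nonce:HA2) with
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify(authz: dict, method: str, issued_nonces: set) -> bool:
    """Server side: recompute the expected response for the request's SIP
    method and compare in constant time. Rejects unknown users, unknown or
    replayed nonces, and realm mismatches; a nonce is consumed on first use."""
    if authz.get("realm") != REALM or authz.get("nonce") not in issued_nonces:
        return False
    password = USERS.get(authz.get("username"))
    if password is None:
        return False
    issued_nonces.discard(authz["nonce"])  # single use, even if the check fails
    expected = digest_response(authz["username"], password, REALM,
                               authz["nonce"], method, authz.get("uri", ""))
    return hmac.compare_digest(expected, authz.get("response", ""))


def demo():
    """Full exchange: challenge, client answer, verify, then a replay attempt."""
    issued = set()
    chal = challenge()
    issued.add(chal["nonce"])
    uri = "sip:bob@example.com"
    authz = {"username": "alice", "realm": chal["realm"], "nonce": chal["nonce"], "uri": uri}
    authz["response"] = digest_response("alice", "s3cret", chal["realm"], chal["nonce"], "INVITE", uri)
    return verify(authz, "INVITE", issued), verify(authz, "INVITE", issued)
```

Because the method is bound into HA2, a response computed for one SIP method is not accepted for another, which is why the server recomputes it from the request it actually received.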
Authentication Providers
Converged Application Server authentication services are implemented using one or more authentication providers. An authentication provider performs the work of proving the identity of a user or system process, and then transmitting the identity information to other components of the system.
You can configure and use multiple authentication providers to use different authentication methods, or to work together to provide authentication. For example, when using Digest authentication you typically configure both a Digest Identity Asserter provider to assert the validity of a digest, and a second LDAP or RDBMS authentication provider that determines the group membership of a validated user.
When linking multiple authentication providers, you must specify the order in which providers are used to evaluate a given user, and also specify how much control each provider has over the authentication process. Each provider can contribute a "vote" that specifies whether or not the provider feels a given user is valid. The provider's control flag indicates how the provider's vote is used in the authentication process.
See "Configuring Digest Authentication" or "Configuring Client-Cert Authentication" for more information about configuring providers.