Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers
If the contents of a P-Asserted-Identity header are invalid, or if the header is received from a non-trusted host, then the security provider returns an "anonymous" user to the SIP Servlet container. If you configured the PAsserted Identity Strict Asserter provider, an exception is also thrown so that you can audit the substitution of the anonymous user. (If you configured the basic PAsserted Identity Asserter provider, no exception is thrown.)
With either provider, if identity assertion fails and the requested resource is protected (the request matches a security-constraint defined in sip.xml), the SIP container uses the auth-method defined in the sip.xml deployment descriptor to challenge the end user. For example, if the Servlet specifies the digest authentication method, the container issues a digest challenge.
If the requested resource is not protected, the anonymous user is simply passed to the SIP Servlet without authorization. Because the 3GPP TS 24.229 specification recommends forced authorization even when a resource is unrestricted (and privacy is not requested), you should use declarative security to protect all of a SIP Servlet's resources to remain compliant with the specification. See "Securing SIP Servlet Resources" in Converged Application Server Developer's Guide for more information.
If authorization of the anonymous user fails, Converged Application Server then forces authentication by challenging the user.
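As an added illustration, not Converged Application Server code, the following Python models the decision flow described above: a minimal RFC 3325 P-Asserted-Identity parser, a trusted-host check, the strict versus non-strict difference, and what the container does next when it is handed the anonymous user. The trusted-host set, the audit list and every function name are assumptions of this example.

```python
import re

# Constructed trust domain for this example; the real provider takes this from configuration.
TRUSTED_HOSTS = {"192.0.2.10", "pcscf.example.net"}
audit_log = []  # stand-in for the audit trail the strict provider's exception feeds

# RFC 3325 allows one or more comma-separated values, each a name-addr or addr-spec with a
# sip:, sips: or tel: URI. Simplification: display names must be quoted, and commas inside
# a quoted display name are not handled.
_PAI_RE = re.compile(r'^\s*(?:"[^"]*"\s*)?<?(?P<uri>(?:sips?|tel):[^>\s,]+)>?\s*$')


class StrictAssertionError(Exception):
    """Raised by the strict provider so the substitution of 'anonymous' can be audited."""


def parse_pai(header_value):
    """Return the asserted URIs from a P-Asserted-Identity value, or None if it is malformed."""
    uris = []
    for part in header_value.split(","):
        m = _PAI_RE.match(part)
        if not m:
            return None  # any malformed value makes the whole header invalid
        uris.append(m.group("uri"))
    return uris


def assert_identity(pai_header, source_host, strict):
    """Return the identity the container will see: the asserted URI or 'anonymous'."""
    uris = parse_pai(pai_header) if pai_header is not None else None
    if source_host in TRUSTED_HOSTS and uris:
        return uris[0]
    if strict:
        # Strict provider: still substitutes anonymous, but raises so the event is auditable.
        raise StrictAssertionError(
            f"P-Asserted-Identity rejected (host={source_host!r}, header={pai_header!r})")
    return "anonymous"  # non-strict provider: silent substitution


def dispatch(pai_header, source_host, strict, protected):
    """Return the container's next step as (action, user) after identity assertion."""
    try:
        user = assert_identity(pai_header, source_host, strict)
    except StrictAssertionError as exc:
        audit_log.append(str(exc))
        user = "anonymous"
    if user != "anonymous":
        return ("authorize", user)
    # Anonymous user: a protected resource (security-constraint in sip.xml) is challenged with
    # the configured auth-method; an unprotected one is passed to the Servlet unauthorized.
    return ("challenge", user) if protected else ("pass", user)
```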