Thursday Dec 18, 2008

Configuring NonceManager for Digest and Identity authentication modules

The Identity authentication and Digest authentication modules need the NonceManager to cache call-id and nonce values respectively.
The maximum nonce age for these modules is configured through the NonceManager property under the security-service element in domain.xml. The maxNonceAge value is in milliseconds.

<property name="NonceManager" value="id=identity-nonce-config,maxNonceAge=350000;id=sip-nonce-config,maxNonceAge=3000"/>

The NonceManager for the Digest authentication module is sip-nonce-config, whose default maxNonceAge is 600000 milliseconds.
The NonceManager for the Identity authentication module is identity-nonce-config, whose default maxNonceAge is 3600000 milliseconds.

A snapshot of configuring the NonceManager through the Admin UI is here.

Wednesday Jan 02, 2008

Using Digest Authentication with SIP Servlets

It is time to write in detail on how to use the security features available in Sailfin, so here we go.

Before you begin, follow these two common steps.
  1. Download the latest stable Sailfin build from here.
  2. Install Netbeans 6.0 with the SIP plugin. You will find this installation document useful.

In this entry I will share how to enable SIP Digest Authentication for a SIP Servlet application and authenticate using a SIP client (we have tried Twinkle, available with Ubuntu, and X-Lite).

Step 1: Create a new SIP Project in Netbeans as shown in Figure 1.

Figure 1

Step 2: Create a new SIP Servlet as shown in Figure 2.

Figure 2

Step 3: Netbeans generates the SIP servlet with empty methods; I changed it to look like what is seen in Figure 3.

Figure 3

Step 4: Now that we have created the servlet, we will proceed to configure the application server.
        To do this, start the application server and the database using the following commands.

        To start the Sailfin Application Server:
            asadmin start-domain domain1

        To start the database:
            asadmin start-database

Figure 4

Step 5: Log in to the Admin console (http://localhost:4848) and create a JDBC resource as shown in Figure 5.

Figure 5

Step 6: Now that we have created the JDBC resource, we can go ahead and create a JDBC Digest Realm using the Admin console (shown in Figure 6).

Figure 6

Step 7: The next step is to set up the backend. Connect to the database using Netbeans as shown in Figure 7 and run the following SQL script.

Figure 7

Step 8: Now that we have configured both the backend and the application server, it is time to enable security in the SIP Servlet application. Create sip.xml and sun.xml as shown in Figure 8 and Figure 9. The security constraint in sip.xml states that REGISTER requests must be authenticated and that only users with the manager role are allowed to register.

Figure 8

Figure 9

Step 9: Now build and deploy the application to the SIP Application Server. You can do this either from Netbeans or from the command line (asadmin deploy <filename>).

Step 10: Once the application is deployed, run the SIP client (in this case I used Twinkle). When the client tries to register, the user is asked to enter authentication information as shown in Figure 10; Figure 11 shows the application server logs once the user has been authenticated and authorized.

Figure 10

Figure 11


Monday Sep 24, 2007

Implementing Custom Realms for Digest Authentication in Sun Java System Communication Application Server

Recently we refactored and enabled Digest authentication support for both the HTTP and SIP containers in Sun Java System Communication Application Server (SJSCAS/Sailfin). Supporting digest authentication with different backends can be done by writing a custom login module and a custom realm.

1.Custom Login Module
2.Custom Realm

1. Custom Login Module:
A custom login module can be provided either by extending the abstract class or by implementing the standard interface. If one chooses to extend the DigestLoginModule class, the abstract method below has to be implemented. The getGroups method returns all the groups the user belongs to.

protected abstract Enumeration getGroups(String username);

The login module has to be configured in the login.conf file under $AS_INSTALL_HOME/domains/domain1/config.
An example of the JDBC Digest login module entry in login.conf is shown below.


/* Copyright 2004 Sun Microsystems, Inc. All rights reserved. */
/* SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. */

fileRealm { required;
ldapRealm { required;
solarisRealm { required;
jdbcRealm { required;
jdbcDigestRealm { required;


A sample implementation of the DigestLoginModule is shown below.

import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;

// DigestLoginModule, InvalidOperationException and NoSuchUserException come from
// the Sailfin security packages; their imports are not repeated here.
public class JDBCDigestLoginModule extends DigestLoginModule {

    public JDBCDigestLoginModule() {
    }

    // Returns the groups the authenticated user belongs to, as known to the realm.
    // Any lookup failure is logged and treated as "no groups".
    protected Enumeration getGroups(String username) {
        try {
            return this.getRealm().getGroupNames(username);
        } catch (InvalidOperationException ex) {
            Logger.getLogger("global").log(Level.SEVERE, null, ex);
        } catch (NoSuchUserException ex) {
            Logger.getLogger("global").log(Level.SEVERE, null, ex);
        }
        return null;
    }
}



2. Custom Realm:

In order to provide a custom realm, one has to write a new custom realm [1] or modify an existing realm by extending the abstract class. The method validate is an abstract method in DigestRealmBase.

public abstract boolean validate(String username, DigestAlgorithmParameter[] params);

The implementor's validate function has to retrieve the password from the backend and invoke the validate method of the super class. The signature of that method in DigestRealmBase is shown below. It returns true if digest validation succeeded and false if the digest does not match. The DigestAlgorithmParameter array represents the digest algorithm parameters retrieved from the incoming SIP/HTTP request.

protected final boolean validate(Password passwd, DigestAlgorithmParameter[] params) throws NoSuchAlgorithmException;

The Password argument carries either a prehashed (username+realmname+password) password or a plain text password, and is used to validate the digest.

public interface Password {

    public static final int PLAIN_TEXT = 0;
    public static final int HASHED = 1;

    /**
     * Returns PLAIN_TEXT or HASHED.
     * @return int
     */
    public int getType();

    /**
     * Returns the password bytes.
     * @return byte[]
     */
    public byte[] getValue();
}
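As an added illustration (not Sailfin's own code), the following minimal custom realm extends DigestRealmBase, keeps only the prehashed credential, and delegates the digest comparison to the protected validate of the base class. It assumes the HASHED value is the hex-encoded MD5 of username:realm:password, that the Sailfin classes named above are imported from your build, and that validate is the only abstract method you must supply; the in-memory map stands in for a real JDBC or LDAP backend.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// DigestRealmBase, DigestAlgorithmParameter and Password are the Sailfin classes described
// above; their package imports (and any further abstract realm methods your build
// requires, such as group lookup) are left out of this illustration.
public class InMemoryDigestRealm extends DigestRealmBase {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    // Stand-in backend (assumption: a real realm would query JDBC/LDAP instead):
    // username -> HA1 = hex(MD5(username ":" realm ":" password)).
    // Only the hash is kept, so the realm never holds clear-text passwords.
    private final Map<String, String> ha1ByUser = new HashMap<String, String>();
    private final String realmName;

    public InMemoryDigestRealm(String realmName) {
        this.realmName = realmName;
    }

    // Provisioning: hash once, store only HA1 (encoding is an assumption, see lead-in).
    public void addUser(String username, String password) throws NoSuchAlgorithmException {
        ha1ByUser.put(username, md5Hex(username + ":" + realmName + ":" + password));
    }

    // Abstract method of DigestRealmBase: fetch the stored credential and let the base
    // class compare it with the digest parameters taken from the SIP/HTTP request.
    public boolean validate(String username, DigestAlgorithmParameter[] params) {
        final String ha1 = ha1ByUser.get(username);
        if (ha1 == null) {
            return false;                       // unknown user: fail closed
        }
        Password stored = new Password() {
            public int getType() { return Password.HASHED; }   // prehashed credential
            public byte[] getValue() { return ha1.getBytes(UTF8); }
        };
        try {
            return super.validate(stored, params);
        } catch (NoSuchAlgorithmException ex) {
            return false;                       // algorithm not supported: reject
        }
    }

    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(UTF8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }
}
```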


This custom realm can be configured for use in SIP/HTTP applications as described in docs [2].

You can download sailfin/SJSCAS builds from


Note: The interfaces and classes described above are subject to improvement and change in future milestone releases of SJSCAS.


Wednesday Aug 29, 2007

Sailfin/Sun Java System Communication Application Server/SJSCAS

For the past couple of months I have been working on implementing security features for Sailfin. Sailfin is based on JSR 289, and all the functional specifications that are under development are posted here. You can post your comments on features and requirements using the template posted here.

JSR 289 requires Sailfin to support Digest Authentication and P-Asserted-Identity. We have enabled Digest authentication for both the SIP and HTTP containers, and one should be able to try it out using the latest builds. I will soon write on how to configure Digest authentication for the HTTP and SIP containers in SJSCAS/Sailfin.
