5-4 Oracle WebLogic Server SIP Container Developer’s Guide a unique key and annotate that method with SipApplicationKey. When the SIP container selects that application for example, as a result of the AR choosing it for an initial request, it obtains a key using the annotated method, and uses the key and application name to determine if the SipApplicationSession exists. If one exists, the container associates the new request with the existing session, rather than generating a new session. See section 15 in the SIP Servlet Specification v1.1 http:jcp.orgenjsrdetail?id=289 for more information about using session key-based targeting. Note: If you develop a spiral proxy application using this targeting mechanism, and the application modifies the record-route more than once, it must generate different keys for the initial request, if necessary, when processing record-route hops. If it does not, then the application cannot discriminate record-route hops for subsequent requests. Securing SIP Servlet Resources 6-1 6 Securing SIP Servlet Resources The chapter describes how to apply security constraints to SIP Servlet resources when deploying to WebLogic Server, in the following sections: ■ Section 6.1, Overview of SIP Servlet Security ■ Section 6.2, Triggering SIP Response Codes ■ Section 6.3, Specifying the Security Realm ■ Section 6.4, Role Mapping Features ■ Section 6.5, Using Implicit Role Assignment ■ Section 6.6, Assigning Roles Using security-role-assignment ■ Section 6.7, Assigning run-as Roles ■ Section 6.8, Role Assignment Precedence for SIP Servlet Roles ■ Section 6.9, Debugging Security Features ■ Section 6.10, weblogic.xml Deployment Descriptor Reference

6.1 Overview of SIP Servlet Security

The SIP Servlet API specification defines a set of deployment descriptor elements that can be used for providing declarative and programmatic security for SIP Servlets. The primary method for declaring security constraints is to define one or more security-constraint elements in the sip.xml deployment descriptor. The security-constraint element defines the actual resources in the SIP Servlet, defined in resource-collection elements, that are to be protected. security-constraint also identifies the role names that are authorized to access the resources. All role names used in the security-constraint are defined elsewhere in sip.xml in a security-role element. SIP Servlets can also programmatically refer to a role name within the Servlet code, and then map the hard-coded role name to an alternate role in the sip.xml security-role-ref element during deployment. Roles must be defined elsewhere in a security-role element before they can be mapped to a hard-coded name in the security-role-ref element. The SIP Servlet specification also enables Servlets to propagate a security role to a called Enterprise JavaBean EJB using the run-as element. Once again, roles used in the run-as element must be defined in a separate security-role element in sip.xml. Chapter 14 in the SIP Servlet API specification provides more details about the types of security available to SIP Servlets. SIP Servlet security features are similar to security