Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

User Authentication - is there a better way?

I'm working on a phone application and I want to use the CallManager UserIDs and Passwords for user authentication to start up the application.

I tried using AXL, but the getUser request returned empty elements for password and pin.

Right now I'm using JTAPI's peer.getProvider method. If it's successful, great, I have a match. If it throws, then I know authentication failed, I can catch the error and send back a bad password / login message to the phone.

Is this a good idea or has someone come across a better way?


Re: User Authentication - is there a better way?

I take it not showing the pin and password is a security precaution. But you could always try to access the DC directory manually - though that would no longer be possible in CCM 5.

Another way would be using the built-in authentication page on the call manager. If you access certain urls on the phone, you have to provide a login and password. E.g. http:///CGI/ModeInfo .. so you could make a http get for that url and provide the user provided login and password in an authentication header.. if you get http 200 response, the l/p is valid, if you get a 401, the l/p is invalid.

The PlatformExceptionImpl could also signify another error and since there's no specific "bad login/pw" jtapi error, it may not be the most reliable way (if the cti manager has crashed, you'll get this message as well and you're relying on a component that you potentially don't need... plus this approach requires that the device association has been made.. in most installations I've come across, there was either EM, or the owner user id was set.. I've rarely seen device associations as this is only useful for cti).

New Member

Re: User Authentication - is there a better way?

"and you're relying on a component that you potentially don't need"


The concept of the app is a time clock (punch clock) where users can clock in or out from any IP Phone in the building and their times will be stored in an ERP system for payroll, yada yada...

I'm hearing preliminary information that the customer interested in this app may have locations where 1 IP Phone is being shared by 3 or 4 people (warehouse perhaps?) so I can't gaurantee a direct correlation of user to phone.

I figured it would be a clean solution to piggyback CallManager's userIDs and passwords since they would be used for other phone apps like Extension Mobility.

A funny thing about the AXL getUser "security" is that if I do a getPhone request, some of the information returned about services such as Fast Dials and the Address Book display the userID and PIN in the URL :D