Thanks for your good comments. Here is my answer:
1. I agree this and Authorization headers should be processed in a list,
like contact header list.
2. I'm not sure of the lifespan of the security token (i.e.
authorization header) in SIP. Our assumption in the operator network is
within the registration. If the granularity is smaller, like per session
call or per dialog, I wonder if it is too expensive to do it. Btw,
authorization inspection is also done at the registration phase, with
authentication in our assumption.
3. As a result of 2, I plan to remove cache only in unregister() and
timeout process (ua may lose the connection due to the exception or
I'm busy with the integration work of our SSO on openSER. But I would
like to practice the patch after this.