| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_network_transaction.h" | 5 #include "net/http/http_network_transaction.h" |
| 6 | 6 |
| 7 #include "base/compiler_specific.h" | 7 #include "base/compiler_specific.h" |
| 8 #include "base/field_trial.h" | 8 #include "base/field_trial.h" |
| 9 #include "base/format_macros.h" | 9 #include "base/format_macros.h" |
| 10 #include "base/histogram.h" | 10 #include "base/histogram.h" |
| (...skipping 1761 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1772 // challenge, then we can invalidate the preemptively used entry. | 1772 // challenge, then we can invalidate the preemptively used entry. |
| 1773 // Otherwise as-is we may send the failed credentials one extra time. | 1773 // Otherwise as-is we may send the failed credentials one extra time. |
| 1774 if (auth_identity_[target].source == HttpAuth::IDENT_SRC_PATH_LOOKUP) | 1774 if (auth_identity_[target].source == HttpAuth::IDENT_SRC_PATH_LOOKUP) |
| 1775 return; | 1775 return; |
| 1776 | 1776 |
| 1777 // Clear the cache entry for the identity we just failed on. | 1777 // Clear the cache entry for the identity we just failed on. |
| 1778 // Note: we require the username/password to match before invalidating | 1778 // Note: we require the username/password to match before invalidating |
| 1779 // since the entry in the cache may be newer than what we used last time. | 1779 // since the entry in the cache may be newer than what we used last time. |
| 1780 session_->auth_cache()->Remove(auth_origin, | 1780 session_->auth_cache()->Remove(auth_origin, |
| 1781 auth_handler_[target]->realm(), | 1781 auth_handler_[target]->realm(), |
| 1782 auth_handler_[target]->scheme(), |
| 1782 auth_identity_[target].username, | 1783 auth_identity_[target].username, |
| 1783 auth_identity_[target].password); | 1784 auth_identity_[target].password); |
| 1784 } | 1785 } |
| 1785 | 1786 |
| 1786 bool HttpNetworkTransaction::SelectPreemptiveAuth(HttpAuth::Target target) { | 1787 bool HttpNetworkTransaction::SelectPreemptiveAuth(HttpAuth::Target target) { |
| 1787 DCHECK(!HaveAuth(target)); | 1788 DCHECK(!HaveAuth(target)); |
| 1788 | 1789 |
| 1789 // Don't do preemptive authorization if the URL contains a username/password, | 1790 // Don't do preemptive authorization if the URL contains a username/password, |
| 1790 // since we must first be challenged in order to use the URL's identity. | 1791 // since we must first be challenged in order to use the URL's identity. |
| 1791 if (request_->url.has_username()) | 1792 if (request_->url.has_username()) |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1832 GetIdentityFromURL(request_->url, | 1833 GetIdentityFromURL(request_->url, |
| 1833 &auth_identity_[target].username, | 1834 &auth_identity_[target].username, |
| 1834 &auth_identity_[target].password); | 1835 &auth_identity_[target].password); |
| 1835 embedded_identity_used_ = true; | 1836 embedded_identity_used_ = true; |
| 1836 // TODO(eroman): If the password is blank, should we also try combining | 1837 // TODO(eroman): If the password is blank, should we also try combining |
| 1837 // with a password from the cache? | 1838 // with a password from the cache? |
| 1838 return true; | 1839 return true; |
| 1839 } | 1840 } |
| 1840 | 1841 |
| 1841 // Check the auth cache for a realm entry. | 1842 // Check the auth cache for a realm entry. |
| 1842 HttpAuthCache::Entry* entry = session_->auth_cache()->LookupByRealm( | 1843 HttpAuthCache::Entry* entry = |
| 1843 auth_origin, auth_handler_[target]->realm()); | 1844 session_->auth_cache()->Lookup(auth_origin, auth_handler_[target]->realm(), |
| 1845 auth_handler_[target]->scheme()); |
| 1844 | 1846 |
| 1845 if (entry) { | 1847 if (entry) { |
| 1846 // Disallow re-using of identity if the scheme of the originating challenge | 1848 auth_identity_[target].source = HttpAuth::IDENT_SRC_REALM_LOOKUP; |
| 1847 // does not match. This protects against the following situation: | 1849 auth_identity_[target].invalid = false; |
| 1848 // 1. Browser prompts user to sign into DIGEST realm="Foo". | 1850 auth_identity_[target].username = entry->username(); |
| 1849 // 2. Since the auth-scheme is not BASIC, the user is reasured that it | 1851 auth_identity_[target].password = entry->password(); |
| 1850 // will not be sent over the wire in clear text. So they use their | 1852 return true; |
| 1851 // most trusted password. | |
| 1852 // 3. Next, the browser receives a challenge for BASIC realm="Foo". This | |
| 1853 // is the same realm that we have a cached identity for. However if | |
| 1854 // we use that identity, it would get sent over the wire in | |
| 1855 // clear text (which isn't what the user agreed to when entering it). | |
| 1856 if (entry->handler()->scheme() == auth_handler_[target]->scheme()) { | |
| 1857 auth_identity_[target].source = HttpAuth::IDENT_SRC_REALM_LOOKUP; | |
| 1858 auth_identity_[target].invalid = false; | |
| 1859 auth_identity_[target].username = entry->username(); | |
| 1860 auth_identity_[target].password = entry->password(); | |
| 1861 return true; | |
| 1862 } | |
| 1863 LOG(WARNING) << "The scheme of realm " << auth_handler_[target]->realm() | |
| 1864 << " has changed from " << entry->handler()->scheme() | |
| 1865 << " to " << auth_handler_[target]->scheme(); | |
| 1866 // Fall through. | |
| 1867 } | 1853 } |
| 1868 | 1854 |
| 1869 // Use default credentials (single sign on) if this is the first attempt | 1855 // Use default credentials (single sign on) if this is the first attempt |
| 1870 // at identity. Do not allow multiple times as it will infinite loop. | 1856 // at identity. Do not allow multiple times as it will infinite loop. |
| 1871 // We use default credentials after checking the auth cache so that if | 1857 // We use default credentials after checking the auth cache so that if |
| 1872 // single sign-on doesn't work, we won't try default credentials for future | 1858 // single sign-on doesn't work, we won't try default credentials for future |
| 1873 // transactions. | 1859 // transactions. |
| 1874 if (!default_credentials_used_ && | 1860 if (!default_credentials_used_ && |
| 1875 auth_handler_[target]->AllowsDefaultCredentials()) { | 1861 auth_handler_[target]->AllowsDefaultCredentials()) { |
| 1876 auth_identity_[target].source = HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS; | 1862 auth_identity_[target].source = HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS; |
| (...skipping 152 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2029 endpoint_); | 2015 endpoint_); |
| 2030 | 2016 |
| 2031 alternate_protocol_mode_ = kDoNotUseAlternateProtocol; | 2017 alternate_protocol_mode_ = kDoNotUseAlternateProtocol; |
| 2032 if (connection_->socket()) | 2018 if (connection_->socket()) |
| 2033 connection_->socket()->Disconnect(); | 2019 connection_->socket()->Disconnect(); |
| 2034 connection_->Reset(); | 2020 connection_->Reset(); |
| 2035 next_state_ = STATE_INIT_CONNECTION; | 2021 next_state_ = STATE_INIT_CONNECTION; |
| 2036 } | 2022 } |
| 2037 | 2023 |
| 2038 } // namespace net | 2024 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1949004:
Added authentication scheme as key to HttpAuthCache. (Closed)
Base URL: http://src.chromium.org/git/chromium.git