Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(9)

Issue 3155046: Add support for delegated Kerberos tickets during Negotiate authentication. (Closed)

Created:
10 years, 4 months ago by cbentzel
Modified:
9 years, 7 months ago
Reviewers:
wtc, ahendrickson
CC:
chromium-reviews, pam+watch_chromium.org, John Grabowski, cbentzel+watch_chromium.org, darin-cc_chromium.org
Visibility:
Public.

Description

Add support for delegated kerberos tickets to Negotiate authentication. This is controlled by the --auth-negotiate-delegate-whitelist command line. By default no servers are delegated to. BUG=50076 TEST=net_unittests, go to an IIS server specified in --auth-negotiate-delegate-whitelist and see if this works correctly. Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=57695

Patch Set 1 #

Patch Set 2 : '' #

Patch Set 3 : '' #

Total comments: 14

Patch Set 4 : '' #

Unified diffs Side-by-side diffs Delta from patch set Stats (+177 lines, -66 lines) Patch
M chrome/browser/io_thread.cc View 2 3 1 chunk +11 lines, -7 lines 0 comments Download
M chrome/common/chrome_switches.h View 2 3 1 chunk +1 line, -0 lines 0 comments Download
M chrome/common/chrome_switches.cc View 2 3 1 chunk +8 lines, -2 lines 0 comments Download
M net/http/http_auth_filter.h View 2 3 2 chunks +5 lines, -5 lines 0 comments Download
M net/http/http_auth_filter.cc View 1 chunk +3 lines, -1 line 0 comments Download
M net/http/http_auth_filter_unittest.cc View 3 chunks +2 lines, -3 lines 0 comments Download
M net/http/http_auth_gssapi_posix.h View 1 2 3 2 chunks +6 lines, -0 lines 0 comments Download
M net/http/http_auth_gssapi_posix.cc View 1 2 3 3 chunks +8 lines, -1 line 0 comments Download
M net/http/http_auth_handler_negotiate.h View 2 3 2 chunks +2 lines, -1 line 0 comments Download
M net/http/http_auth_handler_negotiate.cc View 2 3 2 chunks +11 lines, -0 lines 0 comments Download
M net/http/http_auth_sspi_win.h View 1 2 3 2 chunks +6 lines, -0 lines 0 comments Download
M net/http/http_auth_sspi_win.cc View 1 2 3 4 chunks +18 lines, -10 lines 0 comments Download
M net/http/url_security_manager.h View 2 3 1 chunk +37 lines, -9 lines 0 comments Download
M net/http/url_security_manager.cc View 2 1 chunk +13 lines, -4 lines 0 comments Download
M net/http/url_security_manager_posix.cc View 1 chunk +3 lines, -2 lines 0 comments Download
M net/http/url_security_manager_unittest.cc View 1 chunk +3 lines, -3 lines 0 comments Download
M net/http/url_security_manager_win.cc View 2 3 3 chunks +40 lines, -18 lines 0 comments Download

Messages

Total messages: 3 (0 generated)
cbentzel
Wan-Teh, Andy is on vacation this week so I sent this to you. The main ...
10 years, 4 months ago (2010-08-26 20:03:43 UTC) #1
wtc
LGTM. http://codereview.chromium.org/3155046/diff/22001/1006 File chrome/browser/io_thread.cc (right): http://codereview.chromium.org/3155046/diff/22001/1006#newcode252 chrome/browser/io_thread.cc:252: if (command_line.HasSwitch(switches::kAuthDefaultCredentialsWhitelist)) Nit: add curly braces around these ...
10 years, 4 months ago (2010-08-26 21:30:06 UTC) #2
cbentzel
10 years, 3 months ago (2010-08-27 17:10:53 UTC) #3
http://codereview.chromium.org/3155046/diff/22001/1008
File chrome/common/chrome_switches.h (left):

http://codereview.chromium.org/3155046/diff/22001/1008#oldcode37
chrome/common/chrome_switches.h:37: extern const char kAuthServerWhitelist[];
On 2010/08/26 21:30:06, wtc wrote:
> It seems bad to remove a command-line option.  I remember these options
> are documented...

I wrote the documentation, but it also exists in some bugs. I'll move this back
to the same string for users. I don't want to have to tell users different
command lines for different versions.

http://codereview.chromium.org/3155046/diff/22001/1014
File net/http/http_auth_handler_negotiate.cc (right):

http://codereview.chromium.org/3155046/diff/22001/1014#newcode93
net/http/http_auth_handler_negotiate.cc:93: if (AllowsDelegation())
On 2010/08/26 21:30:06, wtc wrote:
> It's easy to miss the difference between AllowsDelegation and AllowDelegation.
> 
> Perhaps AllowsDelegation can be renamed CanDelegate?  See line 124 below.

Good name suggestion. I went with CanDelegate for the query and Delegate for the
action.

http://codereview.chromium.org/3155046/diff/22001/1022
File net/http/url_security_manager_win.cc (right):

http://codereview.chromium.org/3155046/diff/22001/1022#newcode38
net/http/url_security_manager_win.cc:38: mutable
ScopedComPtr<IInternetSecurityManager> security_manager_;
On 2010/08/26 21:30:06, wtc wrote:
> Why does this member need to be mutable?  Do we need to propagage 'const'
> more?

CanUseDefaultCredentials calls CreateInstance for an IInternetSecurityManager if
security_manager_ does not already have a COM pointer. This was done lazilly
because there was a startup performance regression when done early.

I moved this logic into a separate non-const method and did a const_cast in
CanUseDefaultCredentials instead.

Powered by Google App Engine
This is Rietveld 408576698