Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(4)

Side by Side Diff: net/http/http_auth_handler_negotiate.cc

Issue 3155046: Add support for delegated Kerberos tickets during Negotiate authentication. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 10 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/http/http_auth_handler_negotiate.h ('k') | net/http/http_auth_sspi_win.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/http_auth_handler_negotiate.h" 5 #include "net/http/http_auth_handler_negotiate.h"
6 6
7 #include "base/logging.h" 7 #include "base/logging.h"
8 #include "base/string_util.h" 8 #include "base/string_util.h"
9 #include "base/utf_string_conversions.h" 9 #include "base/utf_string_conversions.h"
10 #include "net/base/address_family.h" 10 #include "net/base/address_family.h"
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after
83 LOG(INFO) << "can't initialize GSSAPI library"; 83 LOG(INFO) << "can't initialize GSSAPI library";
84 return false; 84 return false;
85 } 85 }
86 // GSSAPI does not provide a way to enter username/password to 86 // GSSAPI does not provide a way to enter username/password to
87 // obtain a TGT. If the default credentials are not allowed for 87 // obtain a TGT. If the default credentials are not allowed for
88 // a particular site (based on whitelist), fall back to a 88 // a particular site (based on whitelist), fall back to a
89 // different scheme. 89 // different scheme.
90 if (!AllowsDefaultCredentials()) 90 if (!AllowsDefaultCredentials())
91 return false; 91 return false;
92 #endif 92 #endif
93 if (CanDelegate())
94 auth_system_.Delegate();
93 scheme_ = "negotiate"; 95 scheme_ = "negotiate";
94 score_ = 4; 96 score_ = 4;
95 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; 97 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
96 return auth_system_.ParseChallenge(challenge); 98 return auth_system_.ParseChallenge(challenge);
97 } 99 }
98 100
99 // Require identity on first pass instead of second. 101 // Require identity on first pass instead of second.
100 bool HttpAuthHandlerNegotiate::NeedsIdentity() { 102 bool HttpAuthHandlerNegotiate::NeedsIdentity() {
101 return auth_system_.NeedsIdentity(); 103 return auth_system_.NeedsIdentity();
102 } 104 }
103 105
104 bool HttpAuthHandlerNegotiate::IsFinalRound() { 106 bool HttpAuthHandlerNegotiate::IsFinalRound() {
105 return auth_system_.IsFinalRound(); 107 return auth_system_.IsFinalRound();
106 } 108 }
107 109
108 bool HttpAuthHandlerNegotiate::AllowsDefaultCredentials() { 110 bool HttpAuthHandlerNegotiate::AllowsDefaultCredentials() {
109 if (target_ == HttpAuth::AUTH_PROXY) 111 if (target_ == HttpAuth::AUTH_PROXY)
110 return true; 112 return true;
111 if (!url_security_manager_) 113 if (!url_security_manager_)
112 return false; 114 return false;
113 return url_security_manager_->CanUseDefaultCredentials(origin_); 115 return url_security_manager_->CanUseDefaultCredentials(origin_);
114 } 116 }
115 117
118 bool HttpAuthHandlerNegotiate::CanDelegate() const {
119 // TODO(cbentzel): Should delegation be allowed on proxies?
120 if (target_ == HttpAuth::AUTH_PROXY)
121 return false;
122 if (!url_security_manager_)
123 return false;
124 return url_security_manager_->CanDelegate(origin_);
125 }
126
116 std::wstring HttpAuthHandlerNegotiate::CreateSPN( 127 std::wstring HttpAuthHandlerNegotiate::CreateSPN(
117 const AddressList& address_list, const GURL& origin) { 128 const AddressList& address_list, const GURL& origin) {
118 // Kerberos Web Server SPNs are in the form HTTP/<host>:<port> through SSPI, 129 // Kerberos Web Server SPNs are in the form HTTP/<host>:<port> through SSPI,
119 // and in the form HTTP@<host>:<port> through GSSAPI 130 // and in the form HTTP@<host>:<port> through GSSAPI
120 // http://msdn.microsoft.com/en-us/library/ms677601%28VS.85%29.aspx 131 // http://msdn.microsoft.com/en-us/library/ms677601%28VS.85%29.aspx
121 // 132 //
122 // However, reality differs from the specification. A good description of 133 // However, reality differs from the specification. A good description of
123 // the problems can be found here: 134 // the problems can be found here:
124 // http://blog.michelbarneveld.nl/michel/archive/2009/11/14/the-reason-why-k b911149-and-kb908209-are-not-the-soluton.aspx 135 // http://blog.michelbarneveld.nl/michel/archive/2009/11/14/the-reason-why-k b911149-and-kb908209-are-not-the-soluton.aspx
125 // 136 //
(...skipping 183 matching lines...) Expand 10 before | Expand all | Expand 10 after
309 resolver_, disable_cname_lookup_, 320 resolver_, disable_cname_lookup_,
310 use_port_)); 321 use_port_));
311 if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log)) 322 if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log))
312 return ERR_INVALID_RESPONSE; 323 return ERR_INVALID_RESPONSE;
313 handler->swap(tmp_handler); 324 handler->swap(tmp_handler);
314 return OK; 325 return OK;
315 #endif 326 #endif
316 } 327 }
317 328
318 } // namespace net 329 } // namespace net
OLDNEW
« no previous file with comments | « net/http/http_auth_handler_negotiate.h ('k') | net/http/http_auth_sspi_win.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698