| OLD | NEW |
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_auth_handler_negotiate.h" | 5 #include "net/http/http_auth_handler_negotiate.h" |
| 6 | 6 |
| 7 #include "base/logging.h" | 7 #include "base/logging.h" |
| 8 #include "base/string_util.h" | 8 #include "base/string_util.h" |
| 9 #include "base/utf_string_conversions.h" | 9 #include "base/utf_string_conversions.h" |
| 10 #include "net/base/address_family.h" | 10 #include "net/base/address_family.h" |
| (...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 83 LOG(INFO) << "can't initialize GSSAPI library"; | 83 LOG(INFO) << "can't initialize GSSAPI library"; |
| 84 return false; | 84 return false; |
| 85 } | 85 } |
| 86 // GSSAPI does not provide a way to enter username/password to | 86 // GSSAPI does not provide a way to enter username/password to |
| 87 // obtain a TGT. If the default credentials are not allowed for | 87 // obtain a TGT. If the default credentials are not allowed for |
| 88 // a particular site (based on whitelist), fall back to a | 88 // a particular site (based on whitelist), fall back to a |
| 89 // different scheme. | 89 // different scheme. |
| 90 if (!AllowsDefaultCredentials()) | 90 if (!AllowsDefaultCredentials()) |
| 91 return false; | 91 return false; |
| 92 #endif | 92 #endif |
| 93 if (CanDelegate()) |
| 94 auth_system_.Delegate(); |
| 93 scheme_ = "negotiate"; | 95 scheme_ = "negotiate"; |
| 94 score_ = 4; | 96 score_ = 4; |
| 95 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; | 97 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; |
| 96 return auth_system_.ParseChallenge(challenge); | 98 return auth_system_.ParseChallenge(challenge); |
| 97 } | 99 } |
| 98 | 100 |
| 99 // Require identity on first pass instead of second. | 101 // Require identity on first pass instead of second. |
| 100 bool HttpAuthHandlerNegotiate::NeedsIdentity() { | 102 bool HttpAuthHandlerNegotiate::NeedsIdentity() { |
| 101 return auth_system_.NeedsIdentity(); | 103 return auth_system_.NeedsIdentity(); |
| 102 } | 104 } |
| 103 | 105 |
| 104 bool HttpAuthHandlerNegotiate::IsFinalRound() { | 106 bool HttpAuthHandlerNegotiate::IsFinalRound() { |
| 105 return auth_system_.IsFinalRound(); | 107 return auth_system_.IsFinalRound(); |
| 106 } | 108 } |
| 107 | 109 |
| 108 bool HttpAuthHandlerNegotiate::AllowsDefaultCredentials() { | 110 bool HttpAuthHandlerNegotiate::AllowsDefaultCredentials() { |
| 109 if (target_ == HttpAuth::AUTH_PROXY) | 111 if (target_ == HttpAuth::AUTH_PROXY) |
| 110 return true; | 112 return true; |
| 111 if (!url_security_manager_) | 113 if (!url_security_manager_) |
| 112 return false; | 114 return false; |
| 113 return url_security_manager_->CanUseDefaultCredentials(origin_); | 115 return url_security_manager_->CanUseDefaultCredentials(origin_); |
| 114 } | 116 } |
| 115 | 117 |
| 118 bool HttpAuthHandlerNegotiate::CanDelegate() const { |
| 119 // TODO(cbentzel): Should delegation be allowed on proxies? |
| 120 if (target_ == HttpAuth::AUTH_PROXY) |
| 121 return false; |
| 122 if (!url_security_manager_) |
| 123 return false; |
| 124 return url_security_manager_->CanDelegate(origin_); |
| 125 } |
| 126 |
| 116 std::wstring HttpAuthHandlerNegotiate::CreateSPN( | 127 std::wstring HttpAuthHandlerNegotiate::CreateSPN( |
| 117 const AddressList& address_list, const GURL& origin) { | 128 const AddressList& address_list, const GURL& origin) { |
| 118 // Kerberos Web Server SPNs are in the form HTTP/<host>:<port> through SSPI, | 129 // Kerberos Web Server SPNs are in the form HTTP/<host>:<port> through SSPI, |
| 119 // and in the form HTTP@<host>:<port> through GSSAPI | 130 // and in the form HTTP@<host>:<port> through GSSAPI |
| 120 // http://msdn.microsoft.com/en-us/library/ms677601%28VS.85%29.aspx | 131 // http://msdn.microsoft.com/en-us/library/ms677601%28VS.85%29.aspx |
| 121 // | 132 // |
| 122 // However, reality differs from the specification. A good description of | 133 // However, reality differs from the specification. A good description of |
| 123 // the problems can be found here: | 134 // the problems can be found here: |
| 124 // http://blog.michelbarneveld.nl/michel/archive/2009/11/14/the-reason-why-k
b911149-and-kb908209-are-not-the-soluton.aspx | 135 // http://blog.michelbarneveld.nl/michel/archive/2009/11/14/the-reason-why-k
b911149-and-kb908209-are-not-the-soluton.aspx |
| 125 // | 136 // |
| (...skipping 183 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 309 resolver_, disable_cname_lookup_, | 320 resolver_, disable_cname_lookup_, |
| 310 use_port_)); | 321 use_port_)); |
| 311 if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log)) | 322 if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log)) |
| 312 return ERR_INVALID_RESPONSE; | 323 return ERR_INVALID_RESPONSE; |
| 313 handler->swap(tmp_handler); | 324 handler->swap(tmp_handler); |
| 314 return OK; | 325 return OK; |
| 315 #endif | 326 #endif |
| 316 } | 327 } |
| 317 | 328 |
| 318 } // namespace net | 329 } // namespace net |
| OLD | NEW |