Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(24)

Unified Diff: net/http/url_security_manager.h

Issue 3155046: Add support for delegated Kerberos tickets during Negotiate authentication. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 10 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/http/http_auth_sspi_win.cc ('k') | net/http/url_security_manager.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/url_security_manager.h
===================================================================
--- net/http/url_security_manager.h (revision 57541)
+++ net/http/url_security_manager.h (working copy)
@@ -23,41 +23,69 @@
virtual ~URLSecurityManager() {}
// Creates a platform-dependent instance of URLSecurityManager.
- // The URLSecurityManager takes ownership of the HttpAuthFilter.
- static URLSecurityManager* Create(HttpAuthFilter* whitelist);
+ //
+ // |whitelist_default| is the whitelist of servers that default credentials
+ // can be used with during NTLM or Negotiate authentication. If
+ // |whitelist_default| is NULL and the platform is Windows, it indicates
+ // that security zone mapping should be used to determine whether default
+ // credentials sxhould be used. If |whitelist_default| is NULL and the
+ // platform is non-Windows, it indicates that no servers should be
+ // whitelisted.
+ //
+ // |whitelist_delegate| is the whitelist of servers that are allowed
+ // to have Delegated Kerberos tickets. If |whitelist_delegate| is NULL,
+ // no servers can have delegated Kerberos tickets.
+ //
+ // Both |whitelist_default| and |whitelist_delegate| will be owned by
+ // the created URLSecurityManager.
+ //
+ // TODO(cbentzel): Perhaps it's better to make a non-abstract HttpAuthFilter
+ // and just copy into the URLSecurityManager?
+ static URLSecurityManager* Create(const HttpAuthFilter* whitelist_default,
+ const HttpAuthFilter* whitelist_delegate);
// Returns true if we can send the default credentials to the server at
// |auth_origin| for HTTP NTLM or Negotiate authentication.
- virtual bool CanUseDefaultCredentials(const GURL& auth_origin) = 0;
+ virtual bool CanUseDefaultCredentials(const GURL& auth_origin) const = 0;
+ // Returns true if Kerberos delegation is allowed for the server at
+ // |auth_origin| for HTTP Negotiate authentication.
+ virtual bool CanDelegate(const GURL& auth_origin) const = 0;
+
private:
DISALLOW_COPY_AND_ASSIGN(URLSecurityManager);
};
class URLSecurityManagerWhitelist : public URLSecurityManager {
public:
- // The URLSecurityManagerWhitelist takes ownership of the HttpAuthFilter.
- explicit URLSecurityManagerWhitelist(HttpAuthFilter* whitelist);
+ // The URLSecurityManagerWhitelist takes ownership of the whitelists.
+ URLSecurityManagerWhitelist(const HttpAuthFilter* whitelist_default,
+ const HttpAuthFilter* whitelist_delegation);
// URLSecurityManager methods.
- virtual bool CanUseDefaultCredentials(const GURL& auth_origin);
+ virtual bool CanUseDefaultCredentials(const GURL& auth_origin) const;
+ virtual bool CanDelegate(const GURL& auth_origin) const;
private:
- scoped_ptr<HttpAuthFilter> whitelist_;
+ scoped_ptr<const HttpAuthFilter> whitelist_default_;
+ scoped_ptr<const HttpAuthFilter> whitelist_delegate_;
DISALLOW_COPY_AND_ASSIGN(URLSecurityManagerWhitelist);
};
#if defined(UNIT_TEST)
-// An URLSecurityManager which always allows default credentials.
+// An URLSecurityManager which is very permissive.
class URLSecurityManagerAllow : public URLSecurityManager {
public:
URLSecurityManagerAllow() {}
virtual ~URLSecurityManagerAllow() {}
- virtual bool CanUseDefaultCredentials(const GURL& auth_origin) {
+ virtual bool CanUseDefaultCredentials(const GURL& auth_origin) const {
return true;
}
+ virtual bool CanDelegate(const GURL& auth_origin) const {
+ return true;
+ }
private:
DISALLOW_COPY_AND_ASSIGN(URLSecurityManagerAllow);
« no previous file with comments | « net/http/http_auth_sspi_win.cc ('k') | net/http/url_security_manager.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698