Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1101)

Unified Diff: net/http/http_auth_controller.cc

Issue 3360017: Fix multi-round authentication.... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: SocketStream fix Created 10 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/http/http_auth_controller.h ('k') | net/http/http_auth_gssapi_posix.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/http_auth_controller.cc
===================================================================
--- net/http/http_auth_controller.cc (revision 59119)
+++ net/http/http_auth_controller.cc (working copy)
@@ -4,6 +4,7 @@
#include "net/http/http_auth_controller.h"
+#include "base/string_util.h"
#include "base/utf_string_conversions.h"
#include "net/base/auth.h"
#include "net/base/host_resolver.h"
@@ -151,27 +152,40 @@
const BoundNetLog& net_log) {
DCHECK(headers);
DCHECK(auth_origin_.is_valid());
-
LOG(INFO) << "The " << HttpAuth::GetAuthTargetString(target_) << " "
<< auth_origin_ << " requested auth"
<< AuthChallengeLogMessage(headers.get());
- // The auth we tried just failed, hence it can't be valid. Remove it from
- // the cache so it won't be used again.
- // TODO(wtc): IsFinalRound is not the right condition. In a multi-round
- // auth sequence, the server may fail the auth in round 1 if our first
- // authorization header is broken. We should inspect response_.headers to
- // determine if the server already failed the auth or wants us to continue.
- // See http://crbug.com/21015.
- if (HaveAuth() && handler_->IsFinalRound()) {
- InvalidateRejectedAuthFromCache();
- handler_.reset();
- identity_ = HttpAuth::Identity();
+ // Give the existing auth handler first try at the authentication headers.
+ // This will also evict the entry in the HttpAuthCache if the previous
+ // challenge appeared to be rejected, or is using a stale nonce in the Digest
+ // case.
+ if (HaveAuth()) {
+ HttpAuth::AuthorizationResult result = HttpAuth::HandleChallengeResponse(
+ handler_.get(), headers, target_, disabled_schemes_);
+ switch (result) {
+ case HttpAuth::AUTHORIZATION_RESULT_ACCEPT:
+ break;
+ case HttpAuth::AUTHORIZATION_RESULT_INVALID:
+ case HttpAuth::AUTHORIZATION_RESULT_REJECT:
+ InvalidateCurrentHandler();
+ break;
+ case HttpAuth::AUTHORIZATION_RESULT_STALE:
+ // TODO(cbentzel): Support "stale" invalidation in HttpAuthCache.
+ // Right now this does the same invalidation as before.
+ InvalidateCurrentHandler();
+ break;
+ default:
+ NOTREACHED();
+ break;
+ }
}
identity_.invalid = true;
- if (target_ != HttpAuth::AUTH_SERVER || !do_not_send_server_auth) {
+ bool can_send_auth = (target_ != HttpAuth::AUTH_SERVER ||
+ !do_not_send_server_auth);
+ if (!handler_.get() && can_send_auth) {
// Find the best authentication challenge that we support.
HttpAuth::ChooseBestChallenge(session_->http_auth_handler_factory(),
headers, target_, auth_origin_,
@@ -203,9 +217,6 @@
SelectNextAuthIdentityToTry();
} else {
// Proceed with the existing identity or a null identity.
- //
- // TODO(wtc): Add a safeguard against infinite transaction restarts, if
- // the server keeps returning "NTLM".
identity_.invalid = false;
}
@@ -263,6 +274,12 @@
}
}
+void HttpAuthController::InvalidateCurrentHandler() {
+ InvalidateRejectedAuthFromCache();
+ handler_.reset();
+ identity_ = HttpAuth::Identity();
+}
+
void HttpAuthController::InvalidateRejectedAuthFromCache() {
DCHECK(HaveAuth());
@@ -302,8 +319,8 @@
// Check the auth cache for a realm entry.
HttpAuthCache::Entry* entry =
- session_->auth_cache()->Lookup(auth_origin_, handler_->realm(),
- handler_->scheme());
+ session_->auth_cache()->Lookup(auth_origin_, handler_->realm(),
+ handler_->scheme());
if (entry) {
identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
« no previous file with comments | « net/http/http_auth_controller.h ('k') | net/http/http_auth_gssapi_posix.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698