Invalidate credentials if the server rejects them.

net/http/http_auth_controller.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "base/metrics/histogram.h"
 #include "base/string_util.h"
 #include "base/threading/platform_thread.h"
 #include "base/utf_string_conversions.h"
@@ skipping 252 matching lines @@
 
   // Give the existing auth handler first try at the authentication headers.
   // This will also evict the entry in the HttpAuthCache if the previous
   // challenge appeared to be rejected, or is using a stale nonce in the Digest
   // case.
   if (HaveAuth()) {
     std::string challenge_used;
     HttpAuth::AuthorizationResult result = HttpAuth::HandleChallengeResponse(
         handler_.get(), headers, target_, disabled_schemes_, &challenge_used);
     switch (result) {
       case HttpAuth::AUTHORIZATION_RESULT_ACCEPT:

[cbentzel, 2011/02/16 16:13:05]

Would it be cleaner if the new realm was done in HandleChallengeResponse, and
return a new AUTHORIZATION_RESULT_DIFFERENT_REALM which simply does
handler_.reset() and identity_ = HttpAuth::Identity() without rejecting from
cache?

One downside is that it does mean the following sequence would result in cache
credentials for realm=foo to be stored.

-> GET /resource
<- 401, WWW-Authenticate:Basic realm=foo

-> GET /resource, Authorization: Basic XUHHFC
<- 401, WWW-Authenticate:Basic realm=bar

Should you write a simple server and see how other browsers handle the nested
realm case? 

         break;
       case HttpAuth::AUTHORIZATION_RESULT_INVALID:
-        InvalidateCurrentHandler();
+        InvalidateCurrentHandler(headers.get());
         break;
       case HttpAuth::AUTHORIZATION_RESULT_REJECT:
         HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
-        InvalidateCurrentHandler();
+        InvalidateCurrentHandler(headers.get());
         break;
       case HttpAuth::AUTHORIZATION_RESULT_STALE:
         if (http_auth_cache_->UpdateStaleChallenge(auth_origin_,
                                                    handler_->realm(),
                                                    handler_->auth_scheme(),
                                                    challenge_used)) {
           handler_.reset();
           identity_ = HttpAuth::Identity();
         } else {
           // It's possible that a server could incorrectly issue a stale
           // response when the entry is not in the cache. Just evict the
           // current value from the cache.
-          InvalidateCurrentHandler();
+          InvalidateCurrentHandler(headers.get());
         }
         break;
       default:
         NOTREACHED();
         break;
     }
   }
 
   identity_.invalid = true;
 
@@ skipping 92 matching lines @@
 }
 
 bool HttpAuthController::HaveAuthHandler() const {
   return handler_.get() != NULL;
 }
 
 bool HttpAuthController::HaveAuth() const {
   return handler_.get() && !identity_.invalid;
 }
 
-void HttpAuthController::InvalidateCurrentHandler() {
+void HttpAuthController::InvalidateCurrentHandler(
+    const HttpResponseHeaders* headers) {
   DCHECK(CalledOnValidThread());
 
-  InvalidateRejectedAuthFromCache();
+  InvalidateRejectedAuthFromCache(headers);
   handler_.reset();
   identity_ = HttpAuth::Identity();
 }
 
-void HttpAuthController::InvalidateRejectedAuthFromCache() {
+void HttpAuthController::InvalidateRejectedAuthFromCache(
+    const HttpResponseHeaders* headers) {
   DCHECK(CalledOnValidThread());
   DCHECK(HaveAuth());
 
   // TODO(eroman): this short-circuit can be relaxed. If the realm of
   // the preemptively used auth entry matches the realm of the subsequent
   // challenge, then we can invalidate the preemptively used entry.
   // Otherwise as-is we may send the failed credentials one extra time.
-  if (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP)
+  if (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP &&
+      !HttpAuth::ShouldInvalidateRejectedAuth(headers,
+                                              target_,
+                                              handler_.get()))
     return;
 
   // Clear the cache entry for the identity we just failed on.
   // Note: we require the username/password to match before invalidating
   // since the entry in the cache may be newer than what we used last time.
   http_auth_cache_->Remove(auth_origin_, handler_->realm(),
                            handler_->auth_scheme(), identity_.username,
                            identity_.password);
 }
 
@@ skipping 85 matching lines @@
   DCHECK(CalledOnValidThread());
   return disabled_schemes_.find(scheme) != disabled_schemes_.end();
 }
 
 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) {
   DCHECK(CalledOnValidThread());
   disabled_schemes_.insert(scheme);
 }
 
 }  // namespace net