Invalidate credentials if the server rejects them.

net/http/http_auth_controller.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "base/metrics/histogram.h"
 #include "base/string_util.h"
 #include "base/threading/platform_thread.h"
 #include "base/utf_string_conversions.h"
@@ skipping 255 matching lines @@
   // challenge appeared to be rejected, or is using a stale nonce in the Digest
   // case.
   if (HaveAuth()) {
     std::string challenge_used;
     HttpAuth::AuthorizationResult result = HttpAuth::HandleChallengeResponse(
         handler_.get(), headers, target_, disabled_schemes_, &challenge_used);
     switch (result) {
       case HttpAuth::AUTHORIZATION_RESULT_ACCEPT:
         break;
       case HttpAuth::AUTHORIZATION_RESULT_INVALID:
-        InvalidateCurrentHandler();
+        InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
         break;
       case HttpAuth::AUTHORIZATION_RESULT_REJECT:
         HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
-        InvalidateCurrentHandler();
+        InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
         break;
       case HttpAuth::AUTHORIZATION_RESULT_STALE:
         if (http_auth_cache_->UpdateStaleChallenge(auth_origin_,
                                                    handler_->realm(),
                                                    handler_->auth_scheme(),
                                                    challenge_used)) {
-          handler_.reset();
-          identity_ = HttpAuth::Identity();
+          InvalidateCurrentHandler(INVALIDATE_HANDLER);
         } else {
           // It's possible that a server could incorrectly issue a stale
           // response when the entry is not in the cache. Just evict the
           // current value from the cache.
-          InvalidateCurrentHandler();
+          InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
         }
         break;
+      case HttpAuth::AUTHORIZATION_RESULT_DIFFERENT_REALM:
+        // If the server asks for credentials for one realm and then
+        // rejects them, we remove the credentials from the cache
+        // unless it was in response to a preemptive authorization
+        // header.

[wtc, 2011/02/22 23:17:32]

This comment is confusing because it seems self-contradictory.

If the server asks for credentials, that means our authorization
header is NOT preemptive.

Also, the server does more than just "rejects them", right?
It should also give a different realm in the new challenge.

[cbentzel, 2011/02/23 14:49:54]

It means that the server returns a 401 after we provided preemptive
authorization headers during the GET. 
for this particular case, it means that a new realm was provided. In the case of
HttpAuth::AUTHORIZATION_RESULT_REJECT, it likely means that the challenge had
the same realm.

[asanka, 2011/02/23 18:06:40]

I'll clarify the comment.

+        InvalidateCurrentHandler(
+            (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP) ?
+            INVALIDATE_HANDLER :
+            INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
+        break;
       default:
         NOTREACHED();
         break;
     }
   }
 
   identity_.invalid = true;
 
   bool can_send_auth = (target_ != HttpAuth::AUTH_SERVER ||
                         !do_not_send_server_auth);
@@ skipping 90 matching lines @@
 }
 
 bool HttpAuthController::HaveAuthHandler() const {
   return handler_.get() != NULL;
 }
 
 bool HttpAuthController::HaveAuth() const {
   return handler_.get() && !identity_.invalid;
 }
 
-void HttpAuthController::InvalidateCurrentHandler() {
+void HttpAuthController::InvalidateCurrentHandler(
+    InvalidateHandlerAction action) {
   DCHECK(CalledOnValidThread());
 
-  InvalidateRejectedAuthFromCache();
+  if (action == INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS)
+    InvalidateRejectedAuthFromCache();
   handler_.reset();
   identity_ = HttpAuth::Identity();
 }
 
 void HttpAuthController::InvalidateRejectedAuthFromCache() {
   DCHECK(CalledOnValidThread());
   DCHECK(HaveAuth());
 
-  // TODO(eroman): this short-circuit can be relaxed. If the realm of
-  // the preemptively used auth entry matches the realm of the subsequent
-  // challenge, then we can invalidate the preemptively used entry.
-  // Otherwise as-is we may send the failed credentials one extra time.
-  if (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP)
-    return;
-
   // Clear the cache entry for the identity we just failed on.
   // Note: we require the username/password to match before invalidating
   // since the entry in the cache may be newer than what we used last time.
   http_auth_cache_->Remove(auth_origin_, handler_->realm(),
                            handler_->auth_scheme(), identity_.username,
                            identity_.password);
 }
 
 bool HttpAuthController::SelectNextAuthIdentityToTry() {
   DCHECK(CalledOnValidThread());
@@ skipping 83 matching lines @@
   DCHECK(CalledOnValidThread());
   return disabled_schemes_.find(scheme) != disabled_schemes_.end();
 }
 
 void HttpAuthController::DisableAuthScheme(HttpAuth::Scheme scheme) {
   DCHECK(CalledOnValidThread());
   disabled_schemes_.insert(scheme);
 }
 
 }  // namespace net