Invalidate credentials if the server rejects them.

net/http/http_auth_controller.cc

Index: net/http/http_auth_controller.cc
diff --git a/net/http/http_auth_controller.cc b/net/http/http_auth_controller.cc
index f438ea46128bfe898b0de6017773799ce7ed00c1..b1090cd25d6d1029fac63dc84d8e33f6253ce89d 100644
--- a/net/http/http_auth_controller.cc
+++ b/net/http/http_auth_controller.cc
@@ -273,11 +273,11 @@ int HttpAuthController::HandleAuthChallenge(
       case HttpAuth::AUTHORIZATION_RESULT_ACCEPT:

[cbentzel, 2011/02/16 16:13:05]

Would it be cleaner if the new realm was done in HandleChallengeResponse, and
return a new AUTHORIZATION_RESULT_DIFFERENT_REALM which simply does
handler_.reset() and identity_ = HttpAuth::Identity() without rejecting from
cache?

One downside is that it does mean the following sequence would result in cache
credentials for realm=foo to be stored.

-> GET /resource
<- 401, WWW-Authenticate:Basic realm=foo

-> GET /resource, Authorization: Basic XUHHFC
<- 401, WWW-Authenticate:Basic realm=bar

Should you write a simple server and see how other browsers handle the nested
realm case? 

         break;
       case HttpAuth::AUTHORIZATION_RESULT_INVALID:
-        InvalidateCurrentHandler();
+        InvalidateCurrentHandler(headers.get());
         break;
       case HttpAuth::AUTHORIZATION_RESULT_REJECT:
         HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
-        InvalidateCurrentHandler();
+        InvalidateCurrentHandler(headers.get());
         break;
       case HttpAuth::AUTHORIZATION_RESULT_STALE:
         if (http_auth_cache_->UpdateStaleChallenge(auth_origin_,
@@ -290,7 +290,7 @@ int HttpAuthController::HandleAuthChallenge(
           // It's possible that a server could incorrectly issue a stale
           // response when the entry is not in the cache. Just evict the
           // current value from the cache.
-          InvalidateCurrentHandler();
+          InvalidateCurrentHandler(headers.get());
         }
         break;
       default:
@@ -403,15 +403,17 @@ bool HttpAuthController::HaveAuth() const {
   return handler_.get() && !identity_.invalid;
 }
 
-void HttpAuthController::InvalidateCurrentHandler() {
+void HttpAuthController::InvalidateCurrentHandler(
+    const HttpResponseHeaders* headers) {
   DCHECK(CalledOnValidThread());
 
-  InvalidateRejectedAuthFromCache();
+  InvalidateRejectedAuthFromCache(headers);
   handler_.reset();
   identity_ = HttpAuth::Identity();
 }
 
-void HttpAuthController::InvalidateRejectedAuthFromCache() {
+void HttpAuthController::InvalidateRejectedAuthFromCache(
+    const HttpResponseHeaders* headers) {
   DCHECK(CalledOnValidThread());
   DCHECK(HaveAuth());
 
@@ -419,7 +421,10 @@ void HttpAuthController::InvalidateRejectedAuthFromCache() {
   // the preemptively used auth entry matches the realm of the subsequent
   // challenge, then we can invalidate the preemptively used entry.
   // Otherwise as-is we may send the failed credentials one extra time.
-  if (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP)
+  if (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP &&
+      !HttpAuth::ShouldInvalidateRejectedAuth(headers,
+                                              target_,
+                                              handler_.get()))
     return;
 
   // Clear the cache entry for the identity we just failed on.