Chromium Code Reviews| Index: net/http/http_auth_controller.cc |
| diff --git a/net/http/http_auth_controller.cc b/net/http/http_auth_controller.cc |
| index f438ea46128bfe898b0de6017773799ce7ed00c1..8a342b82e7e88490fa4628eb240f078f1d4ca566 100644 |
| --- a/net/http/http_auth_controller.cc |
| +++ b/net/http/http_auth_controller.cc |
| @@ -273,26 +273,35 @@ int HttpAuthController::HandleAuthChallenge( |
| case HttpAuth::AUTHORIZATION_RESULT_ACCEPT: |
| break; |
| case HttpAuth::AUTHORIZATION_RESULT_INVALID: |
| - InvalidateCurrentHandler(); |
| + InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS); |
| break; |
| case HttpAuth::AUTHORIZATION_RESULT_REJECT: |
| HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT); |
| - InvalidateCurrentHandler(); |
| + InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS); |
| break; |
| case HttpAuth::AUTHORIZATION_RESULT_STALE: |
| if (http_auth_cache_->UpdateStaleChallenge(auth_origin_, |
| handler_->realm(), |
| handler_->auth_scheme(), |
| challenge_used)) { |
| - handler_.reset(); |
| - identity_ = HttpAuth::Identity(); |
| + InvalidateCurrentHandler(INVALIDATE_HANDLER); |
| } else { |
| // It's possible that a server could incorrectly issue a stale |
| // response when the entry is not in the cache. Just evict the |
| // current value from the cache. |
| - InvalidateCurrentHandler(); |
| + InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS); |
| } |
| break; |
| + case HttpAuth::AUTHORIZATION_RESULT_DIFFERENT_REALM: |
| + // If the server asks for credentials for one realm and then |
| + // rejects them, we remove the credentials from the cache |
| + // unless it was in response to a preemptive authorization |
| + // header. |
|
wtc
2011/02/22 23:17:32
This comment is confusing because it seems self-co
cbentzel
2011/02/23 14:49:54
It means that the server returns a 401 after we pr
asanka
2011/02/23 18:06:40
I'll clarify the comment.
|
| + InvalidateCurrentHandler( |
| + (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP) ? |
| + INVALIDATE_HANDLER : |
| + INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS); |
| + break; |
| default: |
| NOTREACHED(); |
| break; |
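Review bot: In the new `AUTHORIZATION_RESULT_DIFFERENT_REALM` case, an identity that came from `IDENT_SRC_PATH_LOOKUP` is dropped with `INVALIDATE_HANDLER`, so the cache entry that supplied the preemptive credentials stays in place. As far as this hunk shows, nothing stops the same path lookup from matching again, so a later request under that path could preemptively send the same credentials to a resource that has just identified itself as belonging to another realm; please confirm the path association is corrected elsewhere, or add a unit test that pins what the second request sends. The INVALID, REJECT and stale-miss branches now also evict entries for path-lookup identities, because the short-circuit in `InvalidateRejectedAuthFromCache()` is removed further down; if that is intended, a line such as `// Preemptively used (path-lookup) credentials are evicted here as well.` would record it. `HandleAuthChallenge()` begins and ends outside the hunk.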
| @@ -403,10 +412,12 @@ bool HttpAuthController::HaveAuth() const { |
| return handler_.get() && !identity_.invalid; |
| } |
| -void HttpAuthController::InvalidateCurrentHandler() { |
| +void HttpAuthController::InvalidateCurrentHandler( |
| + InvalidateHandlerAction action) { |
| DCHECK(CalledOnValidThread()); |
| - InvalidateRejectedAuthFromCache(); |
| + if (action == INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS) |
| + InvalidateRejectedAuthFromCache(); |
| handler_.reset(); |
| identity_ = HttpAuth::Identity(); |
| } |
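Review bot: `InvalidateCurrentHandler()` now decides whether rejected credentials stay in the HTTP auth cache, but nothing at the definition says which action keeps them. A short comment above the function would make that explicit, for example `// INVALIDATE_HANDLER drops only handler_ and identity_; INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS also evicts the matching cache entry.` Also, `DCHECK(HaveAuth())` lives in `InvalidateRejectedAuthFromCache()` (next hunk), so the `INVALIDATE_HANDLER` path does not check that precondition; if it is meant to hold for both actions, the DCHECK belongs in this function.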
| @@ -415,13 +426,6 @@ void HttpAuthController::InvalidateRejectedAuthFromCache() { |
| DCHECK(CalledOnValidThread()); |
| DCHECK(HaveAuth()); |
| - // TODO(eroman): this short-circuit can be relaxed. If the realm of |
| - // the preemptively used auth entry matches the realm of the subsequent |
| - // challenge, then we can invalidate the preemptively used entry. |
| - // Otherwise as-is we may send the failed credentials one extra time. |
| - if (identity_.source == HttpAuth::IDENT_SRC_PATH_LOOKUP) |
| - return; |
| - |
| // Clear the cache entry for the identity we just failed on. |
| // Note: we require the username/password to match before invalidating |
| // since the entry in the cache may be newer than what we used last time. |