Attempt to back off from Kerberos authentication if we don't have credentials.

If the user has a stale TGT, or is unable to generate a TGS for the server they are trying to communicate to, then generating an authentication token fails.
Rather than fail the entire network transaction in that case, we resend the request with an empty Authenticate (or Proxy-Authenticate) header, and remember that the Negotiate scheme is not a valid option for this particular transaction.

If the server responds back with headers like

WWW-Authenticate: Negotiate
WWW-Authenticate: Digest realm=foo

then the digest scheme is chosen in the next round.

BUG=33033
TEST=None

Review URL: http://codereview.chromium.org/3010010

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@53002 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 5 insertions, 0 deletions

diff --git a/net/http/http_auth.h b/net/http/http_auth.h
index 09b6f369..01afcc0 100644
--- a/net/http/http_auth.h
+++ b/net/http/http_auth.h
@@ -5,6 +5,8 @@
 #ifndef NET_HTTP_HTTP_AUTH_H_
 #define NET_HTTP_HTTP_AUTH_H_
 
+#include <set>
+
 #include "base/scoped_ptr.h"
 #include "net/http/http_util.h"
 
@@ -89,6 +91,8 @@ class HttpAuth {
   // |*handler| is unchanged. If no supported challenge was found, |*handler|
   // is set to NULL.
   //
+  // |disabled_schemes| is the set of schemes that we should not use.
+  //
   // |origin| is used by the NTLM authentication scheme to construct the
   // service principal name.  It is ignored by other schemes.
   //
@@ -100,6 +104,7 @@ class HttpAuth {
       const HttpResponseHeaders* headers,
       Target target,
       const GURL& origin,
+      const std::set<std::string>& disabled_schemes,
       const BoundNetLog& net_log,
       scoped_ptr<HttpAuthHandler>* handler);