authorcbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-09-11 14:03:30 +0000
committercbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-09-11 14:03:30 +0000
commiteca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c (patch)
treeae0368388f38766781c5ddff86c9e0e2c0c9c362 /net/http/http_auth.h
parent4630db4630bc415cc3b7be70bce87160559810df (diff)
Fix multi-round authentication.
In the case of Negotiate, authentication can look like C: GET S: 401, WWW-Authenticate: Negotiate C: GET, WWW-Authorization: Negotiate <client_token_1> S: 401, WWW-Authenticate: Negotiate <server_token_1> C: GET, WWW-Authorization: Negotiate <client_token_2> S: 401, WWW-Authenticate: Negotiate <server_token_2> on that third challenge, the handler was reported as being in "the final round" and this was treated as a rejection of the authentication attempt. After that, the new challenge token was used by a new auth handler that hadn't established a security context, and an ERR_INVALID_HANDLE would be returned. This CL also does some prep work to correctly handle the "stale=true" value for Digest authentication, but I decided to defer the HttpAuthCache changes needed for that to a separate CL since this was large enough. BUG=53282 TEST=net_unittests. Unfortunately, I haven't been able to set up a proxy/server to do more than two auth challenges, but this does happen in the wild. Review URL: http://codereview.chromium.org/3360017 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@59188 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http/http_auth.h')
-rw-r--r--net/http/http_auth.h40
1 files changed, 29 insertions, 11 deletions
diff --git a/net/http/http_auth.h b/net/http/http_auth.h
index 347bdec..d7d0347 100644
--- a/net/http/http_auth.h
+++ b/net/http/http_auth.h
@@ -25,7 +25,6 @@ class HttpResponseHeaders;
// Utility class for http authentication.
class HttpAuth {
public:
-
// Http authentication can be done the the proxy server, origin server,
// or both. This enum tracks who the target is.
enum Target {
@@ -37,6 +36,24 @@ class HttpAuth {
AUTH_NUM_TARGETS = 2,
};
+ // What the HTTP WWW-Authenticate/Proxy-Authenticate headers indicate about
+ // the previous authorization attempt.
+ enum AuthorizationResult {
+ AUTHORIZATION_RESULT_ACCEPT, // The authorization attempt was accepted,
+ // although there still may be additional
+ // rounds of challenges.
+
+ AUTHORIZATION_RESULT_REJECT, // The authorization attempt was rejected.
+
+ AUTHORIZATION_RESULT_STALE, // (Digest) The nonce used in the
+ // authorization attempt is stale, but
+ // otherwise the attempt was valid.
+
+ AUTHORIZATION_RESULT_INVALID, // The authentication challenge headers are
+ // poorly formed (the authorization attempt
+ // itself may have been fine).
+ };
+
// Describes where the identity used for authentication came from.
enum IdentitySource {
// Came from nowhere -- the identity is not initialized.
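Review bot: AUTHORIZATION_RESULT_STALE is declared here, but the commit description says the HttpAuthCache changes needed to act on Digest's stale=true were deferred to a separate CL, and nothing in this hunk tells a reader that the value is not yet fully handled. A TODO on the enumerator would keep callers from assuming a stale result already triggers a nonce refresh: `AUTHORIZATION_RESULT_STALE, // (Digest) The nonce used in the authorization attempt is stale, but otherwise the attempt was valid. TODO: HttpAuthCache handling for stale=true is not in place yet.` It would also help to state on the enum's header comment that only AUTHORIZATION_RESULT_ACCEPT lets the existing handler continue to a further round while the other three end the current handler's sequence — assuming that is the intended contract, which this header alone does not show.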
@@ -88,19 +105,13 @@ class HttpAuth {
// Iterate through the challenge headers, and pick the best one that
// we support. Obtains the implementation class for handling the challenge,
- // and passes it back in |*handler|. If the existing handler in |*handler|
- // should continue to be used (such as for the NTLM authentication scheme),
- // |*handler| is unchanged. If no supported challenge was found, |*handler|
- // is set to NULL.
+ // and passes it back in |*handler|. If no supported challenge was found,
+ // |*handler| is set to NULL.
//
// |disabled_schemes| is the set of schemes that we should not use.
//
- // |origin| is used by the NTLM authentication scheme to construct the
- // service principal name. It is ignored by other schemes.
- //
- // TODO(wtc): Continuing to use the existing handler in |*handler| (for
- // NTLM) is new behavior. Rename ChooseBestChallenge to fully encompass
- // what it does now.
+ // |origin| is used by the NTLM and Negotiation authentication scheme to
+ // construct the service principal name. It is ignored by other schemes.
static void ChooseBestChallenge(
HttpAuthHandlerFactory* http_auth_handler_factory,
const HttpResponseHeaders* headers,
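Review bot: The new comment in the |origin| paragraph names the scheme "Negotiation", but the scheme is "Negotiate" (the commit description uses that name), and the sentence pairs two schemes with a singular noun; `// |origin| is used by the NTLM and Negotiate authentication schemes to` / `// construct the service principal name. It is ignored by other schemes.` reads correctly. The removed lines said an existing handler in |*handler| is left unchanged when it should keep being used; the new text only says |*handler| is set to NULL when nothing is supported, so a reader can no longer tell whether a non-NULL |*handler| may be replaced — if that behaviour now lives in HandleChallengeResponse, a sentence saying so would close the gap. ChooseBestChallenge's parameter list continues past the end of this hunk.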
@@ -110,6 +121,13 @@ class HttpAuth {
const BoundNetLog& net_log,
scoped_ptr<HttpAuthHandler>* handler);
+ // Handle a response to a previous authentication attempt.
+ static AuthorizationResult HandleChallengeResponse(
+ HttpAuthHandler* handler,
+ const HttpResponseHeaders* headers,
+ Target target,
+ const std::set<std::string>& disabled_schemes);
+
// ChallengeTokenizer breaks up a challenge string into the the auth scheme
// and parameter list, according to RFC 2617 Sec 1.2:
// challenge = auth-scheme 1*SP 1#auth-param
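Review bot: The one-line comment on HandleChallengeResponse states neither the preconditions a caller must meet nor how the four AuthorizationResult values map to what the caller does next. It should say that |handler| is the handler that produced the previous authorization attempt and whether it may be NULL, that |headers| are the response that followed that attempt and |target| selects whether WWW-Authenticate or Proxy-Authenticate is read, and what role |disabled_schemes| plays here — in particular what is returned when the challenge names a scheme other than the one |handler| uses, which this header alone does not show. Stating that the result is derived from the headers only and that the call does not itself update |handler| or any auth cache, if that is true, would also keep callers from assuming a side effect.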