author | cbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-14 20:12:45 +0000 |
---|---|---|
committer | cbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-14 20:12:45 +0000 |
commit | e5ae96a15b687fffe178eb8c4a7ea79a1ddd679c (patch) | |
tree | 4ffb7e20097a482248f465eef2a7540d79d58e8f /net/http/http_auth_handler_negotiate.h | |
parent | da5922762971a646407390f5c8d88a2447b2effc (diff) | |
download | chromium_src-e5ae96a15b687fffe178eb8c4a7ea79a1ddd679c.zip chromium_src-e5ae96a15b687fffe178eb8c4a7ea79a1ddd679c.tar.gz chromium_src-e5ae96a15b687fffe178eb8c4a7ea79a1ddd679c.tar.bz2 |
Kerberos uses an SPN (Service Principal Name) to identify a server. This is typically in the form "HTTP/host:port", with the ":port" suffix being optional, and the "HTTP/" prefix is fixed regardless of whether the service is accessed over HTTP or HTTPS.
The issue this is fixing is that the URL host may be an incomplete domain name, a numerical address, or an alias for a canonical DNS name.
By default, Chrome will skip adding the optional port to the SPN, and will use the canonical DNS name for the server (which may be the original server name if it is an A or AAAA record). This matches IE and Firefox's default behavior.
Some intranets are set up so the original host name should be used rather than the canonical name. The canonical name resolution can be disabled with the --disable-spnego-cname-lookup command line flag.
Some intranets are also set up so that the optional port should be specified when it is non-standard (not 80 or 443). Use the --enable-spnego-port command line flag.
BUG=29862
TEST=net_unittests.exe --gtest_filter="*CanonicalName*"
Review URL: http://codereview.chromium.org/1535019
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44526 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http/http_auth_handler_negotiate.h')
-rw-r--r-- | net/http/http_auth_handler_negotiate.h | 40 |
1 files changed, 39 insertions, 1 deletions
diff --git a/net/http/http_auth_handler_negotiate.h b/net/http/http_auth_handler_negotiate.h
index f34664c..3450fc4 100644
--- a/net/http/http_auth_handler_negotiate.h
+++ b/net/http/http_auth_handler_negotiate.h
@@ -9,6 +9,7 @@
 #include <string>
+#include "net/base/address_list.h"
 #include "net/http/http_auth_handler.h"
 #include "net/http/http_auth_handler_factory.h"
@@ -18,6 +19,8 @@
 namespace net {
+class SingleRequestHostResolver;
+
 // Handler for WWW-Authenticate: Negotiate protocol.
 //
 // See http://tools.ietf.org/html/rfc4178 and http://tools.ietf.org/html/rfc4559
@@ -30,6 +33,22 @@ class HttpAuthHandlerNegotiate : public HttpAuthHandler {
 Factory();
 virtual ~Factory();
+ // |disable_cname_lookup()| and |set_disable_cname_lookup()| get/set whether
+ // the auth handlers generated by this factory should skip looking up the
+ // canonical DNS name of the the host that they are authenticating to when
+ // generating the SPN. The default value is false.
+ bool disable_cname_lookup() const { return disable_cname_lookup_; }
+ void set_disable_cname_lookup(bool disable_cname_lookup) {
+ disable_cname_lookup_ = disable_cname_lookup;
+ }
+
+ // |use_port()| and |set_use_port()| get/set whether the auth handlers
+ // generated by this factory should include the port number of the server
+ // they are authenticating to when constructing a Kerberos SPN. The default
+ // value is false.
+ bool use_port() const { return use_port_; }
+ void set_use_port(bool use_port) { use_port_ = use_port; }
+
 virtual int CreateAuthHandler(HttpAuth::ChallengeTokenizer* challenge,
 HttpAuth::Target target,
 const GURL& origin,
@@ -47,6 +66,8 @@ class HttpAuthHandlerNegotiate : public HttpAuthHandler {
 }
 #endif // defined(OS_WIN)
 private:
+ bool disable_cname_lookup_;
+ bool use_port_;
 #if defined(OS_WIN)
 ULONG max_token_length_;
 bool first_creation_;
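Review bot: The accessor comments in the `@@ -30,6 +33,22 @@` hunk promise a default of false for `disable_cname_lookup_` and `use_port_`, but the members added to `Factory` in `@@ -47,6 +66,8 @@` carry no initializer, so the default rests entirely on `Factory()`, whose body is outside this header and not in the diff; worth confirming it sets both, since an uninitialized bool would make the SPN choice depend on stack garbage. The same comment is also the natural place to record what the lookup means for trust, e.g. `// The canonical name is taken from a DNS answer, so the resulting SPN is only as trustworthy as DNS; deployments that cannot rely on DNS integrity should disable the lookup (see --disable-spnego-cname-lookup).` The first comment also has a doubled word, `the the host`.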
@@ -56,7 +77,8 @@ class HttpAuthHandlerNegotiate : public HttpAuthHandler {
 };
 #if defined(OS_WIN)
- HttpAuthHandlerNegotiate(SSPILibrary* sspi_library, ULONG max_token_length);
+ HttpAuthHandlerNegotiate(SSPILibrary* sspi_library, ULONG max_token_length,
+ bool disable_cname_lookup, bool use_port);
 #else
 HttpAuthHandlerNegotiate();
 #endif
@@ -67,6 +89,8 @@ class HttpAuthHandlerNegotiate : public HttpAuthHandler {
 virtual bool SupportsDefaultCredentials();
+ virtual bool NeedsCanonicalName();
+
 virtual int GenerateAuthToken(const std::wstring& username,
 const std::wstring& password,
 const HttpRequestInfo* request,
@@ -77,6 +101,10 @@ class HttpAuthHandlerNegotiate : public HttpAuthHandler {
 const ProxyInfo* proxy,
 std::string* auth_token);
+ virtual int ResolveCanonicalName(HostResolver* host_resolver, CompletionCallback* callback, const BoundNetLog& net_log);
+
 protected:
 virtual bool Init(HttpAuth::ChallengeTokenizer* challenge);
@@ -84,7 +112,17 @@ class HttpAuthHandlerNegotiate : public HttpAuthHandler {
 ~HttpAuthHandlerNegotiate();
 #if defined(OS_WIN)
+ void OnResolveCanonicalName(int result);
+ std::wstring CreateSPN(const AddressList& address_list, const GURL& orign);
+
 HttpAuthSSPI auth_sspi_;
+ AddressList address_list_;
+ scoped_ptr<SingleRequestHostResolver> single_resolve_;
+ CompletionCallback* user_callback_;
+ CompletionCallbackImpl<HttpAuthHandlerNegotiate> resolve_cname_callback_;
+ bool disable_cname_lookup_;
+ bool use_port_;
+ std::wstring spn_;
 #endif
 };
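Review bot: In the `@@ -84,7 +112,17 @@` hunk all of the canonical-name state (`single_resolve_`, `user_callback_`, `resolve_cname_callback_`, `disable_cname_lookup_`, `use_port_`, `spn_`) and the helpers `OnResolveCanonicalName`/`CreateSPN` sit under `#if defined(OS_WIN)`, while `NeedsCanonicalName()` and `ResolveCanonicalName()` are declared unconditionally and the non-Windows constructor takes neither flag, so the factory's new settings appear to have no effect off Windows; if that is intended, a comment on the two virtuals saying so would help, since the .cc is not in this diff. `user_callback_` is a raw pointer to a caller-supplied callback held across an asynchronous resolve, and the header says nothing about ownership or what a pending resolve does when the handler is destroyed; a comment such as `// Not owned. Valid only while a ResolveCanonicalName() request is pending.` would pin that down, to be confirmed against the implementation. The parameter name `orign` in `CreateSPN` is a typo for `origin`.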