Don't do Negotiate with GSSAPI if default credentials are not allowed.

GSSAPI does not provide a mechanism for the user to specify username/password to obtain a TGT. If default credentials are not allowed for an end site, skip negotiate and use a different scheme.

Arguably in this case it may make sense to simply prompt the user whether they want to use their existing Kerberos credentials to authenticate to the server and use the existing TGT, but we'll need UI changes.

BUG=33033
TEST=net_unittests, try to authenticate to a Kerberized server which is not in the whitelist.

Review URL: http://codereview.chromium.org/3013003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@52943 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 16 insertions, 0 deletions

diff --git a/net/http/url_security_manager.h b/net/http/url_security_manager.h
index 5f68e3a..cd80a7d 100644
--- a/net/http/url_security_manager.h
+++ b/net/http/url_security_manager.h
@@ -47,6 +47,22 @@ class URLSecurityManagerWhitelist : public URLSecurityManager {
   DISALLOW_COPY_AND_ASSIGN(URLSecurityManagerWhitelist);
 };
 
+#if defined(UNIT_TEST)
+// An URLSecurityManager which always allows default credentials.
+class URLSecurityManagerAllow : public URLSecurityManager {
+ public:
+  URLSecurityManagerAllow() {}
+  virtual ~URLSecurityManagerAllow() {}
+
+  virtual bool CanUseDefaultCredentials(const GURL& auth_origin) {
+    return true;
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(URLSecurityManagerAllow);
+};
+#endif  // defined(UNIT_TEST)
+
 }  // namespace net
 
 #endif  // NET_HTTP_URL_SECURITY_MANAGER_H_