authorahendrickson@chromium.org <ahendrickson@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-04-16 20:22:30 +0000
committerahendrickson@chromium.org <ahendrickson@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-04-16 20:22:30 +0000
commitb4955e7d58c7bb329b6dddc6f33199fe17c7bfa1 (patch)
tree0685b539d6b9b4e438f82d27422d859c35bfb816 /net
parent3a06fa5487850ef494aea79f5b46a97d06d31a4f (diff)
Refactored to pass the URLSecurityManager via the HttpAuthFactory class to the HttpNetworkSession.
Fixed a bug where the command-line whitelist was not being propagated down to the URLSecurityManager. BUG=29596 TEST=None Review URL: http://codereview.chromium.org/1634005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44811 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/http/http_auth_handler.h8
-rw-r--r--net/http/http_auth_handler_factory.cc15
-rw-r--r--net/http/http_auth_handler_factory.h30
-rw-r--r--net/http/http_auth_handler_negotiate.h9
-rw-r--r--net/http/http_auth_handler_negotiate_posix.cc8
-rw-r--r--net/http/http_auth_handler_negotiate_win.cc23
-rw-r--r--net/http/http_auth_handler_ntlm.h11
-rw-r--r--net/http/http_auth_handler_ntlm_portable.cc13
-rw-r--r--net/http/http_auth_handler_ntlm_win.cc20
-rw-r--r--net/http/http_network_session.cc10
-rw-r--r--net/http/http_network_session.h15
-rw-r--r--net/http/http_network_transaction.cc17
-rw-r--r--net/http/http_network_transaction.h5
-rw-r--r--net/http/url_security_manager.cc13
-rw-r--r--net/http/url_security_manager.h35
-rw-r--r--net/http/url_security_manager_posix.cc24
-rw-r--r--net/http/url_security_manager_win.cc25
17 files changed, 138 insertions, 143 deletions
diff --git a/net/http/http_auth_handler.h b/net/http/http_auth_handler.h
index 663e04a..dc87d34 100644
--- a/net/http/http_auth_handler.h
+++ b/net/http/http_auth_handler.h
@@ -77,12 +77,12 @@ class HttpAuthHandler : public base::RefCounted<HttpAuthHandler> {
// single-round schemes.
virtual bool IsFinalRound() { return true; }
- // Returns whether the authentication scheme supports the use of default
- // credentials. If true, the user does not need to be prompted for
- // username and password to establish credentials.
+ // Returns whether the default credentials may be used for the |origin| passed
+ // into |InitFromChallenge|. If true, the user does not need to be prompted
+ // for username and password to establish credentials.
// NOTE: SSO is a potential security risk.
// TODO(cbentzel): Add a pointer to Firefox documentation about risk.
- virtual bool SupportsDefaultCredentials() { return false; }
+ virtual bool AllowsDefaultCredentials() { return false; }
// Returns whether the canonical DNS name for the origin host needs to be
// resolved. The Negotiate auth scheme typically uses the canonical DNS
diff --git a/net/http/http_auth_handler_factory.cc b/net/http/http_auth_handler_factory.cc
index de7ef59..2921b66 100644
--- a/net/http/http_auth_handler_factory.cc
+++ b/net/http/http_auth_handler_factory.cc
@@ -47,19 +47,12 @@ HttpAuthHandlerRegistryFactory::~HttpAuthHandlerRegistryFactory() {
factory_map_.end());
}
-void HttpAuthHandlerRegistryFactory::SetFilter(const std::string& scheme,
- HttpAuthFilter* filter) {
- HttpAuthHandlerFactory* factory = GetSchemeFactory(scheme);
- if (factory)
- factory->set_filter(filter);
-}
-
-const HttpAuthFilter* HttpAuthHandlerRegistryFactory::GetFilter(
- const std::string& scheme) const {
+void HttpAuthHandlerRegistryFactory::SetURLSecurityManager(
+ const std::string& scheme,
+ const URLSecurityManager* security_manager) {
HttpAuthHandlerFactory* factory = GetSchemeFactory(scheme);
if (factory)
- return factory->filter();
- return NULL;
+ factory->set_url_security_manager(security_manager);
}
void HttpAuthHandlerRegistryFactory::RegisterSchemeFactory(
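Review bot: SetURLSecurityManager returns silently when GetSchemeFactory finds no factory for |scheme|, so a caller that passes a misspelled or unregistered scheme gets no sign that its credential policy was never installed. Judging by the Windows handlers elsewhere in this commit, a NULL manager makes AllowsDefaultCredentials refuse server targets, so the miss fails closed, but it would still be hard to diagnose. Consider a diagnostic on the miss, e.g. `LOG(WARNING) << "No auth factory registered for scheme " << scheme;`, or a comment stating that an unknown scheme is ignored on purpose.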
diff --git a/net/http/http_auth_handler_factory.h b/net/http/http_auth_handler_factory.h
index 587bb30..0b65f1e 100644
--- a/net/http/http_auth_handler_factory.h
+++ b/net/http/http_auth_handler_factory.h
@@ -10,7 +10,7 @@
#include "base/scoped_ptr.h"
#include "net/http/http_auth.h"
-#include "net/http/http_auth_filter.h"
+#include "net/http/url_security_manager.h"
class GURL;
@@ -22,17 +22,19 @@ class HttpAuthHandlerRegistryFactory;
// An HttpAuthHandlerFactory is used to create HttpAuthHandler objects.
class HttpAuthHandlerFactory {
public:
- HttpAuthHandlerFactory() {}
+ HttpAuthHandlerFactory() : url_security_manager_(NULL) {}
virtual ~HttpAuthHandlerFactory() {}
- // Sets an authentication filter.
- void set_filter(HttpAuthFilter* filter) {
- filter_.reset(filter);
+ // Sets an URL security manager. HttpAuthHandlerFactory doesn't own the URL
+ // security manager, and the URL security manager should outlive this object.
+ void set_url_security_manager(
+ const URLSecurityManager* url_security_manager) {
+ url_security_manager_ = url_security_manager;
}
- // Retrieves the associated authentication filter.
- const HttpAuthFilter* filter() const {
- return filter_.get();
+ // Retrieves the associated URL security manager.
+ const URLSecurityManager* url_security_manager() const {
+ return url_security_manager_;
}
// Creates an HttpAuthHandler object based on the authentication
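Review bot: The ownership comment on set_url_security_manager covers only the factory, but the handlers built by the Windows Negotiate and NTLM factories copy the same raw pointer into their own url_security_manager_ member (see the CreateAuthHandler hunks in http_auth_handler_negotiate_win.cc and http_auth_handler_ntlm_win.cc). HttpAuthHandler is ref-counted, so a handler may still be referenced after the factory is gone, and the manager then has to outlive every such handler as well; before this change the factory owned its filter through a scoped_ptr. I would extend the comment to something like `// The URL security manager must outlive this factory and every HttpAuthHandler it creates.` The class body continues outside the hunk.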
@@ -75,8 +77,8 @@ class HttpAuthHandlerFactory {
static HttpAuthHandlerRegistryFactory* CreateDefault();
private:
- // The authentication filter
- scoped_ptr<HttpAuthFilter> filter_;
+ // The URL security manager
+ const URLSecurityManager* url_security_manager_;
DISALLOW_COPY_AND_ASSIGN(HttpAuthHandlerFactory);
};
@@ -88,11 +90,9 @@ class HttpAuthHandlerRegistryFactory : public HttpAuthHandlerFactory {
HttpAuthHandlerRegistryFactory();
virtual ~HttpAuthHandlerRegistryFactory();
- // Sets an authentication filter into the factory associated with |scheme|.
- void SetFilter(const std::string& scheme, HttpAuthFilter* filter);
-
- // Retrieves the authentication filter associated with |scheme|.
- const HttpAuthFilter* GetFilter(const std::string& scheme) const;
+ // Sets an URL security manager into the factory associated with |scheme|.
+ void SetURLSecurityManager(const std::string& scheme,
+ const URLSecurityManager* url_security_manager);
// Registers a |factory| that will be used for a particular HTTP
// authentication scheme such as Basic, Digest, or Negotiate.
diff --git a/net/http/http_auth_handler_negotiate.h b/net/http/http_auth_handler_negotiate.h
index 3450fc4..7bb9426 100644
--- a/net/http/http_auth_handler_negotiate.h
+++ b/net/http/http_auth_handler_negotiate.h
@@ -20,6 +20,7 @@
namespace net {
class SingleRequestHostResolver;
+class URLSecurityManager;
// Handler for WWW-Authenticate: Negotiate protocol.
//
@@ -78,16 +79,18 @@ class HttpAuthHandlerNegotiate : public HttpAuthHandler {
#if defined(OS_WIN)
HttpAuthHandlerNegotiate(SSPILibrary* sspi_library, ULONG max_token_length,
+ const URLSecurityManager* url_security_manager,
bool disable_cname_lookup, bool use_port);
#else
- HttpAuthHandlerNegotiate();
+ explicit HttpAuthHandlerNegotiate(
+ const URLSecurityManager* url_security_manager);
#endif
virtual bool NeedsIdentity();
virtual bool IsFinalRound();
- virtual bool SupportsDefaultCredentials();
+ virtual bool AllowsDefaultCredentials();
virtual bool NeedsCanonicalName();
@@ -124,6 +127,8 @@ class HttpAuthHandlerNegotiate : public HttpAuthHandler {
bool use_port_;
std::wstring spn_;
#endif
+
+ const URLSecurityManager* url_security_manager_;
};
} // namespace net
diff --git a/net/http/http_auth_handler_negotiate_posix.cc b/net/http/http_auth_handler_negotiate_posix.cc
index 7b57853..50ff1c0 100644
--- a/net/http/http_auth_handler_negotiate_posix.cc
+++ b/net/http/http_auth_handler_negotiate_posix.cc
@@ -9,11 +9,15 @@
namespace net {
+// TODO(ahendrickson): Implement via GSSAPI.
+
// TODO(cbentzel): Negotiate authentication protocol is not supported on Posix
// systems currently. These stubs make the main HTTP Authentication code bypass
// Negotiate without requiring conditional compilation.
-HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate() {
+HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate(
+ const URLSecurityManager* url_security_manager)
+ : url_security_manager_(url_security_manager) {
}
HttpAuthHandlerNegotiate::~HttpAuthHandlerNegotiate() {
@@ -31,7 +35,7 @@ bool HttpAuthHandlerNegotiate::IsFinalRound() {
return false;
}
-bool HttpAuthHandlerNegotiate::SupportsDefaultCredentials() {
+bool HttpAuthHandlerNegotiate::AllowsDefaultCredentials() {
NOTREACHED();
LOG(ERROR) << ErrorToString(ERR_NOT_IMPLEMENTED);
return false;
diff --git a/net/http/http_auth_handler_negotiate_win.cc b/net/http/http_auth_handler_negotiate_win.cc
index 6c6e767..4be5923 100644
--- a/net/http/http_auth_handler_negotiate_win.cc
+++ b/net/http/http_auth_handler_negotiate_win.cc
@@ -9,19 +9,23 @@
#include "net/base/host_resolver.h"
#include "net/base/net_errors.h"
#include "net/http/http_auth_filter.h"
+#include "net/http/url_security_manager.h"
namespace net {
-HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate(SSPILibrary* library,
- ULONG max_token_length,
- bool disable_cname_lookup,
- bool use_port)
+HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate(
+ SSPILibrary* library,
+ ULONG max_token_length,
+ const URLSecurityManager* url_security_manager,
+ bool disable_cname_lookup,
+ bool use_port)
: auth_sspi_(library, "Negotiate", NEGOSSP_NAME, max_token_length),
user_callback_(NULL),
ALLOW_THIS_IN_INITIALIZER_LIST(resolve_cname_callback_(
this, &HttpAuthHandlerNegotiate::OnResolveCanonicalName)),
disable_cname_lookup_(disable_cname_lookup),
- use_port_(use_port) {
+ use_port_(use_port),
+ url_security_manager_(url_security_manager) {
}
HttpAuthHandlerNegotiate::~HttpAuthHandlerNegotiate() {
@@ -60,8 +64,12 @@ bool HttpAuthHandlerNegotiate::IsFinalRound() {
return auth_sspi_.IsFinalRound();
}
-bool HttpAuthHandlerNegotiate::SupportsDefaultCredentials() {
- return true;
+bool HttpAuthHandlerNegotiate::AllowsDefaultCredentials() {
+ if (target_ == HttpAuth::AUTH_PROXY)
+ return true;
+ if (!url_security_manager_)
+ return false;
+ return url_security_manager_->CanUseDefaultCredentials(origin_);
}
bool HttpAuthHandlerNegotiate::NeedsCanonicalName() {
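Review bot: In AllowsDefaultCredentials the `target_ == HttpAuth::AUTH_PROXY` branch returns true before the URL security manager is consulted, so default credentials are allowed for any proxy regardless of the whitelist or zone policy, and nothing in the new code says why. This mirrors the HttpNetworkTransaction::CanUseDefaultCredentials that the commit removes, so it looks like carried-over behaviour, but it deserves a comment at the branch, e.g. `// Proxies are exempt from the URL security manager check; only server origins are subject to the whitelist or zone policy.` The identical five-line body is added to HttpAuthHandlerNTLM::AllowsDefaultCredentials in http_auth_handler_ntlm_win.cc; a shared helper would keep the two policy checks from drifting apart.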
@@ -202,6 +210,7 @@ int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
// method and only constructing when valid.
scoped_refptr<HttpAuthHandler> tmp_handler(
new HttpAuthHandlerNegotiate(sspi_library_, max_token_length_,
+ url_security_manager(),
disable_cname_lookup_, use_port_));
if (!tmp_handler->InitFromChallenge(challenge, target, origin))
return ERR_INVALID_RESPONSE;
diff --git a/net/http/http_auth_handler_ntlm.h b/net/http/http_auth_handler_ntlm.h
index f027471..1381b02 100644
--- a/net/http/http_auth_handler_ntlm.h
+++ b/net/http/http_auth_handler_ntlm.h
@@ -31,6 +31,8 @@
namespace net {
+class URLSecurityManager;
+
// Code for handling HTTP NTLM authentication.
class HttpAuthHandlerNTLM : public HttpAuthHandler {
public:
@@ -96,14 +98,15 @@ class HttpAuthHandlerNTLM : public HttpAuthHandler {
HttpAuthHandlerNTLM();
#endif
#if defined(NTLM_SSPI)
- HttpAuthHandlerNTLM(SSPILibrary* sspi_library, ULONG max_token_length);
+ HttpAuthHandlerNTLM(SSPILibrary* sspi_library, ULONG max_token_length,
+ const URLSecurityManager* url_security_manager);
#endif
virtual bool NeedsIdentity();
virtual bool IsFinalRound();
- virtual bool SupportsDefaultCredentials();
+ virtual bool AllowsDefaultCredentials();
virtual int GenerateAuthToken(const std::wstring& username,
const std::wstring& password,
@@ -164,6 +167,10 @@ class HttpAuthHandlerNTLM : public HttpAuthHandler {
// The base64-encoded string following "NTLM" in the "WWW-Authenticate" or
// "Proxy-Authenticate" response header.
std::string auth_data_;
+
+#if defined(NTLM_SSPI)
+ const URLSecurityManager* url_security_manager_;
+#endif
};
} // namespace net
diff --git a/net/http/http_auth_handler_ntlm_portable.cc b/net/http/http_auth_handler_ntlm_portable.cc
index 5872131..7c08e14 100644
--- a/net/http/http_auth_handler_ntlm_portable.cc
+++ b/net/http/http_auth_handler_ntlm_portable.cc
@@ -658,7 +658,7 @@ bool HttpAuthHandlerNTLM::IsFinalRound() {
return !auth_data_.empty();
}
-bool HttpAuthHandlerNTLM::SupportsDefaultCredentials() {
+bool HttpAuthHandlerNTLM::AllowsDefaultCredentials() {
// Default credentials are not supported in the portable implementation of
// NTLM, but are supported in the SSPI implementation.
return false;
@@ -731,16 +731,11 @@ int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
HttpAuth::Target target,
const GURL& origin,
scoped_refptr<HttpAuthHandler>* handler) {
- if (filter() && !filter()->IsValid(origin, target)) {
- LOG(INFO) << "URL " << origin
- << "fails filter validation for authentication method "
- << "NTLM";
-
- return ERR_INVALID_AUTH_CREDENTIALS;
- }
// TODO(cbentzel): Move towards model of parsing in the factory
// method and only constructing when valid.
- scoped_refptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNTLM());
+ // NOTE: Default credentials are not supported for the portable implementation
+ // of NTLM.
+ scoped_refptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNTLM);
if (!tmp_handler->InitFromChallenge(challenge, target, origin))
return ERR_INVALID_RESPONSE;
handler->swap(tmp_handler);
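Review bot: This hunk deletes the `filter()->IsValid(origin, target)` check from CreateAuthHandler without a replacement, so the portable NTLM factory now builds a handler for origins it used to reject with ERR_INVALID_AUTH_CREDENTIALS when a filter was set. AllowsDefaultCredentials still returns false in this implementation, so no ambient credentials are sent, but with explicitly entered credentials an NTLM exchange may now proceed against hosts the filter previously excluded. The commit description does not mention this and lists TEST=None; if the change is intended, the new NOTE should say so, e.g. `// NOTE: The whitelist only gates default credentials, which the portable implementation does not support, so no origin check is done here.` CreateAuthHandler begins above the hunk.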
diff --git a/net/http/http_auth_handler_ntlm_win.cc b/net/http/http_auth_handler_ntlm_win.cc
index 04c53f3..d3d16ae 100644
--- a/net/http/http_auth_handler_ntlm_win.cc
+++ b/net/http/http_auth_handler_ntlm_win.cc
@@ -14,14 +14,17 @@
#include "net/base/net_errors.h"
#include "net/base/net_util.h"
#include "net/http/http_auth_sspi_win.h"
+#include "net/http/url_security_manager.h"
#pragma comment(lib, "secur32.lib")
namespace net {
-HttpAuthHandlerNTLM::HttpAuthHandlerNTLM(SSPILibrary* sspi_library,
- ULONG max_token_length) :
- auth_sspi_(sspi_library, "NTLM", NTLMSP_NAME, max_token_length) {
+HttpAuthHandlerNTLM::HttpAuthHandlerNTLM(
+ SSPILibrary* sspi_library, ULONG max_token_length,
+ const URLSecurityManager* url_security_manager)
+ : auth_sspi_(sspi_library, "NTLM", NTLMSP_NAME, max_token_length),
+ url_security_manager_(url_security_manager) {
}
HttpAuthHandlerNTLM::~HttpAuthHandlerNTLM() {
@@ -36,8 +39,12 @@ bool HttpAuthHandlerNTLM::IsFinalRound() {
return auth_sspi_.IsFinalRound();
}
-bool HttpAuthHandlerNTLM::SupportsDefaultCredentials() {
- return true;
+bool HttpAuthHandlerNTLM::AllowsDefaultCredentials() {
+ if (target_ == HttpAuth::AUTH_PROXY)
+ return true;
+ if (!url_security_manager_)
+ return false;
+ return url_security_manager_->CanUseDefaultCredentials(origin_);
}
int HttpAuthHandlerNTLM::GenerateDefaultAuthToken(
@@ -81,7 +88,8 @@ int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
// TODO(cbentzel): Move towards model of parsing in the factory
// method and only constructing when valid.
scoped_refptr<HttpAuthHandler> tmp_handler(
- new HttpAuthHandlerNTLM(sspi_library_, max_token_length_));
+ new HttpAuthHandlerNTLM(sspi_library_, max_token_length_,
+ url_security_manager()));
if (!tmp_handler->InitFromChallenge(challenge, target, origin))
return ERR_INVALID_RESPONSE;
handler->swap(tmp_handler);
diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc
index 90e865f..ea8d1d7 100644
--- a/net/http/http_network_session.cc
+++ b/net/http/http_network_session.cc
@@ -51,16 +51,6 @@ HttpNetworkSession::~HttpNetworkSession() {
network_change_notifier_->RemoveObserver(this);
}
-URLSecurityManager* HttpNetworkSession::GetURLSecurityManager() {
- // Create the URL security manager lazily in the first call.
- // This is called on a single thread.
- if (!url_security_manager_.get()) {
- url_security_manager_.reset(
- URLSecurityManager::Create(http_auth_handler_factory_->filter()));
- }
- return url_security_manager_.get();
-}
-
// static
void HttpNetworkSession::set_max_sockets_per_group(int socket_count) {
DCHECK_LT(0, socket_count);
diff --git a/net/http/http_network_session.h b/net/http/http_network_session.h
index b8ad729..23ba526 100644
--- a/net/http/http_network_session.h
+++ b/net/http/http_network_session.h
@@ -24,7 +24,6 @@ class ClientSocketFactory;
class HttpAuthHandlerFactory;
class SpdySessionPool;
class NetworkChangeNotifier;
-class URLSecurityManager;
// This class holds session objects used by HttpNetworkTransaction objects.
class HttpNetworkSession
@@ -78,14 +77,11 @@ class HttpNetworkSession
return http_auth_handler_factory_;
}
- // Returns a pointer to the URL security manager.
- URLSecurityManager* GetURLSecurityManager();
-
- // Flushes cached data in the HttpNetworkSession.
- void Flush();
-
- // NetworkChangeNotifier::Observer methods:
- virtual void OnIPAddressChanged();
+ // Flushes cached data in the HttpNetworkSession.
+ void Flush();
+
+ // NetworkChangeNotifier::Observer methods:
+ virtual void OnIPAddressChanged();
static void set_max_sockets_per_group(int socket_count);
@@ -127,7 +123,6 @@ class HttpNetworkSession
scoped_refptr<SSLConfigService> ssl_config_service_;
scoped_refptr<SpdySessionPool> spdy_session_pool_;
HttpAuthHandlerFactory* http_auth_handler_factory_;
- scoped_ptr<URLSecurityManager> url_security_manager_;
SpdySettingsStorage spdy_settings_;
};
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index f66cd7d..ef111ea 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1763,18 +1763,6 @@ bool HttpNetworkTransaction::SelectPreemptiveAuth(HttpAuth::Target target) {
return false;
}
-bool HttpNetworkTransaction::CanUseDefaultCredentials(
- HttpAuth::Target target,
- const GURL& auth_origin) const {
- if (target == HttpAuth::AUTH_PROXY)
- return true;
-
- URLSecurityManager* security_manager = session_->GetURLSecurityManager();
- if (!security_manager)
- return false;
- return security_manager->CanUseDefaultCredentials(auth_origin);
-}
-
bool HttpNetworkTransaction::SelectNextAuthIdentityToTry(
HttpAuth::Target target,
const GURL& auth_origin) {
@@ -1829,9 +1817,8 @@ bool HttpNetworkTransaction::SelectNextAuthIdentityToTry(
// We use default credentials after checking the auth cache so that if
// single sign-on doesn't work, we won't try default credentials for future
// transactions.
- if (auth_handler_[target]->SupportsDefaultCredentials() &&
- !default_credentials_used_ &&
- CanUseDefaultCredentials(target, auth_origin)) {
+ if (!default_credentials_used_ &&
+ auth_handler_[target]->AllowsDefaultCredentials()) {
auth_identity_[target].source = HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS;
auth_identity_[target].invalid = false;
default_credentials_used_ = true;
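Review bot: The default-credentials decision in SelectNextAuthIdentityToTry no longer looks at its `auth_origin` argument; AllowsDefaultCredentials answers for the origin the handler stored in InitFromChallenge. That is sound only while the handler in `auth_handler_[target]` was initialised for the same origin, which cannot be confirmed from this hunk. A comment above the condition, e.g. `// The handler applies the policy to the origin it was created for, which must equal |auth_origin|.`, would record the assumption; a DCHECK would be stronger if the handler exposes its origin. The function starts and ends outside the hunk.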
diff --git a/net/http/http_network_transaction.h b/net/http/http_network_transaction.h
index ed5ff75..3705cf8 100644
--- a/net/http/http_network_transaction.h
+++ b/net/http/http_network_transaction.h
@@ -246,11 +246,6 @@ class HttpNetworkTransaction : public HttpTransaction {
void InvalidateRejectedAuthFromCache(HttpAuth::Target target,
const GURL& auth_origin);
- // Returns true if we can use the default credentials for the
- // authentication.
- bool CanUseDefaultCredentials(HttpAuth::Target target,
- const GURL& auth_origin) const;
-
// Sets auth_identity_[target] to the next identity that the transaction
// should try. It chooses candidates by searching the auth cache
// and the URL for a username:password. Returns true if an identity
diff --git a/net/http/url_security_manager.cc b/net/http/url_security_manager.cc
index 137fd01..78ccdf4 100644
--- a/net/http/url_security_manager.cc
+++ b/net/http/url_security_manager.cc
@@ -4,10 +4,19 @@
#include "net/http/url_security_manager.h"
+#include "net/http/http_auth_filter.h"
+
namespace net {
-URLSecurityManager::URLSecurityManager(const HttpAuthFilter* whitelist)
- : whitelist_(whitelist) {
+URLSecurityManagerWhitelist::URLSecurityManagerWhitelist(
+ HttpAuthFilter* whitelist) : whitelist_(whitelist) {
+}
+
+bool URLSecurityManagerWhitelist::CanUseDefaultCredentials(
+ const GURL& auth_origin) const {
+ if (whitelist_.get())
+ return whitelist_->IsValid(auth_origin, HttpAuth::AUTH_SERVER);
+ return false;
}
} // namespace net
diff --git a/net/http/url_security_manager.h b/net/http/url_security_manager.h
index d4413e4e..2665264 100644
--- a/net/http/url_security_manager.h
+++ b/net/http/url_security_manager.h
@@ -5,6 +5,9 @@
#ifndef NET_HTTP_URL_SECURITY_MANAGER_H_
#define NET_HTTP_URL_SECURITY_MANAGER_H_
+#include "base/scoped_ptr.h"
+#include "base/basictypes.h"
+
class GURL;
namespace net {
@@ -13,27 +16,35 @@ class HttpAuthFilter;
// The URL security manager controls the policies (allow, deny, prompt user)
// regarding URL actions (e.g., sending the default credentials to a server).
-//
-// On Windows, we honor the WinINet/IE settings and group policy related to
-// URL Security Zones. See the Microsoft Knowledge Base article 182569
-// "Internet Explorer security zones registry entries for advanced users"
-// (http://support.microsoft.com/kb/182569) for more info on these registry
-// keys.
class URLSecurityManager {
public:
- // The UrlSecurityManager does not take ownership of the HttpAuthFilter.
- explicit URLSecurityManager(const HttpAuthFilter* whitelist);
- virtual ~URLSecurityManager() {}
+ URLSecurityManager() {}
+ virtual ~URLSecurityManager() {}
// Creates a platform-dependent instance of URLSecurityManager.
- static URLSecurityManager* Create(const HttpAuthFilter* whitelist);
+ // The URLSecurityManager takes ownership of the HttpAuthFilter.
+ static URLSecurityManager* Create(HttpAuthFilter* whitelist);
// Returns true if we can send the default credentials to the server at
// |auth_origin| for HTTP NTLM or Negotiate authentication.
virtual bool CanUseDefaultCredentials(const GURL& auth_origin) const = 0;
- protected:
- const HttpAuthFilter* whitelist_;
+ private:
+ DISALLOW_COPY_AND_ASSIGN(URLSecurityManager);
+};
+
+class URLSecurityManagerWhitelist : public URLSecurityManager {
+ public:
+ // The URLSecurityManagerWhitelist takes ownership of the HttpAuthFilter.
+ explicit URLSecurityManagerWhitelist(HttpAuthFilter* whitelist);
+
+ // URLSecurityManager methods.
+ virtual bool CanUseDefaultCredentials(const GURL& auth_origin) const;
+
+ private:
+ scoped_ptr<HttpAuthFilter> whitelist_;
+
+ DISALLOW_COPY_AND_ASSIGN(URLSecurityManagerWhitelist);
};
} // namespace net
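Review bot: URLSecurityManagerWhitelist is added without a class comment, and its handling of a NULL whitelist is only visible in url_security_manager.cc, where CanUseDefaultCredentials returns false for every origin. Since the POSIX Create() always returns this class, that is the policy a POSIX build gets when no whitelist is configured, which is worth stating where callers will read it. I would add above the class something like `// Allows default credentials only for origins accepted by |whitelist|; with a NULL whitelist every origin is denied.`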
diff --git a/net/http/url_security_manager_posix.cc b/net/http/url_security_manager_posix.cc
index 5a52576..931d9cc 100644
--- a/net/http/url_security_manager_posix.cc
+++ b/net/http/url_security_manager_posix.cc
@@ -2,34 +2,16 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#include "net/http/http_auth.h"
-#include "net/http/http_auth_filter.h"
#include "net/http/url_security_manager.h"
-#include "googleurl/src/gurl.h"
+#include "net/http/http_auth_filter.h"
namespace net {
-class URLSecurityManagerPosix : public URLSecurityManager {
- public:
- explicit URLSecurityManagerPosix(const HttpAuthFilter* whitelist)
- : URLSecurityManager(whitelist) {}
-
- // URLSecurityManager methods:
- virtual bool CanUseDefaultCredentials(const GURL& auth_origin) const;
-};
-
-bool URLSecurityManagerPosix::CanUseDefaultCredentials(
- const GURL& auth_origin) const {
- if (whitelist_)
- return whitelist_->IsValid(auth_origin, HttpAuth::AUTH_SERVER);
- return false;
-}
-
// static
URLSecurityManager* URLSecurityManager::Create(
- const HttpAuthFilter* whitelist) {
- return new URLSecurityManagerPosix(whitelist);
+ HttpAuthFilter* whitelist) {
+ return new URLSecurityManagerWhitelist(whitelist);
}
} // namespace net
diff --git a/net/http/url_security_manager_win.cc b/net/http/url_security_manager_win.cc
index b3b3988..b563b35 100644
--- a/net/http/url_security_manager_win.cc
+++ b/net/http/url_security_manager_win.cc
@@ -10,28 +10,34 @@
#include "base/scoped_comptr_win.h"
#include "base/string_util.h"
#include "googleurl/src/gurl.h"
-#include "net/http/http_auth_filter.h"
// The Windows implementation of URLSecurityManager uses WinINet/IE's
// URL security zone manager. See the MSDN page "URL Security Zones" at
// http://msdn.microsoft.com/en-us/library/ms537021(VS.85).aspx for more
// info on the Internet Security Manager and Internet Zone Manager objects.
+//
+// On Windows, we honor the WinINet/IE settings and group policy related to
+// URL Security Zones. See the Microsoft Knowledge Base article 182569
+// "Internet Explorer security zones registry entries for advanced users"
+// (http://support.microsoft.com/kb/182569) for more info on these registry
+// keys.
namespace net {
class URLSecurityManagerWin : public URLSecurityManager {
public:
- explicit URLSecurityManagerWin(const HttpAuthFilter* whitelist);
+ URLSecurityManagerWin();
// URLSecurityManager methods:
virtual bool CanUseDefaultCredentials(const GURL& auth_origin) const;
private:
ScopedComPtr<IInternetSecurityManager> security_manager_;
+
+ DISALLOW_COPY_AND_ASSIGN(URLSecurityManagerWin);
};
-URLSecurityManagerWin::URLSecurityManagerWin(const HttpAuthFilter* whitelist)
- : URLSecurityManager(whitelist) {
+URLSecurityManagerWin::URLSecurityManagerWin() {
HRESULT hr = CoInternetCreateSecurityManager(NULL,
security_manager_.Receive(),
NULL);
@@ -41,10 +47,6 @@ URLSecurityManagerWin::URLSecurityManagerWin(const HttpAuthFilter* whitelist)
bool URLSecurityManagerWin::CanUseDefaultCredentials(
const GURL& auth_origin) const {
- // The whitelist overrides everything, if it exists.
- if (whitelist_)
- return whitelist_->IsValid(auth_origin, HttpAuth::AUTH_SERVER);
-
if (!security_manager_) {
NOTREACHED(); // The code in the constructor failed.
return false;
@@ -101,8 +103,11 @@ bool URLSecurityManagerWin::CanUseDefaultCredentials(
// static
URLSecurityManager* URLSecurityManager::Create(
- const HttpAuthFilter* whitelist) {
- return new URLSecurityManagerWin(whitelist);
+ HttpAuthFilter* whitelist) {
+ // If we have a whitelist, just use that.
+ if (whitelist)
+ return new URLSecurityManagerWhitelist(whitelist);
+ return new URLSecurityManagerWin();
}
} // namespace net