-rw-r--r-- | chrome/browser/io_thread.cc | 61 | ||||
-rw-r--r-- | chrome/common/chrome_switches.cc | 12 | ||||
-rw-r--r-- | chrome/common/chrome_switches.h | 2 | ||||
-rw-r--r-- | net/http/http_auth_handler_factory.cc | 46 | ||||
-rw-r--r-- | net/http/http_auth_handler_factory.h | 25 |
5 files changed, 95 insertions, 51 deletions
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc index 54aaab2..4f9a244 100644 --- a/chrome/browser/io_thread.cc +++ b/chrome/browser/io_thread.cc @@ -24,7 +24,6 @@ #include "net/base/net_util.h" #include "net/http/http_auth_filter.h" #include "net/http/http_auth_handler_factory.h" -#include "net/http/http_auth_handler_negotiate.h" namespace { 
@@ -245,63 +244,35 @@ void IOThread::CleanUpAfterMessageLoopDestruction() { net::HttpAuthHandlerFactory* IOThread::CreateDefaultAuthHandlerFactory( net::HostResolver* resolver) { - net::HttpAuthFilterWhitelist* auth_filter = NULL; + const CommandLine& command_line = *CommandLine::ForCurrentProcess(); // Get the whitelist information from the command line, create an // HttpAuthFilterWhitelist, and attach it to the HttpAuthHandlerFactory. - const CommandLine& command_line = *CommandLine::ForCurrentProcess(); - + net::HttpAuthFilterWhitelist* auth_filter = NULL; if (command_line.HasSwitch(switches::kAuthServerWhitelist)) { std::string auth_server_whitelist = command_line.GetSwitchValueASCII(switches::kAuthServerWhitelist); - // Create a whitelist filter. auth_filter = new net::HttpAuthFilterWhitelist(); auth_filter->SetWhitelist(auth_server_whitelist); } - - // Set the flag that enables or disables the Negotiate auth handler. - static const bool kNegotiateAuthEnabledDefault = true; - - bool negotiate_auth_enabled = kNegotiateAuthEnabledDefault; - if (command_line.HasSwitch(switches::kExperimentalEnableNegotiateAuth)) { - std::string enable_negotiate_auth = command_line.GetSwitchValueASCII( - switches::kExperimentalEnableNegotiateAuth); - // Enabled if no value, or value is 'true'. Disabled otherwise. - negotiate_auth_enabled = - enable_negotiate_auth.empty() || - (StringToLowerASCII(enable_negotiate_auth) == "true"); - } - - net::HttpAuthHandlerRegistryFactory* registry_factory = - net::HttpAuthHandlerFactory::CreateDefault(); - globals_->url_security_manager.reset( net::URLSecurityManager::Create(auth_filter)); - // Add the security manager to the auth factories that need it. - registry_factory->SetURLSecurityManager("ntlm", - globals_->url_security_manager.get()); - registry_factory->SetURLSecurityManager("negotiate", - globals_->url_security_manager.get()); - if (negotiate_auth_enabled) { - // Configure the Negotiate settings for the Kerberos SPN. 
- // TODO(cbentzel): Read the related IE registry settings on Windows builds. - // TODO(cbentzel): Ugly use of static_cast here. - net::HttpAuthHandlerNegotiate::Factory* negotiate_factory = - static_cast<net::HttpAuthHandlerNegotiate::Factory*>( - registry_factory->GetSchemeFactory("negotiate")); - DCHECK(negotiate_factory); - negotiate_factory->set_host_resolver(resolver); - if (command_line.HasSwitch(switches::kDisableAuthNegotiateCnameLookup)) - negotiate_factory->set_disable_cname_lookup(true); - if (command_line.HasSwitch(switches::kEnableAuthNegotiatePort)) - negotiate_factory->set_use_port(true); - } else { - // Disable the Negotiate authentication handler. - registry_factory->RegisterSchemeFactory("negotiate", NULL); - } - return registry_factory; + // Determine which schemes are supported. + std::string csv_auth_schemes = "basic,digest,ntlm,negotiate"; + if (command_line.HasSwitch(switches::kAuthSchemes)) + csv_auth_schemes = StringToLowerASCII( + command_line.GetSwitchValueASCII(switches::kAuthSchemes)); + std::vector<std::string> supported_schemes; + SplitString(csv_auth_schemes, ',', &supported_schemes); + + return net::HttpAuthHandlerRegistryFactory::Create( + supported_schemes, + globals_->url_security_manager.get(), + resolver, + command_line.HasSwitch(switches::kDisableAuthNegotiateCnameLookup), + command_line.HasSwitch(switches::kEnableAuthNegotiatePort)); } void IOThread::InitNetworkPredictorOnIOThread( diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc index ab89509..4897923 100644 --- a/chrome/common/chrome_switches.cc +++ b/chrome/common/chrome_switches.cc 
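Review bot: A misspelled or unknown token in --auth-schemes is silently dropped on the new side of CreateDefaultAuthHandlerFactory: SplitString produces the token, IsSupportedScheme in Create() never matches it, and nothing is logged, so the handler quietly disappears, which is the opposite of what a triage flag should do. Since the value is already lower-cased, checking each token against the four known names and emitting a LOG(WARNING) for anything else before the Create() call keeps the flag trustworthy without changing the accepted syntax. This assumes SplitString trims surrounding whitespace as the base helper of this era appears to; if it does not, `--auth-schemes="basic, digest"` would be dropped the same way and the warning would make that visible too.
```cpp
  std::vector<std::string> supported_schemes;
  SplitString(csv_auth_schemes, ',', &supported_schemes);
  // Surface a misspelled --auth-schemes value instead of silently dropping
  // the handler; Create() ignores scheme names it does not know.
  for (size_t i = 0; i < supported_schemes.size(); ++i) {
    const std::string& scheme = supported_schemes[i];
    if (scheme != "basic" && scheme != "digest" &&
        scheme != "ntlm" && scheme != "negotiate")
      LOG(WARNING) << "Ignoring unknown auth scheme: " << scheme;
  }
  // … unchanged: HttpAuthHandlerRegistryFactory::Create call …
```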
@@ -63,7 +63,13 @@ const char kAppsNoThrob[] = "apps-no-throb"; // Whether to display the "Debug" link for app launch behavior. const char kAppsDebug[] = "apps-debug"; -// Authentication white list for servers +// HTTP authentication schemes to enable. This is a comma separated list +// of authentication schemes (basic, digest, ntlm, and negotiate). By default +// all schemes are enabled. The primary use of this command line flag is to help +// triage autentication-related issues reported by end-users. +const char kAuthSchemes[] = "auth-schemes"; + +// Authentication white list for servers. const char kAuthServerWhitelist[] = "auth-server-whitelist"; // The value of this switch tells the app to listen for and broadcast @@ -504,10 +510,6 @@ const char kEnableWin7Location[] = "enable-win7-location"; // Disable WebKit's XSSAuditor. The XSSAuditor mitigates reflective XSS. const char kEnableXSSAuditor[] = "enable-xss-auditor"; -// Enables the experimental Negotiate authentication protocol. -const char kExperimentalEnableNegotiateAuth[] = - "experimental-enable-negotiate-auth"; - // Enables experimental features for Spellchecker. Right now, the first // experimental feature is auto spell correct, which corrects words which are // misppelled by typing the word with two consecutive letters swapped. The diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h index 8f181b8..6d1d796 100644 --- a/chrome/common/chrome_switches.h +++ b/chrome/common/chrome_switches.h @@ -33,6 +33,7 @@ extern const char kAppsDebug[]; extern const char kAppsPanel[]; extern const char kAppsGalleryURL[]; extern const char kAppsNoThrob[]; +extern const char kAuthSchemes[]; extern const char kAuthServerWhitelist[]; extern const char kAutomationClientChannelID[]; extern const char kBlockNonSandboxedPlugins[]; 
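Review bot: The new kAuthSchemes comment in chrome_switches.cc has a typo in its last line, "autentication"; it should read `// triage authentication-related issues reported by end-users.`. It would also help readers of this comment to know that the value is matched case-insensitively after lower-casing in io_thread.cc and that unrecognized names are ignored, e.g. `// Scheme names are case-insensitive; unrecognized names are ignored.`.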
@@ -159,7 +160,6 @@ extern const char kEnableWatchdog[]; extern const char kEnableWin7Location[]; extern const char kEnableXSSAuditor[]; // Experimental features. -extern const char kExperimentalEnableNegotiateAuth[]; extern const char kExperimentalSpellcheckerFeatures[]; // End experimental features. extern const char kExplicitlyAllowedPorts[]; diff --git a/net/http/http_auth_handler_factory.cc b/net/http/http_auth_handler_factory.cc index c2d011b..c9e0fb9 100644 --- a/net/http/http_auth_handler_factory.cc +++ b/net/http/http_auth_handler_factory.cc 
@@ -53,6 +53,52 @@ HttpAuthHandlerRegistryFactory* HttpAuthHandlerFactory::CreateDefault() { return registry_factory; } +namespace { + +bool IsSupportedScheme(const std::vector<std::string>& supported_schemes, + const std::string& scheme) { + std::vector<std::string>::const_iterator it = std::find( + supported_schemes.begin(), supported_schemes.end(), scheme); + return it != supported_schemes.end(); +} + +} + +// static +HttpAuthHandlerRegistryFactory* HttpAuthHandlerRegistryFactory::Create( + const std::vector<std::string>& supported_schemes, + URLSecurityManager* security_manager, + HostResolver* host_resolver, + bool negotiate_disable_cname_lookup, + bool negotiate_enable_port) { + HttpAuthHandlerRegistryFactory* registry_factory = + new HttpAuthHandlerRegistryFactory(); + if (IsSupportedScheme(supported_schemes, "basic")) + registry_factory->RegisterSchemeFactory( + "basic", new HttpAuthHandlerBasic::Factory()); + if (IsSupportedScheme(supported_schemes, "digest")) + registry_factory->RegisterSchemeFactory( + "digest", new HttpAuthHandlerDigest::Factory()); + if (IsSupportedScheme(supported_schemes, "ntlm")) { + HttpAuthHandlerNTLM::Factory* ntlm_factory = + new HttpAuthHandlerNTLM::Factory(); + ntlm_factory->set_url_security_manager(security_manager); + registry_factory->RegisterSchemeFactory("ntlm", ntlm_factory); + } + if (IsSupportedScheme(supported_schemes, "negotiate")) { + HttpAuthHandlerNegotiate::Factory* negotiate_factory = + new HttpAuthHandlerNegotiate::Factory(); + negotiate_factory->set_url_security_manager(security_manager); + DCHECK(host_resolver != NULL || negotiate_disable_cname_lookup); + negotiate_factory->set_host_resolver(host_resolver); + negotiate_factory->set_disable_cname_lookup(negotiate_disable_cname_lookup); + negotiate_factory->set_use_port(negotiate_enable_port); + registry_factory->RegisterSchemeFactory("negotiate", negotiate_factory); + } + + return registry_factory; +} + 
HttpAuthHandlerRegistryFactory::HttpAuthHandlerRegistryFactory() { } diff --git a/net/http/http_auth_handler_factory.h b/net/http/http_auth_handler_factory.h index c4e2115..887c6cd 100644 --- a/net/http/http_auth_handler_factory.h +++ b/net/http/http_auth_handler_factory.h @@ -8,6 +8,7 @@ #include <map> #include <string> +#include <vector> #include "base/scoped_ptr.h" #include "net/http/http_auth.h" @@ -18,6 +19,7 @@ class GURL; namespace net { class BoundNetLog; +class HostResolver; class HttpAuthHandler; class HttpAuthHandlerRegistryFactory; @@ -152,6 +154,29 @@ class HttpAuthHandlerRegistryFactory : public HttpAuthHandlerFactory { const BoundNetLog& net_log, scoped_ptr<HttpAuthHandler>* handler); + // Creates an HttpAuthHandlerRegistryFactory. + // + // |supported_schemes| is a list of authentication schemes. Valid values + // include "basic", "digest", "ntlm", and "negotiate", where case matters. + // + // |security_manager| is used by the NTLM and Negotiate authenticators + // to determine which servers Integrated Authentication can be used with. If + // NULL, Integrated Authentication will not be used with any server. + // + // |host_resolver| is used by the Negotiate authentication handler to perform + // CNAME lookups to generate a Kerberos SPN for the server. If the "negotiate" + // scheme is used and |negotiate_disable_cname_lookup| is false, + // |host_resolver| must not be NULL. + // + // |negotiate_disable_cname_lookup| and |negotiate_enable_port| both control + // how Negotiate does SPN generation, by default these should be false. + static HttpAuthHandlerRegistryFactory* Create( + const std::vector<std::string>& supported_schemes, + URLSecurityManager* security_manager, + HostResolver* host_resolver, + bool negotiate_disable_cname_lookup, + bool negotiate_enable_port); + private: typedef std::map<std::string, HttpAuthHandlerFactory*> FactoryMap; |
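Review bot: The NULL-resolver precondition in the "negotiate" branch of HttpAuthHandlerRegistryFactory::Create is enforced only by DCHECK, so a release build that passes a NULL host_resolver with CNAME lookup enabled still hands that null resolver to the Negotiate factory; what the handler then does with it is outside this hunk, but a defensive fallback keeps the factory in a safe configuration: `negotiate_factory->set_disable_cname_lookup(negotiate_disable_cname_lookup || host_resolver == NULL);` with the DCHECK kept as is. Two smaller points in the same hunk: the anonymous namespace's closing brace should carry the usual `}  // namespace` marker, and std::find needs `<algorithm>` if the file does not already include it (its include block is outside the hunk).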
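Review bot: The new Create() comment in http_auth_handler_factory.h does not say who owns the returned factory, although the implementation returns a raw `new`'d object and the scheme factories it registers are likewise heap-allocated; callers need `// The caller takes ownership of the returned factory.` to avoid a leak or a double delete. It should also state what happens to scheme names it does not know, since the implementation simply skips them: `// Unrecognized scheme names are ignored; an empty list yields a factory with no schemes.`.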