path: root/net/http/http_auth_sspi_win.cc
Commit message | Author | Age | Files | Lines
* Use AuthCredentials throughout the network stack instead of username/password. | cbentzel@chromium.org | 2011-10-28 | 1 | -11/+6
  This is a refactor only - no behavior change should happen.
  Review URL: http://codereview.chromium.org/8340026
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@107766 0039d316-1c4b-4281-b951-d872f2087c98
* Don't try to use explicit credentials with schemes that don't support it. | asanka@chromium.org | 2011-08-31 | 1 | -1/+5
  BUG=94617
  TEST=net_unittests --gtest_filter=HttpAuthControllerTest.NoExplicitCredentialsAllowed.
  Review URL: http://codereview.chromium.org/7748033
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@98965 0039d316-1c4b-4281-b951-d872f2087c98
* Add logging for ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS on AcquireCredentialsHandle. | cbentzel@chromium.org | 2011-02-08 | 1 | -1/+4
  This was being done for InitSecurityContext, but duplicated here.
  BUG=72126
  TEST=None
  Review URL: http://codereview.chromium.org/6449004
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@74142 0039d316-1c4b-4281-b951-d872f2087c98
* Support specifying the GSSAPI library that will be used. | danno@chromium.org | 2010-11-12 | 1 | -65/+0
  This preference can be set either via command-line or via group policy.
  BUG=53625
  TEST=unittests: ConfigurationPolicyPrefStore*; net_unittests: HttpAuthHandlerNegotiateTest.*:HttpAuthGSSAPIPOSIXTest.*; manually: start Chrome with command-line switch --gssapi-library-name=XYZ and see if this results in the Chrome process loading /usr/lib/whatever/XYZ as soon as an authenticated HTTP site is encountered.
  Review URL: http://codereview.chromium.org/4560001
  Patch from Jakob Kummerow <jkummerow@google.com>.
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65939 0039d316-1c4b-4281-b951-d872f2087c98
* Convert LOG(INFO) to VLOG(1) - net/. | pkasting@chromium.org | 2010-10-16 | 1 | -4/+4
  Also converts COOKIE_DLOG (since VLOG can be toggled on a granular basis), removes some unneeded "endl"s and {}s, aligns "<<"s per style guide, and changes KeygenHandler::GenKeyAndSignChallenge() to avoid using "goto".
  BUG=none
  TEST=none
  Review URL: http://codereview.chromium.org/3846001
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@62831 0039d316-1c4b-4281-b951-d872f2087c98
* Extract name-value pair parsing from http_auth.cc (ChallengeTokenizer) into http_util.cc (NameValuePairsIterator). | erikwright@chromium.org | 2010-09-30 | 1 | -5/+3
  In preparation for re-use of name-value pair parsing in ChromeFrame (for X-UA-Compatible header).
  BUG=None
  TEST=net_unittests (HttpAuth* and HttpUtilTest.NameValuePairs*)
  Review URL: http://codereview.chromium.org/3525004
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@61061 0039d316-1c4b-4281-b951-d872f2087c98
* Even more status reporting for SSPI functions. | cbentzel@chromium.org | 2010-09-25 | 1 | -71/+89
  These functions have not been problematic, but it makes it more consistent with the rest of the file.
  Also, the log output of the underlying SECURITY_STATUS codes are output in hex.
  BUG=53850
  TEST=None
  Review URL: http://codereview.chromium.org/3319011
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@60576 0039d316-1c4b-4281-b951-d872f2087c98
* Fix multi-round authentication. | cbentzel@chromium.org | 2010-09-11 | 1 | -14/+18
  In the case of Negotiate, authentication can look like

    C: GET
    S: 401, WWW-Authenticate: Negotiate
    C: GET, WWW-Authorization: Negotiate <client_token_1>
    S: 401, WWW-Authenticate: Negotiate <server_token_1>
    C: GET, WWW-Authorization: Negotiate <client_token_2>
    S: 401, WWW-Authenticate: Negotiate <server_token_2>

  on that third challenge, the handler was reported as being in "the final round" and this was treated as a rejection of the authentication attempt. After that, the new challenge token was used by a new auth handler that hadn't established a security context, and an ERR_INVALID_HANDLE would be returned.
  This CL also does some prep work to correctly handle the "stale=true" value for Digest authentication, but I decided to defer the HttpAuthCache changes needed for that to a separate CL since this was large enough.
  BUG=53282
  TEST=net_unittests. Unfortunately, I haven't been able to set up a proxy/server to do more than two auth challenges, but this does happen in the wild.
  Review URL: http://codereview.chromium.org/3360017
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@59188 0039d316-1c4b-4281-b951-d872f2087c98
* Improved error reporting for GSSAPI statuses. | cbentzel@chromium.org | 2010-09-08 | 1 | -4/+4
  Also, remove the OnFirstRound carried over from the SSPI implementation.
  BUG=53850
  TEST=None
  Review URL: http://codereview.chromium.org/3345007
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@58895 0039d316-1c4b-4281-b951-d872f2087c98
* Summary of changes: | cbentzel@chromium.org | 2010-09-02 | 1 | -9/+14
  - ERR_UNMAPPED_SSPI_ERROR was renamed to ERR_UNEXPECTED_SSPI_STATUS, and reflects documented but unexpected SSPI return codes.
  - ERR_UNDOCUMENTED_SSPI_STATUS is used in case there are any undocumented SSPI return codes.
  - SEC_E_INVALID_HANDLE is mapped to ERR_INVALID_HANDLE.
  - SEC_E_LOGON_DENIED is mapped to ERR_ACCESS_DENIED
  BUG=53850
  TEST=None
  Review URL: http://codereview.chromium.org/3332002
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@58349 0039d316-1c4b-4281-b951-d872f2087c98
* Map SECURITY_STATUS from InitializeSecurityContext to net error codes. | cbentzel@chromium.org | 2010-08-31 | 1 | -8/+46
  The SSPI implementation of Negotiate+NTLM used to have too many ways to generate an ERR_UNEXPECTED return code, which made it difficult to diagnose user reported issues.
  BUG=53850
  TEST=net_unittests
  Review URL: http://codereview.chromium.org/3234007
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57979 0039d316-1c4b-4281-b951-d872f2087c98
* Add support for delegated kerberos tickets to Negotiate authentication. | cbentzel@chromium.org | 2010-08-27 | 1 | -10/+18
  This is controlled by the --auth-negotiate-delegate-whitelist command line. By default no servers are delegated to.
  BUG=50076
  TEST=net_unittests, go to an IIS server specified in --auth-negotiate-delegate-whitelist and see if this works correctly.
  Review URL: http://codereview.chromium.org/3155046
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57695 0039d316-1c4b-4281-b951-d872f2087c98
* Net: Convert username and password to string16. | thestig@chromium.org | 2010-07-29 | 1 | -14/+15
  BUG=none
  TEST=none
  Review URL: http://codereview.chromium.org/3040016
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@54101 0039d316-1c4b-4281-b951-d872f2087c98
* Make the Negotiate Authentication Handler a state machine. | cbentzel@chromium.org | 2010-07-01 | 1 | -9/+10
  Now that the HttpNetworkTransaction correctly handles asynchronous auth token generation, HttpAuthHandlerNegotiate can be turned into a state machine.
  This also removes the need for the externally exposed "Resolve Canonical Name" details to users of this handler.
  BUG=42222
  TEST=net_unittests
  Review URL: http://codereview.chromium.org/2867022
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@51387 0039d316-1c4b-4281-b951-d872f2087c98
* Async support for HttpAuthHandler::GenerateAuthToken. | cbentzel@chromium.org | 2010-06-10 | 1 | -1/+0
  This CL changes the signature of GenerateAuthToken to support an async completion of GenerateAuthToken. At this point, all of the implementations complete synchronously, but a future version will change Negotiate to complete asynchronously.
  TEST=net_unittests
  BUG=42222
  Review URL: http://codereview.chromium.org/2671001
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@49398 0039d316-1c4b-4281-b951-d872f2087c98
* Kerberos uses an SPN (Service Principal Name) to identify a server. This is typically in the form "HTTP/host:port", with the ":port" suffix being optional, and the "HTTP/" prefix is fixed regardless of whether the service is accessed over HTTP or HTTPS. | cbentzel@chromium.org | 2010-04-14 | 1 | -11/+4
  The issue this is fixing is that the URL host may be an incomplete domain name, a numerical address, or an alias for a canonical DNS name.
  By default, Chrome will skip adding the optional port to the SPN, and will use the canonical DNS name for the server (which may be the original server name if it is an A or AAAA record). This matches IE and Firefox's default behavior.
  Some intranets are set up so the original host name should be used rather than the canonical name. The canonical name resolution can be disabled with the --disable-spnego-cname-lookup command line flag.
  Some intranets are also set up so the optional port should be specified when it is non-standard (non 80 or 443). Use the --enable-spnego-port command line flag.
  BUG=29862
  TEST=net_unittests.exe --gtest_filter="*CanonicalName*"
  Review URL: http://codereview.chromium.org/1535019
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44526 0039d316-1c4b-4281-b951-d872f2087c98
* Added SSPILibrary interface so unit tests can mock SSPI calls. | cbentzel@chromium.org | 2010-02-25 | 1 | -25/+101
  BUG=None
  TEST=net_unittests.exe --gtest_filter="*HttpAuthSSPI*"
  Review URL: http://codereview.chromium.org/650164
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40021 0039d316-1c4b-4281-b951-d872f2087c98
* Validate that an SSPI scheme is supported before generating a handler. | cbentzel@chromium.org | 2010-02-22 | 1 | -9/+6
  When SSPI is used (for Windows builds), the NTLM and Negotiate handler factories determine the maximum token length the first time it is used. The SSPI call to determine the maximum length also returns an error code if the scheme is unsupported. The factories remember if the scheme is unsupported and will not attempt to create any handlers. If the token length is found, it is remembered. If a different error occurs, don't create a handler this round, but try again in the future.
  BUG=None
  TEST=Manually used an incorrect auth scheme and validated that it worked. Working on a mock SSPI Library I can use for unit testing.
  Review URL: http://codereview.chromium.org/600129
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39600 0039d316-1c4b-4281-b951-d872f2087c98
* Added factories for HttpAuthHandler. | cbentzel@chromium.org | 2010-02-15 | 1 | -21/+10
  The driving rationale for this change was to prevent choosing an AuthHandler when it is not supported on the system due to a missing runtime component (such as not being able to locate a gssapi shared library when seeing a Negotiate scheme).
  It also has the advantage (currently unused) of determining some per-auth-scheme properties only the first time that a challenge for that scheme is seen (such as maximum token length for the SSPI implementation of NTLM).
  Finally, it may make unit tests easier to generate since the factory can be easily mocked.
  BUG=34795
  TEST=New unit test for HttpAuthHandlerDispatchFactory.
  Review URL: http://codereview.chromium.org/582007
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39065 0039d316-1c4b-4281-b951-d872f2087c98
* Add Single Sign On support to HTTP Authentication handlers. | cbentzel@chromium.org | 2010-02-05 | 1 | -68/+147
  Currently this is implemented on Windows for the NTLM and Negotiate schemes. This CL does not introduce the hooks to actually use Single Sign On in response to a 401/407 request - that will come in a later CL.
  This behavior is disabled for now as well.
  BUG=29862
  TEST=Ran unittests, and Chrome against a server with authentication challenges.
  Review URL: http://codereview.chromium.org/555174
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@38227 0039d316-1c4b-4281-b951-d872f2087c98
* Added WWW-Authenticate Negotiate support using shared HttpAuthSspi. | cbentzel@chromium.org | 2010-01-21 | 1 | -0/+209
  BUG=29862
  TEST=None
  Review URL: http://codereview.chromium.org/551015
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@36785 0039d316-1c4b-4281-b951-d872f2087c98
* Abstracted and moved common SSPI functionality. | cbentzel@chromium.org | 2010-01-08 | 1 | -0/+77
  The NTLM and Negotiate authentication schemes follow very similar code paths when using the SSPI API on Windows.
  BUG=29862
  TEST=New unittest, plus manual NTLM Authentication testing.
  Review URL: http://codereview.chromium.org/505048
  git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35791 0039d316-1c4b-4281-b951-d872f2087c98