From eca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c Mon Sep 17 00:00:00 2001
From: "cbentzel@chromium.org"
Date: Sat, 11 Sep 2010 14:03:30 +0000
Subject: Fix multi-round authentication.

In the case of Negotiate, authentication can look like

  C: GET
  S: 401, WWW-Authenticate: Negotiate
  C: GET, WWW-Authorization: Negotiate
  S: 401, WWW-Authenticate: Negotiate
  C: GET, WWW-Authorization: Negotiate
  S: 401, WWW-Authenticate: Negotiate

on that third challenge, the handler was reported as being in "the final round" and this was treated as a rejection of the authentication attempt. After that, the new challenge token was used by a new auth handler that hadn't established a security context, and an ERR_INVALID_HANDLE would be returned.

This CL also does some prep work to correctly handle the "stale=true" value for Digest authentication, but I decided to defer the HttpAuthCache changes needed for that to a separate CL since this was large enough.

BUG=53282
TEST=net_unittests. Unfortunately, I haven't been able to set up a proxy/server to do more than two auth challenges, but this does happen in the wild.

Review URL: http://codereview.chromium.org/3360017

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@59188 0039d316-1c4b-4281-b951-d872f2087c98
---
net/socket_stream/socket_stream.cc | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'net/socket_stream')

diff --git a/net/socket_stream/socket_stream.cc b/net/socket_stream/socket_stream.cc
index ce82c9b..382571a 100644
--- a/net/socket_stream/socket_stream.cc
+++ b/net/socket_stream/socket_stream.cc
@@ -930,10 +930,11 @@ int SocketStream::HandleAuthChallenge(const HttpResponseHeaders* headers) { LOG(INFO) << "The proxy " << auth_origin << " requested auth"; - // The auth we tried just failed, hence it can't be valid. - // Remove it from the cache so it won't be used again. - if (auth_handler_.get() && !auth_identity_.invalid && - auth_handler_->IsFinalRound()) { + // TODO(cbentzel): Since SocketStream only suppports basic authentication + // right now, another challenge is always treated as a rejection. + // Ultimately this should be converted to use HttpAuthController like the + // HttpNetworkTransaction has. + if (auth_handler_.get() && !auth_identity_.invalid) { if (auth_identity_.source != HttpAuth::IDENT_SRC_PATH_LOOKUP) auth_cache_.Remove(auth_origin, auth_handler_->realm(), -- cgit v1.1
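Review bot: In the rewritten condition `if (auth_handler_.get() && !auth_identity_.invalid)`, dropping `auth_handler_->IsFinalRound()` is only safe while every handler created here is single-round, and nothing in the code enforces that; the assumption lives only in the TODO comment. If SocketStream ever gets a multi-round handler (the Negotiate exchange described in the commit message), a legitimate continuation challenge would reach `auth_cache_.Remove(...)` and evict a credential that was never rejected. Consider a debug assertion beside the condition that the handler is for basic authentication, so the shortcut fails loudly when that stops being true instead of silently discarding cached identities. Minor: "suppports" in the new comment should read "supports".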