| blob | 9cc57de35aadec7396d8c383bc6584f93bc1fb90 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
27 // Returns a log message for all the response headers related to the auth
28 // challenge.
36 }
42 }
44 // RFC 4559 requires that a proxy indicate its support of NTLM/Negotiate
45 // authentication with a "Proxy-Support: Session-Based-Authentication"
46 // response header.
51 }
54 }
58 AUTH_EVENT_REJECT,
59 AUTH_EVENT_MAX,
60 };
64 AUTH_TARGET_SECURE_PROXY,
65 AUTH_TARGET_SERVER,
66 AUTH_TARGET_SECURE_SERVER,
67 AUTH_TARGET_MAX,
68 };
75 else
80 else
85 }
86 }
88 // Records the number of authentication events per authentication scheme.
90 #if !defined(NDEBUG)
91 // Note: The on-same-thread check is intentionally not using a lock
92 // to protect access to first_thread. This method is meant to be only
93 // used on the same thread, in which case there are no race conditions. If
94 // there are race conditions (say, a read completes during a partial write),
95 // the DCHECK will correctly fail.
99 #endif
104 // Record start and rejection events for authentication.
105 //
106 // The results map to:
107 // Basic Start: 0
108 // Basic Reject: 1
109 // Digest Start: 2
110 // Digest Reject: 3
111 // NTLM Start: 4
112 // NTLM Reject: 5
113 // Negotiate Start: 6
114 // Negotiate Reject: 7
120 kEventBucketsEnd);
122 // Record the target of the authentication.
123 //
124 // The results map to:
125 // Basic Proxy: 0
126 // Basic Secure Proxy: 1
127 // Basic Server: 2
128 // Basic Secure Server: 3
129 // Digest Proxy: 4
130 // Digest Secure Proxy: 5
131 // Digest Server: 6
132 // Digest Secure Server: 7
133 // NTLM Proxy: 8
134 // NTLM Secure Proxy: 9
135 // NTLM Server: 10
136 // NTLM Secure Server: 11
137 // Negotiate Proxy: 12
138 // Negotiate Secure Proxy: 13
139 // Negotiate Server: 14
140 // Negotiate Secure Server: 15
149 kTargetBucketsEnd);
150 }
167 }
171 }
193 else
196 }
203 // Don't do preemptive authorization if the URL contains a username:password,
204 // since we must first be challenged in order to use the URL's identity.
208 // SelectPreemptiveAuth() is on the critical path for each request, so it
209 // is expected to be fast. LookupByPath() is fast in the common case, since
210 // the number of http auth cache entries is expected to be very small.
211 // (For most users in fact, it will be 0.)
217 // Try to create a handler using the previous auth challenge.
221 auth_origin_,
227 // Set the state
233 }
239 // auth_token_ can be empty if we encountered a permanent error with
240 // the auth scheme and want to retry.
245 }
246 }
260 // Give the existing auth handler first try at the authentication headers.
261 // This will also evict the entry in the HttpAuthCache if the previous
262 // challenge appeared to be rejected, or is using a stale nonce in the Digest
263 // case.
269 target_,
270 disabled_schemes_,
286 challenge_used)) {
289 // It's possible that a server could incorrectly issue a stale
290 // response when the entry is not in the cache. Just evict the
291 // current value from the cache.
293 }
296 // If the server changes the authentication realm in a
297 // subsequent challenge, invalidate cached credentials for the
298 // previous realm. If the server rejects a preemptive
299 // authorization and requests credentials for a different
300 // realm, we keep the cached credentials.
303 INVALIDATE_HANDLER :
304 INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
309 }
310 }
319 // Find the best authentication challenge that we support.
322 target_,
323 auth_origin_,
324 disabled_schemes_,
325 net_log,
329 }
338 // We are establishing a tunnel, we can't show the error page because an
339 // active network attacker could control its contents. Instead, we just
340 // fail to establish the tunnel.
343 }
344 // We found no supported challenge -- let the transaction continue so we
345 // end up displaying the error page.
347 }
350 // Pick a new auth identity to try, by looking to the URL and auth cache.
351 // If an identity to try is found, it is saved to identity_.
354 // Proceed with the existing identity or a null identity.
356 }
358 // From this point on, we are restartable.
361 // We have exhausted all identity possibilities.
363 // If the handler doesn't accept explicit credentials, then we need to
364 // choose a different auth scheme.
368 // Pass the challenge information back to the client.
370 }
373 }
375 // If we get here and we don't have a handler_, that's because we
376 // invalidated it due to not having any viable identities to use with it. Go
377 // back and try again.
378 // TODO(asanka): Instead we should create a priority list of
379 // <handler,identity> and iterate through that.
382 }
389 // Update the credentials.
393 }
397 // Add the auth entry to the cache before restarting. We don't know whether
398 // the identity is valid yet, but if it is valid we want other transactions
399 // to know about it. If an entry for (origin, handler->realm()) already
400 // exists, we update it.
401 //
402 // If identity_.source is HttpAuth::IDENT_SRC_NONE or
403 // HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS, identity_ contains no
404 // identity because identity is not required yet or we're using default
405 // credentials.
406 //
407 // TODO(wtc): For NTLM_SSPI, we add the same auth entry to the cache in
408 // round 1 and round 2, which is redundant but correct. It would be nice
409 // to add an auth entry to the cache only once, preferrably in round 1.
410 // See http://crbug.com/21015.
420 }
421 }
425 }
429 }
432 InvalidateHandlerAction action) {
442 }
448 // Clear the cache entry for the identity we just failed on.
449 // Note: we require the credentials to match before invalidating
450 // since the entry in the cache may be newer than what we used last time.
453 }
460 // Try to use the username:password encoded into the URL first.
465 // Extract the username:password from the URL.
471 // TODO(eroman): If the password is blank, should we also try combining
472 // with a password from the cache?
475 }
477 // Check the auth cache for a realm entry.
487 }
489 // Use default credentials (single sign on) if this is the first attempt
490 // at identity. Do not allow multiple times as it will infinite loop.
491 // We use default credentials after checking the auth cache so that if
492 // single sign-on doesn't work, we won't try default credentials for future
493 // transactions.
499 }
502 }
507 // Populates response_.auth_challenge with the authentication challenge info.
508 // This info is consumed by URLRequestHttpJob::GetAuthChallengeInfo().
515 }
521 // Occurs with GSSAPI, if the user has not already logged in.
524 // Can occur with GSSAPI or SSPI if the underlying library reports
525 // a permanent error.
528 // These two error codes represent failures we aren't handling.
532 // Can be returned by SSPI if the authenticating authority or
533 // target is not known.
536 // In these cases, disable the current scheme as it cannot
537 // succeed.
544 }
545 }
555 }
556 }
561 }
566 }
571 }
576 }