// Check to see if we should use default credentials for this host or proxy. static bool CanUseDefaultCredentials(nsIHttpAuthenticableChannel *channel, bool isProxyAuth) { nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID); if (!prefs) return false; if (isProxyAuth) { bool val; if (NS_FAILED(prefs->GetBoolPref(kAllowProxies, &val))) val = false; LOG(("Default credentials allowed for proxy: %d\n", val)); return val; } nsCOMPtr<nsIURI> uri; channel->GetURI(getter_AddRefs(uri)); bool allowNonFqdn; if (NS_FAILED(prefs->GetBoolPref(kAllowNonFqdn, &allowNonFqdn))) allowNonFqdn = false; if (allowNonFqdn && uri && IsNonFqdn(uri)) { LOG(("Host is non-fqdn, default credentials are allowed\n")); return true; } bool isTrustedHost = (uri && TestPref(uri, kTrustedURIs)); LOG(("Default credentials allowed for host: %d\n", isTrustedHost)); return isTrustedHost; }
// Check to see if we should use default credentials for this host or proxy. static PRBool CanUseDefaultCredentials(nsIHttpChannel *channel, PRBool isProxyAuth) { nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID); if (!prefs) return PR_FALSE; if (isProxyAuth) { PRBool val; if (NS_FAILED(prefs->GetBoolPref(kAllowProxies, &val))) val = PR_FALSE; LOG(("Default credentials allowed for proxy: %d\n", val)); return val; } nsCOMPtr<nsIURI> uri; channel->GetURI(getter_AddRefs(uri)); PRBool isTrustedHost = (uri && TestPref(uri, kTrustedURIs)); LOG(("Default credentials allowed for host: %d\n", isTrustedHost)); return isTrustedHost; }
// // Always set *identityInvalid == FALSE here. This // will prevent the browser from popping up the authentication // prompt window. Because GSSAPI does not have an API // for fetching initial credentials (ex: A Kerberos TGT), // there is no correct way to get the users credentials. // NS_IMETHODIMP nsHttpNegotiateAuth::ChallengeReceived(nsIHttpAuthenticableChannel *authChannel, const char *challenge, bool isProxyAuth, nsISupports **sessionState, nsISupports **continuationState, bool *identityInvalid) { nsIAuthModule *module = (nsIAuthModule *) *continuationState; *identityInvalid = false; if (module) return NS_OK; nsresult rv; nsCOMPtr<nsIURI> uri; rv = authChannel->GetURI(getter_AddRefs(uri)); if (NS_FAILED(rv)) return rv; PRUint32 req_flags = nsIAuthModule::REQ_DEFAULT; nsCAutoString service; if (isProxyAuth) { if (!TestBoolPref(kNegotiateAuthAllowProxies)) { LOG(("nsHttpNegotiateAuth::ChallengeReceived proxy auth blocked\n")); return NS_ERROR_ABORT; } nsCOMPtr<nsIProxyInfo> proxyInfo; authChannel->GetProxyInfo(getter_AddRefs(proxyInfo)); NS_ENSURE_STATE(proxyInfo); proxyInfo->GetHost(service); } else { bool allowed = TestNonFqdn(uri) || TestPref(uri, kNegotiateAuthTrustedURIs); if (!allowed) { LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n")); return NS_ERROR_ABORT; } bool delegation = TestPref(uri, kNegotiateAuthDelegationURIs); if (delegation) { LOG((" using REQ_DELEGATE\n")); req_flags |= nsIAuthModule::REQ_DELEGATE; } rv = uri->GetAsciiHost(service); if (NS_FAILED(rv)) return rv; } LOG((" service = %s\n", service.get())); // // The correct service name for IIS servers is "HTTP/f.q.d.n", so // construct the proper service name for passing to "gss_import_name". // // TODO: Possibly make this a configurable service name for use // with non-standard servers that use stuff like "khttp/f.q.d.n" // instead. // service.Insert("HTTP@", 0); const char *contractID; if (TestBoolPref(kNegotiateAuthSSPI)) { LOG((" using negotiate-sspi\n")); contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "negotiate-sspi"; } else { LOG((" using negotiate-gss\n")); contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "negotiate-gss"; } rv = CallCreateInstance(contractID, &module); if (NS_FAILED(rv)) { LOG((" Failed to load Negotiate Module \n")); return rv; } rv = module->Init(service.get(), req_flags, nullptr, nullptr, nullptr); if (NS_FAILED(rv)) { NS_RELEASE(module); return rv; } *continuationState = module; return NS_OK; }