// Check to see if we should use default credentials for this host or proxy.
static bool
CanUseDefaultCredentials(nsIHttpAuthenticableChannel *channel,
bool isProxyAuth)
{
nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
if (!prefs)
return false;
if (isProxyAuth) {
bool val;
if (NS_FAILED(prefs->GetBoolPref(kAllowProxies, &val)))
val = false;
LOG(("Default credentials allowed for proxy: %d\n", val));
return val;
}
nsCOMPtr<nsIURI> uri;
channel->GetURI(getter_AddRefs(uri));
bool allowNonFqdn;
if (NS_FAILED(prefs->GetBoolPref(kAllowNonFqdn, &allowNonFqdn)))
allowNonFqdn = false;
if (allowNonFqdn && uri && IsNonFqdn(uri)) {
LOG(("Host is non-fqdn, default credentials are allowed\n"));
return true;
}
bool isTrustedHost = (uri && TestPref(uri, kTrustedURIs));
LOG(("Default credentials allowed for host: %d\n", isTrustedHost));
return isTrustedHost;
}
// Check to see if we should use default credentials for this host or proxy.
static PRBool
CanUseDefaultCredentials(nsIHttpChannel *channel, PRBool isProxyAuth)
{
nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
if (!prefs)
return PR_FALSE;
if (isProxyAuth) {
PRBool val;
if (NS_FAILED(prefs->GetBoolPref(kAllowProxies, &val)))
val = PR_FALSE;
LOG(("Default credentials allowed for proxy: %d\n", val));
return val;
}
nsCOMPtr<nsIURI> uri;
channel->GetURI(getter_AddRefs(uri));
PRBool isTrustedHost = (uri && TestPref(uri, kTrustedURIs));
LOG(("Default credentials allowed for host: %d\n", isTrustedHost));
return isTrustedHost;
}
//
// Always set *identityInvalid == FALSE here. This
// will prevent the browser from popping up the authentication
// prompt window. Because GSSAPI does not have an API
// for fetching initial credentials (ex: A Kerberos TGT),
// there is no correct way to get the users credentials.
//
NS_IMETHODIMP
nsHttpNegotiateAuth::ChallengeReceived(nsIHttpAuthenticableChannel *authChannel,
const char *challenge,
bool isProxyAuth,
nsISupports **sessionState,
nsISupports **continuationState,
bool *identityInvalid)
{
nsIAuthModule *module = (nsIAuthModule *) *continuationState;
*identityInvalid = false;
if (module)
return NS_OK;
nsresult rv;
nsCOMPtr<nsIURI> uri;
rv = authChannel->GetURI(getter_AddRefs(uri));
if (NS_FAILED(rv))
return rv;
PRUint32 req_flags = nsIAuthModule::REQ_DEFAULT;
nsCAutoString service;
if (isProxyAuth) {
if (!TestBoolPref(kNegotiateAuthAllowProxies)) {
LOG(("nsHttpNegotiateAuth::ChallengeReceived proxy auth blocked\n"));
return NS_ERROR_ABORT;
}
nsCOMPtr<nsIProxyInfo> proxyInfo;
authChannel->GetProxyInfo(getter_AddRefs(proxyInfo));
NS_ENSURE_STATE(proxyInfo);
proxyInfo->GetHost(service);
}
else {
bool allowed = TestNonFqdn(uri) ||
TestPref(uri, kNegotiateAuthTrustedURIs);
if (!allowed) {
LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
return NS_ERROR_ABORT;
}
bool delegation = TestPref(uri, kNegotiateAuthDelegationURIs);
if (delegation) {
LOG((" using REQ_DELEGATE\n"));
req_flags |= nsIAuthModule::REQ_DELEGATE;
}
rv = uri->GetAsciiHost(service);
if (NS_FAILED(rv))
return rv;
}
LOG((" service = %s\n", service.get()));
//
// The correct service name for IIS servers is "HTTP/f.q.d.n", so
// construct the proper service name for passing to "gss_import_name".
//
// TODO: Possibly make this a configurable service name for use
// with non-standard servers that use stuff like "khttp/f.q.d.n"
// instead.
//
service.Insert("HTTP@", 0);
const char *contractID;
if (TestBoolPref(kNegotiateAuthSSPI)) {
LOG((" using negotiate-sspi\n"));
contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "negotiate-sspi";
}
else {
LOG((" using negotiate-gss\n"));
contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "negotiate-gss";
}
rv = CallCreateInstance(contractID, &module);
if (NS_FAILED(rv)) {
LOG((" Failed to load Negotiate Module \n"));
return rv;
}
rv = module->Init(service.get(), req_flags, nullptr, nullptr, nullptr);
if (NS_FAILED(rv)) {
NS_RELEASE(module);
return rv;
}
*continuationState = module;
return NS_OK;
}
