lightning-sunbird  0.9+nobinonly
nsHttpNegotiateAuth Class Reference

#include <nsHttpNegotiateAuth.h>

Public Member Functions

void challengeReceived (in nsIHttpChannel aChannel, in string aChallenge, in boolean aProxyAuth, inout nsISupports aSessionState, inout nsISupports aContinuationState, out boolean aInvalidatesIdentity)
 Upon receipt of a server challenge, this function is called to determine whether or not the current user identity has been rejected.
string generateCredentials (in nsIHttpChannel aChannel, in string aChallenge, in boolean aProxyAuth, in wstring aDomain, in wstring aUser, in wstring aPassword, inout nsISupports aSessionState, inout nsISupports aContinuationState)
 Called to generate the authentication credentials for a particular server/proxy challenge.

Public Attributes

readonly attribute unsigned long authFlags
 Flags defining various properties of the authenticator.
const unsigned long REQUEST_BASED = (1<<0)
 A request based authentication scheme only authenticates an individual request (or a set of requests under the same authentication domain as defined by RFC 2617).
const unsigned long CONNECTION_BASED = (1<<1)
 A connection based authentication scheme authenticates an individual connection.
const unsigned long REUSABLE_CREDENTIALS = (1<<2)
 The credentials returned from generateCredentials may be reused with any other URLs within "the protection space" as defined by RFC 2617 section 1.2.
const unsigned long REUSABLE_CHALLENGE = (1<<3)
 A challenge may be reused to later generate credentials in anticipation of a duplicate server challenge for URLs within "the protection space" as defined by RFC 2617 section 1.2.
const unsigned long IDENTITY_IGNORED = (1<<10)
 This flag indicates that the identity of the user is not required by this authentication scheme.
const unsigned long IDENTITY_INCLUDES_DOMAIN = (1<<11)
 This flag indicates that the identity of the user includes a domain attribute that the user must supply.

Private Member Functions

PRBool TestBoolPref (const char *pref)
PRBool TestPref (nsIURI *, const char *pref)
PRBool MatchesBaseURI (const nsCSubstring &scheme, const nsCSubstring &host, PRInt32 port, const char *baseStart, const char *baseEnd)

Detailed Description

Definition at line 51 of file nsHttpNegotiateAuth.h.


Member Function Documentation

void nsIHttpAuthenticator::challengeReceived ( in nsIHttpChannel  aChannel,
in string  aChallenge,
in boolean  aProxyAuth,
inout nsISupports  aSessionState,
inout nsISupports  aContinuationState,
out boolean  aInvalidatesIdentity 
) [inherited]

Upon receipt of a server challenge, this function is called to determine whether or not the current user identity has been rejected.

If true, then the user will be prompted by the channel to enter (or revise) their identity. Following this, generateCredentials will be called.

If the IDENTITY_IGNORED auth flag is set, then the aInvalidateIdentity return value will be ignored, and user prompting will be suppressed.

Parameters:
aChannel: the http channel that received the challenge.
aChallenge: the challenge from the WWW-Authenticate/Proxy-Authenticate server response header. (possibly from the auth cache.)
aProxyAuth: flag indicating whether or not aChallenge is from a proxy.
aSessionState: see description below for generateCredentials.
aContinuationState: see description below for generateCredentials.
aInvalidateIdentity: return value indicating whether or not to prompt the user for a revised identity.

string nsIHttpAuthenticator::generateCredentials ( in nsIHttpChannel  aChannel,
in string  aChallenge,
in boolean  aProxyAuth,
in wstring  aDomain,
in wstring  aUser,
in wstring  aPassword,
inout nsISupports  aSessionState,
inout nsISupports  aContinuationState 
) [inherited]

Called to generate the authentication credentials for a particular server/proxy challenge.

This is the value that will be sent back to the server via an Authorization/Proxy-Authorization header.

This function may be called using a cached challenge provided the authenticator sets the REUSABLE_CHALLENGE flag.

Parameters:
aChannel: the http channel requesting credentials.
aChallenge: the challenge from the WWW-Authenticate/Proxy-Authenticate server response header. (possibly from the auth cache.)
aProxyAuth: flag indicating whether or not aChallenge is from a proxy.
aDomain: string containing the domain name (if appropriate).
aUser: string containing the user name.
aPassword: string containing the password.
aSessionState: state stored alongside the user's identity in the auth cache for the lifetime of the browser session. If a new auth cache entry is created for this challenge, then this parameter will be null. On return, the result will be stored in the new auth cache entry. This parameter is non-null when an auth cache entry is being reused.
aContinuationState: state held by the channel between consecutive calls to generateCredentials, assuming multiple calls are required to authenticate. This state is held for at most the lifetime of the channel.

PRBool nsHttpNegotiateAuth::MatchesBaseURI ( const nsCSubstring &  scheme,
const nsCSubstring &  host,
PRInt32  port,
const char *  baseStart,
const char *  baseEnd 
) [private]

Definition at line 390 of file nsHttpNegotiateAuth.cpp.

{
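    // check if scheme://host:port matches baseURI; the scheme, host and port
    // arguments are named matchScheme, matchHost and matchPort in this body

    // parse the base URI.  strstr scans to the end of the whole list, so only
    // accept a "://" that lies inside this entry (before baseEnd)
    const char *hostStart, *schemeEnd = strstr(baseStart, "://");
    if (schemeEnd && schemeEnd < baseEnd) {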
        // the given scheme must match the parsed scheme exactly
        if (!matchScheme.Equals(Substring(baseStart, schemeEnd)))
            return PR_FALSE;
        hostStart = schemeEnd + 3;
    }
    else
        hostStart = baseStart;

    // XXX this does not work for IPv6-literals
    const char *hostEnd = strchr(hostStart, ':');
    if (hostEnd && hostEnd <= baseEnd) {
        // the given port must match the parsed port exactly
        int port = atoi(hostEnd + 1);
        if (matchPort != (PRInt32) port)
            return PR_FALSE;
    }
    else
        hostEnd = baseEnd;


    // if we didn't parse out a host, then assume we got a match.
    if (hostStart == hostEnd)
        return PR_TRUE;

    PRUint32 hostLen = hostEnd - hostStart;

    // matchHost must either equal host or be a subdomain of host
    if (matchHost.Length() < hostLen)
        return PR_FALSE;

    const char *end = matchHost.EndReading();
    if (PL_strncasecmp(end - hostLen, hostStart, hostLen) == 0) {
        // if matchHost ends with host from the base URI, then make sure it is
        // either an exact match, or prefixed with a dot.  we don't want
        // "foobar.com" to match "bar.com"
        if (matchHost.Length() == hostLen ||
            *(end - hostLen) == '.' ||
            *(end - hostLen - 1) == '.')
            return PR_TRUE;
    }

    return PR_FALSE;
}

PRBool nsHttpNegotiateAuth::TestBoolPref ( const char *  pref) [private]

Definition at line 321 of file nsHttpNegotiateAuth.cpp.

{
    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
    if (!prefs)
        return PR_FALSE;

    PRBool val;
    nsresult rv = prefs->GetBoolPref(pref, &val);
    if (NS_FAILED(rv))
        return PR_FALSE;

    return val;
}

PRBool nsHttpNegotiateAuth::TestPref ( nsIURI *  uri,
const char *  pref 
) [private]

Definition at line 336 of file nsHttpNegotiateAuth.cpp.

{
    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
    if (!prefs)
        return PR_FALSE;

    nsCAutoString scheme, host;
    PRInt32 port;

    if (NS_FAILED(uri->GetScheme(scheme)))
        return PR_FALSE;
    if (NS_FAILED(uri->GetAsciiHost(host)))
        return PR_FALSE;
    if (NS_FAILED(uri->GetPort(&port)))
        return PR_FALSE;

    char *hostList;
    if (NS_FAILED(prefs->GetCharPref(pref, &hostList)) || !hostList)
        return PR_FALSE;

    // pseudo-BNF
    // ----------
    //
    // url-list       base-url ( base-url "," LWS )*
    // base-url       ( scheme-part | host-part | scheme-part host-part )
    // scheme-part    scheme "://"
    // host-part      host [":" port]
    //
    // for example:
    //   "https://, http://office.foo.com"
    //

    char *start = hostList, *end;
    for (;;) {
        // skip past any whitespace
        while (*start == ' ' || *start == '\t')
            ++start;
        end = strchr(start, ',');
        if (!end)
            end = start + strlen(start);
        if (start == end)
            break;
        if (MatchesBaseURI(scheme, host, port, start, end)) {
            // free the pref string on the match path too
            nsMemory::Free(hostList);
            return PR_TRUE;
        }
        if (*end == '\0')
            break;
        start = end + 1;
    }
    
    nsMemory::Free(hostList);
    return PR_FALSE;
}
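
The matching rules of MatchesBaseURI and TestPref above, restated as a standalone program so the edge cases can be checked directly. This is an added example, not code from nsHttpNegotiateAuth.cpp: std::string and POSIX strncasecmp stand in for nsCSubstring and PL_strncasecmp, the names matchesBase and uriAllowed and the sample list are made up for the example, and "://" and ":" are searched inside one list entry only.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <strings.h>   // strncasecmp (POSIX), standing in for PL_strncasecmp

// One list entry: [scheme "://"] [host [":" port]] (hypothetical helper).
static bool matchesBase(const std::string &scheme, const std::string &host,
                        int port, const std::string &base) {
    std::string rest = base;
    size_t s = base.find("://");
    if (s != std::string::npos) {
        if (scheme != base.substr(0, s)) return false;  // scheme must be equal
        rest = base.substr(s + 3);
    }
    size_t c = rest.find(':');   // first ':' ends the host, so IPv6 literals break
    if (c != std::string::npos) {
        if (std::atoi(rest.c_str() + c + 1) != port) return false;
        rest.resize(c);
    }
    if (rest.empty()) return true;                      // no host part: any host
    if (host.size() < rest.size()) return false;
    size_t off = host.size() - rest.size();
    if (strncasecmp(host.c_str() + off, rest.c_str(), rest.size()) != 0) return false;
    // exact host, or a dot at the boundary: "foobar.com" must not match "bar.com"
    return off == 0 || rest[0] == '.' || host[off - 1] == '.';
}

// Walk the comma-separated list, skipping leading blanks, as TestPref does.
static bool uriAllowed(const std::string &scheme, const std::string &host,
                       int port, const std::string &list) {
    size_t pos = 0;
    while (pos < list.size()) {
        while (pos < list.size() && (list[pos] == ' ' || list[pos] == '\t')) ++pos;
        size_t end = list.find(',', pos);
        if (end == std::string::npos) end = list.size();
        if (end == pos) break;                          // empty entry ends the walk
        if (matchesBase(scheme, host, port, list.substr(pos, end - pos))) return true;
        pos = end + 1;
    }
    return false;
}

int main() {
    const char *list = "https://, http://office.foo.com";  // constructed sample list
    std::printf("https any host: %d\n", uriAllowed("https", "intranet.example.com", 443, list));
    std::printf("http other host: %d\n", uriAllowed("http", "evil.example", 80, list));
    return 0;
}
```

An entry with only a host matches every scheme, and an entry with only a scheme matches every host, so a list meant to restrict where credentials are sent needs both parts in each entry.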

Member Data Documentation

readonly attribute unsigned long nsIHttpAuthenticator::authFlags [inherited]

Flags defining various properties of the authenticator.

Definition at line 134 of file nsIHttpAuthenticator.idl.

const unsigned long nsIHttpAuthenticator::CONNECTION_BASED = (1<<1) [inherited]

A connection based authentication scheme authenticates an individual connection.

Multiple requests may be issued over the connection without repeating the authentication steps. Connection based authentication schemes can associate state with the connection being authenticated via the aContinuationState parameter (see generateCredentials).

Definition at line 151 of file nsIHttpAuthenticator.idl.

const unsigned long nsIHttpAuthenticator::IDENTITY_IGNORED = (1<<10) [inherited]

This flag indicates that the identity of the user is not required by this authentication scheme.

Definition at line 173 of file nsIHttpAuthenticator.idl.

const unsigned long nsIHttpAuthenticator::IDENTITY_INCLUDES_DOMAIN = (1<<11) [inherited]

This flag indicates that the identity of the user includes a domain attribute that the user must supply.

Definition at line 179 of file nsIHttpAuthenticator.idl.

const unsigned long nsIHttpAuthenticator::REQUEST_BASED = (1<<0) [inherited]

A request based authentication scheme only authenticates an individual request (or a set of requests under the same authentication domain as defined by RFC 2617).

BASIC and DIGEST are request based authentication schemes.

Definition at line 142 of file nsIHttpAuthenticator.idl.

const unsigned long nsIHttpAuthenticator::REUSABLE_CHALLENGE = (1<<3) [inherited]

A challenge may be reused to later generate credentials in anticipation of a duplicate server challenge for URLs within "the protection space" as defined by RFC 2617 section 1.2.

Definition at line 167 of file nsIHttpAuthenticator.idl.

const unsigned long nsIHttpAuthenticator::REUSABLE_CREDENTIALS = (1<<2) [inherited]

The credentials returned from generateCredentials may be reused with any other URLs within "the protection space" as defined by RFC 2617 section 1.2.

If this flag is not set, then generateCredentials must be called for each request within the protection space. REUSABLE_CREDENTIALS implies REUSABLE_CHALLENGE.

Definition at line 160 of file nsIHttpAuthenticator.idl.


The documentation for this class was generated from the following files: