[Common-dev] CN-Client: Authentication Fixes
Bob Clark bobclark at real.comThanks for the CR, Henry. Committed to head and 150Cay. --Bob On Thursday, April 21, 2005, at 12:16 PM, Henry Ping wrote: > Looks good to me > > -->Henry > >> -----Original Message----- >> From: common-dev-bounces at helixcommunity.org >> [mailto:common-dev-bounces at helixcommunity.org] On Behalf Of Bob Clark >> Sent: Thursday, April 21, 2005 9:28 AM >> To: dev at client.helixcommunity.org >> Cc: common-dev at helixcommunity.org >> Subject: [Common-dev] CR-Client: Authentication Fixes >> >> Overview: >> This consolidates the diffs from >> <http://lists.helixcommunity.org/pipermail/common-dev/2005-April/ >> 002414.html> and >> <http://lists.helixcommunity.org/pipermail/common-dev/2005-April/ >> 002429.html>. >> The biggest ambiguity about those earlier diffs was >> whether each authentication module should search for >> "WWW-Authenticate" or "Proxy-Authenticate" first. >> This diff adds the "_statuscode" key to the IHXValues that >> is sent to authentication modules. This allows the >> authentication modules to detect whether they need to watch >> for "WWW-Authenticate" or "Proxy-Authenticate" properly -- it >> removes the ambiguity. >> (The "_statuscode" key is analogous to the "_server" and >> "_protocol" >> keys that are manually added by httpfsys and rtspclnt to send >> information to the TLC without adding new IHX interfaces.) >> >> Files Changed: >> common/auth/authmgr/cliauth.cpp >> common/auth/rn5auth/rn5auth.cpp >> client/auth/basicauth/clbascauth.cpp >> protocol/rtsp/rtspclnt.cpp >> filesystem/http/httpfsys.cpp >> >> Branches: >> head >> 150Cay >> >> --Bob >> >> Index: cliauth.cpp >> =================================================================== >> RCS file: /cvsroot/common/auth/authmgr/cliauth.cpp,v >> retrieving revision 1.4 >> diff -u -w -r1.4 cliauth.cpp >> --- cliauth.cpp 9 Jul 2004 18:22:48 -0000 1.4 >> +++ cliauth.cpp 21 Apr 2005 16:02:23 -0000 >> @@ -810,7 +810,16 @@ >> ); >> } >> >> + if (SUCCEEDED(HX_RESULTStatus)) >> + { >> + // if we succeeded then no need to continue iterating through >> + // other plugins. >> + m_ListOfIUnknownIteratorCurrent = >> m_ListOfIUnknownPlugins.end(); >> + } >> + else >> + { >> ++m_ListOfIUnknownIteratorCurrent; >> + } >> >> if(m_ListOfIUnknownIteratorCurrent != >> m_ListOfIUnknownPlugins.end()) >> { >> >> >> >> Index: rn5auth.cpp >> =================================================================== >> RCS file: /cvsroot/common/auth/rn5auth/rn5auth.cpp,v >> retrieving revision 1.2 >> diff -u -w -r1.2 rn5auth.cpp >> --- rn5auth.cpp 21 Aug 2004 07:43:42 -0000 1.2 >> +++ rn5auth.cpp 21 Apr 2005 16:08:06 -0000 >> @@ -339,48 +339,82 @@ >> HX_RESULT Ret = HXR_FAIL; >> IHXBuffer* pChallengeBuf = NULL; >> >> - pChallengeHeaders->GetPropertyCString("WWW-Authenticate", >> pChallengeBuf); >> + UINT32 ulStatusCode = 0; >> + pChallengeHeaders->GetPropertyULONG32("_statuscode", >> ulStatusCode); >> >> - m_bIsProxyAuthentication = FALSE; >> + // be sure that this IHXValues value has been set. >> + // This is how we distinguish between a 401 response status code >> + // (in which case we watch for a WWW-Authenticate header) and a >> + // 407 response status code (in which case we watch for a Proxy- >> + // Authenticate header). >> + HX_ASSERT((ulStatusCode == 401) || (ulStatusCode == 407)); >> + >> + // it is possible to have multiple WWW-Authenticate headers >> + // (or Proxy-Authenticate headers) in a single response, so >> + // we must iterate over all headers to see if we can handle >> + // any of the authentication schemes. >> + >> + BOOL bFoundCompatibleAuthenticationScheme = FALSE; >> + const char* pPropertyName; >> + >> + HX_RESULT res = >> pChallengeHeaders->GetFirstPropertyCString(pPropertyName, >> pChallengeBuf); >> + >> + while (SUCCEEDED(res)) >> + { >> + BOOL bIsAuthenticationHeader = FALSE; >> >> - if (!pChallengeBuf) >> + if ((ulStatusCode == 401 || ulStatusCode == 0) && >> + (strncasecmp(pPropertyName, "WWW-Authenticate", >> 16) == 0)) >> { >> - pChallengeHeaders->GetPropertyCString("Proxy-Authenticate", >> pChallengeBuf); >> + bIsAuthenticationHeader = TRUE; >> + m_bIsProxyAuthentication = FALSE; >> + } >> + else if ((ulStatusCode == 407 || ulStatusCode == 0) && >> + (strncasecmp(pPropertyName, >> "Proxy-Authenticate", 18) == >> 0)) >> + { >> + bIsAuthenticationHeader = TRUE; >> m_bIsProxyAuthentication = TRUE; >> } >> >> - if (pChallengeBuf) >> + if (bIsAuthenticationHeader && pChallengeBuf) >> { >> - const char* sChallenge = (const char*) >> pChallengeBuf->GetBuffer(); >> + const char* pszChallenge = (const >> char*)pChallengeBuf->GetBuffer(); >> >> - if(strncasecmp(sChallenge, "RN5", 3) == 0) >> + if (strncasecmp(pszChallenge, "RN5", 3) == 0) >> { >> + bFoundCompatibleAuthenticationScheme = TRUE; >> + >> IHXCredRequest* pCredRequest = NULL; >> IHXValues* pCredentials = NULL; >> >> - // Set up Prompt, User, Password fields for UI >> _DescribeCredentials(pChallengeHeaders, &pCredentials); >> >> - m_pClientRespondee->QueryInterface(IID_IHXCredRequest, >> - (void **)&pCredRequest); >> + >> m_pClientRespondee->QueryInterface(IID_IHXCredRequest, >> (void**)&pCredRequest); >> >> Ret = pCredRequest->GetCredentials(this, pCredentials); >> - // Flow continues in CredentialsReady() >> + >> + // flow continues in CredentialsReady() >> + >> HX_RELEASE(pCredRequest); >> HX_RELEASE(pCredentials); >> + >> + goto cleanup; >> } >> - else >> - { >> - m_pClientRespondee->ResponseReady(HXR_FAIL, NULL); >> - HX_RELEASE(m_pClientRespondee); >> } >> + HX_RELEASE(pChallengeBuf); >> + >> + res = >> pChallengeHeaders->GetNextPropertyCString(pPropertyName, >> pChallengeBuf); >> } >> - else >> + >> + if (!bFoundCompatibleAuthenticationScheme) >> { >> + // let the respondee know that we did now find a compatible >> authentication scheme >> + >> m_pClientRespondee->ResponseReady(HXR_FAIL, NULL); >> HX_RELEASE(m_pClientRespondee); >> } >> >> +cleanup: >> HX_RELEASE(pChallengeHeaders); >> HX_RELEASE(pChallengeBuf); >> return Ret; >> >> >> >> Index: clbascauth.cpp >> =================================================================== >> RCS file: /cvsroot/client/auth/basicauth/clbascauth.cpp,v >> retrieving revision 1.2 >> diff -u -w -r1.2 clbascauth.cpp >> --- clbascauth.cpp 9 Jul 2004 18:45:28 -0000 1.2 >> +++ clbascauth.cpp 21 Apr 2005 16:09:02 -0000 >> @@ -344,48 +344,82 @@ >> HX_RESULT Ret = HXR_FAIL; >> IHXBuffer* pChallengeBuf = NULL; >> >> - pChallengeHeaders->GetPropertyCString("WWW-Authenticate", >> pChallengeBuf); >> + UINT32 ulStatusCode = 0; >> + pChallengeHeaders->GetPropertyULONG32("_statuscode", >> ulStatusCode); >> >> - m_bIsProxyAuthentication = FALSE; >> + // be sure that this IHXValues value has been set. >> + // This is how we distinguish between a 401 response status code >> + // (in which case we watch for a WWW-Authenticate header) and a >> + // 407 response status code (in which case we watch for a Proxy- >> + // Authenticate header). >> + HX_ASSERT((ulStatusCode == 401) || (ulStatusCode == 407)); >> + >> + // it is possible to have multiple WWW-Authenticate headers >> + // (or Proxy-Authenticate headers) in a single response, so >> + // we must iterate over all headers to see if we can handle >> + // any of the authentication schemes. >> + >> + BOOL bFoundCompatibleAuthenticationScheme = FALSE; >> + const char* pPropertyName; >> + >> + HX_RESULT res = >> pChallengeHeaders->GetFirstPropertyCString(pPropertyName, >> pChallengeBuf); >> + >> + while (SUCCEEDED(res)) >> + { >> + BOOL bIsAuthenticationHeader = FALSE; >> >> - if (!pChallengeBuf) >> + if ((ulStatusCode == 401 || ulStatusCode == 0) && >> + (strncasecmp(pPropertyName, "WWW-Authenticate", >> 16) == 0)) >> { >> - pChallengeHeaders->GetPropertyCString("Proxy-Authenticate", >> pChallengeBuf); >> + bIsAuthenticationHeader = TRUE; >> + m_bIsProxyAuthentication = FALSE; >> + } >> + else if ((ulStatusCode == 407 || ulStatusCode == 0) && >> + (strncasecmp(pPropertyName, >> "Proxy-Authenticate", 18) == >> 0)) >> + { >> + bIsAuthenticationHeader = TRUE; >> m_bIsProxyAuthentication = TRUE; >> } >> >> - if (pChallengeBuf) >> + if (bIsAuthenticationHeader && pChallengeBuf) >> { >> - const char* sChallenge = (const char*) >> pChallengeBuf->GetBuffer(); >> + const char* pszChallenge = (const >> char*)pChallengeBuf->GetBuffer(); >> >> - if(strncasecmp(sChallenge, "Basic", 5) == 0) >> + if (strncasecmp(pszChallenge, "Basic", 5) == 0) >> { >> + bFoundCompatibleAuthenticationScheme = TRUE; >> + >> IHXCredRequest* pCredRequest = NULL; >> IHXValues* pCredentials = NULL; >> >> - // Set up Prompt, User, Password fields for UI >> _DescribeCredentials(pChallengeHeaders, &pCredentials); >> >> - m_pClientRespondee->QueryInterface(IID_IHXCredRequest, >> - (void **)&pCredRequest); >> + >> m_pClientRespondee->QueryInterface(IID_IHXCredRequest, >> (void**)&pCredRequest); >> >> Ret = pCredRequest->GetCredentials(this, pCredentials); >> - // Flow continues in CredentialsReady() >> + >> + // flow continues in CredentialsReady() >> + >> HX_RELEASE(pCredRequest); >> HX_RELEASE(pCredentials); >> + >> + goto cleanup; >> } >> - else >> - { >> - m_pClientRespondee->ResponseReady(HXR_FAIL, NULL); >> - HX_RELEASE(m_pClientRespondee); >> } >> + HX_RELEASE(pChallengeBuf); >> + >> + res = >> pChallengeHeaders->GetNextPropertyCString(pPropertyName, >> pChallengeBuf); >> } >> - else >> + >> + if (!bFoundCompatibleAuthenticationScheme) >> { >> + // let the respondee know that we did now find a compatible >> authentication scheme >> + >> m_pClientRespondee->ResponseReady(HXR_FAIL, NULL); >> HX_RELEASE(m_pClientRespondee); >> } >> >> +cleanup: >> HX_RELEASE(pChallengeHeaders); >> HX_RELEASE(pChallengeBuf); >> return Ret; >> >> >> Index: rtspclnt.cpp >> =================================================================== >> RCS file: /cvsroot/protocol/rtsp/rtspclnt.cpp,v >> retrieving revision 1.148.2.10 >> diff -u -w -r1.148.2.10 rtspclnt.cpp >> --- rtspclnt.cpp 8 Apr 2005 22:35:39 -0000 1.148.2.10 >> +++ rtspclnt.cpp 21 Apr 2005 16:10:36 -0000 >> @@ -8945,6 +8945,10 @@ >> } >> } >> >> + // Add the response status code to the response headers >> because the >> + // client authentication manager needs it >> + >> pIHXValuesResponseHeaders->SetPropertyULONG32("_statuscode", >> pMsg->errorCodeAsUINT32()); >> + >> rc = m_pResp->HandleWWWAuthentication >> ( >> HXR_NOT_AUTHORIZED, >> >> >> Index: httpfsys.cpp >> =================================================================== >> RCS file: /cvsroot/filesystem/http/httpfsys.cpp,v >> retrieving revision 1.72.2.4 >> diff -u -w -r1.72.2.4 httpfsys.cpp >> --- httpfsys.cpp 5 Apr 2005 20:51:11 -0000 1.72.2.4 >> +++ httpfsys.cpp 21 Apr 2005 16:14:38 -0000 >> @@ -4702,6 +4702,8 @@ >> } >> } >> >> + UINT32 ulHTTPStatus = atoi(pMessage->errorCode()); >> + >> // Add the fake _server value that's used >> // in IHXAuthenticationManager2 implementations. >> xxxbobclark >> HX_ASSERT(m_pHost); >> @@ -4711,7 +4713,6 @@ >> (void**)&pServerHeaderBuffer); >> if (SUCCEEDED(retVal)) >> { >> - UINT32 ulHTTPStatus = >> atoi(pMessage->errorCode()); >> if (m_bUseProxy && ulHTTPStatus == 407 && >> m_strProxyHost.GetLength()) >> { >> pServerHeaderBuffer->Set((UCHAR*)(const >> char*)m_strProxyHost, >> @@ -4734,6 +4735,10 @@ >> pResponseHeaders->SetPropertyCString("_protocol", >> pProtocol); >> HX_RELEASE(pProtocol); >> } >> + >> + // Add the response status code to the response headers >> because the >> + // client authentication manager needs it >> + pResponseHeaders->SetPropertyULONG32("_statuscode", >> ulHTTPStatus); >> } >> HX_RELEASE(pResponseHeaders); >> >> >> >> _______________________________________________ >> Common-dev mailing list >> Common-dev at helixcommunity.org >> http://lists.helixcommunity.org/mailman/listinfo/common-dev > >