Improve authentication handling ... only send authentication information in response to a challenge from the server.


git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@23123 72102866-910b-0410-8b05-ffd578937521
rfm 2006-07-04 10:54:12 +00:00
parent 5ee10ff9c7
commit a35bf27851
5 changed files with 322 additions and 266 deletions


@ -1,6 +1,11 @@
2006-07-04 Richard Frith-Macdonald <rfm@gnu.org> 2006-07-04 Richard Frith-Macdonald <rfm@gnu.org>
* Source/NSTask.m: On mingw32 create subtask with CREATE_NO_WINDOW * Source/NSTask.m: On mingw32 create subtask with CREATE_NO_WINDOW
* Source/GSURLPrivate.h: Generalise GSHTTPAuthentication
* Source/GSHTTPAuthentication.m: Generalise to support Basic auth
* Source/NSURLProtectionSpace.m: Optimise a little.
* Source/GSHTTPURLHandle.m: Changes for GSHTTPAuthentication update.
Don't send basic authentication info unless challenged by server.
2006-07-02 Richard Frith-Macdonald <rfm@gnu.org> 2006-07-02 Richard Frith-Macdonald <rfm@gnu.org>


@ -86,17 +86,19 @@ static GSMimeParser *mimeParser = nil;
} }
} }
+ (GSHTTPAuthentication *) digestWithCredential: (NSURLCredential*)credential + (GSHTTPAuthentication *) authenticationWithCredential:
(NSURLCredential*)credential
inProtectionSpace: (NSURLProtectionSpace*)space inProtectionSpace: (NSURLProtectionSpace*)space
{ {
NSMutableDictionary *cDict; NSMutableDictionary *cDict = nil;
NSURLProtectionSpace *known; NSURLProtectionSpace *known = nil;
GSHTTPAuthentication *digest = nil; GSHTTPAuthentication *authentication = nil;
[storeLock lock]; [storeLock lock];
/* /*
* Keep track of known protection spaces so we don't make lots of * Keep track of known protection spaces so we don't make lots of
* duplicate copies, but share one copy between digest objects. * duplicate copies, but share one copy between authentication objects.
*/ */
known = [spaces member: space]; known = [spaces member: space];
if (known == nil) if (known == nil)
@ -112,19 +114,21 @@ static GSMimeParser *mimeParser = nil;
[store setObject: cDict forKey: space]; [store setObject: cDict forKey: space];
RELEASE(cDict); RELEASE(cDict);
} }
digest = [cDict objectForKey: credential]; authentication = [cDict objectForKey: credential];
if (digest == nil)
if (authentication == nil)
{ {
digest = [[GSHTTPAuthentication alloc] initWithCredential: credential authentication = [[GSHTTPAuthentication alloc]
initWithCredential: credential
inProtectionSpace: space]; inProtectionSpace: space];
[cDict setObject: digest forKey: [digest credential]]; [cDict setObject: authentication forKey: [authentication credential]];
} }
else else
{ {
RETAIN(digest); RETAIN(authentication);
} }
[storeLock unlock]; [storeLock unlock];
return AUTORELEASE(digest); return AUTORELEASE(authentication);
} }
+ (NSURLProtectionSpace*) protectionSpaceForAuthentication: (NSString*)auth + (NSURLProtectionSpace*) protectionSpaceForAuthentication: (NSString*)auth
@ -187,7 +191,7 @@ static GSMimeParser *mimeParser = nil;
* found for the URL, assume that it is unchanged. * found for the URL, assume that it is unchanged.
*/ */
if ([[space realm] isEqualToString: realm] if ([[space realm] isEqualToString: realm]
&& [[space authenticationMethod] isEqualToString: method]) && [space authenticationMethod] == method)
{ {
return space; return space;
} }
@ -337,6 +341,11 @@ static GSMimeParser *mimeParser = nil;
method: (NSString*)method method: (NSString*)method
path: (NSString*)path path: (NSString*)path
{ {
NSMutableString *authorisation;
if ([self->_space authenticationMethod]
== NSURLAuthenticationMethodHTTPDigest)
{
NSString *realm = nil; NSString *realm = nil;
NSString *qop = nil; NSString *qop = nil;
NSString *nonce = nil; NSString *nonce = nil;
@ -347,7 +356,6 @@ static GSMimeParser *mimeParser = nil;
NSString *HA1; NSString *HA1;
NSString *HA2; NSString *HA2;
NSString *response; NSString *response;
NSMutableString *authorisation;
int nc; int nc;
if (authentication != nil) if (authentication != nil)
@ -366,12 +374,14 @@ static GSMimeParser *mimeParser = nil;
{ {
if ([sc scanString: @"=" intoString: 0] == NO) if ([sc scanString: @"=" intoString: 0] == NO)
{ {
NSDebugMLog(@"Missing '=' in HTTP digest '%@'", authentication); NSDebugMLog(@"Missing '=' in HTTP digest '%@'",
authentication);
return nil; // Bad name=value specification return nil; // Bad name=value specification
} }
if ((val = [mimeParser scanToken: sc]) == nil) if ((val = [mimeParser scanToken: sc]) == nil)
{ {
NSDebugMLog(@"Missing value in HTTP digest '%@'", authentication); NSDebugMLog(@"Missing value in HTTP digest '%@'",
authentication);
return nil; // Bad name=value specification return nil; // Bad name=value specification
} }
if ([key caseInsensitiveCompare: @"realm"] == NSOrderedSame) if ([key caseInsensitiveCompare: @"realm"] == NSOrderedSame)
@ -426,7 +436,8 @@ static GSMimeParser *mimeParser = nil;
authentication); authentication);
return nil; return nil;
} }
if (![[qop componentsSeparatedByString: @","] containsObject: @"auth"]) if (![[qop componentsSeparatedByString: @","]
containsObject: @"auth"])
{ {
NSDebugMLog(@"Unsupported/missing HTTP digest qop in '%@'", NSDebugMLog(@"Unsupported/missing HTTP digest qop in '%@'",
authentication); authentication);
@ -472,7 +483,8 @@ static GSMimeParser *mimeParser = nil;
authorisation = [NSMutableString stringWithCapacity: 512]; authorisation = [NSMutableString stringWithCapacity: 512];
[authorisation appendFormat: @"Digest realm=\"%@\"", realm]; [authorisation appendFormat: @"Digest realm=\"%@\"", realm];
[authorisation appendFormat: @",username=\"%@\"", [self->_credential user]]; [authorisation appendFormat: @",username=\"%@\"",
[self->_credential user]];
[authorisation appendFormat: @",nonce=\"%@\"", nonce]; [authorisation appendFormat: @",nonce=\"%@\"", nonce];
[authorisation appendFormat: @",uri=\"%@\"", path]; [authorisation appendFormat: @",uri=\"%@\"", path];
[authorisation appendFormat: @",response=\"%@\"", response]; [authorisation appendFormat: @",response=\"%@\"", response];
@ -485,7 +497,38 @@ static GSMimeParser *mimeParser = nil;
} }
[self->_lock unlock]; [self->_lock unlock];
}
else
{
NSString *toEncode;
// FIXME ... should support other methods
if (authentication != nil)
{
NSScanner *sc;
sc = [NSScanner scannerWithString: authentication];
if ([sc scanString: @"Basic" intoString: 0] == NO)
{
NSDebugMLog(@"Bad format HTTP basic in '%@'", authentication);
return nil; // Not a basic authentication
}
}
authorisation = [NSMutableString stringWithCapacity: 64];
if ([[self->_credential password] length] > 0)
{
toEncode = [NSString stringWithFormat: @"%@:%@",
[self->_credential user], [self->_credential password]];
}
else
{
toEncode = [NSString stringWithFormat: @"%@",
[self->_credential user]];
}
[authorisation appendFormat: @"Basic %@",
[GSMimeDocument encodeBase64String: toEncode]];
}
return authorisation; return authorisation;
} }
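Review bot: The `else` branch introduced under `// FIXME ... should support other methods` builds a Basic header for every protection space whose method is not Digest, which includes NSURLAuthenticationMethodHTMLForm and NSURLAuthenticationMethodDefault (the value NSURLProtectionSpace's initialiser now assigns to any unrecognised method string in the last file of this commit); the branch should be gated on `if ([self->_space authenticationMethod] == NSURLAuthenticationMethodHTTPBasic)` with a `return nil;` fallback so base64-encoded credentials are only emitted for a scheme the space actually declares. The `[sc scanString: @"Basic" intoString: 0]` check is also case-sensitive while HTTP auth-scheme tokens are not, so a `basic realm=...` challenge is rejected; `[sc setCaseSensitive: NO];` before the scan fixes that. The pointer comparisons `[space authenticationMethod] == method` and `[self->_space authenticationMethod] == NSURLAuthenticationMethodHTTPDigest` only hold if `method` is itself one of the NSURLAuthenticationMethod* constants rather than a string parsed from a header, which is not visible in these hunks. The enclosing method `authorizationForAuthentication:method:path:` begins before the `@ -337` hunk.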


@ -418,23 +418,19 @@ static void debugWrite(GSHTTPURLHandle *handle, NSData *data)
} }
if ((id)NSMapGet(wProperties, (void*)@"Authorization") == nil) if ((id)NSMapGet(wProperties, (void*)@"Authorization") == nil)
{ {
if ([u user] != nil)
{
NSString *auth = nil;
NSURLProtectionSpace *space; NSURLProtectionSpace *space;
/* /*
* If the URL we are loading is in a digest authentication space * If we have username/password stored in the URL, and there is a
* we try to create an authorization header using any existing * known protection space for that URL, we generate an authentication
* cached information so that we can avoid the wasteful * header.
* challenge/response dialogue.
*/ */
space = [GSHTTPAuthentication protectionSpaceForURL: u]; if ([u user] != nil
if (space != nil && [[space authenticationMethod] isEqual: && (space = [GSHTTPAuthentication protectionSpaceForURL: u]) != nil)
NSURLAuthenticationMethodHTTPDigest] == YES)
{ {
NSString *auth;
GSHTTPAuthentication *authentication;
NSURLCredential *cred; NSURLCredential *cred;
GSHTTPAuthentication *digest;
NSString *method; NSString *method;
/* /*
@ -446,13 +442,10 @@ static void debugWrite(GSHTTPURLHandle *handle, NSData *data)
password: [u password] password: [u password]
persistence: NSURLCredentialPersistenceForSession]; persistence: NSURLCredentialPersistenceForSession];
/* authentication = [GSHTTPAuthentication
* Get the digest object and ask it for a header authenticationWithCredential: cred
* to use for authorisation.
*/
digest = [GSHTTPAuthentication
digestWithCredential: cred
inProtectionSpace: space]; inProtectionSpace: space];
RELEASE(cred); RELEASE(cred);
method = [request objectForKey: GSHTTPPropertyMethodKey]; method = [request objectForKey: GSHTTPPropertyMethodKey];
@ -467,30 +460,11 @@ static void debugWrite(GSHTTPURLHandle *handle, NSData *data)
method = @"GET"; method = @"GET";
} }
} }
auth = [digest authorizationForAuthentication: nil
auth = [authentication authorizationForAuthentication: nil
method: method method: method
path: [u path]]; path: [u path]];
}
if (auth == nil)
{
/*
* Not able to do a digest authentication,
* so do a basic authentication in case the
* server accepts it.
*/
if ([[u password] length] > 0)
{
auth = [NSString stringWithFormat: @"%@:%@",
[u user], [u password]];
}
else
{
auth = [NSString stringWithFormat: @"%@", [u user]];
}
auth = [NSString stringWithFormat: @"Basic %@",
[GSMimeDocument encodeBase64String: auth]];
}
NSMapInsert(wProperties, (void*)@"Authorization", (void*)auth); NSMapInsert(wProperties, (void*)@"Authorization", (void*)auth);
} }
} }
@ -632,25 +606,21 @@ static void debugWrite(GSHTTPURLHandle *handle, NSData *data)
val = [info objectForKey: NSHTTPPropertyStatusCodeKey]; val = [info objectForKey: NSHTTPPropertyStatusCodeKey];
if ([val intValue] == 401 && self->challenged < 2) if ([val intValue] == 401 && self->challenged < 2)
{ {
NSString *a;
GSMimeHeader *ah; GSMimeHeader *ah;
self->challenged++; // Prevent repeated challenge/auth self->challenged++; // Prevent repeated challenge/auth
a = (id)NSMapGet(wProperties, (void*)@"Authorization");
if ((ah = [document headerNamed: @"WWW-Authenticate"]) != nil) if ((ah = [document headerNamed: @"WWW-Authenticate"]) != nil)
{ {
NSURLProtectionSpace *space; NSURLProtectionSpace *space;
NSString *ac; NSString *ac;
NSURLCredential *cred;
GSHTTPAuthentication *authentication;
NSString *method;
NSString *a;
ac = [ah value]; ac = [ah value];
space = [GSHTTPAuthentication space = [GSHTTPAuthentication
protectionSpaceForAuthentication: ac requestURL: url]; protectionSpaceForAuthentication: ac requestURL: url];
if (space != nil)
{
NSURLCredential *cred;
GSHTTPAuthentication *digest;
NSString *method;
NSString *a;
/* /*
* Create credential from user and password * Create credential from user and password
@ -665,9 +635,10 @@ static void debugWrite(GSHTTPURLHandle *handle, NSData *data)
* Get the digest object and ask it for a header * Get the digest object and ask it for a header
* to use for authorisation. * to use for authorisation.
*/ */
digest = [GSHTTPAuthentication authentication = [GSHTTPAuthentication
digestWithCredential: cred authenticationWithCredential: cred
inProtectionSpace: space]; inProtectionSpace: space];
RELEASE(cred); RELEASE(cred);
method = [request objectForKey: GSHTTPPropertyMethodKey]; method = [request objectForKey: GSHTTPPropertyMethodKey];
@ -682,7 +653,8 @@ static void debugWrite(GSHTTPURLHandle *handle, NSData *data)
method = @"GET"; method = @"GET";
} }
} }
a = [digest authorizationForAuthentication: ac
a = [authentication authorizationForAuthentication: ac
method: method method: method
path: [url path]]; path: [url path]];
if (a != nil) if (a != nil)
@ -693,7 +665,6 @@ static void debugWrite(GSHTTPURLHandle *handle, NSData *data)
} }
} }
} }
}
if (val != nil) if (val != nil)
{ {
[pageInfo setObject: val forKey: NSHTTPPropertyStatusCodeKey]; [pageInfo setObject: val forKey: NSHTTPPropertyStatusCodeKey];
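Review bot: In the `@ -467` hunk `auth` can now be nil when `NSMapInsert(wProperties, (void*)@"Authorization", (void*)auth);` runs, because the Basic fallback that previously guaranteed a value was deleted and `authorizationForAuthentication:method:path:` returns nil on several paths visible in the GSHTTPAuthentication.m hunks; the 401 handler in the next hunk guards the same call with `if (a != nil)`, so this path should match it: `if (auth != nil) { NSMapInsert(wProperties, (void*)@"Authorization", (void*)auth); }`. Whether the map's value callbacks tolerate a nil value is not shown here, but an absent or empty Authorization header is not what the caller intends either way. The enclosing method starts and ends outside these hunks.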


@ -82,8 +82,10 @@
/* /*
* Return the object for the specified credential/protection space. * Return the object for the specified credential/protection space.
*/ */
+ (GSHTTPAuthentication *) digestWithCredential: (NSURLCredential*)credential + (GSHTTPAuthentication *) authenticationWithCredential:
(NSURLCredential*)credential
inProtectionSpace: (NSURLProtectionSpace*)space; inProtectionSpace: (NSURLProtectionSpace*)space;
/* /*
* Create/return the protection space involved in the specified authentication * Create/return the protection space involved in the specified authentication
* header returned in a response to a request sent to the URL. * header returned in a response to a request sent to the URL.


@ -43,8 +43,8 @@ typedef struct {
int port; int port;
NSString *protocol; NSString *protocol;
NSString *realm; NSString *realm;
NSString *proxyType; NSString *proxyType; // Not retained
NSString *authenticationMethod; NSString *authenticationMethod; // Not retained
BOOL isProxy; BOOL isProxy;
} Internal; } Internal;
@ -90,7 +90,7 @@ typedef struct {
if (o != nil) if (o != nil)
{ {
inst->isProxy = this->isProxy; inst->isProxy = this->isProxy;
ASSIGN(inst->proxyType, this->proxyType); inst->proxyType = this->proxyType;
} }
return o; return o;
} }
@ -102,9 +102,7 @@ typedef struct {
{ {
RELEASE(this->host); RELEASE(this->host);
RELEASE(this->protocol); RELEASE(this->protocol);
RELEASE(this->proxyType);
RELEASE(this->realm); RELEASE(this->realm);
RELEASE(this->authenticationMethod);
NSZoneFree([self zone], this); NSZoneFree([self zone], this);
} }
[super dealloc]; [super dealloc];
@ -114,7 +112,7 @@ typedef struct {
{ {
return [[self host] hash] + [self port] return [[self host] hash] + [self port]
+ [[self realm] hash] + [[self protocol] hash] + [[self realm] hash] + [[self protocol] hash]
+ [[self proxyType] hash] + [[self authenticationMethod] hash]; + (uintptr_t)this->proxyType + (uintptr_t)this->authenticationMethod;
} }
- (NSString *) host - (NSString *) host
@ -133,7 +131,25 @@ authenticationMethod: (NSString *)authenticationMethod
this->host = [host copy]; this->host = [host copy];
this->protocol = [protocol copy]; this->protocol = [protocol copy];
this->realm = [realm copy]; this->realm = [realm copy];
this->authenticationMethod = [authenticationMethod copy]; if ([authenticationMethod isEqualToString:
NSURLAuthenticationMethodHTMLForm] == YES)
{
this->authenticationMethod = NSURLAuthenticationMethodHTMLForm;
}
else if ([authenticationMethod isEqualToString:
NSURLAuthenticationMethodHTTPBasic] == YES)
{
this->authenticationMethod = NSURLAuthenticationMethodHTTPBasic;
}
else if ([authenticationMethod isEqualToString:
NSURLAuthenticationMethodHTTPDigest] == YES)
{
this->authenticationMethod = NSURLAuthenticationMethodHTTPDigest;
}
else
{
this->authenticationMethod = NSURLAuthenticationMethodDefault;
}
this->port = port; this->port = port;
this->proxyType = nil; this->proxyType = nil;
this->isProxy = NO; this->isProxy = NO;
@ -155,9 +171,28 @@ authenticationMethod: (NSString *)authenticationMethod
if (self != nil) if (self != nil)
{ {
this->isProxy = YES; this->isProxy = YES;
ASSIGNCOPY(this->proxyType, type); if ([type isEqualToString: NSURLProtectionSpaceFTPProxy] == YES)
{
this->proxyType = NSURLProtectionSpaceFTPProxy;
} }
return NO; else if ([type isEqualToString: NSURLProtectionSpaceHTTPProxy] == YES)
{
this->proxyType = NSURLProtectionSpaceHTTPProxy;
}
else if ([type isEqualToString: NSURLProtectionSpaceHTTPSProxy] == YES)
{
this->proxyType = NSURLProtectionSpaceHTTPSProxy;
}
else if ([type isEqualToString: NSURLProtectionSpaceSOCKSProxy] == YES)
{
this->proxyType = NSURLProtectionSpaceSOCKSProxy;
}
else
{
DESTROY(self); // Bad proxy type.
}
}
return self;
} }
- (BOOL) isEqual: (id)other - (BOOL) isEqual: (id)other
@ -237,13 +272,13 @@ authenticationMethod: (NSString *)authenticationMethod
- (BOOL) receivesCredentialSecurely - (BOOL) receivesCredentialSecurely
{ {
if ([this->authenticationMethod isEqual: NSURLAuthenticationMethodHTTPDigest]) if (this->authenticationMethod == NSURLAuthenticationMethodHTTPDigest)
{ {
return YES; return YES;
} }
if (this->isProxy) if (this->isProxy)
{ {
if ([this->proxyType isEqual: NSURLProtectionSpaceHTTPSProxy] == YES) if (this->proxyType == NSURLProtectionSpaceHTTPSProxy)
{ {
return YES; return YES;
} }
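Review bot: The new canonicalisation in the initialiser ending in `authenticationMethod:` silently maps any unrecognised method string to NSURLAuthenticationMethodDefault, whereas the proxy initialiser in the next hunk rejects an unrecognised type with `DESTROY(self); // Bad proxy type.`; the asymmetry is undocumented, and a Default space is what GSHTTPAuthentication's new `else` branch turns into a Basic header. At minimum add a comment above the `if ([authenticationMethod isEqualToString:` chain: `// Canonicalise to one of the NSURLAuthenticationMethod* constants so the method can be compared by pointer (see -hash and -receivesCredentialSecurely); anything else degrades to NSURLAuthenticationMethodDefault, it is not rejected.` The `-hash` change to `(uintptr_t)this->proxyType + (uintptr_t)this->authenticationMethod` relies on that same invariant, so the comment is the only place a future maintainer would learn it. The initialiser's signature line is outside the hunk.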