HTTP authentication
As specified in RFC 2617, HTTP supports authentication using the WWW-Authenticate response header and the Authorization request header (and the Proxy-Authenticate and Proxy-Authorization headers for proxy authentication).

 
Supported authentication schemes
 
Chrome supports four authentication schemes: Basic, Digest, NTLM, and Negotiate. Basic, Digest, and NTLM are supported on all platforms by default. Negotiate is supported on all platforms except Chrome OS by default.
 
The Basic and Digest schemes are specified in RFC 2617. NTLM is a Microsoft proprietary protocol. The Negotiate (or SPNEGO) scheme is specified in RFC 4559 and can be used to negotiate multiple authentication schemes, but typically defaults to either Kerberos or NTLM.
 
The list of supported authentication schemes may be overridden using the AuthSchemes policy. See this page for details on using administrative policies.
 
Choosing an authentication scheme
 

When a server or proxy accepts multiple authentication schemes, our network stack selects the authentication scheme with the highest score:

  • Basic: 1
  • Digest: 2
  • NTLM: 3
  • Negotiate: 4
The Basic scheme has the lowest score because it sends the username/password unencrypted to the server or proxy.
 
So we choose the most secure scheme and ignore the server's or proxy's preference, which is indicated by the order in which the schemes are listed in the WWW-Authenticate or Proxy-Authenticate response headers. This could be a source of compatibility problems, because MSDN documents that "WinInet chooses the first method it recognizes." Note: in IE7 or later, WinInet chooses the first non-Basic method it recognizes.
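As an added illustration (not Chromium's own code), this Python sketch applies the scores above to a list of challenge header values, one challenge per header line, and contrasts the result with the WinInet rule quoted above; the challenge values are constructed, and `available` stands in for the schemes usable on a given platform (for example, Negotiate without a GSSAPI library).

```python
# Chrome's fixed scores from the list above; the highest offered scheme wins.
SCHEME_SCORES = {"basic": 1, "digest": 2, "ntlm": 3, "negotiate": 4}

def scheme_of(challenge):
    """Return the lower-cased scheme token of one challenge value, e.g.
    'Digest realm="corp", nonce="x"' -> 'digest'. Assumes one challenge per
    header line, which is how the constructed sample below is laid out."""
    token = challenge.strip().split(None, 1)
    return token[0].lower() if token else ""

def choose_scheme(challenges, available=frozenset(SCHEME_SCORES)):
    """Chrome's rule: the highest-scored scheme that is both recognised and
    usable on this platform ('available'), regardless of server order.
    Returns None when nothing usable was offered (the user is then prompted
    only if some lower-scored scheme is usable; otherwise auth fails)."""
    best = None
    for c in challenges:
        s = scheme_of(c)
        if s in SCHEME_SCORES and s in available:
            if best is None or SCHEME_SCORES[s] > SCHEME_SCORES[best]:
                best = s
    return best

def wininet_choice(challenges, ie7_or_later=False):
    """The contrasting rule quoted from MSDN: the first recognised method in
    server order; IE7 and later additionally skip Basic."""
    for c in challenges:
        s = scheme_of(c)
        if s not in SCHEME_SCORES:
            continue
        if ie7_or_later and s == "basic":
            continue
        return s
    return None

# Constructed sample: a proxy that lists its schemes weakest-first.
SAMPLE = [
    'Basic realm="corp-proxy"',
    'Digest realm="corp-proxy", nonce="dcd98b7102dd2f0e", qop="auth"',
    "NTLM",
    "Negotiate",
]

if __name__ == "__main__":
    print("Chrome:", choose_scheme(SAMPLE))
    print("Chrome without GSSAPI:", choose_scheme(SAMPLE, {"basic", "digest", "ntlm"}))
    print("WinInet:", wininet_choice(SAMPLE))
    print("WinInet IE7+:", wininet_choice(SAMPLE, ie7_or_later=True))
```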
 
Integrated Authentication
 
With Integrated Authentication, Chrome can authenticate the user to an Intranet server or proxy without prompting the user for a username or password. It does this by using cached credentials which are established when the user initially logs in to the machine that the Chrome browser is running on. Integrated Authentication is supported for Negotiate and NTLM challenges only.
 
Due to potential attacks, Integrated Authentication is only enabled when Chrome receives an authentication challenge from a proxy, or when it receives a challenge from a server which is in the permitted list.
 
This list is passed to Chrome as a comma-separated list of URL patterns via the AuthServerWhitelist policy setting. For example, if the AuthServerWhitelist policy setting was:
 
*example.com,*foobar.com,*baz

 
then Chrome would consider that any URL ending in either 'example.com', 'foobar.com', or 'baz' is in the permitted list. Without the '*' prefix, the URL has to match exactly.
 
On Windows only, if the AuthServerWhitelist setting is not specified, the permitted list consists of those servers in the Local Machine or Local Intranet security zone (for example, when the host in the URL includes a "." character it is outside the Local Intranet security zone), which is the behavior present in IE. Treating servers that bypass proxies as being in the intranet zone is not currently supported.
 
If a challenge comes from a server outside of the permitted list, the user will need to enter the username and password.
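An added Python example (not Chromium's own code) of the matching rule just described: a '*' prefix is a plain suffix match and anything else must match the host exactly. The Windows default is approximated here by the "no '.' in the host" heuristic from the paragraph above, which is an assumption of this example rather than the full security-zone logic.

```python
from urllib.parse import urlsplit

def parse_auth_server_whitelist(policy_value):
    """Split the comma-separated AuthServerWhitelist value into patterns."""
    return [p.strip().lower() for p in policy_value.split(",") if p.strip()]

def host_matches(host, pattern):
    """'*foo' matches any host ending in 'foo'; otherwise an exact match.
    Note the suffix match is not anchored at a label boundary, so
    '*example.com' also matches 'notexample.com'; '*.example.com' is safer."""
    host = host.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern

def in_permitted_list(url, whitelist_policy=None, windows=False):
    """Would Chrome attempt Integrated Authentication for a server challenge
    from `url`? (Proxy challenges are always eligible and not modelled here.)

    Assumption of this example: with the policy unset, Windows treats a host
    without a '.' as Local Intranet; other platforms permit nothing."""
    host = urlsplit(url).hostname or ""
    if whitelist_policy is None:
        return windows and "." not in host
    patterns = parse_auth_server_whitelist(whitelist_policy)
    return any(host_matches(host, p) for p in patterns)

if __name__ == "__main__":
    policy = "*example.com,*foobar.com,*baz"      # the page's sample value
    for u in ("http://intranet.example.com/", "http://notexample.com/",
              "http://baz/", "http://example.org/"):
        print(u, in_permitted_list(u, policy))
    print("http://fileserver/ on Windows, policy unset:",
          in_permitted_list("http://fileserver/", None, windows=True))
```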
 
Kerberos SPN generation
 
When a server or proxy presents Chrome with a Negotiate challenge, Chrome tries to generate a Kerberos SPN (Service Principal Name) based on the host and port of the original URI. Unfortunately, the server does not indicate what the SPN should be as part of the authentication challenge, so Chrome (like other browsers) has to guess what it should be based on standard conventions.
 
The default SPN is: HTTP/<host name>, where <host name> is the canonical DNS name of the server. This mirrors the SPN generation logic of IE and Firefox.
 
The SPN generation can be customized via policy settings:
  • DisableAuthNegotiateCnameLookup determines whether the original hostname in the URL is used rather than the canonical name. If left unset or set to false, Chrome uses the canonical name.
  • EnableAuthNegotiatePort determines whether the port is appended to the SPN if it is a non-standard (not 80 or 443) port. If set to true, the port is appended. Otherwise (or if left unset) the port is not used.
For example, assume that an intranet has a DNS configuration like
 
auth-a.example.com       IN CNAME auth-server.example.com
auth-server.example.com  IN A     10.0.5.3
 
URL                             Default SPN                    With DisableAuthNegotiateCnameLookup  With EnableAuthNegotiatePort
------------------------------  -----------------------------  ------------------------------------  ---------------------------------
http://auth-a                   HTTP/auth-server.example.com   HTTP/auth-a                           HTTP/auth-server.example.com
https://auth-a                  HTTP/auth-server.example.com   HTTP/auth-a                           HTTP/auth-server.example.com
http://auth-a:80                HTTP/auth-server.example.com   HTTP/auth-a                           HTTP/auth-server.example.com
https://auth-a:443              HTTP/auth-server.example.com   HTTP/auth-a                           HTTP/auth-server.example.com
http://auth-a:4678              HTTP/auth-server.example.com   HTTP/auth-a                           HTTP/auth-server.example.com:4678
http://auth-a.example.com       HTTP/auth-server.example.com   HTTP/auth-a.example.com               HTTP/auth-server.example.com
http://auth-server              HTTP/auth-server.example.com   HTTP/auth-server                      HTTP/auth-server.example.com
http://auth-server.example.com  HTTP/auth-server.example.com   HTTP/auth-server.example.com          HTTP/auth-server.example.com
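The rows of this table, reproduced by an added Python example that is not Chromium's code. The DNS data is the constructed zone snippet above, and a resolver search domain of example.com is assumed so that the short names resolve; a real implementation would ask the system resolver instead of this dictionary.

```python
from urllib.parse import urlsplit

# Constructed DNS data mirroring the zone snippet above: name -> (type, target).
DNS = {
    "auth-a.example.com": ("CNAME", "auth-server.example.com"),
    "auth-server.example.com": ("A", "10.0.5.3"),
}
SEARCH_DOMAIN = "example.com"   # assumed resolver search domain for short names

def canonical_name(host):
    """Follow CNAME records to the canonical name, qualifying a short name
    with the assumed search domain first. Refuses to loop on a broken chain."""
    name = host.lower()
    if name not in DNS and "." not in name:
        name = f"{name}.{SEARCH_DOMAIN}"
    seen = set()
    while name in DNS and DNS[name][0] == "CNAME":
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = DNS[name][1]
    return name

def generate_spn(url, disable_cname_lookup=False, enable_port=False):
    """Build the SPN the way the two policies above describe:
    HTTP/<canonical name> by default, the URL's own host when
    DisableAuthNegotiateCnameLookup is true, and ':<port>' appended only
    when EnableAuthNegotiatePort is true and the port is not 80 or 443."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port            # None unless the URL names a port explicitly
    if not disable_cname_lookup:
        host = canonical_name(host)
    spn = f"HTTP/{host}"
    if enable_port and port is not None and port not in (80, 443):
        spn += f":{port}"
    return spn

if __name__ == "__main__":
    for u in ("http://auth-a", "http://auth-a:4678", "http://auth-server"):
        print(u, generate_spn(u), generate_spn(u, disable_cname_lookup=True),
              generate_spn(u, enable_port=True))
```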
 
 
Kerberos Credentials Delegation (Forwardable Tickets)
 
Some services require delegation of the user's identity (for example, an IIS server accessing an MSSQL database). By default, Chrome does not allow this. You can use the AuthNegotiateDelegateWhitelist policy to enable it for specific servers.
 
Delegation does not work for proxy authentication.
 

Negotiate external libraries

On Windows, Negotiate is implemented using the SSPI libraries and depends on code in secur32.dll. 
 

On Android, Negotiate is implemented using an external Authentication app provided by third parties. Details are given in Writing a SPNEGO Authenticator for Chrome on Android. The AuthAndroidNegotiateAccountType policy is used to tell Chrome the Android account type provided by the app, hence letting it find the app.

 
On other platforms, Negotiate is implemented using the system GSSAPI libraries. The first time a Negotiate challenge is seen, Chrome tries to dlopen one of several possible shared libraries. If it is unable to find an appropriate library, Chrome remembers this for the rest of the session and ignores all further Negotiate challenges in favor of lower-priority challenges.
 
The GSSAPILibraryName policy can be used to specify the path to a GSSAPI library that Chrome should use.
 
Otherwise, Chrome tries to dlopen/dlsym each of the following fixed names in the order specified:
  • OSX: libgssapi_krb5.dylib
  • Linux: libgssapi_krb5.so.2, libgssapi.so.4, libgssapi.so.2, libgssapi.so.1

Chrome OS follows the Linux behavior, but does not have a system gssapi library, so all Negotiate challenges are ignored.

 
Remaining work
  • Support NTLMv2 on Mac and Linux. Our portable NTLM code supports NTLMv1 only.
  • Support GSSAPI on Windows [for MIT Kerberos for Windows or Heimdal]
  • Warn about Basic authentication scheme over unencrypted channels.
Questions?
 

Please feel free to send mail to net-dev@chromium.org
