HTTP authentication
As specified in RFC 2617, HTTP supports authentication using the WWW-Authenticate request headers and the Authorization response headers (and the Proxy-Authenticate and Proxy-Authorization headers for proxy authentication).

 
Supported authentication schemes
 
Chrome supports four authentication schemes: Basic, Digest, NTLM, and Negotiate. Basic, Digest, and NTLM are supported on all platforms by default. Negotiate is supported on all platforms except Chrome OS by default.
 
The Basic and Digest schemes are specified in RFC 2617. NTLM is a Microsoft proprietary protocol. The Negotiate (or SPNEGO) scheme is specified in RFC 4559 and can be used to negotiate multiple authentication schemes, but typically defaults to either Kerberos or NTLM.
 
The list of supported authentication schemes may be overridden using the AuthSchemes policy. See this page for details on using administrative policies.
 
Choosing an authentication scheme
 

When a server or proxy accepts multiple authentication schemes, our network stack selects the authentication scheme with the highest score:

  • Basic: 1
  • Digest: 2
  • NTLM: 3
  • Negotiate: 4
The Basic scheme has the lowest score because it sends the username/password unencrypted to the server or proxy.
 
So we choose the most secure scheme, and we ignore the server or proxy's preference, indicated by the order in which the schemes are listed in the WWW-Authenticate or Proxy-Authenticate response headers. This could be a source of compatibility problems because MSDN documents that "WinInet chooses the first method it recognizes." Note: In IE7 or later, WinInet chooses the first non-Basic method it recognizes.
 
Integrated Authentication
 
With Integrated Authentication, Chrome can authenticate the user to an Intranet server or proxy without prompting the user for a username or password. It does this by using cached credentials which are established when the user initially logs in to the machine that the Chrome browser is running on. Integrated Authentication is supported for Negotiate and NTLM challenges only.
 
Due to potential attacks, Integrated Authentication is only enabled when Chrome receives an authentication challenge from a proxy, or when it receives a challenge from a server which is in the permitted list.
 
This list is passed in to Chrome using a comma-separated list of URLs to Chrome via the AuthServerWhitelist policy setting. For example, if the AuthServerWhitelist policy setting was:
 
*example.com,*foobar.com,*baz

 
then Chrome would consider that any URL ending in either 'example.com', 'foobar.com', or 'baz' is in the permitted list.  Without the '*' prefix, the URL has to match exactly.
 
In Windows only, if the AuthServerWhitelist setting is not specified, the permitted list consists of those servers in the Local Machine or Local Intranet security zone (for example, when the host in the URL includes a "." character it is outside the Local Intranet security zone), which is the behavior present in IE. Treating servers that bypass proxies as being in the intranet zone is not currently supported.
 
If a challenge comes from a server outside of the permitted list, the user will need to enter the username and password.
 
Kerberos SPN generation
 
When a server or proxy presents Chrome with a Negotiate challenge, Chrome tries to generate a Kerberos SPN (Service Principal Name) based on the host and port of the original URI. Unfortunately, the server does not indicate what the SPN should be as part of the authentication challenge, so Chrome (and other browsers) have to guess what it should be based on standard conventions. 
 
The default SPN is: HTTP/<host name>, where <host name> is the canonical DNS name of the server. This mirrors the SPN generation logic of IE and Firefox.
 
The SPN generation can be customized via policy settings:
  • DisableAuthNegotiateCnameLookup determines whether the original hostname in the URL is used rather than the canonical name. If left unset or set to false, Chrome uses the canonical name.
  • EnableAuthNegotiatePort determines whether the port is appended to the SPN if it is a non-standard (not 80 or 443) port. If set to true, the port is appended. Otherwise (or if left unset) the port is not used.
For example, assume that an intranet has a DNS configuration like
 
auth-a.example.com       IN CNAME auth-server.example.com
auth-server.example.com  IN A     10.0.5.3
 
 URL  Default SPN   With DisableAuthNegotiateCnameLookup  With EnableAuthNegotiatePort 
 http://auth-a  HTTP/auth-server.example.com  HTTP/auth-a  HTTP/auth-server.example.com
 https://auth-a  HTTP/auth-server.example.com  HTTP/auth-a   HTTP/auth-server.example.com
 http://auth-a:80  HTTP/auth-server.example.com  HTTP/auth-a  HTTP/auth-server.example.com
 https://auth-a:443  HTTP/auth-server.example.com  HTTP/auth-a  HTTP/auth-server.example.com
 http://auth-a:4678  HTTP/auth-server.example.com  HTTP/auth-a  HTTP/auth-server.example.com:4678
 http://auth-a.example.com  HTTP/auth-server.example.com  HTTP/auth-a.example.com  HTTP/auth-server.example.com
 http://auth-server  HTTP/auth-server.example.com  HTTP/auth-server  HTTP/auth-server.example.com
 http://auth-server.example.com  HTTP/auth-server.example.com  HTTP/auth-server.example.com  HTTP/auth-server.example.com
 
 
Kerberos Credentials Delegation (Forwardable Tickets)
 
Some services require delegation of the users identity (for example, an IIS server accessing a MSSQL database). By default, Chrome does not allow this. You can use the AuthNegotiateDelegateWhitelist policy to enable it for the servers. 
 
Delegation does not work for proxy authentication.
 

Negotiate external libraries

On Windows, Negotiate is implemented using the SSPI libraries and depends on code in secur32.dll. 
 

On Android, Negotiate is implemented using an external Authentication app provided by third parties. Details are given in Writing a SPNEGO Authenticator for Chrome on Android. The AuthAndroidNegotiateAccountType policy is used to tell Chrome the Android account type provided by the app, hence letting it find the app.

 
On other platforms, Negotiate is implemented using the system GSSAPI libraries. The first time a Negotiate challenge is seen, Chrome tries to dlopen one of several possible shared libraries. If it is unable to find an appropriate library, Chrome remembers for the session and all Negotiate challenges are ignored for lower priority challenges. 
 
The GSSAPILibraryName policy can be used to specify the path to a GSSAPI library that Chrome should use.
 
Otherwise, Chrome tries to dlopen/dlsym each of the following fixed names in the order specified:
  • OSX: libgssapi_krb5.dylib
  • Linux: libgssapi_krb5.so.2, libgssapi.so.4, libgssapi.so.2, libgssapi.so.1

Chrome OS follows the Linux behavior, but does not have a system gssapi library, so all Negotiate challenges are ignored.

 
Remaining work
  • Support NTLMv2 on Mac and Linux. Our portable NTLM code supports NTLMv1 only.
  • Support GSSAPI on Windows [for MIT Kerberos for Windows or Heimdal]
  • Warn about Basic authentication scheme over unencrypted channels.
Questions?
 

Please feel free to send mail to net-dev@chromium.org

Network Stack‎ : HTTP authentication的更多相关文章

  1. Network Stack

    Network Stack 目录 1 Overview 2 Code Layout 3 Anatomy of a Network Request (focused on HTTP) 3.1 URLRe ...

  2. Queueing in the Linux Network Stack !!!!!!!!!!!!!!!

    https://www.coverfire.com/articles/queueing-in-the-linux-network-stack/ Queueing in the Linux Networ ...

  3. Contiki Network Stack

    一.协议栈 主要有两大网络协议栈,uIP和Rime这两大协议栈(network stack): The uIP TCP/IP stack, which provides us with IPv4 ne ...

  4. Network Stack‎ : HTTP Cache

    HTTP Cache 目录 1 Operation 2 Sparse Entries 3 Truncated Entries 4 Byte-Range Requests 5 HttpCache::Tr ...

  5. Network Stack‎ : CookieMonster

    CookieMonster   The CookieMonster is the class in Chromium which handles in-browser storage, managem ...

  6. Network Stack‎ : Disk Cache

    Disk Cache 目录 1 Overview 2 External Interface 3 Disk Structure 3.1 Cache Address 3.2 Index File Stru ...

  7. XV6学习(16)Lab net: Network stack

    最后一个实验了,代码在Github上. 这一个实验其实挺简单的,就是要实现网卡的e1000_transmit和e1000_recv函数.不过看以前的实验好像还要实现上层socket相关的代码,今年就只 ...

  8. Network Load Balancing Technical Overview--reference

    http://technet.microsoft.com/en-us/library/bb742455.aspx Abstract Network Load Balancing, a clusteri ...

  9. Security arrangements for extended USB protocol stack of a USB host system

    Security arrangements for a universal serial bus (USB) protocol stack of a USB host system are provi ...

随机推荐

  1. 【图灵杯 A】谷神的赌博游戏

    [题目链接]:http://oj.acmclub.cn/problem.php?cid=1164&pid=0 [题意] [题解] 把每个数字都%3处理; 会发现最后1的个数为n+1 2和0的个 ...

  2. 国庆 day 7 上午

    思路:模拟,set记录一下. #include<set> #include<cstdio> #include<cstring> #include<iostre ...

  3. 10.29 工作笔记 ndk编译C++,提示找不到头文件(ndk-build error: string: No such file or directory)

    ndk编译C++.提示找不到头文件(ndk-build error: string: No such file or directory) 被这个问题弄得愁眉苦脸啊.心想为啥一个string都找不到呢 ...

  4. 好记性不如烂笔头86-spring3学习(7)-ApplicationContext中bean的生命周期

    假设使用ApplicationContext来生成.管理Bean, 一个Bean从建立到销毁,会历经几个运行阶段. 我个人理解一般的bean的生命周期主要包含:建立,初始化,使用阶段,销毁四个核心阶段 ...

  5. iPad iOS8.0升级和Xcode 6.0.1公布了,附Xcode 6.0.1下载地址

    今天上午把iPad mini升级到了iOS 8.0,升级提示须要6.7G空间,无奈仅仅好把一些大的App删掉腾冲空间,然后開始升级,3小时后最终升级成功了. 下午试着把我们的App通过xcode 5 ...

  6. Find or Query Data with C# Driver

    https://docs.mongodb.com/getting-started/csharp/query/ Overview You can use the Find and FindAsync m ...

  7. spark 数据预处理 特征标准化 归一化模块

    #We will also standardise our data as we have done so far when performing distance-based clustering. ...

  8. CentOS7下安装二进制MYSQL8

    早看到MySQL8发布, 性能相比MySQL7提升2倍,今天准备安装下试试看 1.先卸载当前系统中已安装的mariadb rpm -qa | grep mariadb rpm -e mysql*/ma ...

  9. Android-加载大图避免OOM

    高效加载大图片 我们在编写Android程序的时候经常要用到许多图片,不同图片总是会有不同的形状.不同的大小,但在大多数情况下,这些图片都会大于我们程序所需要的大小.比如说系统图片库里展示的图片大都是 ...

  10. Bayes++ Library入门学习之熟悉class-Bayesian_filter_base(1)

    在对Bayes++库的名称空间有了一个大概的了解之后,我们开始学习该名称空间下的第一个子类Bayesian_filter::Bayes_filter_base. 该类与其子类的继承关系图如下图所示. ...