HTTP authentication
As specified in RFC 2617, HTTP supports authentication using the WWW-Authenticate request headers and the Authorization response headers (and the Proxy-Authenticate and Proxy-Authorization headers for proxy authentication).

 
Supported authentication schemes
 
Chrome supports four authentication schemes: Basic, Digest, NTLM, and Negotiate. Basic, Digest, and NTLM are supported on all platforms by default. Negotiate is supported on all platforms except Chrome OS by default.
 
The Basic and Digest schemes are specified in RFC 2617. NTLM is a Microsoft proprietary protocol. The Negotiate (or SPNEGO) scheme is specified in RFC 4559 and can be used to negotiate multiple authentication schemes, but typically defaults to either Kerberos or NTLM.
 
The list of supported authentication schemes may be overridden using the AuthSchemes policy. See this page for details on using administrative policies.
 
Choosing an authentication scheme
 

When a server or proxy accepts multiple authentication schemes, our network stack selects the authentication scheme with the highest score:

  • Basic: 1
  • Digest: 2
  • NTLM: 3
  • Negotiate: 4
The Basic scheme has the lowest score because it sends the username/password unencrypted to the server or proxy.
 
So we choose the most secure scheme, and we ignore the server or proxy's preference, indicated by the order in which the schemes are listed in the WWW-Authenticate or Proxy-Authenticate response headers. This could be a source of compatibility problems because MSDN documents that "WinInet chooses the first method it recognizes." Note: In IE7 or later, WinInet chooses the first non-Basic method it recognizes.
 
Integrated Authentication
 
With Integrated Authentication, Chrome can authenticate the user to an Intranet server or proxy without prompting the user for a username or password. It does this by using cached credentials which are established when the user initially logs in to the machine that the Chrome browser is running on. Integrated Authentication is supported for Negotiate and NTLM challenges only.
 
Due to potential attacks, Integrated Authentication is only enabled when Chrome receives an authentication challenge from a proxy, or when it receives a challenge from a server which is in the permitted list.
 
This list is passed in to Chrome using a comma-separated list of URLs to Chrome via the AuthServerWhitelist policy setting. For example, if the AuthServerWhitelist policy setting was:
 
*example.com,*foobar.com,*baz

 
then Chrome would consider that any URL ending in either 'example.com', 'foobar.com', or 'baz' is in the permitted list.  Without the '*' prefix, the URL has to match exactly.
 
In Windows only, if the AuthServerWhitelist setting is not specified, the permitted list consists of those servers in the Local Machine or Local Intranet security zone (for example, when the host in the URL includes a "." character it is outside the Local Intranet security zone), which is the behavior present in IE. Treating servers that bypass proxies as being in the intranet zone is not currently supported.
 
If a challenge comes from a server outside of the permitted list, the user will need to enter the username and password.
 
Kerberos SPN generation
 
When a server or proxy presents Chrome with a Negotiate challenge, Chrome tries to generate a Kerberos SPN (Service Principal Name) based on the host and port of the original URI. Unfortunately, the server does not indicate what the SPN should be as part of the authentication challenge, so Chrome (and other browsers) have to guess what it should be based on standard conventions. 
 
The default SPN is: HTTP/<host name>, where <host name> is the canonical DNS name of the server. This mirrors the SPN generation logic of IE and Firefox.
 
The SPN generation can be customized via policy settings:
  • DisableAuthNegotiateCnameLookup determines whether the original hostname in the URL is used rather than the canonical name. If left unset or set to false, Chrome uses the canonical name.
  • EnableAuthNegotiatePort determines whether the port is appended to the SPN if it is a non-standard (not 80 or 443) port. If set to true, the port is appended. Otherwise (or if left unset) the port is not used.
For example, assume that an intranet has a DNS configuration like
 
auth-a.example.com       IN CNAME auth-server.example.com
auth-server.example.com  IN A     10.0.5.3
 
 URL  Default SPN   With DisableAuthNegotiateCnameLookup  With EnableAuthNegotiatePort 
 http://auth-a  HTTP/auth-server.example.com  HTTP/auth-a  HTTP/auth-server.example.com
 https://auth-a  HTTP/auth-server.example.com  HTTP/auth-a   HTTP/auth-server.example.com
 http://auth-a:80  HTTP/auth-server.example.com  HTTP/auth-a  HTTP/auth-server.example.com
 https://auth-a:443  HTTP/auth-server.example.com  HTTP/auth-a  HTTP/auth-server.example.com
 http://auth-a:4678  HTTP/auth-server.example.com  HTTP/auth-a  HTTP/auth-server.example.com:4678
 http://auth-a.example.com  HTTP/auth-server.example.com  HTTP/auth-a.example.com  HTTP/auth-server.example.com
 http://auth-server  HTTP/auth-server.example.com  HTTP/auth-server  HTTP/auth-server.example.com
 http://auth-server.example.com  HTTP/auth-server.example.com  HTTP/auth-server.example.com  HTTP/auth-server.example.com
 
 
Kerberos Credentials Delegation (Forwardable Tickets)
 
Some services require delegation of the users identity (for example, an IIS server accessing a MSSQL database). By default, Chrome does not allow this. You can use the AuthNegotiateDelegateWhitelist policy to enable it for the servers. 
 
Delegation does not work for proxy authentication.
 

Negotiate external libraries

On Windows, Negotiate is implemented using the SSPI libraries and depends on code in secur32.dll. 
 

On Android, Negotiate is implemented using an external Authentication app provided by third parties. Details are given in Writing a SPNEGO Authenticator for Chrome on Android. The AuthAndroidNegotiateAccountType policy is used to tell Chrome the Android account type provided by the app, hence letting it find the app.

 
On other platforms, Negotiate is implemented using the system GSSAPI libraries. The first time a Negotiate challenge is seen, Chrome tries to dlopen one of several possible shared libraries. If it is unable to find an appropriate library, Chrome remembers for the session and all Negotiate challenges are ignored for lower priority challenges. 
 
The GSSAPILibraryName policy can be used to specify the path to a GSSAPI library that Chrome should use.
 
Otherwise, Chrome tries to dlopen/dlsym each of the following fixed names in the order specified:
  • OSX: libgssapi_krb5.dylib
  • Linux: libgssapi_krb5.so.2, libgssapi.so.4, libgssapi.so.2, libgssapi.so.1

Chrome OS follows the Linux behavior, but does not have a system gssapi library, so all Negotiate challenges are ignored.

 
Remaining work
  • Support NTLMv2 on Mac and Linux. Our portable NTLM code supports NTLMv1 only.
  • Support GSSAPI on Windows [for MIT Kerberos for Windows or Heimdal]
  • Warn about Basic authentication scheme over unencrypted channels.
Questions?
 

Please feel free to send mail to net-dev@chromium.org

Network Stack‎ : HTTP authentication的更多相关文章

  1. Network Stack

    Network Stack 目录 1 Overview 2 Code Layout 3 Anatomy of a Network Request (focused on HTTP) 3.1 URLRe ...

  2. Queueing in the Linux Network Stack !!!!!!!!!!!!!!!

    https://www.coverfire.com/articles/queueing-in-the-linux-network-stack/ Queueing in the Linux Networ ...

  3. Contiki Network Stack

    一.协议栈 主要有两大网络协议栈,uIP和Rime这两大协议栈(network stack): The uIP TCP/IP stack, which provides us with IPv4 ne ...

  4. Network Stack‎ : HTTP Cache

    HTTP Cache 目录 1 Operation 2 Sparse Entries 3 Truncated Entries 4 Byte-Range Requests 5 HttpCache::Tr ...

  5. Network Stack‎ : CookieMonster

    CookieMonster   The CookieMonster is the class in Chromium which handles in-browser storage, managem ...

  6. Network Stack‎ : Disk Cache

    Disk Cache 目录 1 Overview 2 External Interface 3 Disk Structure 3.1 Cache Address 3.2 Index File Stru ...

  7. XV6学习(16)Lab net: Network stack

    最后一个实验了,代码在Github上. 这一个实验其实挺简单的,就是要实现网卡的e1000_transmit和e1000_recv函数.不过看以前的实验好像还要实现上层socket相关的代码,今年就只 ...

  8. Network Load Balancing Technical Overview--reference

    http://technet.microsoft.com/en-us/library/bb742455.aspx Abstract Network Load Balancing, a clusteri ...

  9. Security arrangements for extended USB protocol stack of a USB host system

    Security arrangements for a universal serial bus (USB) protocol stack of a USB host system are provi ...

随机推荐

  1. numpy学习笔记 - numpy数组的常见用法

    # -*- coding: utf-8 -*- """ 主要记录代码,相关说明采用注释形势,供日常总结.查阅使用,不定时更新. Created on Mon Aug 20 ...

  2. 【codeforces 340B】Maximal Area Quadrilateral

    [题目链接]:http://codeforces.com/problemset/problem/340/B [题意] 给你n个点,让你在这里面找4个点构成一个四边形; 求出最大四边形的面积; [题解] ...

  3. BNUOJ 34990 Justice String

    Justice String Time Limit: 2000ms Memory Limit: 65536KB 64-bit integer IO format: %lld      Java cla ...

  4. Qt之图形(绘制漂亮的圆弧)

    简述 综合前面对二维绘图的介绍,想必我们对一些基本绘图有了深入的了解,下面我们来实现一些漂亮的图形绘制. 简述 圆形 效果 源码 弧形 效果 源码 文本 效果 源码 旋转 效果 源码 圆形 经常地,我 ...

  5. G4Studio+extjs+highcharts 下在ext4j的panel中放入hightCharts图表

    在G4Studio+extjs下.创建一个panel,然后将highCharts图表放入panel中.实现方法例如以下: 首先简单给出的部分代码: Ext.onReady(function() { v ...

  6. &lt;九度 OJ&gt;题目1545:奇怪的连通图

    题目描写叙述: 已知一个无向带权图,求最小整数k.使仅使用权值小于等于k的边,节点1能够与节点n连通. 输入: 输入包括多组測试用例.每组測试用例的开头为一个整数n(1 <= n <= 1 ...

  7. ural 1989(树状数组+多项式hash)

    题意:给出一个字符串.有两种操作,一个是p a b,问字符串从位置a到位置b的子串是否是一个回文子串.还有一个操作 c a b,把字符串位置a的字符替换为b. 题解:由于字符串长度为1e5且问的次数也 ...

  8. cocos2d-x中的二段构造模式

    学习cocos2d-x的过程中,会发现很多对象都通过一个静态函数create来创建.比方以下的一个样例 #define CREATE_FUNC (__TYPE__) \ static __TYPE__ ...

  9. 大话html5应用与app应用优缺点

    在这个app横飞的年代,对于整个产品研发团队来讲,高速的迭代,爆炸式的功能追加已经成为了互联网行业的时代标签,以小时甚至分钟为单位的进度度量成为了常态.在这个市场大环境下,浪里淘沙的不单单是商业模式. ...

  10. [Project Euler 409] Nim Extreme 解题报告 (统计方案数)

    题目链接:https://projecteuler.net/problem=409 题目: 题解: 题目问你必胜态的数目,我们考虑用总的方案数减去必败态的方案数(NIM游戏没有平局这个操作) 必败态的 ...