diff options
| author | Guido Guenther <agx@sigxcpu.org> | 2016-03-02 15:20:16 +0100 |
|---|---|---|
| committer | Tomas Popela <tpopela@redhat.com> | 2016-03-14 15:04:35 +0100 |
| commit | 6a8826f0d25459c943719b88f22619f22b81c547 (patch) | |
| tree | fa00e8597a05356e07a8978fe01ec4fc921769d3 /examples | |
| parent | 595a20a0e574923a26079ab40713d9a32d09f888 (diff) | |
| download | libsoup-6a8826f0d25459c943719b88f22619f22b81c547.tar.gz | |
Bug 587145 - Add GSS-Negotiate support
If a "WWW-Authenticate: Negotiate" HTTP header is spotted libsoup will check if
the host is on blacklist and the authentication fails if so. Otherwise the host
is compared against a trusted URIs (if the trusted URIs list is not set all
the HTTPS requests are trusted by default) and then processed. The trusted URIs
list and blacklist are both created when a SoupNegotiateAuth is created. The
trusted URIs list (blacklist) is parsed from the SOUP_GSSAPI_TRUSTED_URIS (
SOUP_GSSAPI_BLACKLIST_URIS) environment variable that expects the URIs be comma
separated (e.g. "http://www.example.com,https://www.test.com:80"). Then the
request is processed by the GSS library (the SPNEGO mechanism is used) which
produces a token that is send back to the server in the next request. The reply
is then again processed by the GSS library and the authentication succeeds by
receiving the GSS_S_COMPLETE status or we continue negotiating when the
GSS_S_CONTINUE_NEEDED is received.
The SoupAuth object is marked as not authenticated if a user will try to call
the soup_auth_authenticate() with the credentials provided as this is not
supported.
If the libsoup is configured with GSS-Negotiate support, a Kerberos library with
GSSAPI support needs to be available on the system (MIT Kerberos was tested
while working on this). Developers can check whether the libsoup was
compiled with the GSS-Negotiate support enabled by checking the
soup_auth_negotiate_supported() function.
To easily test the GSS-Negotiate functionality a new argument "N" was added to
the examples/get utility.
A support for NTLMSSP is provided by this patch given that a Kerberos library
supports NTLMSSP mechanism via GSSAPI. For MIT Kerberos one can use gss-ntlmssp
module, https://fedorahosted.org/gss-ntlmssp/.
Co-Authored-By: Tomas Popela <tpopela@redhat.com>
Co-Authored-By: David Woodhouse <dwmw2@infradead.org>
Co-Authored-By: Dan Winship <danw@gnome.org>
Diffstat (limited to 'examples')
| -rw-r--r-- | examples/get.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/examples/get.c b/examples/get.c index a8888d49..df052892 100644 --- a/examples/get.c +++ b/examples/get.c @@ -4,6 +4,10 @@ * Copyright (C) 2013 Igalia, S.L. */ +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + #include <stdio.h> #include <stdlib.h> @@ -90,6 +94,7 @@ get_url (const char *url) static const char *ca_file, *proxy; static gboolean synchronous, ntlm; +static gboolean negotiate; static GOptionEntry entries[] = { { "ca-file", 'c', 0, @@ -119,6 +124,13 @@ static GOptionEntry entries[] = { { NULL } }; +static GOptionEntry negotiate_entries[] = { + { "negotiate", 'N', 0, + G_OPTION_ARG_NONE, &negotiate, + "Use Negotiate authentication", NULL }, + { NULL } +}; + int main (int argc, char **argv) { @@ -130,6 +142,8 @@ main (int argc, char **argv) opts = g_option_context_new (NULL); g_option_context_add_main_entries (opts, entries, NULL); + if (soup_auth_negotiate_supported()) + g_option_context_add_main_entries (opts, negotiate_entries, NULL); if (!g_option_context_parse (opts, &argc, &argv, &error)) { g_printerr ("Could not parse arguments: %s\n", error->message); @@ -183,6 +197,13 @@ main (int argc, char **argv) soup_uri_free (proxy_uri); } +#ifdef LIBSOUP_HAVE_GSSAPI + if (negotiate) { + soup_session_add_feature_by_type (session, + SOUP_TYPE_AUTH_NEGOTIATE); + } +#endif /* LIBSOUP_HAVE_GSSAPI */ + if (!synchronous) loop = g_main_loop_new (NULL, TRUE); |