version 1.25, 2003/10/13 17:55:56
|
version 1.26, 2003/10/16 21:52:10
|
|
|
enableAuthentication | enableAuthentication |
) | ) |
{ | { |
|
#ifdef PEGASUS_KERBEROS_AUTHENTICATION |
|
// The presence of a Security Association indicates that Kerberos is being |
|
// used. |
|
CIMKerberosSecurityAssociation *sa = httpMessage->authInfo->getSecurityAssociation(); |
|
if (sa) |
|
{ |
|
sa->setClientSentAuthorization(true); |
|
} |
|
#endif |
// | // |
// Do http authentication if not authenticated already | // Do http authentication if not authenticated already |
// | // |
|
|
} // "Authorization" header check | } // "Authorization" header check |
| |
#ifdef PEGASUS_KERBEROS_AUTHENTICATION | #ifdef PEGASUS_KERBEROS_AUTHENTICATION |
|
// The presence of a Security Association indicates that Kerberos is being |
|
// used. |
|
CIMKerberosSecurityAssociation *sa = httpMessage->authInfo->getSecurityAssociation(); |
|
|
|
// This will process a request with no content. |
|
if (sa && authenticated) |
|
{ |
|
if (sa->getServerToken().size()) |
|
{ |
|
// This will handle the scenario where client did not send data (content) but |
|
// is authenticated. After the client receives the success it should will |
|
// send the request. For mutual authentication the client may choose not to |
|
// send request data until the context is fully established. |
|
// Note: if mutual authentication wass not requested by the client then |
|
// no server token will be available. |
|
if (contentLength == 0) |
|
{ |
|
String authResp = |
|
_authenticationManager->getHttpAuthResponseHeader(httpMessage->authInfo); |
|
if (!String::equal(authResp, String::EMPTY)) |
|
{ |
|
_sendSuccess(queueId, authResp); |
|
} |
|
else |
|
{ |
|
_sendError(queueId, "Invalid Request"); |
|
} |
|
|
|
PEG_METHOD_EXIT(); |
|
return; |
|
} |
|
} |
|
} |
|
|
|
// This will process a request without an authorization record. |
|
if (sa && !authenticated) |
|
{ |
|
// Not authenticated can result from the client not sending an authorization |
|
// record due to a previous authentication. In this scenario the client |
|
// was previous authenticated but chose not to send an authorization |
|
// record. The Security Association maintains state so a request will not |
|
// be processed unless the Security association thinks the client is authenticated. |
|
|
|
// This will handle the scenario where the client was authenticated in the |
|
// previous request but choose not to send an authorization record. |
|
if (sa->getClientAuthenticated()) |
|
{ |
|
authenticated = true; |
|
} |
|
} |
|
|
// The following is processing to unwrap (unencrypt) the message received from the | // The following is processing to unwrap (unencrypt) the message received from the |
// client when using kerberos authentication. | // client when using kerberos authentication. |
// For Kerberos there should always be an "Authorization" record sent with the request | // For Kerberos there should always be an "Authorization" record sent with the request |
|
|
// client can't be authenticated. The "Authorization" record was processed above | // client can't be authenticated. The "Authorization" record was processed above |
// and if the "Authorization" record was successfully processed then the client | // and if the "Authorization" record was successfully processed then the client |
// is authenticated. | // is authenticated. |
CIMKerberosSecurityAssociation *sa = httpMessage->authInfo->getSecurityAssociation(); |
|
if (sa && authenticated) | if (sa && authenticated) |
{ | { |
Uint32 rc; // return code for the wrap | Uint32 rc; // return code for the wrap |
|
|
final_buffer.remove(final_buffer.size()); // "\n" | final_buffer.remove(final_buffer.size()); // "\n" |
final_buffer.remove(final_buffer.size()); // "\r" | final_buffer.remove(final_buffer.size()); // "\r" |
| |
// Build the WWW_Authenticate record with token. SPNEGO negotiation |
// Build the WWW_Authenticate record with token. |
// requires that a WWW_Authenticate record is always sent. |
|
String authResp = | String authResp = |
_authenticationManager->getHttpAuthResponseHeader(httpMessage->authInfo); | _authenticationManager->getHttpAuthResponseHeader(httpMessage->authInfo); |
// error occurred on wrap so the final_buffer needs to be built | // error occurred on wrap so the final_buffer needs to be built |
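Review bot: In the `if (sa && !authenticated)` block, a request that carries no "Authorization" header is promoted to `authenticated = true` solely because `sa->getClientAuthenticated()` returns true, so the whole decision rests on state held in the object behind `httpMessage->authInfo`. Nothing visible here shows what that state is bound to or whether the Kerberos context is still valid; if it is per connection, every request arriving on that connection (for example through a shared intermediary) is accepted under the identity of the earlier handshake. I would document the assumption at that branch, e.g. `// SA state is per connection: a request without Authorization is accepted only on the connection that completed the handshake, and only while the context is unexpired`, and write a trace entry whenever `authenticated` is set this way so the path is auditable. The side-by-side column markers were lost in this rendering, so I am assuming this block belongs to the 1.26 side; the enclosing function starts and ends outside the visible lines.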