Question about implementing URLLoader::OnAuthRequired()


jun...@chromium.org

Jan 19, 2018, 8:54:54 PM
to network-service-dev
I am working on the following issue:
and it seems that in NetworkServiceClient (on the browser process) I need to create a LoginHandler:
and its constructor takes two arguments:
(net::AuthChallengeInfo* auth_info, net::URLRequest* request)
The net::AuthChallengeInfo can be passed from URLLoader in the network side using mojom typemapping, but it seems the URLRequest is not possible to typemap. Any suggestion of how to solve this problem? Thanks a lot!

jun...@chromium.org

Jan 19, 2018, 9:26:58 PM
to network-service-dev
And this is the draft CL:
https://chromium-review.googlesource.com/c/chromium/src/+/877512

Matt Menke

Jan 20, 2018, 12:03:24 AM
to jun...@chromium.org, network-service-dev
Right, we can only pass back some metadata about the request (URL, request ID, auth challenge, etc), and then have the login handler use that to generate a reply.

There's another problem here:
We need to load a dll in the network process to handle some forms of auth (See IOThread::CreateDefaultAuthHandlerFactory).  That is presumably not something we want the network process doing, so we'll need an API for the browser process to provide that information.  I don't think we're going to want two completely separate paths for the different types of auth (NTLM/Negotiate where we use system credentials and that dll, and digest/basic where we prompt for a password), so I think we're going to need some reworking of net before we're ready for this.

--
You received this message because you are subscribed to the Google Groups "network-service-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to network-service-dev+unsub...@chromium.org.
To post to this group, send email to network-service-dev@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/network-service-dev/833a94d7-893f-4e5b-903d-9fb9a6144e6c%40chromium.org.
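
The metadata-only hand-off described in the message above, as an added sketch that is not part of the thread or of Chromium's code: the network side keeps the live request state and sends only plain data keyed by a request ID, and the browser side answers by ID. Every type and function name here (AuthChallengeMetadata, BrowserSide, NetworkSide and their methods) is hypothetical, and the process boundary is simulated with in-process calls.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <utility>

// Plain data only: every field can be serialized across a process boundary,
// unlike a pointer to the live request object. All names are hypothetical.
struct AuthChallengeMetadata {
  uint32_t request_id;
  std::string url;
  std::string scheme;  // e.g. "basic" or "digest"
  std::string realm;
};

struct Credentials {
  std::string username;
  std::string password;
};

// Browser-side stand-in for a login handler. It only ever sees metadata.
// Credentials are keyed by realm alone to keep the sketch short.
class BrowserSide {
 public:
  void StoreCredentials(const std::string& realm, Credentials creds) {
    store_[realm] = std::move(creds);
  }
  // Fills |out| and returns true, or returns false to cancel the auth.
  bool OnAuthRequired(const AuthChallengeMetadata& challenge, Credentials* out) {
    auto it = store_.find(challenge.realm);
    if (it == store_.end()) return false;
    *out = it->second;
    return true;
  }

 private:
  std::map<std::string, Credentials> store_;
};

// Network-side stand-in. It owns the request state and hands out only an ID.
class NetworkSide {
 public:
  enum class State { kUnknown, kPendingAuth, kAuthenticated, kCancelled };

  AuthChallengeMetadata StartChallenge(const std::string& url,
                                       const std::string& scheme,
                                       const std::string& realm) {
    uint32_t id = next_id_++;
    requests_[id] = State::kPendingAuth;
    return AuthChallengeMetadata{id, url, scheme, realm};
  }
  // Applies a reply from the other side. A reply for an unknown ID, or for a
  // request that is no longer waiting on auth, is rejected and changes nothing.
  bool OnAuthReply(uint32_t request_id, const Credentials* creds) {
    auto it = requests_.find(request_id);
    if (it == requests_.end() || it->second != State::kPendingAuth) return false;
    it->second = creds ? State::kAuthenticated : State::kCancelled;
    return true;
  }
  State StateOf(uint32_t request_id) const {
    auto it = requests_.find(request_id);
    return it == requests_.end() ? State::kUnknown : it->second;
  }

 private:
  uint32_t next_id_ = 1;
  std::map<uint32_t, State> requests_;
};
```

The reply path checks the ID against pending state before acting, so a stale or repeated reply cannot move a request that has already been resolved.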

jun...@chromium.org

Jan 26, 2018, 3:44:19 PM
to network-service-dev, jun...@chromium.org
I wrote a design doc:

Suggestions and comments are welcome!

John Abd-El-Malek

Jan 30, 2018, 12:08:03 PM
to jun...@chromium.org, network-service-dev
On Fri, Jan 26, 2018 at 12:44 PM, <jun...@chromium.org> wrote:
I wrote a design doc:

Suggestions and comments are welcome!

On Friday, January 19, 2018 at 9:03:24 PM UTC-8, Matt Menke wrote:
Right, we can only pass back some metadata about the request (URL, request ID, auth challenge, etc), and then have the login handler use that to generate a reply.

+1, you can follow the pattern you used for URLLoader::OnCertificateRequested.


There's another problem here:
We need to load a dll in the network process to handle some forms of auth (See IOThread::CreateDefaultAuthHandlerFactory).

To make sure I'm following, are you referring to the gssapi_library_name_ code on posix?
 
  That is presumably not something we want the network process doing,

Who writes the GSSAPI library? It looks like it can be used on ChromeOS, so does that mean that if we're not the authors, we understand its dependencies pretty well?

so we'll need an API for the browser process to provide that information.  I don't think we're going to want two completely separate paths for the different types of auth (NTLM/Negotiate where we use system credentials and that dll, and digest/basic where we prompt for a password), so I think we're going to need some reworking of net before we're ready for this.
On Fri, Jan 19, 2018 at 9:26 PM, <jun...@chromium.org> wrote:
And this is the draft CL:
https://chromium-review.googlesource.com/c/chromium/src/+/877512

Chris Bentzel

Jan 30, 2018, 12:13:04 PM
to John Abd-El-Malek, asa...@chromium.org, jun...@chromium.org, network-service-dev
+Asanka Herath who knows a lot about GSSAPI libraries.

Asanka Herath

Jan 30, 2018, 8:34:18 PM
to Chris Bentzel, John Abd-El-Malek, jun...@chromium.org, network-service-dev
On Tue, Jan 30, 2018 at 12:13 PM Chris Bentzel <cben...@chromium.org> wrote:
+Asanka Herath who knows a lot about GSSAPI libraries.

On Tue, Jan 30, 2018 at 12:08 PM John Abd-El-Malek <j...@chromium.org> wrote:
On Fri, Jan 26, 2018 at 12:44 PM, <jun...@chromium.org> wrote:
I wrote a design doc:

Suggestions and comments are welcome!

On Friday, January 19, 2018 at 9:03:24 PM UTC-8, Matt Menke wrote:
Right, we can only pass back some metadata about the request (URL, request ID, auth challenge, etc), and then have the login handler use that to generate a reply.

+1, you can follow the pattern you used for URLLoader::OnCertificateRequested.


There's another problem here:
We need to load a dll in the network process to handle some forms of auth (See IOThread::CreateDefaultAuthHandlerFactory).

To make sure I'm following, are you referring to the gssapi_library_name_ code on posix?
 
  That is presumably not something we want the network process doing,

Who writes the GSSAPI library? It looks like it can be used on ChromeOS, so does that mean that if we're not the authors, we understand its dependencies pretty well?

The GSSAPI library is typically what's installed and configured on the local system. On Linux it could be either Heimdal or the MIT Kerberos library depending on what the user chose to install. On Mac it is Heimdal, which is part of the system. On ChromeOS we now bundle MIT Kerberos as a part of the Chrome AD effort.

so we'll need an API for the browser process to provide that information.  I don't think we're going to want two completely separate paths for the different types of auth (NTLM/Negotiate where we use system credentials and that dll, and digest/basic where we prompt for a password), so I think we're going to need some reworking of net before we're ready for this.

Negotiate can use explicit credentials as well as ambient credentials.

John Abd-El-Malek

Jan 31, 2018, 11:02:39 AM
to Asanka Herath, Chris Bentzel, jun...@chromium.org, network-service-dev
On Tue, Jan 30, 2018 at 5:34 PM, Asanka Herath <asa...@chromium.org> wrote:


The GSSAPI library is typically what's installed and configured on the local system. On Linux it could be either Heimdal or the MIT Kerberos library depending on what the user chose to install. On Mac it is Heimdal, which is part of the system. On ChromeOS we now bundle MIT Kerberos as a part of the Chrome AD effort.

Thanks. The good part is that these are open source. The unknown part is how sandboxable they are, but hopefully the former makes it easier to figure this out.
 

John Abd-El-Malek

Jan 31, 2018, 11:03:37 AM
to Asanka Herath, Tom Sepez, Chris Bentzel, jun...@chromium.org, network-service-dev
On Wed, Jan 31, 2018 at 8:02 AM, John Abd-El-Malek <j...@chromium.org> wrote:


Thanks. The good part is that these are open source. The unknown part is how sandboxable they are, but hopefully the former makes it easier to figure this out.

+Tom explicitly 

Also one other question: do we have any integration tests that depend on the GSSAPI library being loaded?

 

Asanka Herath

Jan 31, 2018, 11:27:25 AM
to John Abd-El-Malek, Tom Sepez, Chris Bentzel, jun...@chromium.org, network-service-dev
On Wed, Jan 31, 2018 at 11:03 AM John Abd-El-Malek <j...@chromium.org> wrote:
+Tom explicitly 

Also one other question: do we have any integration tests that depend on the GSSAPI library being loaded?

None whatsoever.

Part of the problem is that in order to verify whether we are loading and invoking the library correctly, we'd need to use it to talk to a real KDC and get it to handle a real handshake. Such automated tests don't currently exist. Incidentally, this is what we are trying to address with the CEL project.
  

26tra...@flaschools.org

Mar 6, 2018, 11:48:21 AM
to network-service-dev