Bug 428482 Add support for Kerberised LDAP to extensions/auth. r=bienvenu,sr=dmose,a1.9=beltzner
--- a/extensions/auth/nsAuthGSSAPI.cpp
+++ b/extensions/auth/nsAuthGSSAPI.cpp
@@ -352,17 +352,18 @@ nsAuthGSSAPI::Reset()
nsAuthGSSAPI::Shutdown()
{
if (gssLibrary) {
PR_UnloadLibrary(gssLibrary);
gssLibrary = nsnull;
}
}
-NS_IMPL_ISUPPORTS1(nsAuthGSSAPI, nsIAuthModule)
+/* Limitations apply to this class's thread safety. See the header file */
+NS_IMPL_THREADSAFE_ISUPPORTS1(nsAuthGSSAPI, nsIAuthModule)
NS_IMETHODIMP
nsAuthGSSAPI::Init(const char *serviceName,
PRUint32 serviceFlags,
const PRUnichar *domain,
const PRUnichar *username,
const PRUnichar *password)
{
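Review bot: The comment added above `NS_IMPL_THREADSAFE_ISUPPORTS1` does not say that the macro makes only AddRef/Release atomic, so a reader may take the class itself to be thread-safe. `Shutdown()`, visible just above, unloads `gssLibrary` and nulls it with no synchronization in this hunk. If instances are now released or used off the main thread (presumably the reason for the change), it is worth confirming that `Shutdown()` can only run once no other thread is still inside the loaded library. I would word the comment as `/* Only reference counting is thread-safe; member state and gssLibrary are not locked. See nsAuthGSSAPI.h */`. The same applies to the matching hunk in nsAuthSASL.cpp, and the body of `Init` continues outside this hunk.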
@@ -441,17 +442,20 @@ nsAuthGSSAPI::GetNextToken(const void *i
return NS_ERROR_UNEXPECTED;
}
#if defined(XP_MACOSX)
// Suppress Kerberos prompts to get credentials. See bug 240643.
// We can only use Mac OS X specific kerb functions if we are using
// the native lib
KLBoolean found;
- PRBool doingMailTask = mServiceName.Find("imap@") || mServiceName.Find("pop@") || mServiceName.Find("smtp@");
+ PRBool doingMailTask = mServiceName.Find("imap@") ||
+ mServiceName.Find("pop@") ||
+ mServiceName.Find("smtp@") ||
+ mServiceName.Find("ldap@");
if (!doingMailTask && (gssNativeImp &&
(KLCacheHasValidTickets_ptr(NULL, kerberosVersion_V5, &found, NULL, NULL) != klNoErr || !found)))
{
major_status = GSS_S_FAILURE;
minor_status = 0;
}
else
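Review bot: The new `mServiceName.Find("ldap@")` term is used as a boolean like the three before it, but assuming `mServiceName` is an nsCString, `Find` returns an offset (0 for a match at the start) or `kNotFound` (-1). Each term is therefore true when the prefix is absent, and since no service name can start with all four prefixes, `doingMailTask` is effectively always true. That would mean the `KLCacheHasValidTickets_ptr` guard below never runs and the Kerberos prompt suppression from bug 240643 is skipped for every caller, including HTTP Negotiate. Each term should compare explicitly, e.g. `mServiceName.Find("ldap@") != kNotFound`, or use a begins-with test if only a leading match is intended. The enclosing `GetNextToken` body starts and ends outside this hunk.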
--- a/extensions/auth/nsAuthGSSAPI.h
+++ b/extensions/auth/nsAuthGSSAPI.h
@@ -47,16 +47,33 @@
#define GSS_USE_FUNCTION_POINTERS 1
#include "gssapi.h"
// The nsAuthGSSAPI class provides responses for the GSS-API Negotiate method
// as specified by Microsoft in draft-brezak-spnego-http-04.txt
+/* Some remarks on thread safety ...
+ *
+ * The thread safety of this class depends largely upon the thread safety of
+ * the underlying GSSAPI and Kerberos libraries. This code just loads the
+ * system GSSAPI library, and whilst it avoids loading known bad libraries,
+ * it cannot determine the thread safety of the the code it loads.
+ *
+ * When used with a non-threadsafe library, it is not safe to simultaneously
+ * use multiple instantiations of this class.
+ *
+ * When used with a threadsafe Kerberos library, multiple instantiations of
+ * this class may happily co-exist. Methods may be sequentially called from
+ * multiple threads. The nature of the GSSAPI protocol is such that a correct
+ * implementation will never call methods in parallel, as the results of the
+ * last call are required as input to the next.
+ */
+
class nsAuthGSSAPI : public nsIAuthModule
{
public:
NS_DECL_ISUPPORTS
NS_DECL_NSIAUTHMODULE
nsAuthGSSAPI(pType package);
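Review bot: The added comment describes two cases (threadsafe and non-threadsafe library) but also states the code cannot tell which one it loaded, so a consumer has no way to know which rule applies. I would add a sentence saying what callers must do by default, e.g. `* Callers that cannot vouch for the system library must serialise all use of this class.` It would also help to state that only reference counting is made atomic by the implementation macro and that no member state is locked. Minor: "the the code it loads" has a doubled word.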
--- a/extensions/auth/nsAuthSASL.cpp
+++ b/extensions/auth/nsAuthSASL.cpp
@@ -49,17 +49,18 @@ nsAuthSASL::nsAuthSASL()
mSASLReady = false;
}
void nsAuthSASL::Reset()
{
mSASLReady = false;
}
-NS_IMPL_ISUPPORTS1(nsAuthSASL, nsIAuthModule)
+/* Limitations apply to this class's thread safety. See the header file */
+NS_IMPL_THREADSAFE_ISUPPORTS1(nsAuthSASL, nsIAuthModule)
NS_IMETHODIMP
nsAuthSASL::Init(const char *serviceName,
PRUint32 serviceFlags,
const PRUnichar *domain,
const PRUnichar *username,
const PRUnichar *password)
{
--- a/extensions/auth/nsAuthSASL.h
+++ b/extensions/auth/nsAuthSASL.h
@@ -37,16 +37,21 @@
#ifndef nsAuthSASL_h__
#define nsAuthSASL_h__
#include "nsIAuthModule.h"
#include "nsString.h"
#include "nsCOMPtr.h"
+/* This class is implemented using the nsAuthGSSAPI class, and the same
+ * thread safety constraints which are documented in nsAuthGSSAPI.h
+ * apply to this class
+ */
+
class nsAuthSASL : public nsIAuthModule
{
public:
NS_DECL_ISUPPORTS
NS_DECL_NSIAUTHMODULE
nsAuthSASL();