Bug 428482 Add support for Kerberised LDAP to extensions/auth. r=bienvenu,sr=dmose,a1.9=beltzner
authorbugzilla@standard8.plus.com
Sun, 13 Apr 2008 11:31:34 -0700
changeset 14275 255c9f9e78243a0814f7ad6d9300c2dd63cf34ae
parent 14274 0c228893d2f6ef5b2f01c23ad0d0a62d335ff7de
child 14276 dc173edbc6e0c2715e3e0c04cddfebe19faeb796
push idunknown
push userunknown
push dateunknown
reviewersbienvenu, dmose
bugs428482
milestone1.9pre
Bug 428482 Add support for Kerberised LDAP to extensions/auth. r=bienvenu,sr=dmose,a1.9=beltzner
extensions/auth/nsAuthGSSAPI.cpp
extensions/auth/nsAuthGSSAPI.h
extensions/auth/nsAuthSASL.cpp
extensions/auth/nsAuthSASL.h
--- a/extensions/auth/nsAuthGSSAPI.cpp
+++ b/extensions/auth/nsAuthGSSAPI.cpp
@@ -352,17 +352,18 @@ nsAuthGSSAPI::Reset()
 nsAuthGSSAPI::Shutdown()
 {
     if (gssLibrary) {
         PR_UnloadLibrary(gssLibrary);
         gssLibrary = nsnull;
     }
 }
 
-NS_IMPL_ISUPPORTS1(nsAuthGSSAPI, nsIAuthModule)
+/* Limitations apply to this class's thread safety. See the header file */
+NS_IMPL_THREADSAFE_ISUPPORTS1(nsAuthGSSAPI, nsIAuthModule)
 
 NS_IMETHODIMP
 nsAuthGSSAPI::Init(const char *serviceName,
                    PRUint32    serviceFlags,
                    const PRUnichar *domain,
                    const PRUnichar *username,
                    const PRUnichar *password)
 {
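Review bot: Switching to `NS_IMPL_THREADSAFE_ISUPPORTS1` makes only the reference count atomic; it does not protect the `gssLibrary` handle that `Shutdown()` unloads and clears in the context lines just above, and nothing in the visible code adds locking. If instances are now used off the main thread (the macro change suggests so, though the callers are not visible here), an instance still inside a GSSAPI call when `Shutdown()` runs would be calling into an unloaded library. The one-line comment should state that constraint directly, e.g. `/* Only AddRef/Release are thread-safe; Shutdown() must not run while an instance is in use on another thread. See nsAuthGSSAPI.h */`. The nsAuthSASL.cpp hunk adds the same one-line comment and would benefit from the same wording.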
@@ -441,17 +442,20 @@ nsAuthGSSAPI::GetNextToken(const void *i
         return NS_ERROR_UNEXPECTED; 
     }
 
 #if defined(XP_MACOSX)
     // Suppress Kerberos prompts to get credentials.  See bug 240643.
     // We can only use Mac OS X specific kerb functions if we are using 
     // the native lib
     KLBoolean found;    
-    PRBool doingMailTask = mServiceName.Find("imap@") || mServiceName.Find("pop@") || mServiceName.Find("smtp@");
+    PRBool doingMailTask = mServiceName.Find("imap@") ||
+                           mServiceName.Find("pop@") ||
+                           mServiceName.Find("smtp@") ||
+                           mServiceName.Find("ldap@");
     
     if (!doingMailTask && (gssNativeImp &&
          (KLCacheHasValidTickets_ptr(NULL, kerberosVersion_V5, &found, NULL, NULL) != klNoErr || !found)))
     {
         major_status = GSS_S_FAILURE;
         minor_status = 0;
     }
     else
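Review bot: `doingMailTask` is built from the raw return values of `mServiceName.Find(...)`, so it is very likely always true. If this is the usual nsCString `Find` (offset on a match, `kNotFound`, i.e. -1, on a miss), every term that misses is non-zero and counts as true, and with four alternatives at least three always miss. In that case the `KLCacheHasValidTickets_ptr` check that suppresses Kerberos credential prompts (bug 240643) is never reached for any service, HTTP included. Adding `ldap@` extends an existing pattern rather than introducing it, but this is the place to fix it: compare each term with `== 0`, e.g. `mServiceName.Find("ldap@") == 0`, so that only names beginning with a mail or LDAP prefix skip the check. GetNextToken starts and ends outside this hunk.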
--- a/extensions/auth/nsAuthGSSAPI.h
+++ b/extensions/auth/nsAuthGSSAPI.h
@@ -47,16 +47,33 @@
 
 #define GSS_USE_FUNCTION_POINTERS 1
 
 #include "gssapi.h"
 
 // The nsAuthGSSAPI class provides responses for the GSS-API Negotiate method
 // as specified by Microsoft in draft-brezak-spnego-http-04.txt
 
+/* Some remarks on thread safety ...
+ *
+ * The thread safety of this class depends largely upon the thread safety of
+ * the underlying GSSAPI and Kerberos libraries. This code just loads the 
+ * system GSSAPI library, and whilst it avoids loading known bad libraries, 
+ * it cannot determine the thread safety of the the code it loads.
+ *
+ * When used with a non-threadsafe library, it is not safe to simultaneously 
+ * use multiple instantiations of this class.
+ *
+ * When used with a threadsafe Kerberos library, multiple instantiations of 
+ * this class may happily co-exist. Methods may be sequentially called from 
+ * multiple threads. The nature of the GSSAPI protocol is such that a correct 
+ * implementation will never call methods in parallel, as the results of the 
+ * last call are required as input to the next.
+ */
+
 class nsAuthGSSAPI : public nsIAuthModule
 {
 public:
     NS_DECL_ISUPPORTS
     NS_DECL_NSIAUTHMODULE
 
     nsAuthGSSAPI(pType package);
 
--- a/extensions/auth/nsAuthSASL.cpp
+++ b/extensions/auth/nsAuthSASL.cpp
@@ -49,17 +49,18 @@ nsAuthSASL::nsAuthSASL()
     mSASLReady = false;
 }
 
 void nsAuthSASL::Reset() 
 {
     mSASLReady = false;
 }
 
-NS_IMPL_ISUPPORTS1(nsAuthSASL, nsIAuthModule)
+/* Limitations apply to this class's thread safety. See the header file */
+NS_IMPL_THREADSAFE_ISUPPORTS1(nsAuthSASL, nsIAuthModule)
 
 NS_IMETHODIMP
 nsAuthSASL::Init(const char *serviceName,
                  PRUint32    serviceFlags,
                  const PRUnichar *domain,
                  const PRUnichar *username,
                  const PRUnichar *password)
 {
--- a/extensions/auth/nsAuthSASL.h
+++ b/extensions/auth/nsAuthSASL.h
@@ -37,16 +37,21 @@
 
 #ifndef nsAuthSASL_h__
 #define nsAuthSASL_h__
 
 #include "nsIAuthModule.h"
 #include "nsString.h"
 #include "nsCOMPtr.h"
 
+/* This class is implemented using the nsAuthGSSAPI class, and the same
+ * thread safety constraints which are documented in nsAuthGSSAPI.h
+ * apply to this class
+ */
+
 class nsAuthSASL : public nsIAuthModule
 {
 public:
     NS_DECL_ISUPPORTS
     NS_DECL_NSIAUTHMODULE
 
     nsAuthSASL();