Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

597 lines
15 KiB

/*++
Copyright (c) 1999 Microsoft Corporation
Module Name :
basicprovider.cxx
Abstract:
Basic authentication provider
Author:
Bilal Alam (balam) 10-Jan-2000
Environment:
Win32 - User Mode
Project:
ULW3.DLL
--*/
#include "precomp.hxx"
#include "basicprovider.hxx"
#include "uuencode.hxx"
HRESULT
BASIC_AUTH_PROVIDER::DoesApply(
W3_MAIN_CONTEXT * pMainContext,
BOOL * pfApplies
)
/*++
Routine Description:
Does basic authentication apply to this request?
Arguments:
pMainContext - Main context representing request
pfApplies - Set to true if SSPI is applicable
Return Value:
HRESULT
--*/
{
LPCSTR pszAuthHeader;
if ( pMainContext == NULL ||
pfApplies == NULL )
{
DBG_ASSERT( FALSE );
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
}
*pfApplies = FALSE;
//
// Get auth type
//
pszAuthHeader = pMainContext->QueryRequest()->GetHeader( HttpHeaderAuthorization );
//
// No package, no auth
//
if ( pszAuthHeader == NULL )
{
return NO_ERROR;
}
//
// Is it basic?
//
if ( _strnicmp( pszAuthHeader, "Basic", sizeof("Basic") - 1 ) == 0 )
{
*pfApplies = TRUE;
}
return NO_ERROR;
}
HRESULT
BASIC_AUTH_PROVIDER::DoAuthenticate(
W3_MAIN_CONTEXT * pMainContext,
BOOL * pfFilterFinished
)
/*++
Routine Description:
Do the authentication thing!
Arguments:
pMainContext - main context
pfFilterFinished - Set to TRUE if filter wants out
Return Value:
HRESULT
--*/
{
CHAR * pszAuthHeader = NULL;
HRESULT hr;
BOOL fRet;
STACK_BUFFER ( buffDecoded, 256 );
CHAR * pszDecoded;
CHAR * pszColon;
// add 1 to strUserDomain for separator "\"
STACK_STRA( strUserDomain, UNLEN + IIS_DNLEN + 1 + 1 );
STACK_STRA( strUserName, UNLEN + 1 );
STACK_STRA( strPassword, PWLEN + 1 );
STACK_STRA( strDomainName, IIS_DNLEN + 1 );
// add 1 to strUserDomainW for separator "\"
STACK_STRU( strUserDomainW, UNLEN + IIS_DNLEN + 1 + 1 );
STACK_STRU( strUserNameW, UNLEN + 1 );
STACK_STRU( strPasswordW, PWLEN + 1 );
STACK_STRU( strRemotePasswordW, PWLEN + 1 );
STACK_STRU( strDomainNameW, IIS_DNLEN + 1 );
// add 1 to strRemoteUserNameW for separator "\"
STACK_STRU( strRemoteUserNameW, UNLEN + IIS_DNLEN + 1 );
W3_METADATA * pMetaData = NULL;
TOKEN_CACHE_ENTRY * pCachedToken = NULL;
BASIC_USER_CONTEXT * pUserContext = NULL;
DWORD dwLogonError = ERROR_SUCCESS;
BOOL fPossibleUPNLogon = FALSE;
if ( pMainContext == NULL )
{
DBG_ASSERT( FALSE );
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
}
//
// Get the part after the auth type
//
pszAuthHeader = (PSTR) pMainContext->QueryRequest()->GetHeader( HttpHeaderAuthorization );
DBG_ASSERT( pszAuthHeader != NULL );
//
// We better have an Authorization: Basic header if we got to here!
//
DBG_ASSERT( _strnicmp( pszAuthHeader, "Basic", 5 ) == 0 );
//
// Advance to good stuff
//
if ( pszAuthHeader[ 5 ] == '\0' )
{
pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized,
Http401BadLogon );
hr = NO_ERROR;
goto exit;
}
pszAuthHeader = pszAuthHeader + 6;
//
// UUDecode the buffer
//
if ( !uudecode( pszAuthHeader,
&buffDecoded ) )
{
hr = HRESULT_FROM_WIN32( GetLastError() );
goto exit;
}
pszDecoded = (CHAR*) buffDecoded.QueryPtr();
//
// Now split out user:password
//
pszColon = strchr( pszDecoded, ':' );
if ( pszColon == NULL )
{
//
// Bad credentials
//
pMainContext->QueryResponse()->SetStatus( HttpStatusUnauthorized,
Http401BadLogon );
hr = NO_ERROR;
goto exit;
}
//
// Get user/password
//
hr = strUserDomain.Copy( pszDecoded,
DIFF( pszColon - pszDecoded ) );
if ( FAILED( hr ) )
{
goto exit;
}
hr = strPassword.Copy( pszColon + 1 );
if ( FAILED( hr ) )
{
goto exit;
}
//
// Copy the user name into the request
//
hr = pMainContext->QueryRequest()->SetRequestUserName( strUserDomain );
if ( FAILED( hr ) )
{
goto exit;
}
//
// Copy the password into the request (filters suck)
//
hr = pMainContext->QueryRequest()->SetRequestPassword( strPassword );
if ( FAILED( hr ) )
{
goto exit;
}
//
// Remember the unmapped user name and password
//
hr = strRemoteUserNameW.CopyA( strUserDomain.QueryStr() );
if ( FAILED( hr ) )
{
goto exit;
}
hr = strRemotePasswordW.CopyA( strPassword.QueryStr() );
if ( FAILED( hr ) )
{
goto exit;
}
//
// Notify authentication filters
//
if ( pMainContext->IsNotificationNeeded( SF_NOTIFY_AUTHENTICATION ) )
{
HTTP_FILTER_AUTHENT filterAuthent;
hr = strUserDomain.Resize( SF_MAX_USERNAME );
if ( FAILED( hr ) )
{
goto exit;
}
hr = strPassword.Resize( SF_MAX_PASSWORD );
if ( FAILED( hr ) )
{
goto exit;
}
filterAuthent.pszUser = strUserDomain.QueryStr();
filterAuthent.cbUserBuff = SF_MAX_USERNAME;
filterAuthent.pszPassword = strPassword.QueryStr();
filterAuthent.cbPasswordBuff = SF_MAX_PASSWORD;
fRet = pMainContext->NotifyFilters( SF_NOTIFY_AUTHENTICATION,
&filterAuthent,
pfFilterFinished );
if ( !fRet )
{
hr = HRESULT_FROM_WIN32( GetLastError() );
goto exit;
}
if ( *pfFilterFinished )
{
pMainContext->SetDone();
goto exit;
}
strUserDomain.SetLen( strlen( strUserDomain.QueryStr() ) );
strPassword.SetLen( strlen( strPassword.QueryStr() ) );
}
pMetaData = pMainContext->QueryUrlContext()->QueryMetaData();
DBG_ASSERT( pMetaData != NULL );
if( pMetaData->QueryAuthTypeSupported( MD_AUTH_ANONYMOUS ) &&
strUserDomain.IsEmpty() &&
strPassword.IsEmpty() )
{
//
// If user domain and password strings are empty, then we will
// fall back to anonymous authentication
//
AUTH_PROVIDER * pAnonymousProvider =
W3_STATE_AUTHENTICATION::QueryAnonymousProvider();
DBG_ASSERT( pAnonymousProvider != NULL );
hr = pAnonymousProvider->DoAuthenticate( pMainContext,
pfFilterFinished );
goto exit;
}
//
// Convert to unicode
//
hr = strUserDomainW.CopyA( strUserDomain.QueryStr() );
if ( FAILED( hr ) )
{
goto exit;
}
hr = strPasswordW.CopyA( strPassword.QueryStr() );
if ( FAILED( hr ) )
{
goto exit;
}
//
// Get username/domain out of domain\username
//
hr = W3_STATE_AUTHENTICATION::SplitUserDomain( strUserDomainW,
&strUserNameW,
&strDomainNameW,
pMetaData->QueryDomainName(),
&fPossibleUPNLogon );
if ( FAILED( hr ) )
{
goto exit;
}
//
// Try to get the token
//
DBG_ASSERT( g_pW3Server->QueryTokenCache() != NULL );
hr = g_pW3Server->QueryTokenCache()->GetCachedToken(
strUserNameW.QueryStr(),
strDomainNameW.QueryStr(),
strPasswordW.QueryStr(),
pMetaData->QueryLogonMethod(),
FALSE,
fPossibleUPNLogon,
pMainContext->QueryRequest()->
QueryRemoteSockAddress(),
&pCachedToken,
&dwLogonError );
if ( FAILED( hr ) )
{
goto exit;
}
//
// If pCachedToken is NULL, then logon failed
//
if ( pCachedToken == NULL )
{
DBG_ASSERT( dwLogonError != ERROR_SUCCESS );
if( dwLogonError == ERROR_PASSWORD_MUST_CHANGE ||
dwLogonError == ERROR_PASSWORD_EXPIRED )
{
hr = HRESULT_FROM_WIN32( dwLogonError );
goto exit;
}
pMainContext->QueryResponse()->SetStatus(
HttpStatusUnauthorized,
Http401BadLogon );
pMainContext->SetErrorStatus( HRESULT_FROM_WIN32( dwLogonError ) );
hr = NO_ERROR;
goto exit;
}
//
// We have a token! Setup a W3_USER_CONTEXT and we're done
//
pUserContext = new BASIC_USER_CONTEXT( this );
if ( FAILED( hr ) )
{
goto exit;
}
hr = pUserContext->Create( pCachedToken,
strUserNameW,
strDomainNameW,
strRemotePasswordW,
strRemoteUserNameW,
strUserDomainW,
pMetaData->QueryLogonMethod() );
if ( FAILED( hr ) )
{
pUserContext->DereferenceUserContext();
pUserContext = NULL;
goto exit;
}
pMainContext->SetUserContext( pUserContext );
exit:
//
// Zero out all copies of password in this routine
//
ZeroMemory( buffDecoded.QueryPtr(), buffDecoded.QuerySize() );
if( strPassword.QueryCB() )
{
SecureZeroMemory( ( VOID * )strPassword.QueryStr(),
strPassword.QueryCB() );
}
if( strPasswordW.QueryCB() )
{
SecureZeroMemory( ( VOID * )strPasswordW.QueryStr(),
strPassword.QueryCB() );
}
if( strRemotePasswordW.QueryCB() )
{
SecureZeroMemory( ( VOID * )strRemotePasswordW.QueryStr(),
strPassword.QueryCB() );
}
return hr;
}
HRESULT
BASIC_AUTH_PROVIDER::OnAccessDenied(
W3_MAIN_CONTEXT * pMainContext
)
/*++
Routine Description:
Add basic authentication header
Arguments:
pMainContext - Main context
Return Value:
HRESULT
--*/
{
STACK_STRU( strAuthHeader, 256 );
STACK_STRA( straAuthHeader, 256 );
STACK_STRU( strHostAddr, 256 );
HRESULT hr;
W3_METADATA * pMetaData;
if ( pMainContext == NULL )
{
DBG_ASSERT( FALSE );
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
}
hr = strAuthHeader.Copy( L"Basic realm=\"" );
if ( FAILED( hr ) )
{
return hr;
}
pMetaData = pMainContext->QueryUrlContext()->QueryMetaData();
DBG_ASSERT( pMetaData != NULL );
//
// If a realm is configured, use it. Otherwise use host address of
// request
//
if ( pMetaData->QueryRealm() != NULL )
{
hr = strAuthHeader.Append( pMetaData->QueryRealm() );
}
else
{
hr = pMainContext->QueryRequest()->GetHostAddr( &strHostAddr );
if ( FAILED( hr ) )
{
return hr;
}
hr = strAuthHeader.Append( strHostAddr );
}
if ( FAILED( hr ) )
{
return hr;
}
hr = strAuthHeader.Append( L"\"" );
if ( FAILED( hr ) )
{
return hr;
}
if (FAILED(hr = straAuthHeader.CopyW(strAuthHeader.QueryStr())))
{
return hr;
}
return pMainContext->QueryResponse()->SetHeader( "WWW-Authenticate",
16,
straAuthHeader.QueryStr(),
(USHORT)straAuthHeader.QueryCCH() );
}
HRESULT
BASIC_USER_CONTEXT::Create(
TOKEN_CACHE_ENTRY * pCachedToken,
STRU & strUserName,
STRU & strDomainName,
STRU & strPassword,
STRU & strRemoteUserName,
STRU & strMappedDomainUser,
DWORD dwLogonMethod
)
/*++
Routine Description:
Initialize a basic user context
Arguments:
pCachedToken - The token
strUserName - User name (without embedded domain)
strDomainName - Domain name
strPassword - Password
strRemoteUserName - Unmapped user name
strMappedDomainUser - Mapped domain user (may have embedded domain)
dwLogonMethod - Logon method
Return Value:
HRESULT
--*/
{
HRESULT hr;
UNREFERENCED_PARAMETER( strUserName );
UNREFERENCED_PARAMETER( strDomainName );
UNREFERENCED_PARAMETER( dwLogonMethod );
if ( pCachedToken == NULL )
{
DBG_ASSERT( FALSE );
return HRESULT_FROM_WIN32( ERROR_INVALID_PARAMETER );
}
hr = _strUserName.Copy( strMappedDomainUser );
if ( FAILED( hr ) )
{
return hr;
}
hr = _strPassword.Append( strPassword );
if ( FAILED( hr ) )
{
return hr;
}
hr = _strRemoteUserName.Append( strRemoteUserName );
if ( FAILED( hr ) )
{
return hr;
}
_pCachedToken = pCachedToken;
SetCachedToken( TRUE );
return NO_ERROR;
}