nsIHttpAuthenticator

Interface designed to allow for pluggable HTTP authentication modules.
Implementations are registered under the ContractID:

"@mozilla.org/network/http-authenticator;1?scheme=<auth-scheme>"

where <auth-scheme> is the lower-cased value of the authentication scheme found in the server challenge, per the rules of RFC 2617.

Methods

challengeReceived(aChannel, aChallenge, aProxyAuth, aSessionState, aContinuationState, aInvalidatesIdentity)

Upon receipt of a server challenge, this function is called to determine
whether or not the current user identity has been rejected. If true,
then the user will be prompted by the channel to enter (or revise) their
identity. Following this, generateCredentials will be called.

If the IDENTITY_IGNORED auth flag is set, then the aInvalidatesIdentity
return value will be ignored, and user prompting will be suppressed.

Parameters

aChannel the HTTP channel that received the challenge.
aChallenge the challenge from the WWW-Authenticate/Proxy-Authenticate server response header (possibly from the auth cache).
aProxyAuth flag indicating whether or not aChallenge is from a proxy.
aSessionState see description below for generateCredentials.
aContinuationState see description below for generateCredentials.
aInvalidatesIdentity return value indicating whether or not to prompt the user for a revised identity.

generateCredentials(aChannel, aChallenge, aProxyAuth, aDomain, aUser, aPassword, aSessionState, aContinuationState, aFlags)

Called to generate the authentication credentials for a particular
server/proxy challenge. This is the value that will be sent back
to the server via an Authorization/Proxy-Authorization header.

This function may be called using a cached challenge provided the
authenticator sets the REUSABLE_CHALLENGE flag.

Parameters

aChannel the HTTP channel requesting credentials.
aChallenge the challenge from the WWW-Authenticate/Proxy-Authenticate server response header (possibly from the auth cache).
aProxyAuth flag indicating whether or not aChallenge is from a proxy.
aDomain string containing the domain name (if appropriate).
aUser string containing the user name.
aPassword string containing the password.
aSessionState state stored alongside the user's identity in the auth cache for the lifetime of the browser session. If a new auth cache entry is created for this challenge, then this parameter will be null. On return, the result will be stored in the new auth cache entry. This parameter is non-null when an auth cache entry is being reused.
aContinuationState state held by the channel between consecutive calls to generateCredentials, assuming multiple calls are required to authenticate. This state is held for at most the lifetime of the channel.
aFlags authenticator may return one of the generate flags below.

Attributes

authFlags

Flags defining various properties of the authenticator.

Constants

USING_INTERNAL_IDENTITY

Generate flag (see aFlags in generateCredentials). Indicates that the
authenticator has used an out-of-band or internal source of identity and
tells the consumer that it must not cache the returned identity because
it might not be valid and would overwrite the cached identity. See bug
542318 comment 32.

REQUEST_BASED

A request based authentication scheme only authenticates an individual
request (or a set of requests under the same authentication domain as
defined by RFC 2617). BASIC and DIGEST are request based authentication
schemes.

CONNECTION_BASED

A connection based authentication scheme authenticates an individual
connection. Multiple requests may be issued over the connection without
repeating the authentication steps. Connection based authentication
schemes can associate state with the connection being authenticated via
the aContinuationState parameter (see generateCredentials).

REUSABLE_CREDENTIALS

The credentials returned from generateCredentials may be reused with any
other URLs within “the protection space” as defined by RFC 2617 section
1.2. If this flag is not set, then generateCredentials must be called
for each request within the protection space. REUSABLE_CREDENTIALS
implies REUSABLE_CHALLENGE.

REUSABLE_CHALLENGE

A challenge may be reused to later generate credentials in anticipation
of a duplicate server challenge for URLs within “the protection space”
as defined by RFC 2617 section 1.2.

IDENTITY_IGNORED

This flag indicates that the identity of the user is not required by
this authentication scheme.

IDENTITY_INCLUDES_DOMAIN

This flag indicates that the identity of the user includes a domain
attribute that the user must supply.

IDENTITY_ENCRYPTED

This flag indicates that the identity will be sent encrypted. It does
not make sense to combine this flag with IDENTITY_IGNORED.
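
The call order and flag handling described above, as an added example that is not Mozilla's code: a simplified, self-contained JavaScript model that runs under Node.js. The flag bit values, the `basicLike` authenticator, the `sentCredentials` channel field, and the `cache` and `prompt` stand-ins are assumptions made for illustration, and prompting when no identity is cached is a choice of this model.

```javascript
// Simplified model, not Mozilla code. Bit values are placeholders; a real
// component reads the constants from the nsIHttpAuthenticator interface.
const F = { REQUEST_BASED: 1, REUSABLE_CREDENTIALS: 2, REUSABLE_CHALLENGE: 4,
            IDENTITY_IGNORED: 8 };
const USING_INTERNAL_IDENTITY = 1; // generate flag, returned through aFlags

// Registration key: the lower-cased scheme token that starts the challenge.
function contractIdFor(challenge) {
  const scheme = challenge.trim().split(/\s+/)[0].toLowerCase();
  return "@mozilla.org/network/http-authenticator;1?scheme=" + scheme;
}

// Hypothetical request-based authenticator. Out-parameters are modelled as
// objects with a .value field.
const basicLike = {
  authFlags: F.REQUEST_BASED | F.REUSABLE_CREDENTIALS | F.REUSABLE_CHALLENGE,
  challengeReceived(chan, challenge, proxy, session, cont, invalidates) {
    // Challenged again after sending credentials: the identity was rejected.
    invalidates.value = chan.sentCredentials === true;
  },
  generateCredentials(chan, challenge, proxy, domain, user, pass,
                      session, cont, flags) {
    flags.value = 0; // identity was supplied by the caller, safe to cache
    return "Basic " + Buffer.from(user + ":" + pass).toString("base64");
  },
};

// Consumer side: the call order and flag handling described above.
// `cache` and `prompt` are stand-ins for the auth cache and the user prompt.
function handleChallenge(auth, chan, challenge, cache, prompt) {
  const invalidates = { value: false }, flags = { value: 0 };
  const session = { value: cache.session || null }, cont = { value: null };
  auth.challengeReceived(chan, challenge, false, session, cont, invalidates);
  let id = cache.identity || null;
  const ignored = (auth.authFlags & F.IDENTITY_IGNORED) !== 0;
  // IDENTITY_IGNORED suppresses prompting whatever challengeReceived returned.
  if (!ignored && (invalidates.value || !id)) id = prompt();
  id = id || { user: "", pass: "" };
  const creds = auth.generateCredentials(chan, challenge, false, "",
    id.user, id.pass, session, cont, flags);
  cache.session = session.value;
  // USING_INTERNAL_IDENTITY: the identity must not overwrite the cached one.
  if (!(flags.value & USING_INTERNAL_IDENTITY)) cache.identity = id;
  return "Authorization: " + creds;
}
```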