QNAM: Move authentication cache to separate class

Also make the authentication cache thread-safe by using
a mutex and making QNetworkAuthenticationCredential
a value-class.

Reviewed-by: thiago

6 files changed, 424 insertions, 245 deletions

diff --git a/src/network/access/access.pri b/src/network/access/access.pri
index f8dfda6ff3..7497c1aa6e 100644
--- a/src/network/access/access.pri
+++ b/src/network/access/access.pri
@@ -8,6 +8,7 @@ HEADERS += \
     access/qhttpnetworkreply_p.h \
     access/qhttpnetworkconnection_p.h \
     access/qhttpnetworkconnectionchannel_p.h \
+    access/qnetworkaccessauthenticationmanager_p.h \
     access/qnetworkaccessmanager.h \
     access/qnetworkaccessmanager_p.h \
     access/qnetworkaccesscache_p.h \
@@ -42,6 +43,7 @@ SOURCES += \
     access/qhttpnetworkreply.cpp \
     access/qhttpnetworkconnection.cpp \
     access/qhttpnetworkconnectionchannel.cpp \
+    access/qnetworkaccessauthenticationmanager.cpp \
     access/qnetworkaccessmanager.cpp \
     access/qnetworkaccesscache.cpp \
     access/qnetworkaccessbackend.cpp \
diff --git a/src/network/access/qnetworkaccessauthenticationmanager.cpp b/src/network/access/qnetworkaccessauthenticationmanager.cpp
new file mode 100644
index 0000000000..d2bf00accf
--- /dev/null
+++ b/src/network/access/qnetworkaccessauthenticationmanager.cpp
@@ -0,0 +1,297 @@
+/****************************************************************************
+**
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
+** All rights reserved.
+** Contact: Nokia Corporation (qt-info@nokia.com)
+**
+** This file is part of the QtNetwork module of the Qt Toolkit.
+**
+** $QT_BEGIN_LICENSE:LGPL$
+** No Commercial Usage
+** This file contains pre-release code and may not be distributed.
+** You may use this file in accordance with the terms and conditions
+** contained in the Technology Preview License Agreement accompanying
+** this package.
+**
+** GNU Lesser General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU Lesser
+** General Public License version 2.1 as published by the Free Software
+** Foundation and appearing in the file LICENSE.LGPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU Lesser General Public License version 2.1 requirements
+** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+**
+** In addition, as a special exception, Nokia gives you certain additional
+** rights.  These rights are described in the Nokia Qt LGPL Exception
+** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+**
+** If you have questions regarding the use of this file, please contact
+** Nokia at qt-info@nokia.com.
+**
+**
+**
+**
+**
+**
+**
+**
+** $QT_END_LICENSE$
+**
+****************************************************************************/
+
+#include "qnetworkaccessmanager.h"
+#include "qnetworkaccessmanager_p.h"
+#include "qnetworkaccessauthenticationmanager_p.h"
+
+#include "QtCore/qbuffer.h"
+#include "QtCore/qurl.h"
+#include "QtCore/qvector.h"
+#include "QtCore/QMutexLocker"
+#include "QtNetwork/qauthenticator.h"
+
+QT_BEGIN_NAMESPACE
+
+
+
+
+class QNetworkAuthenticationCache: private QVector<QNetworkAuthenticationCredential>,
+                                   public QNetworkAccessCache::CacheableObject
+{
+public:
+    QNetworkAuthenticationCache()
+    {
+        setExpires(false);
+        setShareable(true);
+        reserve(1);
+    }
+
+    QNetworkAuthenticationCredential *findClosestMatch(const QString &domain)
+    {
+        iterator it = qLowerBound(begin(), end(), domain);
+        if (it == end() && !isEmpty())
+            --it;
+        if (it == end() || !domain.startsWith(it->domain))
+            return 0;
+        return &*it;
+    }
+
+    void insert(const QString &domain, const QString &user, const QString &password)
+    {
+        QNetworkAuthenticationCredential *closestMatch = findClosestMatch(domain);
+        if (closestMatch && closestMatch->domain == domain) {
+            // we're overriding the current credentials
+            closestMatch->user = user;
+            closestMatch->password = password;
+        } else {
+            QNetworkAuthenticationCredential newCredential;
+            newCredential.domain = domain;
+            newCredential.user = user;
+            newCredential.password = password;
+
+            if (closestMatch)
+                QVector<QNetworkAuthenticationCredential>::insert(++closestMatch, newCredential);
+            else
+                QVector<QNetworkAuthenticationCredential>::insert(end(), newCredential);
+        }
+    }
+
+    virtual void dispose() { delete this; }
+};
+
+#ifndef QT_NO_NETWORKPROXY
+static QByteArray proxyAuthenticationKey(const QNetworkProxy &proxy, const QString &realm)
+{
+    QUrl key;
+
+    switch (proxy.type()) {
+    case QNetworkProxy::Socks5Proxy:
+        key.setScheme(QLatin1String("proxy-socks5"));
+        break;
+
+    case QNetworkProxy::HttpProxy:
+    case QNetworkProxy::HttpCachingProxy:
+        key.setScheme(QLatin1String("proxy-http"));
+        break;
+
+    case QNetworkProxy::FtpCachingProxy:
+        key.setScheme(QLatin1String("proxy-ftp"));
+        break;
+
+    case QNetworkProxy::DefaultProxy:
+    case QNetworkProxy::NoProxy:
+        // shouldn't happen
+        return QByteArray();
+
+        // no default:
+        // let there be errors if a new proxy type is added in the future
+    }
+
+    if (key.scheme().isEmpty())
+        // proxy type not handled
+        return QByteArray();
+
+    key.setUserName(proxy.user());
+    key.setHost(proxy.hostName());
+    key.setPort(proxy.port());
+    key.setFragment(realm);
+    return "auth:" + key.toEncoded();
+}
+#endif
+
+static inline QByteArray authenticationKey(const QUrl &url, const QString &realm)
+{
+    QUrl copy = url;
+    copy.setFragment(realm);
+    return "auth:" + copy.toEncoded(QUrl::RemovePassword | QUrl::RemovePath | QUrl::RemoveQuery);
+}
+
+
+#ifndef QT_NO_NETWORKPROXY
+void QNetworkAccessAuthenticationManager::cacheProxyCredentials(const QNetworkProxy &p,
+                                                  const QAuthenticator *authenticator)
+{
+    Q_ASSERT(authenticator);
+    Q_ASSERT(p.type() != QNetworkProxy::DefaultProxy);
+    Q_ASSERT(p.type() != QNetworkProxy::NoProxy);
+
+    QMutexLocker mutexLocker(&mutex);
+
+    QString realm = authenticator->realm();
+    QNetworkProxy proxy = p;
+    proxy.setUser(authenticator->user());
+    // Set two credentials: one with the username and one without
+    do {
+        // Set two credentials actually: one with and one without the realm
+        do {
+            QByteArray cacheKey = proxyAuthenticationKey(proxy, realm);
+            if (cacheKey.isEmpty())
+                return;             // should not happen
+
+            QNetworkAuthenticationCache *auth = new QNetworkAuthenticationCache;
+            auth->insert(QString(), authenticator->user(), authenticator->password());
+            authenticationCache.addEntry(cacheKey, auth); // replace the existing one, if there's any
+
+            if (realm.isEmpty()) {
+                break;
+            } else {
+                realm.clear();
+            }
+        } while (true);
+
+        if (proxy.user().isEmpty())
+            break;
+        else
+            proxy.setUser(QString());
+    } while (true);
+}
+
+QNetworkAuthenticationCredential
+QNetworkAccessAuthenticationManager::fetchCachedProxyCredentials(const QNetworkProxy &p,
+                                                     const QAuthenticator *authenticator)
+{
+    QNetworkProxy proxy = p;
+    if (proxy.type() == QNetworkProxy::DefaultProxy) {
+        proxy = QNetworkProxy::applicationProxy();
+    }
+    if (!proxy.password().isEmpty())
+        return QNetworkAuthenticationCredential(); // no need to set credentials if it already has them
+
+    QString realm;
+    if (authenticator)
+        realm = authenticator->realm();
+
+    QMutexLocker mutexLocker(&mutex);
+    QByteArray cacheKey = proxyAuthenticationKey(proxy, realm);
+    if (cacheKey.isEmpty())
+        return QNetworkAuthenticationCredential();
+    if (!authenticationCache.hasEntry(cacheKey))
+        return QNetworkAuthenticationCredential();
+
+    QNetworkAuthenticationCache *auth =
+        static_cast<QNetworkAuthenticationCache *>(authenticationCache.requestEntryNow(cacheKey));
+    QNetworkAuthenticationCredential cred = *auth->findClosestMatch(QString());
+    authenticationCache.releaseEntry(cacheKey);
+
+    // proxy cache credentials always have exactly one item
+    Q_ASSERT_X(!cred.isNull(), "QNetworkAccessManager",
+               "Internal inconsistency: found a cache key for a proxy, but it's empty");
+    return cred;
+}
+
+#endif
+
+void QNetworkAccessAuthenticationManager::cacheCredentials(const QUrl &url,
+                                                  const QAuthenticator *authenticator)
+{
+    Q_ASSERT(authenticator);
+    QString domain = QString::fromLatin1("/"); // FIXME: make QAuthenticator return the domain
+    QString realm = authenticator->realm();
+
+    QMutexLocker mutexLocker(&mutex);
+
+    // Set two credentials actually: one with and one without the username in the URL
+    QUrl copy = url;
+    copy.setUserName(authenticator->user());
+    do {
+        QByteArray cacheKey = authenticationKey(copy, realm);
+        if (authenticationCache.hasEntry(cacheKey)) {
+            QNetworkAuthenticationCache *auth =
+                static_cast<QNetworkAuthenticationCache *>(authenticationCache.requestEntryNow(cacheKey));
+            auth->insert(domain, authenticator->user(), authenticator->password());
+            authenticationCache.releaseEntry(cacheKey);
+        } else {
+            QNetworkAuthenticationCache *auth = new QNetworkAuthenticationCache;
+            auth->insert(domain, authenticator->user(), authenticator->password());
+            authenticationCache.addEntry(cacheKey, auth);
+        }
+
+        if (copy.userName().isEmpty()) {
+            break;
+        } else {
+            copy.setUserName(QString());
+        }
+    } while (true);
+}
+
+/*!
+    Fetch the credential data from the credential cache.
+
+    If auth is 0 (as it is when called from createRequest()), this will try to
+    look up with an empty realm. That fails in most cases for HTTP (because the
+    realm is seldom empty for HTTP challenges). In any case, QHttpNetworkConnection
+    never sends the credentials on the first attempt: it needs to find out what
+    authentication methods the server supports.
+
+    For FTP, realm is always empty.
+*/
+QNetworkAuthenticationCredential
+QNetworkAccessAuthenticationManager::fetchCachedCredentials(const QUrl &url,
+                                                     const QAuthenticator *authentication)
+{
+    if (!url.password().isEmpty())
+        return QNetworkAuthenticationCredential(); // no need to set credentials if it already has them
+
+    QString realm;
+    if (authentication)
+        realm = authentication->realm();
+
+    QByteArray cacheKey = authenticationKey(url, realm);
+
+    QMutexLocker mutexLocker(&mutex);
+    if (!authenticationCache.hasEntry(cacheKey))
+        return QNetworkAuthenticationCredential();
+
+    QNetworkAuthenticationCache *auth =
+        static_cast<QNetworkAuthenticationCache *>(authenticationCache.requestEntryNow(cacheKey));
+    QNetworkAuthenticationCredential cred = *auth->findClosestMatch(url.path());
+    authenticationCache.releaseEntry(cacheKey);
+    return cred;
+}
+
+void QNetworkAccessAuthenticationManager::clearCache()
+{
+    authenticationCache.clear();
+}
+
+QT_END_NAMESPACE
+
diff --git a/src/network/access/qnetworkaccessauthenticationmanager_p.h b/src/network/access/qnetworkaccessauthenticationmanager_p.h
new file mode 100644
index 0000000000..d2347b1722
--- /dev/null
+++ b/src/network/access/qnetworkaccessauthenticationmanager_p.h
@@ -0,0 +1,107 @@
+/****************************************************************************
+**
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
+** All rights reserved.
+** Contact: Nokia Corporation (qt-info@nokia.com)
+**
+** This file is part of the QtNetwork module of the Qt Toolkit.
+**
+** $QT_BEGIN_LICENSE:LGPL$
+** No Commercial Usage
+** This file contains pre-release code and may not be distributed.
+** You may use this file in accordance with the terms and conditions
+** contained in the Technology Preview License Agreement accompanying
+** this package.
+**
+** GNU Lesser General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU Lesser
+** General Public License version 2.1 as published by the Free Software
+** Foundation and appearing in the file LICENSE.LGPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU Lesser General Public License version 2.1 requirements
+** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+**
+** In addition, as a special exception, Nokia gives you certain additional
+** rights.  These rights are described in the Nokia Qt LGPL Exception
+** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+**
+** If you have questions regarding the use of this file, please contact
+** Nokia at qt-info@nokia.com.
+**
+**
+**
+**
+**
+**
+**
+**
+** $QT_END_LICENSE$
+**
+****************************************************************************/
+
+#ifndef QNETWORKACCESSAUTHENTICATIONMANAGER_P_H
+#define QNETWORKACCESSAUTHENTICATIONMANAGER_P_H
+
+//
+//  W A R N I N G
+//  -------------
+//
+// This file is not part of the Qt API.  It exists for the convenience
+// of the Network Access API.  This header file may change from
+// version to version without notice, or even be removed.
+//
+// We mean it.
+//
+
+#include "qnetworkaccessmanager.h"
+#include "qnetworkaccesscache_p.h"
+#include "qnetworkaccessbackend_p.h"
+#include "QtNetwork/qnetworkproxy.h"
+#include "QtCore/QMutex"
+
+QT_BEGIN_NAMESPACE
+
+class QAuthenticator;
+class QAbstractNetworkCache;
+class QNetworkAuthenticationCredential;
+class QNetworkCookieJar;
+
+class QNetworkAuthenticationCredential
+{
+public:
+    QString domain;
+    QString user;
+    QString password;
+    bool isNull() {
+        return domain.isNull();
+    }
+};
+Q_DECLARE_TYPEINFO(QNetworkAuthenticationCredential, Q_MOVABLE_TYPE);
+inline bool operator<(const QNetworkAuthenticationCredential &t1, const QString &t2)
+{ return t1.domain < t2; }
+
+class QNetworkAccessAuthenticationManager
+{
+public:
+    QNetworkAccessAuthenticationManager() { };
+
+    void cacheCredentials(const QUrl &url, const QAuthenticator *auth);
+    QNetworkAuthenticationCredential fetchCachedCredentials(const QUrl &url,
+                                                             const QAuthenticator *auth = 0);
+
+#ifndef QT_NO_NETWORKPROXY
+    void cacheProxyCredentials(const QNetworkProxy &proxy, const QAuthenticator *auth);
+    QNetworkAuthenticationCredential fetchCachedProxyCredentials(const QNetworkProxy &proxy,
+                                                             const QAuthenticator *auth = 0);
+#endif
+
+    void clearCache();
+
+protected:
+    QNetworkAccessCache authenticationCache;
+    QMutex mutex;
+};
+
+QT_END_NAMESPACE
+
+#endif
diff --git a/src/network/access/qnetworkaccessbackend.cpp b/src/network/access/qnetworkaccessbackend.cpp
index fd1fa60d4e..53ae29e932 100644
--- a/src/network/access/qnetworkaccessbackend.cpp
+++ b/src/network/access/qnetworkaccessbackend.cpp
@@ -329,7 +329,7 @@ void QNetworkAccessBackend::authenticationRequired(QAuthenticator *authenticator
 
 void QNetworkAccessBackend::cacheCredentials(QAuthenticator *authenticator)
 {
-    manager->cacheCredentials(this->reply->url, authenticator);
+    manager->authenticationManager->cacheCredentials(this->reply->url, authenticator);
 }
 
 void QNetworkAccessBackend::metaDataChanged()
diff --git a/src/network/access/qnetworkaccessmanager.cpp b/src/network/access/qnetworkaccessmanager.cpp
index 8f050d4111..562141b3e1 100644
--- a/src/network/access/qnetworkaccessmanager.cpp
+++ b/src/network/access/qnetworkaccessmanager.cpp
@@ -341,107 +341,6 @@ static void ensureInitialized()
     QNetworkReply::sslConfiguration(), QNetworkReply::ignoreSslErrors()
 */
 
-class QNetworkAuthenticationCredential
-{
-public:
-    QString domain;
-    QString user;
-    QString password;
-};
-Q_DECLARE_TYPEINFO(QNetworkAuthenticationCredential, Q_MOVABLE_TYPE);
-inline bool operator<(const QNetworkAuthenticationCredential &t1, const QString &t2)
-{ return t1.domain < t2; }
-
-class QNetworkAuthenticationCache: private QVector<QNetworkAuthenticationCredential>,
-                                   public QNetworkAccessCache::CacheableObject
-{
-public:
-    QNetworkAuthenticationCache()
-    {
-        setExpires(false);
-        setShareable(true);
-        reserve(1);
-    }
-
-    QNetworkAuthenticationCredential *findClosestMatch(const QString &domain)
-    {
-        iterator it = qLowerBound(begin(), end(), domain);
-        if (it == end() && !isEmpty())
-            --it;
-        if (it == end() || !domain.startsWith(it->domain))
-            return 0;
-        return &*it;
-    }
-
-    void insert(const QString &domain, const QString &user, const QString &password)
-    {
-        QNetworkAuthenticationCredential *closestMatch = findClosestMatch(domain);
-        if (closestMatch && closestMatch->domain == domain) {
-            // we're overriding the current credentials
-            closestMatch->user = user;
-            closestMatch->password = password;
-        } else {
-            QNetworkAuthenticationCredential newCredential;
-            newCredential.domain = domain;
-            newCredential.user = user;
-            newCredential.password = password;
-
-            if (closestMatch)
-                QVector<QNetworkAuthenticationCredential>::insert(++closestMatch, newCredential);
-            else
-                QVector<QNetworkAuthenticationCredential>::insert(end(), newCredential);
-        }
-    }
-
-    virtual void dispose() { delete this; }
-};
-
-#ifndef QT_NO_NETWORKPROXY
-static QByteArray proxyAuthenticationKey(const QNetworkProxy &proxy, const QString &realm)
-{
-    QUrl key;
-
-    switch (proxy.type()) {
-    case QNetworkProxy::Socks5Proxy:
-        key.setScheme(QLatin1String("proxy-socks5"));
-        break;
-
-    case QNetworkProxy::HttpProxy:
-    case QNetworkProxy::HttpCachingProxy:
-        key.setScheme(QLatin1String("proxy-http"));
-        break;
-
-    case QNetworkProxy::FtpCachingProxy:
-        key.setScheme(QLatin1String("proxy-ftp"));
-        break;
-
-    case QNetworkProxy::DefaultProxy:
-    case QNetworkProxy::NoProxy:
-        // shouldn't happen
-        return QByteArray();
-
-        // no default:
-        // let there be errors if a new proxy type is added in the future
-    }
-
-    if (key.scheme().isEmpty())
-        // proxy type not handled
-        return QByteArray();
-
-    key.setUserName(proxy.user());
-    key.setHost(proxy.hostName());
-    key.setPort(proxy.port());
-    key.setFragment(realm);
-    return "auth:" + key.toEncoded();
-}
-#endif
-
-static inline QByteArray authenticationKey(const QUrl &url, const QString &realm)
-{
-    QUrl copy = url;
-    copy.setFragment(realm);
-    return "auth:" + copy.toEncoded(QUrl::RemovePassword | QUrl::RemovePath | QUrl::RemoveQuery);
-}
 
 /*!
     Constructs a QNetworkAccessManager object that is the center of
@@ -1124,10 +1023,10 @@ void QNetworkAccessManagerPrivate::authenticationRequired(QNetworkAccessBackend
     // also called when last URL is empty, e.g. on first call
     if (backend->reply->urlForLastAuthentication.isEmpty()
             || url != backend->reply->urlForLastAuthentication) {
-        QNetworkAuthenticationCredential *cred = fetchCachedCredentials(url, authenticator);
-        if (cred) {
-            authenticator->setUser(cred->user);
-            authenticator->setPassword(cred->password);
+        QNetworkAuthenticationCredential cred = authenticationManager->fetchCachedCredentials(url, authenticator);
+        if (!cred.isNull()) {
+            authenticator->setUser(cred.user);
+            authenticator->setPassword(cred.password);
             backend->reply->urlForLastAuthentication = url;
             return;
         }
@@ -1140,7 +1039,7 @@ void QNetworkAccessManagerPrivate::authenticationRequired(QNetworkAccessBackend
 
     backend->reply->urlForLastAuthentication = url;
     emit q->authenticationRequired(backend->reply->q_func(), authenticator);
-    cacheCredentials(url, authenticator);
+    authenticationManager->cacheCredentials(url, authenticator);
 }
 
 #ifndef QT_NO_NETWORKPROXY
@@ -1157,10 +1056,10 @@ void QNetworkAccessManagerPrivate::proxyAuthenticationRequired(QNetworkAccessBac
     // possible solution: some tracking inside the authenticator
     //      or a new function proxyAuthenticationSucceeded(true|false)
     if (proxy != backend->reply->lastProxyAuthentication) {
-        QNetworkAuthenticationCredential *cred = fetchCachedProxyCredentials(proxy);
-        if (cred) {
-            authenticator->setUser(cred->user);
-            authenticator->setPassword(cred->password);
+        QNetworkAuthenticationCredential cred = authenticationManager->fetchCachedProxyCredentials(proxy);
+        if (!cred.isNull()) {
+            authenticator->setUser(cred.user);
+            authenticator->setPassword(cred.password);
             return;
         }
     }
@@ -1172,75 +1071,7 @@ void QNetworkAccessManagerPrivate::proxyAuthenticationRequired(QNetworkAccessBac
 
     backend->reply->lastProxyAuthentication = proxy;
     emit q->proxyAuthenticationRequired(proxy, authenticator);
-    cacheProxyCredentials(proxy, authenticator);
-}
-
-void QNetworkAccessManagerPrivate::cacheProxyCredentials(const QNetworkProxy &p,
-                                                  const QAuthenticator *authenticator)
-{
-    Q_ASSERT(authenticator);
-    Q_ASSERT(p.type() != QNetworkProxy::DefaultProxy);
-    Q_ASSERT(p.type() != QNetworkProxy::NoProxy);
-
-    QString realm = authenticator->realm();
-    QNetworkProxy proxy = p;
-    proxy.setUser(authenticator->user());
-    // Set two credentials: one with the username and one without
-    do {
-        // Set two credentials actually: one with and one without the realm
-        do {
-            QByteArray cacheKey = proxyAuthenticationKey(proxy, realm);
-            if (cacheKey.isEmpty())
-                return;             // should not happen
-
-            QNetworkAuthenticationCache *auth = new QNetworkAuthenticationCache;
-            auth->insert(QString(), authenticator->user(), authenticator->password());
-            objectCache.addEntry(cacheKey, auth); // replace the existing one, if there's any
-
-            if (realm.isEmpty()) {
-                break;
-            } else {
-                realm.clear();
-            }
-        } while (true);
-
-        if (proxy.user().isEmpty())
-            break;
-        else
-            proxy.setUser(QString());
-    } while (true);
-}
-
-QNetworkAuthenticationCredential *
-QNetworkAccessManagerPrivate::fetchCachedProxyCredentials(const QNetworkProxy &p,
-                                                     const QAuthenticator *authenticator)
-{
-    QNetworkProxy proxy = p;
-    if (proxy.type() == QNetworkProxy::DefaultProxy) {
-        proxy = QNetworkProxy::applicationProxy();
-    }
-    if (!proxy.password().isEmpty())
-        return 0;               // no need to set credentials if it already has them
-
-    QString realm;
-    if (authenticator)
-        realm = authenticator->realm();
-
-    QByteArray cacheKey = proxyAuthenticationKey(proxy, realm);
-    if (cacheKey.isEmpty())
-        return 0;
-    if (!objectCache.hasEntry(cacheKey))
-        return 0;
-
-    QNetworkAuthenticationCache *auth =
-        static_cast<QNetworkAuthenticationCache *>(objectCache.requestEntryNow(cacheKey));
-    QNetworkAuthenticationCredential *cred = auth->findClosestMatch(QString());
-    objectCache.releaseEntry(cacheKey);
-
-    // proxy cache credentials always have exactly one item
-    Q_ASSERT_X(cred, "QNetworkAccessManager",
-               "Internal inconsistency: found a cache key for a proxy, but it's empty");
-    return cred;
+    authenticationManager->cacheProxyCredentials(proxy, authenticator);
 }
 
 QList<QNetworkProxy> QNetworkAccessManagerPrivate::queryProxy(const QNetworkProxyQuery &query)
@@ -1264,73 +1095,10 @@ QList<QNetworkProxy> QNetworkAccessManagerPrivate::queryProxy(const QNetworkProx
 }
 #endif
 
-void QNetworkAccessManagerPrivate::cacheCredentials(const QUrl &url,
-                                                  const QAuthenticator *authenticator)
-{
-    Q_ASSERT(authenticator);
-    QString domain = QString::fromLatin1("/"); // FIXME: make QAuthenticator return the domain
-    QString realm = authenticator->realm();
-
-    // Set two credentials actually: one with and one without the username in the URL
-    QUrl copy = url;
-    copy.setUserName(authenticator->user());
-    do {
-        QByteArray cacheKey = authenticationKey(copy, realm);
-        if (objectCache.hasEntry(cacheKey)) {
-            QNetworkAuthenticationCache *auth =
-                static_cast<QNetworkAuthenticationCache *>(objectCache.requestEntryNow(cacheKey));
-            auth->insert(domain, authenticator->user(), authenticator->password());
-            objectCache.releaseEntry(cacheKey);
-        } else {
-            QNetworkAuthenticationCache *auth = new QNetworkAuthenticationCache;
-            auth->insert(domain, authenticator->user(), authenticator->password());
-            objectCache.addEntry(cacheKey, auth);
-        }
-
-        if (copy.userName().isEmpty()) {
-            break;
-        } else {
-            copy.setUserName(QString());
-        }
-    } while (true);
-}
-
-/*!
-    Fetch the credential data from the credential cache.
-
-    If auth is 0 (as it is when called from createRequest()), this will try to
-    look up with an empty realm. That fails in most cases for HTTP (because the
-    realm is seldom empty for HTTP challenges). In any case, QHttpNetworkConnection
-    never sends the credentials on the first attempt: it needs to find out what
-    authentication methods the server supports.
-
-    For FTP, realm is always empty.
-*/
-QNetworkAuthenticationCredential *
-QNetworkAccessManagerPrivate::fetchCachedCredentials(const QUrl &url,
-                                                     const QAuthenticator *authentication)
-{
-    if (!url.password().isEmpty())
-        return 0;               // no need to set credentials if it already has them
-
-    QString realm;
-    if (authentication)
-        realm = authentication->realm();
-
-    QByteArray cacheKey = authenticationKey(url, realm);
-    if (!objectCache.hasEntry(cacheKey))
-        return 0;
-
-    QNetworkAuthenticationCache *auth =
-        static_cast<QNetworkAuthenticationCache *>(objectCache.requestEntryNow(cacheKey));
-    QNetworkAuthenticationCredential *cred = auth->findClosestMatch(url.path());
-    objectCache.releaseEntry(cacheKey);
-    return cred;
-}
-
 void QNetworkAccessManagerPrivate::clearCache(QNetworkAccessManager *manager)
 {
     manager->d_func()->objectCache.clear();
+    manager->d_func()->authenticationManager->clearCache();
 }
 
 QNetworkAccessManagerPrivate::~QNetworkAccessManagerPrivate()
diff --git a/src/network/access/qnetworkaccessmanager_p.h b/src/network/access/qnetworkaccessmanager_p.h
index cf4d2f3386..dba1fd242a 100644
--- a/src/network/access/qnetworkaccessmanager_p.h
+++ b/src/network/access/qnetworkaccessmanager_p.h
@@ -59,6 +59,7 @@
 #include "private/qobject_p.h"
 #include "QtNetwork/qnetworkproxy.h"
 #include "QtNetwork/qnetworksession.h"
+#include "qnetworkaccessauthenticationmanager_p.h"
 
 QT_BEGIN_NAMESPACE
 
@@ -81,7 +82,8 @@ public:
           online(false),
           initializeSession(true),
 #endif
-          cookieJarCreated(false)
+          cookieJarCreated(false),
+          authenticationManager(new QNetworkAccessAuthenticationManager)
     { }
     ~QNetworkAccessManagerPrivate();
 
@@ -137,6 +139,9 @@ public:
 
     bool cookieJarCreated;
 
+    // The cache with authorization data:
+    QNetworkAccessAuthenticationManager* authenticationManager;
+
     // this cache can be used by individual backends to cache e.g. their TCP connections to a server
     // and use the connections for multiple requests.
     QNetworkAccessCache objectCache;