Posted to commits@directory.apache.org by pl...@apache.org on 2017/10/18 08:29:02 UTC
[4/9] directory-kerby git commit: DIRKRB-649 Cross realm server side
implementation.
DIRKRB-649 Cross realm server side implementation.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/945ae7da
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/945ae7da
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/945ae7da
Branch: refs/heads/trunk
Commit: 945ae7daf252fff45fdb2668df71416064580465
Parents: fdfc559
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri Sep 29 14:43:24 2017 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Wed Oct 18 16:27:34 2017 +0800
----------------------------------------------------------------------
.../kerby/kerberos/kerb/common/KrbUtil.java | 5 +++
.../kerb/server/request/KdcRequest.java | 32 ++++++++++++++++++--
.../server/request/ServiceTicketIssuer.java | 8 +++--
.../kerb/server/request/TgsRequest.java | 21 +++++++++++--
.../kerb/server/request/TicketIssuer.java | 8 ++++-
5 files changed, 67 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/945ae7da/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
index c4d9ded..3465b29 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/KrbUtil.java
@@ -53,6 +53,11 @@ public class KrbUtil {
return new PrincipalName(nameString, NameType.NT_SRV_INST);
}
+ public static PrincipalName makeCrossRealmPrincipal(String localRealm, String remoteRealm) {
+ String nameString = KrbConstant.TGS_PRINCIPAL + "/" + localRealm + "@" + remoteRealm;
+ return new PrincipalName(nameString, NameType.NT_SRV_INST);
+ }
+
/**
* Construct kadmin principal name.
* @param realm The realm
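Review bot: `makeCrossRealmPrincipal` is added without Javadoc while the neighbouring helpers in this file (the kadmin constructor whose comment starts right below it) document their parameters, and the name alone does not say which principal this is. A summary such as `/** Construct the cross-realm TGS principal name, krbtgt/localRealm@remoteRealm: the principal whose key is used for a TGT that remoteRealm issued for use in localRealm. */` plus `@param localRealm`, `@param remoteRealm` and `@return` would make the later lookup in `TgsRequest` readable. The two arguments are concatenated unchecked, so a null realm yields the literal text `null` inside the principal name; `Objects.requireNonNull(localRealm, "localRealm")` on both would fail at the call site instead of at the lookup.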
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/945ae7da/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index ba77fe9..168862f 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -101,6 +101,8 @@ public abstract class KdcRequest {
private EncryptionKey sessionKey;
private ByteBuffer reqPackage;
private boolean isHttps = false;
+ private boolean isCrossRealm = false;
+ private String remoteRealm = null;
/**
* Get session key.
@@ -570,8 +572,34 @@ public abstract class KdcRequest {
* @return principal name
*/
public PrincipalName getTgsPrincipal() {
- PrincipalName result = KrbUtil.makeTgsPrincipal(kdcContext.getKdcRealm());
- return result;
+ return KrbUtil.makeTgsPrincipal(kdcContext.getKdcRealm());
+ }
+
+ public PrincipalName getCrossRealmTgsPrincipal(String remoteRealm) {
+ return KrbUtil.makeCrossRealmPrincipal(kdcContext.getKdcRealm(), remoteRealm);
+ }
+
+ public KrbIdentity getCrossRealmTgsEntry(String remoteRealm) throws KrbException {
+ PrincipalName tgsPrincipal = getCrossRealmTgsPrincipal(remoteRealm);
+ KrbIdentity tgsEntry = null;
+ if (tgsPrincipal != null) {
+ tgsEntry = getEntry(tgsPrincipal.getName());
+ }
+ return tgsEntry;
+ }
+
+ public boolean checkCrossRealm(String remoteRealm) {
+ isCrossRealm = !(kdcContext.getKdcRealm().equals(remoteRealm));
+ this.remoteRealm = remoteRealm;
+ return isCrossRealm;
+ }
+
+ public boolean isCrossRealm() {
+ return isCrossRealm;
+ }
+
+ public String getRemoteRealm() {
+ return this.remoteRealm;
}
/**
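Review bot: `checkCrossRealm` reads like a pure predicate but overwrites `isCrossRealm` and `remoteRealm` on every call, and a second call with a different realm silently replaces the earlier decision read back by `isCrossRealm()`/`getRemoteRealm()`; either rename it (e.g. `markCrossRealm`) or give it a Javadoc line such as `/** Records whether remoteRealm differs from the KDC realm; the result is later visible through isCrossRealm() and getRemoteRealm(). */`. Note that `getKdcRealm().equals(null)` is false, so a ticket with no realm would be classified as cross-realm and then looked up under `krbtgt/<local>@null` — worth rejecting explicitly if that input can reach here. In `getCrossRealmTgsEntry` the `tgsPrincipal != null` guard is dead, because `KrbUtil.makeCrossRealmPrincipal` always returns a freshly constructed `PrincipalName`; the body reduces to `return getEntry(getCrossRealmTgsPrincipal(remoteRealm).getName());`. The other new public methods also lack the Javadoc that `getTgsPrincipal` above them carries.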
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/945ae7da/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTicketIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTicketIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTicketIssuer.java
index 1d08a93..55c17d4 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTicketIssuer.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/ServiceTicketIssuer.java
@@ -43,10 +43,14 @@ public class ServiceTicketIssuer extends TicketIssuer {
@Override
protected PrincipalName getclientPrincipal() {
+ PrincipalName clientPrincipal;
if (token != null) {
- return new PrincipalName(token.getSubject());
+ clientPrincipal = new PrincipalName(token.getSubject());
+ } else {
+ clientPrincipal = tgtTicket.getEncPart().getCname();
+ clientPrincipal.setRealm(tgtTicket.getEncPart().getCrealm());
}
- return tgtTicket.getEncPart().getCname();
+ return clientPrincipal;
}
@Override
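Review bot: The `else` branch calls `setRealm` on the `PrincipalName` that belongs to the decrypted TGT (`tgtTicket.getEncPart().getCname()`), so the realm is written into the ticket's own structure rather than into a value owned by this issuer, and every caller of `getclientPrincipal()` (`TicketIssuer` invokes it twice in the same method) repeats that mutation. Any other reader of the TGT's enc part will see the modified name, which may be intended but is not stated. If `PrincipalName` can be copied (the page only shows the `String` constructor used in the `token` branch, e.g. `new PrincipalName(cname.getName())`, which might not preserve the name type — please check), build the returned principal from a copy; otherwise add a comment saying the TGT's cname is deliberately updated in place with its crealm.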
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/945ae7da/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 9d18057..98e1176 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -135,8 +135,23 @@ public class TgsRequest extends KdcRequest {
}
tgtTicket = apReq.getTicket();
+ EncryptionKey tgsKey;
EncryptionType encType = tgtTicket.getEncryptedEncPart().getEType();
- EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType);
+ String remoteRealm = tgtTicket.getRealm();
+ if (checkCrossRealm(remoteRealm)) {
+ KrbIdentity tgs = getCrossRealmTgsEntry(remoteRealm);
+ if (tgs != null) {
+ tgsKey = tgs.getKey(encType);
+ } else {
+ throw new KrbException("Fail to get the tgs entry for remote realm: " + remoteRealm);
+ }
+ } else {
+ tgsKey = getTgsEntry().getKeys().get(encType);
+ }
+ if (tgsKey == null) {
+ throw new KrbException("Fail to get the tgs key for the type: " + encType);
+ }
+
if (tgtTicket.getTktvno() != KrbConstant.KRB_V5) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
}
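Review bot: The decryption key is now selected from `tgtTicket.getRealm()`, a plaintext field of the client-supplied ticket, so the remaining TGT validation (outside this hunk) must confirm the ticket was really issued for this KDC: in the cross-realm case the decrypted sname has to equal `krbtgt/<local>@<remote>`, and the existing local-realm sname check presumably needs to accept that form — please verify, since this hunk does not show it. RFC 4120 §3.3.3 also requires a KDC that issues a ticket on the strength of a cross-realm TGT to append the TGT's realm to the transited field and to check the resulting path against policy; nothing in this commit touches `getTransitedEncoding()`, so if that is not already handled it is the main piece still missing. Minor: the `tgs == null` message reports which realms this KDC does not know to the requester, whereas the `KrbErrorCode` form used for `KRB_AP_ERR_BADVERSION` a few lines down (the protocol's S_PRINCIPAL_UNKNOWN code) would be the consistent and less chatty style, and `tgs.getKey(encType)` versus `getTgsEntry().getKeys().get(encType)` are two spellings of the same lookup.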
@@ -211,10 +226,12 @@ public class TgsRequest extends KdcRequest {
if (getClientEntry() == null) {
reply.setCname(ticket.getEncPart().getCname());
+ reply.setCrealm(ticket.getEncPart().getCrealm());
} else {
reply.setCname(getClientEntry().getPrincipal());
+ reply.setCrealm(getKdcContext().getKdcRealm());
}
- reply.setCrealm(getKdcContext().getKdcRealm());
+
reply.setTicket(ticket);
EncKdcRepPart encKdcRepPart = makeEncKdcRepPart();
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/945ae7da/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
index 2685632..dc72c33 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.java
@@ -130,8 +130,14 @@ public abstract class TicketIssuer {
kdcRequest.getEncryptionType());
encTicketPart.setKey(sessionKey);
+ PrincipalName clientPrincipal = getclientPrincipal();
encTicketPart.setCname(getclientPrincipal());
- encTicketPart.setCrealm(request.getReqBody().getRealm());
+
+ if (clientPrincipal.getRealm() != null) {
+ encTicketPart.setCrealm(clientPrincipal.getRealm());
+ } else {
+ encTicketPart.setCrealm(request.getReqBody().getRealm());
+ }
TransitedEncoding transEnc = getTransitedEncoding();
encTicketPart.setTransited(transEnc);
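Review bot: `encTicketPart.setCname(getclientPrincipal());` still calls the accessor a second time instead of using the `clientPrincipal` local assigned on the line above; the two calls can return different objects (the `token` branch of `ServiceTicketIssuer` constructs a new `PrincipalName` per call), so the cname and crealm stored in the ticket may come from different instances. Use `encTicketPart.setCname(clientPrincipal);`. The `else` fallback takes the realm from `request.getReqBody().getRealm()`, i.e. the realm the client wrote into the unauthenticated request body; now that the authenticated source (the TGT's crealm) is consulted first, a one-line comment stating when the fallback is still reachable (presumably the AS and token paths) would prevent someone from "simplifying" it back. The enclosing method starts and ends outside the hunk.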