Posted to commits@directory.apache.org by er...@apache.org on 2007/07/21 13:36:55 UTC

svn commit: r558310 - /directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgt.java

Author: erodriguez
Date: Sat Jul 21 04:36:54 2007
New Revision: 558310

URL: http://svn.apache.org/viewvc?view=rev&rev=558310
Log:
Minor refactoring of TGT verification to drop the abstract ticket verification base class (VerifyTgt now implements IoHandlerCommand directly).  Also added some new checks for when the wrong tickets are presented to the TGS.

Modified:
    directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgt.java

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgt.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgt.java?view=diff&rev=558310&r1=558309&r2=558310
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgt.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgt.java Sat Jul 21 04:36:54 2007
@@ -20,30 +20,59 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
-import javax.security.auth.kerberos.KerberosPrincipal;
-
 import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
+import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
-import org.apache.directory.server.kerberos.shared.service.VerifyTicket;
 import org.apache.mina.common.IoSession;
+import org.apache.mina.handler.chain.IoHandlerCommand;
 
 
 /**
+ * Note that the realm in which the Kerberos server is operating is determined by
+ * the instance from the ticket-granting ticket.  The realm in the ticket-granting
+ * ticket is the realm under which the ticket granting ticket was issued.  It is
+ * possible for a single Kerberos server to support more than one realm.
+ * 
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  * @version $Rev$, $Date$
  */
-public class VerifyTgt extends VerifyTicket
+public class VerifyTgt implements IoHandlerCommand
 {
+    private String contextKey = "context";
+
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
         KdcConfiguration config = tgsContext.getConfig();
         Ticket tgt = tgsContext.getTgt();
-        String primaryRealm = config.getPrimaryRealm();
-        KerberosPrincipal serverPrincipal = tgsContext.getRequest().getServerPrincipal();
 
-        verifyTicket( tgt, primaryRealm, serverPrincipal );
+        // Check primary realm.
+        if ( !tgt.getRealm().equals( config.getPrimaryRealm() ) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
+        }
+
+        String tgtServerName = tgt.getServerPrincipal().getName();
+        String requestServerName = tgsContext.getRequest().getServerPrincipal().getName();
+
+        /*
+         * if (tgt.sname is not a TGT for local realm and is not
+         * req.sname) then error_out(KRB_AP_ERR_NOT_US);
+         */
+        if ( !tgtServerName.equals( config.getServicePrincipal().getName() )
+            && !tgtServerName.equals( requestServerName ) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
+        }
 
         next.execute( session, message );
+    }
+
+
+    protected String getContextKey()
+    {
+        return ( this.contextKey );
     }
 }
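Review bot: The new class Javadoc (lines 38-41) says a single Kerberos server may support more than one realm, but the check added at line 62 throws KRB_AP_ERR_NOT_US for any TGT whose realm differs from `config.getPrimaryRealm()`, and line 74 only accepts the one configured service principal as "a TGT for local realm", so cross-realm TGTs are rejected; either the comment should say that only the primary realm is accepted here, e.g. `// Only TGTs issued by our primary realm are accepted; cross-realm TGTs are rejected.`, or the multi-realm claim should be dropped. Separately, line 68 calls `getName()` on the request's server principal without a null check; sname is OPTIONAL in a KDC-REQ-BODY, so if the decoder can hand back a null principal this turns a malformed TGS-REQ into a NullPointerException rather than a Kerberos error — a guard such as `if ( tgsContext.getRequest().getServerPrincipal() == null ) { throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US ); }` (or whichever KDC_ERR_* the project's ErrorType defines for an unknown server principal) would keep the error path inside the protocol. Whether the TGT's encrypted part has already been verified with the TGS key before this command runs is not visible in this hunk and should be confirmed, since the sname comparison alone proves nothing about the ticket's authenticity.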