Posted to commits@directory.apache.org by er...@apache.org on 2007/07/21 13:17:06 UTC
svn commit: r558298 -
/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java
Author: erodriguez
Date: Sat Jul 21 04:17:03 2007
New Revision: 558298
URL: http://svn.apache.org/viewvc?view=rev&rev=558298
Log:
Enhanced auth header verification to support new replay cache elements and to allow ticket validation by ticket-granting service.
Modified:
directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java
Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java?view=diff&rev=558298&r1=558297&r2=558298
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java (original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/VerifyAuthHeader.java Sat Jul 21 04:17:03 2007
@@ -22,6 +22,8 @@
import java.net.InetAddress;
+import javax.security.auth.kerberos.KerberosPrincipal;
+
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
@@ -63,12 +65,13 @@
* @param clientAddress
* @param lockBox
* @param authenticatorKeyUsage
+ * @param isValidate
* @return The authenticator.
* @throws KerberosException
*/
public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket, EncryptionKey serverKey,
long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress,
- CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage ) throws KerberosException
+ CipherTextHandler lockBox, KeyUsage authenticatorKeyUsage, boolean isValidate ) throws KerberosException
{
if ( authHeader.getProtocolVersionNumber() != 5 )
{
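Review bot: The new `@param isValidate` tag is left without a description, so the contract of the flag is undocumented at the call site even though it changes which tickets the method accepts. From the body it gates the INVALID-flag rejection, so `@param isValidate Whether this is a ticket validation by the ticket-granting service; when true a ticket carrying the INVALID flag is not rejected with KRB_AP_ERR_TKT_NYV.` would describe it. Stating that explicitly matters because any caller passing true bypasses that check, so the doc should make clear it is only meant for the TGS validate path. The body of verifyAuthHeader continues past this hunk.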
@@ -134,27 +137,42 @@
}
}
- if ( replayCache.isReplay( authenticator.getClientTime(), authenticator.getClientPrincipal() ) )
+ KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
+ KerberosPrincipal clientPrincipal = authenticator.getClientPrincipal();
+ KerberosTime clientTime = authenticator.getClientTime();
+ int clientMicroSeconds = authenticator.getClientMicroSecond();
+
+ if ( replayCache.isReplay( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds ) )
{
throw new KerberosException( ErrorType.KRB_AP_ERR_REPEAT );
}
- replayCache.save( authenticator.getClientTime(), authenticator.getClientPrincipal() );
+ replayCache.save( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds );
if ( !authenticator.getClientTime().isInClockSkew( clockSkew ) )
{
throw new KerberosException( ErrorType.KRB_AP_ERR_SKEW );
}
- if ( ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew( clockSkew )
- || ticket.getFlag( TicketFlags.INVALID ) )
+ /*
+ * "The server computes the age of the ticket: local (server) time minus
+ * the starttime inside the Ticket. If the starttime is later than the
+ * current time by more than the allowable clock skew, or if the INVALID
+ * flag is set in the ticket, the KRB_AP_ERR_TKT_NYV error is returned."
+ */
+ KerberosTime startTime = ( ticket.getStartTime() != null ) ? ticket.getStartTime() : ticket.getAuthTime();
+
+ KerberosTime now = new KerberosTime();
+ boolean isValidStartTime = startTime.lessThan( now );
+
+ if ( !isValidStartTime || ( ticket.getFlag( TicketFlags.INVALID ) && !isValidate ) )
{
// it hasn't yet become valid
throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
}
// TODO - doesn't take into account skew
- if ( !ticket.getEndTime().greaterThan( new KerberosTime() ) )
+ if ( !ticket.getEndTime().greaterThan( now ) )
{
throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
}
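Review bot: The start-time check drops the skew tolerance that the comment directly above it quotes: `startTime.lessThan( now )` rejects any ticket whose starttime is even marginally ahead of server time, whereas the quoted text (and the old `isInClockSkew( clockSkew )` test this replaces) allows a starttime up to clockSkew in the future. A ticket freshly issued by a KDC whose clock runs a few seconds ahead would now fail with KRB_AP_ERR_TKT_NYV; `boolean isValidStartTime = startTime.lessThan( now ) || startTime.isInClockSkew( clockSkew );` keeps the tolerance while preserving the authtime fallback. Separately, `replayCache.save( ... )` runs before the client-time skew check, so authenticators that are about to be rejected with KRB_AP_ERR_SKEW still take up cache entries; moving the save below that check keeps the cache to authenticators inside the skew window, which is presumably all it needs to remember. The body of verifyAuthHeader continues past this hunk.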