Posted to commits@directory.apache.org by er...@apache.org on 2005/09/04 17:11:43 UTC
svn commit: r278598 - in
/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos:
kdc/ kdc/ticketgrant/ protocol/
Author: erodriguez
Date: Sun Sep 4 08:11:37 2005
New Revision: 278598
URL: http://svn.apache.org/viewcvs?rev=278598&view=rev
Log:
Added ticket host addresses check to kerberos protocol
o added client address to KDC context
o added client address logging to request monitor
o added client and ticket address logging to context monitor
o added passing of client address from MINA to auth header stage via handler
Modified:
directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java
directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/MonitorRequest.java
directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java
directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/protocol/KerberosProtocolHandler.java
Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java?rev=278598&r1=278597&r2=278598&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java (original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/KdcContext.java Sun Sep 4 08:11:37 2005
@@ -16,6 +16,8 @@
*/
package org.apache.kerberos.kdc;
+import java.net.InetAddress;
+
import org.apache.kerberos.chain.impl.ContextBase;
import org.apache.kerberos.messages.KdcRequest;
import org.apache.kerberos.messages.KerberosMessage;
@@ -27,6 +29,7 @@
private PrincipalStore store;
private KdcRequest request;
private KerberosMessage reply;
+ private InetAddress clientAddress;
/**
* @return Returns the config.
@@ -90,5 +93,21 @@
public void setRequest( KdcRequest request )
{
this.request = request;
+ }
+
+ /**
+ * @return Returns the clientAddress.
+ */
+ public InetAddress getClientAddress()
+ {
+ return clientAddress;
+ }
+
+ /**
+ * @param clientAddress The clientAddress to set.
+ */
+ public void setClientAddress( InetAddress clientAddress )
+ {
+ this.clientAddress = clientAddress;
}
}
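Review bot: The Javadoc on the new getClientAddress/setClientAddress pair only repeats the field name, which matters because other stages of the chain (MonitorRequest, VerifyTgtAuthHeader) now read this value and need to know what it is and whether it can be absent. Suggest `@return the address the request was received from, as supplied by the protocol handler; null if setClientAddress was never called` on the getter, and `@param clientAddress the sender address reported by the transport for this request` on the setter. The field has no initializer, so every reader must cope with null, and this Javadoc is the place to say so.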
Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/MonitorRequest.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/MonitorRequest.java?rev=278598&r1=278597&r2=278598&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/MonitorRequest.java (original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/MonitorRequest.java Sun Sep 4 08:11:37 2005
@@ -32,6 +32,7 @@
{
KdcContext kdcContext = (KdcContext) context;
KdcRequest request = kdcContext.getRequest();
+ String clientAddress = kdcContext.getClientAddress().getHostAddress();
if ( log.isDebugEnabled() )
{
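Review bot: The new `kdcContext.getClientAddress().getHostAddress()` on the line after `getRequest()` dereferences the address unconditionally, so a request whose context carries no address (KdcContext.clientAddress defaults to null, and InetSocketAddress.getAddress() returns null for an unresolved address) turns a debug-logging stage into a NullPointerException for the whole request. The value is only used inside the `log.isDebugEnabled()` block, so compute it null-safely: `InetAddress addr = kdcContext.getClientAddress();` and `String clientAddress = ( addr == null ) ? null : addr.getHostAddress();`, which also needs a `java.net.InetAddress` import this hunk does not show. Using getHostAddress() rather than getHostName() is the right choice here, since it avoids a reverse DNS lookup on the request path. The enclosing method starts before the hunk.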
@@ -39,6 +40,7 @@
+ "\n\trealm: " + request.getRealm()
+ "\n\tserverPrincipal: " + request.getServerPrincipal()
+ "\n\tclientPrincipal: " + request.getClientPrincipal()
+ + "\n\tclientAddress: " + clientAddress
+ "\n\thostAddresses: " + request.getAddresses()
+ "\n\tencryptionType: " + getEncryptionTypes( request )
+ "\n\tfrom krb time: " + request.getFrom()
Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java?rev=278598&r1=278597&r2=278598&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java (original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java Sun Sep 4 08:11:37 2005
@@ -16,6 +16,8 @@
*/
package org.apache.kerberos.kdc.ticketgrant;
+import java.net.InetAddress;
+
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.kerberos.chain.Context;
@@ -23,6 +25,8 @@
import org.apache.kerberos.crypto.checksum.ChecksumType;
import org.apache.kerberos.messages.ApplicationRequest;
import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.HostAddress;
+import org.apache.kerberos.messages.value.HostAddresses;
import org.apache.kerberos.replay.ReplayCache;
import org.apache.kerberos.store.PrincipalStore;
import org.apache.kerberos.store.PrincipalStoreEntry;
@@ -48,6 +52,14 @@
long clockSkew = tgsContext.getConfig().getClockSkew();
ReplayCache replayCache = tgsContext.getReplayCache();
ChecksumType checksumType = tgsContext.getAuthenticator().getChecksum().getChecksumType();
+ InetAddress clientAddress = tgsContext.getClientAddress();
+ HostAddresses clientAddresses = tgt.getClientAddresses();
+
+ boolean caddrContainsSender = false;
+ if ( tgt.getClientAddresses() != null )
+ {
+ caddrContainsSender = tgt.getClientAddresses().contains( new HostAddress( clientAddress ) );
+ }
StringBuffer sb = new StringBuffer();
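Review bot: The null check and the contains() call in the `if ( tgt.getClientAddresses() != null )` block re-read `tgt.getClientAddresses()` instead of the `clientAddresses` local declared two lines above, and neither guards `clientAddress` itself, which KdcContext leaves null unless the handler set it; whether `new HostAddress( null )` is tolerated is not visible here. Suggest `if ( clientAddresses != null && clientAddress != null )` and `caddrContainsSender = clientAddresses.contains( new HostAddress( clientAddress ) );`. This stage only reports the result, so a comment that the address policy itself is applied in verifyAuthHeader, and that this computation should mirror it, would help anyone using the monitor output to debug a rejected TGS-REQ. The enclosing method starts before the hunk and continues after it.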
@@ -57,6 +69,9 @@
sb.append( "\n\t" + "replayCache " + replayCache );
sb.append( "\n\t" + "clockSkew " + clockSkew );
sb.append( "\n\t" + "checksumType " + checksumType );
+ sb.append( "\n\t" + "clientAddress " + clientAddress );
+ sb.append( "\n\t" + "clientAddresses " + clientAddresses );
+ sb.append( "\n\t" + "caddr contains sender " + caddrContainsSender );
KerberosPrincipal requestServerPrincipal = tgsContext.getRequest().getServerPrincipal();
PrincipalStoreEntry requestPrincipal = tgsContext.getRequestPrincipalEntry();
Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java?rev=278598&r1=278597&r2=278598&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java (original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java Sun Sep 4 08:11:37 2005
@@ -16,6 +16,8 @@
*/
package org.apache.kerberos.kdc.ticketgrant;
+import java.net.InetAddress;
+
import org.apache.kerberos.chain.Context;
import org.apache.kerberos.messages.ApplicationRequest;
import org.apache.kerberos.messages.components.Authenticator;
@@ -35,8 +37,11 @@
EncryptionKey serverKey = tgsContext.getTicketPrincipalEntry().getEncryptionKey();
long clockSkew = tgsContext.getConfig().getClockSkew();
ReplayCache replayCache = tgsContext.getReplayCache();
+ boolean emptyAddressesAllowed = tgsContext.getConfig().isEmptyAddressesAllowed();
+ InetAddress clientAddress = tgsContext.getClientAddress();
- Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache );
+ Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache,
+ emptyAddressesAllowed, clientAddress );
tgsContext.setAuthenticator( authenticator );
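Review bot: The two new arguments `emptyAddressesAllowed` and `clientAddress` at the verifyAuthHeader call move the whole address policy into a method whose seven-parameter form is not part of this commit's file list, so the behaviour for a TGT with empty caddr, and for a null clientAddress (the context field has no initializer), cannot be reviewed here and should be checked in that definition. A one-line comment at the call site would help the next reader: `// address policy (ticket caddr vs sender, empty caddr allowed?) is enforced in verifyAuthHeader`. The enclosing method starts before the hunk and continues after it.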
Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/protocol/KerberosProtocolHandler.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/protocol/KerberosProtocolHandler.java?rev=278598&r1=278597&r2=278598&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/protocol/KerberosProtocolHandler.java (original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/protocol/KerberosProtocolHandler.java Sun Sep 4 08:11:37 2005
@@ -16,6 +16,9 @@
*/
package org.apache.kerberos.protocol;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+
import org.apache.kerberos.chain.Command;
import org.apache.kerberos.exceptions.ErrorType;
import org.apache.kerberos.kdc.KdcConfiguration;
@@ -102,6 +105,7 @@
log.debug( session.getRemoteAddress() + " RCVD: " + message );
}
+ InetAddress clientAddress = ( (InetSocketAddress) session.getRemoteAddress() ).getAddress();
KdcRequest request = (KdcRequest) message;
int messageType = request.getMessageType().getOrdinal();
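Review bot: The cast `( (InetSocketAddress) session.getRemoteAddress() )` on the new line is unchecked, so a session bound to a non-IP transport would fail with ClassCastException before the request is dispatched, and `getAddress()` yields null for an unresolved InetSocketAddress, which then flows into both contexts as a null clientAddress. Suggest `SocketAddress remote = session.getRemoteAddress();` and `InetAddress clientAddress = ( remote instanceof InetSocketAddress ) ? ( (InetSocketAddress) remote ).getAddress() : null;`, with `java.net.SocketAddress` added to the imports. Since this address is whatever the transport reports for the peer, the caddr comparison it feeds is a consistency check on the ticket rather than proof of the client's identity; a short comment to that effect would keep a later reader from treating a caddr match as authentication. The enclosing method starts before the hunk.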
@@ -114,6 +118,7 @@
AuthenticationContext authContext = new AuthenticationContext();
authContext.setConfig( config );
authContext.setStore( store );
+ authContext.setClientAddress( clientAddress );
authContext.setRequest( request );
authService.execute( authContext );
@@ -125,6 +130,7 @@
TicketGrantingContext tgsContext = new TicketGrantingContext();
tgsContext.setConfig( config );
tgsContext.setStore( store );
+ tgsContext.setClientAddress( clientAddress );
tgsContext.setRequest( request );
tgsService.execute( tgsContext );