Posted to commits@directory.apache.org by er...@apache.org on 2005/08/29 01:50:40 UTC
svn commit: r263970 -
/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/
Author: erodriguez
Date: Sun Aug 28 16:50:27 2005
New Revision: 263970
URL: http://svn.apache.org/viewcvs?rev=263970&view=rev
Log:
Kerberos Authentication Service (AS) as chain. Calls pre-authentication sub-chain.
Added:
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationContext.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationExceptionHandler.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationServiceChain.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/BuildReply.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetClientEntry.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetServerEntry.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/SealReply.java (with props)
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationContext.java?rev=263970&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationContext.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationContext.java Sun Aug 28 16:50:27 2005
@@ -0,0 +1,136 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.authentication;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.kerberos.kdc.KdcContext;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.replay.InMemoryReplayCache;
+import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class AuthenticationContext extends KdcContext
+{
+ private ReplayCache replayCache = new InMemoryReplayCache();
+
+ private Map checksumEngines = new HashMap();
+
+ private Ticket ticket;
+ private EncryptionKey clientKey;
+
+ private PrincipalStoreEntry clientEntry;
+ private PrincipalStoreEntry serverEntry;
+
+ /**
+ * @return Returns the serverEntry.
+ */
+ public PrincipalStoreEntry getServerEntry()
+ {
+ return serverEntry;
+ }
+
+ /**
+ * @param serverEntry The serverEntry to set.
+ */
+ public void setServerEntry( PrincipalStoreEntry serverEntry )
+ {
+ this.serverEntry = serverEntry;
+ }
+
+ /**
+ * @return Returns the clientEntry.
+ */
+ public PrincipalStoreEntry getClientEntry()
+ {
+ return clientEntry;
+ }
+
+ /**
+ * @param clientEntry The clientEntry to set.
+ */
+ public void setClientEntry( PrincipalStoreEntry clientEntry )
+ {
+ this.clientEntry = clientEntry;
+ }
+
+ /**
+ * @return Returns the checksumEngines.
+ */
+ public Map getChecksumEngines()
+ {
+ return checksumEngines;
+ }
+
+ /**
+ * @param checksumEngines The checksumEngines to set.
+ */
+ public void setChecksumEngines( Map checksumEngines )
+ {
+ this.checksumEngines = checksumEngines;
+ }
+
+ /**
+ * @return Returns the replayCache.
+ */
+ public ReplayCache getReplayCache()
+ {
+ return replayCache;
+ }
+
+ /**
+ * @param replayCache The replayCache to set.
+ */
+ public void setReplayCache( ReplayCache replayCache )
+ {
+ this.replayCache = replayCache;
+ }
+
+ /**
+ * @return Returns the clientKey.
+ */
+ public EncryptionKey getClientKey()
+ {
+ return clientKey;
+ }
+
+ /**
+ * @param clientKey The clientKey to set.
+ */
+ public void setClientKey( EncryptionKey clientKey )
+ {
+ this.clientKey = clientKey;
+ }
+
+ /**
+ * @return Returns the ticket.
+ */
+ public Ticket getTicket()
+ {
+ return ticket;
+ }
+
+ /**
+ * @param ticket The ticket to set.
+ */
+ public void setTicket( Ticket ticket )
+ {
+ this.ticket = ticket;
+ }
+}
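Review bot: `replayCache` is initialised per context instance at `private ReplayCache replayCache = new InMemoryReplayCache();`, so if an AuthenticationContext is created per request (KdcContext is not shown here) every request starts with an empty cache and a replayed request can never be recognised; the cache should be handed in from a longer-lived owner, and the field-level default either dropped or documented as a test-only fallback. `getChecksumEngines()` also returns the internal mutable `Map`, and the field and setter are raw types; if the build targets Java 5 or later, `Map<ChecksumType, ...>` would state the contract that ConfigureAuthenticationChain relies on. A class Javadoc naming which command populates each field (ticket from GenerateTicket, client/server entries from GetClientEntry/GetServerEntry, clientKey presumably from the pre-authentication sub-chain) would make the chain-order dependency explicit rather than implicit.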
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationContext.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationExceptionHandler.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationExceptionHandler.java?rev=263970&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationExceptionHandler.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationExceptionHandler.java Sun Aug 28 16:50:27 2005
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.authentication;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.messages.ErrorMessage;
+import org.apache.kerberos.service.ErrorMessageHandler;
+
+public class AuthenticationExceptionHandler extends ErrorMessageHandler
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ return CONTINUE_CHAIN;
+ }
+
+ public boolean postprocess( Context context, Exception exception )
+ {
+ if ( exception == null )
+ {
+ return CONTINUE_CHAIN;
+ }
+
+ AuthenticationContext authContext = (AuthenticationContext) context;
+ KdcConfiguration config = authContext.getConfig();
+ KerberosException ke = (KerberosException) exception;
+
+ System.out.println( "Exception " + exception.getMessage() + " occurred." );
+
+ ErrorMessage errorMessage = getErrorMessage( config.getKdcPrincipal(), ke );
+
+ authContext.setReply( errorMessage );
+
+ return STOP_CHAIN;
+ }
+}
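Review bot: `postprocess` casts every failure to `KerberosException` at `KerberosException ke = (KerberosException) exception;`, but the commands in this chain declare `throws Exception` and can surface unchecked exceptions, so a non-Kerberos failure raises `ClassCastException` inside the error handler itself and no error reply is set at all. Guard the cast with `if ( !( exception instanceof KerberosException ) )` and in that branch log the failure and build a generic error reply (using whatever generic `ErrorType` the project defines, which is not visible here) before returning `STOP_CHAIN`. The `System.out.println( "Exception " + exception.getMessage() + " occurred." )` should be a logger call at warn level so failed authentications reach monitoring; the same `System.out.println` tracing appears in BuildReply, ConfigureAuthenticationChain, GenerateTicket, GetClientEntry, GetServerEntry and SealReply, while GenerateTicket already declares an slf4j `log`.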
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationExceptionHandler.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationServiceChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationServiceChain.java?rev=263970&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationServiceChain.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationServiceChain.java Sun Aug 28 16:50:27 2005
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.authentication;
+
+import org.apache.kerberos.chain.impl.ChainBase;
+import org.apache.kerberos.kdc.MonitorRequest;
+import org.apache.kerberos.kdc.preauthentication.PreAuthenticationChain;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AuthenticationServiceChain extends ChainBase
+{
+ /** the log for this class */
+ private static final Logger log = LoggerFactory.getLogger( AuthenticationServiceChain.class );
+
+ public AuthenticationServiceChain()
+ {
+ super();
+ addCommand( new AuthenticationExceptionHandler() );
+ addCommand( new MonitorRequest() );
+ addCommand( new ConfigureAuthenticationChain() );
+ addCommand( new GetClientEntry() );
+ addCommand( new PreAuthenticationChain() );
+ addCommand( new GetServerEntry() );
+ addCommand( new GenerateTicket() );
+ addCommand( new BuildReply() );
+ addCommand( new SealReply() );
+ }
+}
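Review bot: The `log` field is declared but never referenced in this class, so it is dead code; drop it or use it to trace chain construction. The constructor's order is a hidden contract — GetClientEntry before PreAuthenticationChain, GetServerEntry before GenerateTicket, GenerateTicket before BuildReply before SealReply, and AuthenticationExceptionHandler first, presumably so its `postprocess` sees every failure — and nothing documents it; a class Javadoc such as `Chain for the Kerberos Authentication Service (AS-REQ). Command order matters: each command reads context fields set by the commands before it.` would help. The explicit `super()` call is implicit and can be removed.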
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/AuthenticationServiceChain.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/BuildReply.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/BuildReply.java?rev=263970&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/BuildReply.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/BuildReply.java Sun Aug 28 16:50:27 2005
@@ -0,0 +1,65 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.authentication;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.messages.AuthenticationReply;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.LastRequest;
+import org.apache.kerberos.messages.value.TicketFlags;
+
+public class BuildReply extends CommandBase
+{
+ public boolean execute( Context ctx ) throws Exception
+ {
+ System.out.println( "Building reply." );
+ AuthenticationContext authContext = (AuthenticationContext) ctx;
+ KdcRequest request = authContext.getRequest();
+ Ticket ticket = authContext.getTicket();
+
+ AuthenticationReply reply = new AuthenticationReply();
+
+ reply.setClientPrincipal( request.getClientPrincipal() );
+ reply.setTicket( ticket );
+ reply.setKey( ticket.getSessionKey() );
+
+ // TODO - fetch lastReq for this client; requires store
+ reply.setLastRequest( new LastRequest() );
+ // TODO - resp.key-expiration := client.expiration; requires store
+
+ reply.setNonce( request.getNonce() );
+
+ reply.setFlags( ticket.getFlags() );
+ reply.setAuthTime( ticket.getAuthTime() );
+ reply.setStartTime( ticket.getStartTime() );
+ reply.setEndTime( ticket.getEndTime() );
+
+ if ( ticket.getFlags().get( TicketFlags.RENEWABLE ) )
+ {
+ reply.setRenewTill( ticket.getRenewTill() );
+ }
+
+ reply.setServerPrincipal( ticket.getServerPrincipal() );
+ reply.setClientAddresses( ticket.getClientAddresses() );
+
+ authContext.setReply( reply );
+
+ return CONTINUE_CHAIN;
+ }
+}
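Review bot: `BuildReply` has no class or method Javadoc, and the reply is assembled from two sources without saying why: client principal and nonce come from the request, everything else from the ticket. A header comment such as `Builds the AS-REP from the request and the ticket produced by GenerateTicket; the session key copied into the reply is protected only once SealReply encrypts the reply under the client key.` would make the dependency on chain order and on SealReply explicit. `ticket.getFlags()` is called twice; a local `TicketFlags flags = ticket.getFlags();` reads more cleanly and avoids re-fetching.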
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/BuildReply.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java?rev=263970&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java Sun Aug 28 16:50:27 2005
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.authentication;
+
+import java.util.Map;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.checksum.ChecksumType;
+import org.apache.kerberos.crypto.checksum.Crc32Checksum;
+import org.apache.kerberos.crypto.checksum.RsaMd4Checksum;
+import org.apache.kerberos.crypto.checksum.RsaMd5Checksum;
+import org.apache.kerberos.crypto.checksum.Sha1Checksum;
+
+public class ConfigureAuthenticationChain extends CommandBase
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ System.out.println( "Configuring authentication chain." );
+
+ AuthenticationContext authContext = (AuthenticationContext) context;
+
+ Map checksumEngines = authContext.getChecksumEngines();
+ checksumEngines.put( ChecksumType.CRC32, new Crc32Checksum() );
+ checksumEngines.put( ChecksumType.RSA_MD4, new RsaMd4Checksum() );
+ checksumEngines.put( ChecksumType.RSA_MD5, new RsaMd5Checksum() );
+ checksumEngines.put( ChecksumType.SHA1, new Sha1Checksum() );
+
+ return CONTINUE_CHAIN;
+ }
+}
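Review bot: Four checksum engines are constructed on every request and put into the per-context `Map`, though nothing in the command depends on request data; if the engines are stateless (not visible here) they could be built once as a `static final` unmodifiable map and installed into the context, or the context could default to it. Which checksum types the KDC accepts is also a policy decision: CRC32, RSA-MD4 and RSA-MD5 are unkeyed legacy checksum types, and a comment such as `// Accepted checksum types; CRC32/RSA-MD4/RSA-MD5 are unkeyed legacy types — review this list before hardening` keeps that choice visible to whoever configures the server. How the engines are consumed (presumably by the pre-authentication sub-chain) is outside this commit.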
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/ConfigureAuthenticationChain.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java?rev=263970&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java Sun Aug 28 16:50:27 2005
@@ -0,0 +1,205 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.authentication;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.RandomKey;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.components.EncTicketPart;
+import org.apache.kerberos.messages.components.EncTicketPartModifier;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.KdcOptions;
+import org.apache.kerberos.messages.value.KerberosTime;
+import org.apache.kerberos.messages.value.TicketFlags;
+import org.apache.kerberos.messages.value.TransitedEncoding;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class GenerateTicket extends CommandBase
+{
+ /** the log for this class */
+ private static final Logger log = LoggerFactory.getLogger( GenerateTicket.class );
+
+ public boolean execute(Context context) throws Exception
+ {
+ System.out.println("Generating ticket.");
+
+ AuthenticationContext authContext = (AuthenticationContext) context;
+ KdcRequest request = authContext.getRequest();
+
+ KerberosPrincipal serverPrincipal = request.getServerPrincipal();
+ EncryptionKey serverKey = authContext.getServerEntry().getEncryptionKey();
+ KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
+ EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+ KdcConfiguration config = authContext.getConfig();
+
+ if(request.getKdcOptions().get(KdcOptions.FORWARDABLE))
+ {
+ newTicketBody.setFlag(TicketFlags.FORWARDABLE);
+ }
+
+ if(request.getKdcOptions().get(KdcOptions.PROXIABLE))
+ {
+ newTicketBody.setFlag(TicketFlags.PROXIABLE);
+ }
+
+ if(request.getKdcOptions().get(KdcOptions.ALLOW_POSTDATE))
+ {
+ newTicketBody.setFlag(TicketFlags.MAY_POSTDATE);
+ }
+
+ if(request.getKdcOptions().get(KdcOptions.RENEW) ||
+ request.getKdcOptions().get(KdcOptions.VALIDATE) ||
+ request.getKdcOptions().get(KdcOptions.PROXY) ||
+ request.getKdcOptions().get(KdcOptions.FORWARDED) ||
+ request.getKdcOptions().get(KdcOptions.ENC_TKT_IN_SKEY))
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+
+ newTicketBody.setSessionKey(new RandomKey().getNewSessionKey());
+ newTicketBody.setClientPrincipal(request.getClientPrincipal());
+ newTicketBody.setTransitedEncoding(new TransitedEncoding());
+
+ KerberosTime now = new KerberosTime();
+ newTicketBody.setAuthTime(now);
+
+ if (request.getKdcOptions().get(KdcOptions.POSTDATED))
+ {
+ // TODO - possibly allow req.from range
+ if (!config.isPostdateAllowed())
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ newTicketBody.setFlag(TicketFlags.INVALID);
+ newTicketBody.setStartTime(request.getFrom());
+ }
+
+ long till = 0;
+ if (request.getTill().getTime() == 0)
+ till = Long.MAX_VALUE;
+ else
+ till = request.getTill().getTime();
+ /*
+ new_tkt.endtime := min(till,
+ new_tkt.starttime+client.max_life,
+ new_tkt.starttime+server.max_life,
+ new_tkt.starttime+max_life_for_realm);
+ */
+ long endTime = Math.min(now.getTime() + config.getMaximumTicketLifetime(), till);
+ KerberosTime kerberosEndTime = new KerberosTime(endTime);
+ newTicketBody.setEndTime(kerberosEndTime);
+
+ long tempRtime = 0;
+ if (request.getKdcOptions().get(KdcOptions.RENEWABLE_OK) &&
+ request.getTill().greaterThan(kerberosEndTime))
+ {
+ request.getKdcOptions().set(KdcOptions.RENEWABLE);
+ tempRtime = request.getTill().getTime();
+ }
+
+ /*
+ if (req.kdc-options.RENEWABLE is set) then
+ set new_tkt.flags.RENEWABLE;
+ new_tkt.renew-till := min(rtime,
+ new_tkt.starttime+client.max_rlife,
+ new_tkt.starttime+server.max_rlife,
+ new_tkt.starttime+max_rlife_for_realm);
+ else
+ omit new_tkt.renew-till;
+ endif
+ */
+
+ if (tempRtime == 0)
+ {
+ tempRtime = Long.MAX_VALUE;
+ }
+ else
+ {
+ tempRtime = request.getRtime().getTime();
+ }
+
+ if ( request.getKdcOptions().get( KdcOptions.RENEWABLE ) )
+ {
+ newTicketBody.setFlag( TicketFlags.RENEWABLE );
+
+ /*
+ * 'from' KerberosTime is OPTIONAL
+ */
+ KerberosTime fromTime = request.getFrom();
+
+ if ( fromTime == null )
+ {
+ fromTime = new KerberosTime();
+ }
+
+ long renewTill = Math.min( fromTime.getTime()
+ + config.getMaximumRenewableLifetime(), tempRtime );
+ newTicketBody.setRenewTill( new KerberosTime( renewTill ) );
+ }
+
+ if (request.getAddresses() != null)
+ {
+ newTicketBody.setClientAddresses(request.getAddresses());
+ }
+
+ EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+
+ EncryptedData encryptedData = encryptTicketPart(ticketPart, serverKey);
+
+ Ticket newTicket = new Ticket(ticketPrincipal, encryptedData);
+ newTicket.setEncTicketPart(ticketPart);
+
+ if ( log.isDebugEnabled() )
+ {
+ log.debug( "Ticket will be issued for access to " + serverPrincipal.toString() + "." );
+ }
+
+ authContext.setTicket( newTicket );
+
+ return CONTINUE_CHAIN;
+ }
+
+ private EncryptedData encryptTicketPart(EncTicketPart ticketPart, EncryptionKey serverKey)
+ {
+ EncTicketPartEncoder encoder = new EncTicketPartEncoder();
+ EncryptedData encryptedTicketPart = null;
+ try
+ {
+ byte[] plainText = encoder.encode(ticketPart);
+
+ EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( serverKey );
+
+ encryptedTicketPart = engine.getEncryptedData(serverKey, plainText);
+
+ }
+ catch (Exception e)
+ {
+ e.printStackTrace();
+ }
+ return encryptedTicketPart;
+ }
+}
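Review bot: The rtime handling at `if (tempRtime == 0) ... else tempRtime = request.getRtime().getTime();` looks inverted: when RENEWABLE_OK applies, the `till` just stored in `tempRtime` is overwritten by `getRtime()` (which, like `getFrom()` as the comment above `fromTime` notes, is OPTIONAL and may be null, giving a `NullPointerException`), while a client that set RENEWABLE itself gets `Long.MAX_VALUE` and its rtime is ignored; replace the if/else with `if ( tempRtime == 0 ) { tempRtime = ( request.getRtime() == null ) ? Long.MAX_VALUE : request.getRtime().getTime(); }`. `renewTill` is then anchored on the client-supplied `from` rather than on the ticket's actual start (`now`, or the POSTDATED start time), so a `from` set far in the future extends renew-till beyond `getMaximumRenewableLifetime()` measured from the real start; use the same base the end-time computation uses. `encryptTicketPart` catches `Exception`, calls `printStackTrace()` and returns null, so a failed encryption produces a `Ticket` with null encrypted data that BuildReply and SealReply then process; since `execute` already declares `throws Exception`, declare it on the helper and drop the try/catch so AuthenticationExceptionHandler can turn the failure into an error reply — SealReply has the same swallow-and-continue pattern. `serverPrincipal` and `ticketPrincipal` are both `request.getServerPrincipal()`; one local suffices.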
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GenerateTicket.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetClientEntry.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetClientEntry.java?rev=263970&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetClientEntry.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetClientEntry.java Sun Aug 28 16:50:27 2005
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.authentication;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.service.GetPrincipalStoreEntry;
+import org.apache.kerberos.store.PrincipalStore;
+
+public class GetClientEntry extends GetPrincipalStoreEntry
+{
+ public boolean execute(Context context) throws Exception
+ {
+ System.out.println( "Getting client entry." );
+
+ AuthenticationContext authContext = (AuthenticationContext) context;
+
+ KerberosPrincipal principal = authContext.getRequest().getClientPrincipal();
+ PrincipalStore store = authContext.getStore();
+
+ authContext.setClientEntry( getEntry( principal, store, ErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN ) );
+
+ return CONTINUE_CHAIN;
+ }
+}
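Review bot: `GetClientEntry` and `GetServerEntry` are the same command differing only in the principal accessor, the context setter and the `ErrorType`; a single command parameterised by those three (or two thin subclasses of a shared template) would keep the two lookups from drifting apart. Neither class has Javadoc; for this one, `Looks up the requesting client principal in the store and sets it on the context for the pre-authentication sub-chain, failing with KDC_ERR_C_PRINCIPAL_UNKNOWN when absent.` states the contract. `GetPrincipalStoreEntry.getEntry` is not part of this commit, so the inferred failure behaviour should be confirmed against it.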
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetClientEntry.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetServerEntry.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetServerEntry.java?rev=263970&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetServerEntry.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetServerEntry.java Sun Aug 28 16:50:27 2005
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.authentication;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.service.GetPrincipalStoreEntry;
+import org.apache.kerberos.store.PrincipalStore;
+
+public class GetServerEntry extends GetPrincipalStoreEntry
+{
+ public boolean execute(Context context) throws Exception
+ {
+ System.out.println( "Getting server entry." );
+
+ AuthenticationContext authContext = (AuthenticationContext) context;
+
+ KerberosPrincipal principal = authContext.getRequest().getServerPrincipal();
+ PrincipalStore store = authContext.getStore();
+
+ authContext.setServerEntry( getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
+
+ return CONTINUE_CHAIN;
+ }
+}
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/GetServerEntry.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/SealReply.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/SealReply.java?rev=263970&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/SealReply.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/SealReply.java Sun Aug 28 16:50:27 2005
@@ -0,0 +1,57 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.authentication;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
+import org.apache.kerberos.io.encoder.EncAsRepPartEncoder;
+import org.apache.kerberos.messages.AuthenticationReply;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptionKey;
+
+public class SealReply extends CommandBase
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ System.out.println( "Sealing reply." );
+
+ AuthenticationContext authContext = (AuthenticationContext) context;
+
+ AuthenticationReply reply = (AuthenticationReply) authContext.getReply();
+ EncryptionKey clientKey = authContext.getClientKey();
+
+ EncAsRepPartEncoder encoder = new EncAsRepPartEncoder();
+ try
+ {
+ byte[] plainText = encoder.encode( reply );
+
+ EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( clientKey );
+
+ EncryptedData cipherText = engine.getEncryptedData( clientKey, plainText );
+
+ reply.setEncPart( cipherText );
+ }
+ catch ( Exception e )
+ {
+ e.printStackTrace();
+ }
+
+ return CONTINUE_CHAIN;
+ }
+}
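Review bot: `authContext.getClientKey()` is read here, but nothing in this commit calls `setClientKey`; presumably the pre-authentication sub-chain does, yet if it did not run `clientKey` is null, the engine lookup fails, the `catch ( Exception e )` only prints the stack trace, and the chain continues as though the reply had been sealed. A null check that fails the chain — `if ( clientKey == null ) throw new KerberosException( ... )` with whatever ErrorType the project uses for a missing key — and propagation of the encoding/encryption exception instead of `printStackTrace()` (the method already declares `throws Exception`) would guarantee the reply is never handed on without its enc-part. A Javadoc line, `Encrypts the AS-REP enc-part under the client's key; must run after BuildReply and after the pre-authentication sub-chain has set the client key.`, documents the ordering this command depends on.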
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/authentication/SealReply.java
------------------------------------------------------------------------------
svn:eol-style = native