Posted to commits@directory.apache.org by er...@apache.org on 2007/07/04 06:29:24 UTC
svn commit: r553069 - in
/directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos:
GetServiceTicket.java KdcConnection.java KdcControls.java
Author: erodriguez
Date: Tue Jul 3 21:29:23 2007
New Revision: 553069
URL: http://svn.apache.org/viewvc?view=rev&rev=553069
Log:
Kerberos client component API clean-up.
Modified:
directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/GetServiceTicket.java
directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcConnection.java
directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcControls.java
Modified: directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/GetServiceTicket.java
URL: http://svn.apache.org/viewvc/directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/GetServiceTicket.java?view=diff&rev=553069&r1=553068&r2=553069
==============================================================================
--- directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/GetServiceTicket.java (original)
+++ directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/GetServiceTicket.java Tue Jul 3 21:29:23 2007
@@ -277,7 +277,7 @@
modifier.setRealm( servicePrincipal.getRealm() );
// Set the requested starting time.
- if ( controls.isPostdated() )
+ if ( controls.getStartTime() != null )
{
KerberosTime fromTime = new KerberosTime( controls.getStartTime() );
modifier.setFrom( fromTime );
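Review bot: Sending `from` whenever a start time is set is only meaningful together with the POSTDATED KDC option, and the lines visible here set the time without touching the `kdcOptions` this method uses further down; per RFC 4120 §3.1.3 a start time beyond the KDC's clock skew without POSTDATED draws KDC_ERR_CANNOT_POSTDATE, and one inside the skew is simply replaced by the KDC's current time. The `if` body continues past the hunk, so if it does not already do so, add `kdcOptions.set( KdcOptions.POSTDATED );` next to `modifier.setFrom( fromTime );`, or document on the branch that a non-null start time is treated as a postdated request. The removed `isPostdated()` test made that intent explicit; the null check on `getStartTime()` does not.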
@@ -286,12 +286,12 @@
long currentTime = System.currentTimeMillis();
- KerberosTime endTime = new KerberosTime( currentTime + KdcControls.DAY );
+ KerberosTime endTime = new KerberosTime( currentTime + controls.getLifeTime() );
modifier.setTill( endTime );
- if ( controls.isRenewable() )
+ if ( controls.getRenewableLifetime() > 0 )
{
- KerberosTime renewTime = new KerberosTime( currentTime + KdcControls.WEEK );
+ KerberosTime renewTime = new KerberosTime( currentTime + controls.getRenewableLifetime() );
modifier.setRtime( renewTime );
kdcOptions.set( KdcOptions.RENEWABLE );
}
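Review bot: `controls.getLifeTime()` and `controls.getRenewableLifetime()` are added to `currentTime` with no range check, so a zero or negative lifetime yields a `till` in the past and a renewable lifetime shorter than the lifetime is sent as-is. With `renewableLifetime` defaulting to 0, the RENEWABLE option is no longer requested unless a caller asks for it, where the deleted defaults always requested a one-week renewable ticket; that is a sound least-privilege default but it changes what the no-controls overloads return and deserves a comment here or in the log. Guard the values before building the times, e.g. `if ( controls.getLifeTime() <= 0 ) throw new IllegalArgumentException( "lifeTime must be positive" );` and `if ( controls.getRenewableLifetime() > 0 && controls.getRenewableLifetime() < controls.getLifeTime() ) throw new IllegalArgumentException( "renewableLifetime must not be shorter than lifeTime" );`.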
Modified: directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcConnection.java
URL: http://svn.apache.org/viewvc/directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcConnection.java?view=diff&rev=553069&r1=553068&r2=553069
==============================================================================
--- directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcConnection.java (original)
+++ directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcConnection.java Tue Jul 3 21:29:23 2007
@@ -20,16 +20,9 @@
package org.apache.directory.client.kerberos;
-import java.net.InetAddress;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
-import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
-
/**
* Connection to an RFC 4120 Kerberos server (KDC). Connection users may request Ticket-Granting
@@ -105,7 +98,7 @@
public KerberosTicket getTicketGrantingTicket( KerberosPrincipal clientPrincipal, String password )
throws KdcConnectionException
{
- return getTicketGrantingTicket( clientPrincipal, password, getDefaultKdcControls() );
+ return getTicketGrantingTicket( clientPrincipal, password, new KdcControls() );
}
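Review bot: `new KdcControls()` replaces the deleted `getDefaultKdcControls()`, so this overload now sends whatever the `KdcControls` field initialisers provide; in this commit that is an empty `encryptionTypes` list and a UDP preference limit of 1500, where the old defaults were a single DES_CBC_MD5 etype and TCP. Dropping single DES as the implicit default is an improvement, but an empty etype list gives the KDC nothing to choose a session key type from, unless the request builder outside this diff fills one in. Either give `KdcControls.encryptionTypes` a non-empty default of the strongest types the client implements, or state in this method's javadoc that callers of the two-argument form must populate encryption types through the three-argument overload; the same applies to `getServiceTicket` below.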
@@ -137,7 +130,7 @@
public KerberosTicket getServiceTicket( KerberosTicket tgt, KerberosPrincipal servicePrincipal )
throws KdcConnectionException
{
- return getServiceTicket( tgt, servicePrincipal, getDefaultKdcControls() );
+ return getServiceTicket( tgt, servicePrincipal, new KdcControls() );
}
@@ -164,40 +157,5 @@
public void disconnect()
{
// Wouldn't do anything for UDP.
- }
-
-
- private KdcControls getDefaultKdcControls()
- {
- List<EncryptionType> encryptionTypes = new ArrayList<EncryptionType>();
- encryptionTypes.add( EncryptionType.DES_CBC_MD5 );
-
- KdcControls controls = new KdcControls();
- controls.setEncryptionTypes( encryptionTypes );
- controls.setUsePaEncTimestamp( true );
-
- // default is UDP. Set to 1 to use TCP.
- controls.setUdpPreferenceLimit( 1 );
-
- // useful dates
- long currentTime = System.currentTimeMillis();
- Date now = new Date( currentTime );
- Date oneDay = new Date( currentTime + KdcControls.DAY );
- Date oneWeek = new Date( currentTime + KdcControls.WEEK );
-
- // flags & times
- // if the start time exceeds "now" by more than the clockskew, consider it a POSTDATED request.
- controls.setStartTime( now );
- controls.setEndTime( oneDay );
- controls.setRenewTime( oneWeek );
-
- // even less important
- controls.setForwardable( true );
- controls.setProxiable( true );
-
- List<InetAddress> clientAddresses = new ArrayList<InetAddress>();
- controls.setClientAddresses( clientAddresses );
-
- return controls;
}
}
Modified: directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcControls.java
URL: http://svn.apache.org/viewvc/directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcControls.java?view=diff&rev=553069&r1=553068&r2=553069
==============================================================================
--- directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcControls.java (original)
+++ directory/clients/trunk/kerberos/client/src/main/java/org/apache/directory/client/kerberos/KdcControls.java Tue Jul 3 21:29:23 2007
@@ -30,6 +30,10 @@
/**
* Parameters for controlling a connection to a Kerberos server (KDC).
+ *
+ * 3.1.1. Generation of KRB_AS_REQ Message
+ *
+ * The client may specify a number of options in the initial request.
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
* @version $Rev$, $Date$
@@ -45,56 +49,17 @@
/** The number of milliseconds in a week. */
public static final int WEEK = MINUTE * 10080;
- /** The default allowed clockskew */
- private static final long DEFAULT_ALLOWED_CLOCKSKEW = 5 * MINUTE;
-
- /** The default for requiring encrypted timestamps */
- private static final boolean DEFAULT_USE_PA_ENC_TIMESTAMP = true;
-
- /** The default for the maximum ticket lifetime */
- private static final int DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME = DAY;
-
- /** The default for the maximum renewable lifetime */
- private static final int DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME = WEEK;
-
- /** The default for allowing forwardable tickets */
- private static final boolean DEFAULT_TGS_FORWARDABLE = false;
-
- /** The default for allowing proxiable tickets */
- private static final boolean DEFAULT_TGS_PROXIABLE = false;
-
- /** The default for allowing postdatable tickets */
- private static final boolean DEFAULT_TGS_POSTDATED = false;
-
- /** The default for allowing renewable tickets */
- private static final boolean DEFAULT_TGS_RENEWABLE = true;
-
- /** The default UDP preference limit */
- private static final int DEFAULT_UDP_PREFERENCE_LIMIT = 1500;
-
/** The allowed clock skew. */
- private long allowedClockSkew = DEFAULT_ALLOWED_CLOCKSKEW;
-
- /** Whether pre-authentication by encrypted timestamp is required. */
- private boolean usePaEncTimestamp = DEFAULT_USE_PA_ENC_TIMESTAMP;
+ private long allowedClockSkew = 5 * MINUTE;
- /** The maximum ticket lifetime. */
- private long maximumTicketLifetime = DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME;
-
- /** The maximum renewable lifetime. */
- private long maximumRenewableLifetime = DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME;
+ /** Whether pre-authentication by encrypted timestamp is used. */
+ private boolean usePaEncTimestamp = true;
/** Whether forwardable addresses are allowed. */
- private boolean isForwardable = DEFAULT_TGS_FORWARDABLE;
+ private boolean isForwardable = false;
/** Whether proxiable addresses are allowed. */
- private boolean isProxiable = DEFAULT_TGS_PROXIABLE;
-
- /** Whether postdating is allowed. */
- private boolean isPostdated = DEFAULT_TGS_POSTDATED;
-
- /** Whether renewable tickets are allowed. */
- private boolean isRenewable = DEFAULT_TGS_RENEWABLE;
+ private boolean isProxiable = false;
/** The encryption types. */
private List<EncryptionType> encryptionTypes = new ArrayList<EncryptionType>();
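Review bot: The defaults are now literal values in the field initialisers (`5 * MINUTE`, `1500`, `false`) where the deleted `DEFAULT_*` constants gave each one a name a caller or test could reference, while `DAY` and `WEEK` stay public; the clock-skew and UDP-limit defaults lose theirs. If `KdcControls` is meant to stay self-describing, keep one `public static final` per default, e.g. `public static final long DEFAULT_ALLOWED_CLOCK_SKEW = 5 * MINUTE;`, and initialise the field from it. Defaulting `isForwardable` and `isProxiable` to `false` is the right least-privilege choice and is worth a one-line comment saying so, since the deleted connection defaults set both to `true`.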
@@ -103,11 +68,26 @@
private List<InetAddress> clientAddresses = new ArrayList<InetAddress>();
/** The UDP preference limit. */
- private int udpPreferenceLimit = DEFAULT_UDP_PREFERENCE_LIMIT;
+ private int udpPreferenceLimit = 1500;
+ /** The ticket lifetime. */
+ private long lifeTime = DAY;
+
+ /** The ticket start time. */
private Date startTime;
- private Date endTime;
- private Date renewTime;
+
+ /** The renewable lifetime. */
+ private long renewableLifetime;
+
+ /** Whether to allow postdating of derivative tickets. */
+ private boolean isAllowPostdate;
+
+ /**
+ * Whether a renewable ticket will be accepted in lieu of a non-renewable ticket if the
+ * requested ticket expiration date cannot be satisfied by a non-renewable ticket (due to
+ * configuration constraints).
+ */
+ private boolean isRenewableOk;
/**
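Review bot: `renewableLifetime` has no initialiser, so its default of 0 doubles as the "do not request a renewable ticket" sentinel, but neither the field comment nor the accessors say so, and a reader comparing it with `lifeTime = DAY` will take 0 for a forgotten default. Replace the comment with `/** The renewable lifetime in milliseconds; 0 (the default) means a non-renewable ticket is requested. */`. `startTime` likewise needs a note that `null` (the default) means no start time is sent, and since it is a mutable `java.util.Date` the setter and getter should copy it rather than share the caller's instance.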
@@ -140,9 +120,9 @@
/**
- * Returns whether pre-authentication by encrypted timestamp is used.
+ * Returns whether pre-authentication by encrypted timestamp is to be performed.
*
- * @return Whether pre-authentication by encrypted timestamp is used.
+ * @return Whether pre-authentication by encrypted timestamp is to be performed.
*/
public boolean isUsePaEncTimestamp()
{
@@ -151,7 +131,7 @@
/**
- * @param usePaEncTimestamp Whether to use a encrypted timestamp pre-authentication.
+ * @param usePaEncTimestamp Whether to use encrypted timestamp pre-authentication.
*/
public void setUsePaEncTimestamp( boolean usePaEncTimestamp )
{
@@ -191,8 +171,8 @@
/**
- * Sets the start time. If the start time exceeds "now" by more than the
- * clockskew, consider it a POSTDATED request.
+ * Request a postdated ticket, valid starting at the specified start time. Postdated
+ * tickets are issued in an invalid state and must be validated by the KDC before use.
*
* @param startTime
*/
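Review bot: The rewritten javadoc says this requests a postdated ticket, but the method is a plain setter whose body (outside the hunk) stores a `Date`, and a start time within the KDC's allowed clock skew is replaced by the KDC's current time rather than yielding a postdated ticket; the `@param startTime` tag is still empty. Make the contract precise: `@param startTime the requested start time, or null to send none; a value later than now by more than the allowed clock skew is a postdated request and must be paired with the POSTDATED KDC option`. Also note that the stored `Date` is mutable and should be copied on the way in and out.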
@@ -203,50 +183,6 @@
/**
- * Returns the end time.
- *
- * @return The end time.
- */
- public Date getEndTime()
- {
- return endTime;
- }
-
-
- /**
- * Sets the end time.
- *
- * @param endTime
- */
- public void setEndTime( Date endTime )
- {
- this.endTime = endTime;
- }
-
-
- /**
- * Returns the renew time.
- *
- * @return The renew time.
- */
- public Date getRenewTime()
- {
- return renewTime;
- }
-
-
- /**
- * Sets the renew time.
- *
- * @param renewTime
- */
- public void setRenewTime( Date renewTime )
- {
- this.renewTime = renewTime;
- }
-
-
- /**
* Returns whether to request a forwardable ticket.
*
* @return true if the request is for a forwardable ticket.
@@ -269,28 +205,6 @@
/**
- * Returns whether to request a postdated ticket.
- *
- * @return true if the request is for a postdated ticket.
- */
- public boolean isPostdated()
- {
- return isPostdated;
- }
-
-
- /**
- * Sets whether to request a postdated ticket.
- *
- * @param isPostdated
- */
- public void setPostdated( boolean isPostdated )
- {
- this.isPostdated = isPostdated;
- }
-
-
- /**
* Returns whether to request a proxiable ticket.
*
* @return true if the request is for a proxiable ticket.
@@ -313,60 +227,45 @@
/**
- * Returns whether to request a renewable ticket.
- *
- * @return true if the request is for a renewable ticket.
+ * @return The lifetime in milliseconds.
*/
- public boolean isRenewable()
+ public long getLifeTime()
{
- return isRenewable;
+ return lifeTime;
}
/**
- * Sets whether to request a renewable ticket.
+ * Requests a ticket with the specified lifetime. The value for lifetime is
+ * in milliseconds. Constants are provided for MINUTE, DAY, and WEEK.
*
- * @param isRenewable
- */
- public void setRenewable( boolean isRenewable )
- {
- this.isRenewable = isRenewable;
- }
-
-
- /**
- * @return The maximumTicketLifetime.
+ * @param lifeTime The lifetime to set.
*/
- public long getMaximumTicketLifetime()
+ public void setLifeTime( long lifeTime )
{
- return maximumTicketLifetime;
+ this.lifeTime = lifeTime;
}
/**
- * @param maximumTicketLifetime The maximumTicketLifetime to set.
+ * @return The renewable lifetime.
*/
- public void setMaximumTicketLifetime( long maximumTicketLifetime )
+ public long getRenewableLifetime()
{
- this.maximumTicketLifetime = maximumTicketLifetime;
+ return renewableLifetime;
}
/**
- * @return The maximumRenewableLifetime.
- */
- public long getMaximumRenewableLifetime()
- {
- return maximumRenewableLifetime;
- }
-
-
- /**
- * @param maximumRenewableLifetime The maximumRenewableLifetime to set.
+ * Requests a ticket with the specified total lifetime. The value for
+ * lifetime is in milliseconds. Constants are provided for MINUTE, DAY,
+ * and WEEK.
+ *
+ * @param renewableLifetime The renewable lifetime to set.
*/
- public void setMaximumRenewableLifetime( long maximumRenewableLifetime )
+ public void setRenewableLifetime( long renewableLifetime )
{
- this.maximumRenewableLifetime = maximumRenewableLifetime;
+ this.renewableLifetime = renewableLifetime;
}
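Review bot: `setLifeTime` and `setRenewableLifetime` accept any `long`, so a zero or negative value, or a renewable lifetime shorter than the lifetime, is stored here and only surfaces when the request is built; the javadoc on `setRenewableLifetime` also says "total lifetime" while the getter says "renewable lifetime", and neither states the unit on the return. Validate at the setter: `if ( lifeTime <= 0 ) throw new IllegalArgumentException( "lifeTime must be a positive number of milliseconds" );` and `if ( renewableLifetime < 0 ) throw new IllegalArgumentException( "renewableLifetime must not be negative" );`, keeping 0 as the "not renewable" value the request code tests for. Document on `getRenewableLifetime` that the value is in milliseconds and that 0 means no renewable ticket is requested.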
@@ -409,5 +308,49 @@
public void setClientAddresses( List<InetAddress> clientAddresses )
{
this.clientAddresses = clientAddresses;
+ }
+
+
+ /**
+ * Returns whether postdating is allowed.
+ *
+ * @return true if postdating is allowed.
+ */
+ public boolean isAllowPostdate()
+ {
+ return isAllowPostdate;
+ }
+
+
+ /**
+ * Sets whether postdating is allowed.
+ *
+ * @param isAllowPostdate Whether postdating is allowed.
+ */
+ public void setAllowPostdate( boolean isAllowPostdate )
+ {
+ this.isAllowPostdate = isAllowPostdate;
+ }
+
+
+ /**
+ * Returns whether renewable tickets are OK.
+ *
+ * @return true if renewable tickets are OK.
+ */
+ public boolean isRenewableOk()
+ {
+ return isRenewableOk;
+ }
+
+
+ /**
+ * Sets whether renewable tickets are OK.
+ *
+ * @param isRenewableOk Whether renewable tickets are OK.
+ */
+ public void setRenewableOk( boolean isRenewableOk )
+ {
+ this.isRenewableOk = isRenewableOk;
}
}
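Review bot: The accessor javadoc for `isAllowPostdate`/`setAllowPostdate` says "whether postdating is allowed", which reads like the removed `isPostdated` option, whereas the field comment describes the KDC ALLOW-POSTDATE option (derivative tickets may be postdated); the accessor docs should say the same thing so the two are not confused. Suggested: `Returns whether the ticket may be used to obtain postdated derivative tickets (the ALLOW-POSTDATE KDC option).` and, for the other pair, `Returns whether a renewable ticket is acceptable in place of a non-renewable one (the RENEWABLE-OK KDC option).` Neither flag is read by the `GetServiceTicket` changes in this commit, so if the request builders do not yet consult them a caller setting them gets no effect; worth a sentence in the javadoc until they are wired through.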