You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by er...@apache.org on 2007/07/21 13:51:24 UTC
svn commit: r558318 [1/2] - in
/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol:
AbstractTicketGrantingServiceTest.java EncTktInSkeyTest.java
TicketGrantingServiceTest.java
Author: erodriguez
Date: Sat Jul 21 04:51:23 2007
New Revision: 558318
URL: http://svn.apache.org/viewvc?view=rev&rev=558318
Log:
Added test coverage for the Ticket-Granting Service (TGS).
Added:
directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java (with props)
directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/EncTktInSkeyTest.java (with props)
directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/TicketGrantingServiceTest.java (with props)
Added: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java?view=auto&rev=558318
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java Sat Jul 21 04:51:23 2007
@@ -0,0 +1,425 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.kerberos.protocol;
+
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.SocketAddress;
+import java.security.SecureRandom;
+
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import junit.framework.TestCase;
+
+import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
+import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
+import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
+import org.apache.directory.server.kerberos.shared.io.encoder.ApplicationRequestEncoder;
+import org.apache.directory.server.kerberos.shared.io.encoder.KdcRequestEncoder;
+import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
+import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
+import org.apache.directory.server.kerberos.shared.messages.MessageType;
+import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
+import org.apache.directory.server.kerberos.shared.messages.components.AuthenticatorModifier;
+import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
+import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
+import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
+import org.apache.directory.server.kerberos.shared.messages.components.TicketModifier;
+import org.apache.directory.server.kerberos.shared.messages.value.ApOptions;
+import org.apache.directory.server.kerberos.shared.messages.value.Checksum;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
+import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
+import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
+import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataModifier;
+import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.PrincipalName;
+import org.apache.directory.server.kerberos.shared.messages.value.PrincipalNameModifier;
+import org.apache.directory.server.kerberos.shared.messages.value.PrincipalNameType;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBody;
+import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
+import org.apache.directory.server.kerberos.shared.messages.value.TransitedEncoding;
+import org.apache.mina.common.IoFilterChain;
+import org.apache.mina.common.IoHandler;
+import org.apache.mina.common.IoService;
+import org.apache.mina.common.IoServiceConfig;
+import org.apache.mina.common.IoSessionConfig;
+import org.apache.mina.common.TransportType;
+import org.apache.mina.common.WriteFuture;
+import org.apache.mina.common.support.BaseIoSession;
+
+
+/**
+ * Abstract base class for Ticket-Granting Service (TGS) tests, with utility methods
+ * for generating message components.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public abstract class AbstractTicketGrantingServiceTest extends TestCase
+{
+ protected CipherTextHandler lockBox;
+ protected static final SecureRandom random = new SecureRandom();
+
+ /** Session attributes that must be verified. */
+ protected EncryptionKey sessionKey;
+ protected EncryptionKey subSessionKey;
+ protected int sequenceNumber;
+ protected KerberosTime now;
+ protected int clientMicroSeconds = 0;
+
+
+ protected Ticket getTgt( KerberosPrincipal clientPrincipal, KerberosPrincipal serverPrincipal, String serverPassword )
+ throws Exception
+ {
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, serverPassword );
+ return getTicket( clientPrincipal, serverPrincipal, serverKey );
+ }
+
+
+ /**
+ * Returns an encryption key derived from a principal name and passphrase.
+ *
+ * @param principal
+ * @param passPhrase
+ * @return The server's {@link EncryptionKey}.
+ */
+ protected EncryptionKey getEncryptionKey( KerberosPrincipal principal, String passPhrase )
+ {
+ KerberosKey kerberosKey = new KerberosKey( principal, passPhrase.toCharArray(), "DES" );
+ byte[] keyBytes = kerberosKey.getEncoded();
+ return new EncryptionKey( EncryptionType.DES_CBC_MD5, keyBytes );
+ }
+
+
+ /**
+ * Build the service ticket. The service ticket contains the session key generated
+ * by the KDC for the client and service to use. The service will unlock the
+ * authenticator with the session key from the ticket. The principal in the ticket
+ * must equal the authenticator client principal.
+ *
+ * If set in the AP Options, the Ticket can also be sealed with the session key.
+ *
+ * @param clientPrincipal
+ * @param serverPrincipal
+ * @param serverKey
+ * @return The {@link Ticket}.
+ * @throws KerberosException
+ */
+ protected Ticket getTicket( KerberosPrincipal clientPrincipal, KerberosPrincipal serverPrincipal,
+ EncryptionKey serverKey ) throws KerberosException
+ {
+ EncTicketPartModifier encTicketModifier = new EncTicketPartModifier();
+
+ TicketFlags ticketFlags = new TicketFlags();
+ ticketFlags.set( TicketFlags.RENEWABLE );
+ encTicketModifier.setFlags( ticketFlags );
+
+ EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.DES_CBC_MD5 );
+
+ encTicketModifier.setSessionKey( sessionKey );
+ encTicketModifier.setClientPrincipal( clientPrincipal );
+ encTicketModifier.setTransitedEncoding( new TransitedEncoding() );
+ encTicketModifier.setAuthTime( new KerberosTime() );
+
+ long now = System.currentTimeMillis();
+ KerberosTime endTime = new KerberosTime( now + KerberosTime.DAY );
+ encTicketModifier.setEndTime( endTime );
+
+ KerberosTime renewTill = new KerberosTime( now + KerberosTime.WEEK );
+ encTicketModifier.setRenewTill( renewTill );
+
+ EncTicketPart encTicketPart = encTicketModifier.getEncTicketPart();
+
+ EncryptedData encryptedTicketPart = lockBox.seal( serverKey, encTicketPart, KeyUsage.NUMBER2 );
+
+ TicketModifier ticketModifier = new TicketModifier();
+ ticketModifier.setTicketVersionNumber( 5 );
+ ticketModifier.setServerPrincipal( serverPrincipal );
+ ticketModifier.setEncPart( encryptedTicketPart );
+
+ Ticket ticket = ticketModifier.getTicket();
+
+ ticket.setEncTicketPart( encTicketPart );
+
+ return ticket;
+ }
+
+
+ protected EncTicketPartModifier getTicketArchetype( KerberosPrincipal clientPrincipal ) throws KerberosException
+ {
+ EncTicketPartModifier encTicketModifier = new EncTicketPartModifier();
+
+ TicketFlags ticketFlags = new TicketFlags();
+ ticketFlags.set( TicketFlags.RENEWABLE );
+ encTicketModifier.setFlags( ticketFlags );
+
+ EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( EncryptionType.DES_CBC_MD5 );
+
+ encTicketModifier.setSessionKey( sessionKey );
+ encTicketModifier.setClientPrincipal( clientPrincipal );
+ encTicketModifier.setTransitedEncoding( new TransitedEncoding() );
+ encTicketModifier.setAuthTime( new KerberosTime() );
+
+ long now = System.currentTimeMillis();
+ KerberosTime endTime = new KerberosTime( now + KerberosTime.DAY );
+ encTicketModifier.setEndTime( endTime );
+
+ KerberosTime renewTill = new KerberosTime( now + KerberosTime.WEEK );
+ encTicketModifier.setRenewTill( renewTill );
+
+ return encTicketModifier;
+ }
+
+
+ protected Ticket getTicket( EncTicketPartModifier encTicketModifier, KerberosPrincipal serverPrincipal,
+ EncryptionKey serverKey ) throws KerberosException
+ {
+ EncTicketPart encTicketPart = encTicketModifier.getEncTicketPart();
+
+ EncryptedData encryptedTicketPart = lockBox.seal( serverKey, encTicketPart, KeyUsage.NUMBER2 );
+
+ TicketModifier ticketModifier = new TicketModifier();
+ ticketModifier.setTicketVersionNumber( 5 );
+ ticketModifier.setServerPrincipal( serverPrincipal );
+ ticketModifier.setEncPart( encryptedTicketPart );
+
+ Ticket ticket = ticketModifier.getTicket();
+
+ ticket.setEncTicketPart( encTicketPart );
+
+ return ticket;
+ }
+
+
+ protected KdcRequest getKdcRequest( Ticket tgt, RequestBody requestBody ) throws Exception
+ {
+ return getKdcRequest( tgt, requestBody, ChecksumType.RSA_MD5 );
+ }
+
+
+ /**
+ * Create a KdcRequest, suitable for requesting a service Ticket.
+ */
+ protected KdcRequest getKdcRequest( Ticket tgt, RequestBody requestBody, ChecksumType checksumType )
+ throws Exception
+ {
+ // Get the session key from the service ticket.
+ sessionKey = tgt.getSessionKey();
+
+ // Generate a new sequence number.
+ sequenceNumber = random.nextInt();
+ now = new KerberosTime();
+
+ EncryptedData authenticator = getAuthenticator( tgt.getClientPrincipal(), requestBody, checksumType );
+
+ PreAuthenticationData[] paData = getPreAuthenticationData( tgt, authenticator );
+
+ return new KdcRequest( 5, MessageType.KRB_TGS_REQ, paData, requestBody );
+ }
+
+
+ /**
+ * Build the authenticator. The authenticator communicates the sub-session key the
+ * service will use to unlock the private message. The service will unlock the
+ * authenticator with the session key from the ticket. The authenticator client
+ * principal must equal the principal in the ticket.
+ *
+ * @param clientPrincipal
+ * @return The {@link EncryptedData} containing the {@link Authenticator}.
+ * @throws KerberosException
+ */
+ protected EncryptedData getAuthenticator( KerberosPrincipal clientPrincipal, RequestBody requestBody,
+ ChecksumType checksumType ) throws IOException, KerberosException
+ {
+ AuthenticatorModifier authenticatorModifier = new AuthenticatorModifier();
+
+ clientMicroSeconds = random.nextInt();
+
+ authenticatorModifier.setVersionNumber( 5 );
+ authenticatorModifier.setClientPrincipal( clientPrincipal );
+ authenticatorModifier.setClientTime( now );
+ authenticatorModifier.setClientMicroSecond( clientMicroSeconds );
+ authenticatorModifier.setSubSessionKey( subSessionKey );
+ authenticatorModifier.setSequenceNumber( sequenceNumber );
+
+ Checksum checksum = getBodyChecksum( requestBody, checksumType );
+ authenticatorModifier.setChecksum( checksum );
+
+ Authenticator authenticator = authenticatorModifier.getAuthenticator();
+
+ EncryptedData encryptedAuthenticator = lockBox.seal( sessionKey, authenticator, KeyUsage.NUMBER11 );
+
+ return encryptedAuthenticator;
+ }
+
+
+ protected Checksum getBodyChecksum( RequestBody requestBody, ChecksumType checksumType ) throws IOException,
+ KerberosException
+ {
+ KdcRequestEncoder bodyEncoder = new KdcRequestEncoder();
+ byte[] bodyBytes = bodyEncoder.encodeRequestBody( requestBody );
+
+ ChecksumHandler checksumHandler = new ChecksumHandler();
+ return checksumHandler.calculateChecksum( checksumType, bodyBytes, null, KeyUsage.NUMBER8 );
+ }
+
+
+ /**
+ * Make new AP_REQ, aka the "auth header," and package it into pre-authentication data.
+ *
+ * @param ticket
+ * @param authenticator
+ * @return
+ * @throws IOException
+ */
+ protected PreAuthenticationData[] getPreAuthenticationData( Ticket ticket, EncryptedData authenticator )
+ throws IOException
+ {
+ ApplicationRequest applicationRequest = new ApplicationRequest();
+ applicationRequest.setMessageType( MessageType.KRB_AP_REQ );
+ applicationRequest.setProtocolVersionNumber( 5 );
+ applicationRequest.setApOptions( new ApOptions() );
+ applicationRequest.setTicket( ticket );
+ applicationRequest.setEncPart( authenticator );
+
+ ApplicationRequestEncoder encoder = new ApplicationRequestEncoder();
+ byte[] encodedApReq = encoder.encode( applicationRequest );
+
+ PreAuthenticationData[] paData = new PreAuthenticationData[1];
+
+ PreAuthenticationDataModifier preAuth = new PreAuthenticationDataModifier();
+ preAuth.setDataType( PreAuthenticationDataType.PA_TGS_REQ );
+
+ preAuth.setDataValue( encodedApReq );
+
+ paData[0] = preAuth.getPreAuthenticationData();
+
+ return paData;
+ }
+
+
+ protected PrincipalName getPrincipalName( String principalName )
+ {
+ PrincipalNameModifier principalNameModifier = new PrincipalNameModifier();
+ principalNameModifier.addName( principalName );
+ principalNameModifier.setType( PrincipalNameType.KRB_NT_PRINCIPAL.getOrdinal() );
+
+ return principalNameModifier.getPrincipalName();
+ }
+
+ protected static class DummySession extends BaseIoSession
+ {
+ Object message;
+
+
+ @Override
+ public WriteFuture write( Object message )
+ {
+ this.message = message;
+
+ return super.write( message );
+ }
+
+
+ protected Object getMessage()
+ {
+ return message;
+ }
+
+
+ protected void updateTrafficMask()
+ {
+ // Do nothing.
+ }
+
+
+ public IoService getService()
+ {
+ return null;
+ }
+
+
+ public IoHandler getHandler()
+ {
+ return null;
+ }
+
+
+ public IoFilterChain getFilterChain()
+ {
+ return null;
+ }
+
+
+ public TransportType getTransportType()
+ {
+ return null;
+ }
+
+
+ public SocketAddress getRemoteAddress()
+ {
+ return new InetSocketAddress( 10088 );
+ }
+
+
+ public SocketAddress getLocalAddress()
+ {
+ return null;
+ }
+
+
+ public IoSessionConfig getConfig()
+ {
+ return null;
+ }
+
+
+ public int getScheduledWriteRequests()
+ {
+ return 0;
+ }
+
+
+ public SocketAddress getServiceAddress()
+ {
+ return null;
+ }
+
+
+ public IoServiceConfig getServiceConfig()
+ {
+ return null;
+ }
+
+
+ public int getScheduledWriteBytes()
+ {
+ return 0;
+ }
+ }
+}
Propchange: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/AbstractTicketGrantingServiceTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/EncTktInSkeyTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/EncTktInSkeyTest.java?view=auto&rev=558318
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/EncTktInSkeyTest.java (added)
+++ directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/EncTktInSkeyTest.java Sat Jul 21 04:51:23 2007
@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.kerberos.protocol;
+
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
+import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
+import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
+import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
+import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
+import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
+import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
+import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBody;
+import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
+import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
+
+
+/**
+ * Test case for RFC 4120 Section 3.7. "User-to-User Authentication Exchanges." This
+ * is option "ENC-TKT-IN-SKEY."
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class EncTktInSkeyTest extends AbstractTicketGrantingServiceTest
+{
+ private KdcConfiguration config;
+ private PrincipalStore store;
+ private KerberosProtocolHandler handler;
+ private DummySession session;
+
+
+ /**
+ * Creates a new instance of {@link EncTktInSkeyTest}.
+ */
+ public EncTktInSkeyTest()
+ {
+ config = new KdcConfiguration();
+
+ /*
+ * Body checksum verification must be disabled because we are bypassing
+ * the codecs, where the body bytes are set on the KdcRequest message.
+ */
+ config.setBodyChecksumVerified( false );
+
+ store = new MapPrincipalStoreImpl();
+ handler = new KerberosProtocolHandler( config, store );
+ session = new DummySession();
+ lockBox = new CipherTextHandler();
+ }
+
+
+ /**
+ * If the ENC-TKT-IN-SKEY option has been specified and an additional ticket
+ * has been included in the request, it indicates that the client is using
+ * user-to-user authentication to prove its identity to a server that does
+ * not have access to a persistent key. Section 3.7 describes the effect
+ * of this option on the entire Kerberos protocol. When generating the
+ * KRB_TGS_REP message, this option in the KRB_TGS_REQ message tells the KDC
+ * to decrypt the additional ticket using the key for the server to which the
+ * additional ticket was issued and to verify that it is a TGT. If the name
+ * of the requested server is missing from the request, the name of the client
+ * in the additional ticket will be used. Otherwise, the name of the requested
+ * server will be compared to the name of the client in the additional ticket.
+ * If it is different, the request will be rejected. If the request succeeds,
+ * the session key from the additional ticket will be used to encrypt the new
+ * ticket that is issued instead of using the key of the server for which the
+ * new ticket will be used.
+ *
+ * @throws Exception
+ */
+ public void testEncTktInSkey() throws Exception
+ {
+ // Get the mutable ticket part.
+ KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
+ EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
+
+ // Make changes to test.
+
+ // Seal the ticket for the server.
+ KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
+ String passPhrase = "randomKey";
+ EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
+ Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
+
+ RequestBodyModifier modifier = new RequestBodyModifier();
+ modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
+ modifier.setRealm( "EXAMPLE.COM" );
+ modifier.setEType( config.getEncryptionTypes() );
+ modifier.setNonce( random.nextInt() );
+
+ KdcOptions kdcOptions = new KdcOptions();
+ kdcOptions.set( KdcOptions.ENC_TKT_IN_SKEY );
+ modifier.setKdcOptions( kdcOptions );
+
+ long now = System.currentTimeMillis();
+
+ KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
+ modifier.setTill( requestedEndTime );
+
+ KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );
+ modifier.setRtime( requestedRenewTillTime );
+
+ RequestBody requestBody = modifier.getRequestBody();
+ KdcRequest message = getKdcRequest( tgt, requestBody );
+
+ handler.messageReceived( session, message );
+
+ ErrorMessage error = ( ErrorMessage ) session.getMessage();
+ assertEquals( "KDC cannot accommodate requested option", 13, error.getErrorCode() );
+ }
+}
Propchange: directory/apacheds/trunk/protocol-kerberos/src/test/java/org/apache/directory/server/kerberos/protocol/EncTktInSkeyTest.java
------------------------------------------------------------------------------
svn:eol-style = native