Posted to commits@directory.apache.org by el...@apache.org on 2012/01/27 01:41:39 UTC
svn commit: r1236474 - in /directory/apacheds/trunk:
kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/
protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/
Author: elecharny
Date: Fri Jan 27 00:41:39 2012
New Revision: 1236474
URL: http://svn.apache.org/viewvc?rev=1236474&view=rev
Log:
Fixed DIRKRB-84 : We now use a List instead of a Set to store the EncryptionTypes, and the selection of the valid EType has been modified.
Modified:
directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java
directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java
Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java?rev=1236474&r1=1236473&r2=1236474&view=diff
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java (original)
+++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java Fri Jan 27 00:41:39 2012
@@ -6,16 +6,16 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
- * under the License.
- *
+ * under the License.
+ *
*/
package org.apache.directory.server.kerberos.kdc;
@@ -171,6 +171,7 @@ public class SaslGssapiBindITest extends
// isn't resolved to localhost by default. In that case we need
// to use the IP address for the service principal.
String hostName;
+
try
{
InetAddress loopback = InetAddress.getByName( "127.0.0.1" );
@@ -181,6 +182,7 @@ public class SaslGssapiBindITest extends
System.err.println( "Can't find loopback address '127.0.0.1', using hostname 'localhost'" );
hostName = "localhost";
}
+
String servicePrincipal = "ldap/" + hostName + "@EXAMPLE.COM";
getLdapServer().setSaslPrincipal( servicePrincipal );
@@ -195,6 +197,7 @@ public class SaslGssapiBindITest extends
// check if krb5kdc is disabled
Attributes krb5kdcAttrs = schemaRoot.getAttributes( "cn=Krb5kdc" );
boolean isKrb5KdcDisabled = false;
+
if ( krb5kdcAttrs.get( "m-disabled" ) != null )
{
isKrb5KdcDisabled = ( ( String ) krb5kdcAttrs.get( "m-disabled" ).get() ).equalsIgnoreCase( "TRUE" );
@@ -396,7 +399,7 @@ public class SaslGssapiBindITest extends
/**
* Sets the contexts of this class taking into account the extras and overrides
- * properties.
+ * properties.
*
* @param env an environment to use while setting up the system root.
* @throws NamingException if there is a failure of any kind
Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java?rev=1236474&r1=1236473&r2=1236474&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java Fri Jan 27 00:41:39 2012
@@ -24,8 +24,6 @@ import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.util.Date;
import java.util.List;
-import java.util.Set;
-
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
@@ -207,8 +205,8 @@ public class AuthenticationService
if ( preAuthData == null || preAuthData.size() == 0 )
{
- throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError( config
- .getEncryptionTypes() ) );
+ throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
+ request.getKdcReqBody().getEType(), config.getEncryptionTypes() ) );
}
try
@@ -277,7 +275,8 @@ public class AuthenticationService
if ( preAuthData == null )
{
throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
- preparePreAuthenticationError( config.getEncryptionTypes() ) );
+ preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(),
+ config.getEncryptionTypes() ) );
}
PaEncTsEnc timestamp = null;
@@ -287,6 +286,7 @@ public class AuthenticationService
if ( paData.getPaDataType().equals( PaDataType.PA_ENC_TIMESTAMP ) )
{
EncryptedData dataValue = KerberosDecoder.decodeEncryptedData( paData.getPaDataValue() );
+ paData.getPaDataType();
byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue,
KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
timestamp = KerberosDecoder.decodePaEncTsEnc( decryptedData );
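Review bot: The added `paData.getPaDataType();` right after the `decodeEncryptedData` call is a bare expression statement whose result is discarded, so it has no effect and reads like a leftover from debugging. Nothing else in the hunk uses it, and the decrypt and decode on the following lines do not depend on it; drop the line. If the intent was to record which pre-authentication type was being processed, that needs an actual log statement rather than a discarded getter call. The enclosing loop and method continue outside the hunk.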
@@ -301,7 +301,7 @@ public class AuthenticationService
if ( timestamp == null )
{
throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
- preparePreAuthenticationError( config.getEncryptionTypes() ) );
+ preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(), config.getEncryptionTypes() ) );
}
if ( !timestamp.getPaTimestamp().isInClockSkew( config.getAllowableClockSkew() ) )
@@ -788,7 +788,7 @@ public class AuthenticationService
* @param encryptionTypes
* @return The error message as bytes.
*/
- private static byte[] preparePreAuthenticationError( List<EncryptionType> encryptionTypes )
+ private static byte[] preparePreAuthenticationError( List<EncryptionType> clientEncryptionTypes, List<EncryptionType> serverEncryptionTypes )
{
PaData[] paDataSequence = new PaData[2];
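Review bot: The Javadoc directly above the new signature still documents a single `@param encryptionTypes`, which no longer exists, while the method now takes `clientEncryptionTypes` and `serverEncryptionTypes`; the comment opens outside the hunk. Replace it with `@param clientEncryptionTypes the encryption types proposed by the client in the AS-REQ` and `@param serverEncryptionTypes the encryption types the KDC is configured to accept`, and state in the summary that the returned ETYPE-INFO lists only the types present in both. The signature line is also well over the usual column limit; breaking it after the first parameter would keep it readable.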
@@ -800,10 +800,13 @@ public class AuthenticationService
ETypeInfo eTypeInfo = new ETypeInfo();
- for ( EncryptionType encryptionType : encryptionTypes )
+ for ( EncryptionType encryptionType : clientEncryptionTypes )
{
- ETypeInfoEntry etypeInfoEntry = new ETypeInfoEntry( encryptionType, null );
- eTypeInfo.addETypeInfoEntry( etypeInfoEntry );
+ if ( serverEncryptionTypes.contains( encryptionType ) )
+ {
+ ETypeInfoEntry etypeInfoEntry = new ETypeInfoEntry( encryptionType, null );
+ eTypeInfo.addETypeInfoEntry( etypeInfoEntry );
+ }
}
byte[] encTypeInfo = null;
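Review bot: When none of the client's proposed types is contained in `serverEncryptionTypes`, the filtered loop now adds no entry at all, and the callers shown earlier in this commit still answer with KDC_ERR_PREAUTH_REQUIRED carrying an empty ETYPE-INFO, which leaves the client nothing it can retry with; RFC 4120 describes KDC_ERR_ETYPE_NOSUPP for the no-common-etype case. Since this static helper only builds the error bytes, the cleanest fix is to keep a local `boolean matched` that the `if ( serverEncryptionTypes.contains( encryptionType ) )` branch sets to true, and to let the caller react when it stays false rather than throwing from here. `clientEncryptionTypes` comes straight from the request, so it is worth confirming whether `getEType()` can return null; if it can, a null guard before the `for` is needed to avoid a NullPointerException on attacker-controlled input. The rest of the method continues outside the hunk.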