You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by er...@apache.org on 2004/11/02 04:04:33 UTC
svn commit: rev 56334 - incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc
Author: erodriguez
Date: Mon Nov 1 19:04:33 2004
New Revision: 56334
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Updated dispatcher, AS, and TGS services to properly return error messages to clients.
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java Mon Nov 1 19:04:33 2004
@@ -44,27 +44,29 @@
public AuthenticationReply getReplyFor(KdcRequest request) throws KerberosException {
KerberosPrincipal clientPrincipal = request.getClientPrincipal();
-
- System.out.println("Client: " + clientPrincipal.toString());
- PrincipalStoreEntry clientEntry = _bootstrap.getEntry(clientPrincipal);
EncryptionKey clientKey;
- if (clientEntry != null) {
- clientKey = clientEntry.getEncryptionKey();
- } else {
- System.out.println("Going to look up client");
- clientKey = _store.getEntry(clientPrincipal).getEncryptionKey();
+ try {
+ PrincipalStoreEntry clientEntry = _bootstrap.getEntry(clientPrincipal);
+ if (clientEntry != null) {
+ clientKey = clientEntry.getEncryptionKey();
+ } else {
+ clientKey = _store.getEntry(clientPrincipal).getEncryptionKey();
+ }
+ } catch (Exception e) {
+ throw KerberosException.KDC_ERR_C_PRINCIPAL_UNKNOWN;
}
KerberosPrincipal serverPrincipal = request.getServerPrincipal();
-
- System.out.println("Server: " + serverPrincipal.toString());
- PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
EncryptionKey serverKey;
- if (serverEntry != null) {
- serverKey = serverEntry.getEncryptionKey();
- } else {
- System.out.println("Going to look up client");
- serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
+ try {
+ PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
+ if (serverEntry != null) {
+ serverKey = serverEntry.getEncryptionKey();
+ } else {
+ serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
+ }
+ } catch (Exception e) {
+ throw KerberosException.KDC_ERR_S_PRINCIPAL_UNKNOWN;
}
verifyPreAuthentication(request, clientPrincipal);
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java Mon Nov 1 19:04:33 2004
@@ -34,8 +34,9 @@
private ReplayCache _replay = new InMemoryReplayCache();
- private KdcRequestDecoder _decoder = new KdcRequestDecoder();
- private KdcReplyEncoder _encoder = new KdcReplyEncoder();
+ private KdcRequestDecoder _decoder = new KdcRequestDecoder();
+ private KdcReplyEncoder _encoder = new KdcReplyEncoder();
+ private ErrorMessageEncoder _errorEncoder = new ErrorMessageEncoder();
private PrincipalStore _bootstrap;
private CryptoService _cryptoService;
@@ -44,6 +45,7 @@
private AuthenticationService _authService;
private TicketGrantingService _tgsService;
+ private ErrorService _errorService;
public KdcDispatcher(KdcConfiguration config, BootstrapStore bootstrap, PrincipalStore store) {
_config = config;
@@ -51,48 +53,51 @@
_store = store;
_cryptoService = new CryptoService(_config);
+ _errorService = new ErrorService(_config);
_authService = new AuthenticationService(_store, _bootstrap, _cryptoService, _config);
_tgsService = new TicketGrantingService(_store, _bootstrap, _cryptoService, _config, _replay);
}
- public byte[] dispatch(byte[] requestBytes) throws IOException, KerberosException {
+ public byte[] dispatch(byte[] requestBytes) throws IOException {
ByteArrayInputStream input = new ByteArrayInputStream(requestBytes);
ByteArrayOutputStream output = new ByteArrayOutputStream();
- KdcRequest request = _decoder.decode(input);
-
- byte messageType = requestBytes[0];
-
- switch (messageType) {
-
- case AS_REQ:
- // generate the reply
- AuthenticationReply authReply = _authService.getReplyFor(request);
- // ASN1 encode the reply
- _encoder.encode(authReply, output);
-
- break;
+ try {
+ KdcRequest request = _decoder.decode(input);
+
+ byte messageType = requestBytes[0];
- case TGS_REQ:
- // generate the reply
- TicketGrantReply ticketReply = _tgsService.getReplyFor(request);
- // ASN1 encode the reply
- _encoder.encode(ticketReply, output);
+ switch (messageType) {
- break;
-
- case AS_REP:
- case TGS_REP:
- throw new IOException("We should not be receiving reply messages");
-
- default:
- System.out.println("Message received with tag " + messageType);
+ case AS_REQ:
+ // generate the reply
+ AuthenticationReply authReply = _authService.getReplyFor(request);
+ // ASN1 encode the reply
+ _encoder.encode(authReply, output);
+ break;
+
+ case TGS_REQ:
+ // generate the reply
+ TicketGrantReply ticketReply = _tgsService.getReplyFor(request);
+ // ASN1 encode the reply
+ _encoder.encode(ticketReply, output);
+ break;
+
+ case AS_REP:
+ case TGS_REP:
+ throw KerberosException.KRB_AP_ERR_BADDIRECTION;
+
+ default:
+ throw KerberosException.KRB_AP_ERR_MSG_TYPE;
+ }
+ } catch (KerberosException ke) {
+ System.out.println("Returning error message: " + ke.getMessage());
+ ErrorMessage errorMessage = _errorService.getReplyFor(ke);
+ _errorEncoder.encode(errorMessage, output);
}
- byte[] replyBytes = output.toByteArray();
-
- return replyBytes;
+ return output.toByteArray();
}
}
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java Mon Nov 1 19:04:33 2004
@@ -55,8 +55,6 @@
public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException {
- System.out.println("Got request for " + request.getServerPrincipal());
-
ApplicationRequest authHeader = getAuthHeader(request);
Ticket tgt = authHeader.getTicket();
@@ -76,22 +74,15 @@
TicketGrantReply reply = getReply(tgt, newTicket, sessionKey, request);
if (authenticator.getSubSessionKey() != null) {
- System.out.println("Using authenticator sub session key.");
EncryptionKey subKey = authenticator.getSubSessionKey();
encryptReplyPart(reply, subKey);
} else {
- System.out.println("Using session key.");
encryptReplyPart(reply, tgt.getSessionKey());
}
return reply;
}
- /*
- * Reading the application request requires first determining the server
- * for which a ticket was issued, and choosing the correct key for decryption.
- * The name of the server appears in the plaintext part of the ticket.
- */
private ApplicationRequest getAuthHeader(KdcRequest request) throws KerberosException, IOException {
if (request.getPaData()[0].getDataType() != PreAuthenticationDataType.PA_TGS_REQ)
@@ -125,7 +116,6 @@
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
} else {
- System.out.println("Going to look up client");
serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
}
}
@@ -194,17 +184,11 @@
return authenticator;
}
- /*
- * Note that the realm in which the Kerberos server is operating is determined by
- * the instance from the ticket-granting ticket. The realm in the ticket-granting
- * ticket is the realm under which the ticket granting ticket was issued. It is
- * possible for a single Kerberos server to support more than one realm.
- */
private void verifyTicket(ApplicationRequest authHeader, KdcRequest request)
throws KerberosException {
Ticket tgt = authHeader.getTicket();
- if (!tgt.getRealm().toString().equals(_config.getPrimaryRealm()) &&
+ if (!tgt.getRealm().equals(_config.getPrimaryRealm()) &&
!tgt.getServerPrincipal().equals(request.getServerPrincipal()))
throw KerberosException.KRB_AP_ERR_NOT_US;
}
@@ -251,16 +235,14 @@
// TODO - allow lookup with realm
try {
KerberosPrincipal serverPrincipal = request.getServerPrincipal();
- System.out.println(serverPrincipal.getName());
PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
} else {
- System.out.println("Going to look up client");
serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
}
- } catch (KerberosException ke) {
+ } catch (Exception e) {
/*
if (!server) then
if (is_foreign_tgt_name(server)) then