Posted to commits@directory.apache.org by pl...@apache.org on 2017/10/18 08:29:06 UTC
[8/9] directory-kerby git commit: DIRKRB-662 Cross realm tgs request
should skip checking client entry.
DIRKRB-662 Cross realm tgs request should skip checking client entry.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/8790af24
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/8790af24
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/8790af24
Branch: refs/heads/trunk
Commit: 8790af24f7f0ffc5a208e1f0140400ba89a0a36c
Parents: a5f14eb
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Oct 18 16:19:48 2017 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Wed Oct 18 16:28:36 2017 +0800
----------------------------------------------------------------------
.../kerb/client/request/TgsRequestWithTgt.java | 6 ++++++
.../kerberos/kerb/server/request/KdcRequest.java | 14 +++++++++-----
.../kerberos/kerb/server/request/TgsRequest.java | 13 +++++++++----
3 files changed, 24 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8790af24/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
index 41fb0c1..52c7d03 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
@@ -50,6 +50,9 @@ public class TgsRequestWithTgt extends TgsRequest {
setAllowedPreauth(PaDataType.TGS_REQ);
ticket = tgt;
clientPrincipal = tgt.getClientPrincipal();
+ if (clientPrincipal.getRealm() == null) {
+ clientPrincipal.setRealm(tgt.getRealm());
+ }
}
public TgsRequestWithTgt(KrbContext context, SgtTicket sgt) {
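Review bot: The fallback `clientPrincipal.setRealm(tgt.getRealm())` on the added lines fills a missing client realm from the ticket's own realm, which, if `getRealm()` here is the ticket (sname) realm rather than the crealm of the KDC-REP the ticket came from, is the issuing realm and not necessarily the client's; in a multi-hop cross-realm chain, and especially for the SgtTicket constructor in the next hunk where the ticket realm is the service's realm, that can tag the client with a realm it does not belong to. If the ticket object exposes the KDC-REP crealm, prefer it and use the ticket realm only as a last resort. If `getClientPrincipal()` returns the PrincipalName stored in the ticket, the `setRealm` also mutates the ticket in place; a copy would keep the ticket unchanged. The same three lines are duplicated in both constructors, so a small private helper would keep the rule in one place. The first constructor starts before this hunk.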
@@ -57,6 +60,9 @@ public class TgsRequestWithTgt extends TgsRequest {
setAllowedPreauth(PaDataType.TGS_REQ);
ticket = sgt;
clientPrincipal = sgt.getClientPrincipal();
+ if (clientPrincipal.getRealm() == null) {
+ clientPrincipal.setRealm(sgt.getRealm());
+ }
}
public PrincipalName getClientPrincipal() {
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8790af24/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 168862f..56e8c62 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -588,10 +588,14 @@ public abstract class KdcRequest {
return tgsEntry;
}
- public boolean checkCrossRealm(String remoteRealm) {
- isCrossRealm = !(kdcContext.getKdcRealm().equals(remoteRealm));
- this.remoteRealm = remoteRealm;
- return isCrossRealm;
+ public boolean checkCrossRealm(String remoteRealm) throws KrbException {
+ if (remoteRealm != null && kdcContext.getKdcRealm() != null) {
+ isCrossRealm = !(kdcContext.getKdcRealm().equals(remoteRealm));
+ this.remoteRealm = remoteRealm;
+ return isCrossRealm;
+ } else {
+ throw new KrbException("Missing the realm.");
+ }
}
public boolean isCrossRealm() {
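Review bot: The added guard in `checkCrossRealm` folds two different failures into the one `KrbException("Missing the realm.")`: a request that carries no realm, which is a client-side protocol error, and a KDC whose own realm is unconfigured, which is a server misconfiguration that should surface once at startup rather than per request. Separating them, e.g. `if (remoteRealm == null) { throw new KrbException("Missing realm in request."); }` followed by `String kdcRealm = Objects.requireNonNull(kdcContext.getKdcRealm(), "KDC realm is not configured");` (needs `java.util.Objects`), tells an operator which side is wrong and lets the request path return a Kerberos error code to the peer the way the revoked-client path in the next hunk does with `KrbErrorCode`. A Javadoc line would also help: the method records `remoteRealm` and `isCrossRealm` as side effects, and the `equals` comparison is case-sensitive, which matches realm semantics but is worth stating.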
@@ -647,7 +651,7 @@ public abstract class KdcRequest {
throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
}
} else {
- LOG.info("Client entry is empty.");
+ LOG.info("Client entry is empty, token preauth or cross realm.");
}
}
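Review bot: The reworded INFO message still does not say which of the two expected cases the request took, and it is also the line any other request arriving without a client entry would produce, since the enclosing method (which starts before this hunk) has nothing to check against on this path. If the client principal and the cross-realm flag are reachable here, logging them makes the event auditable, e.g. `LOG.info("Client entry is empty for {} (crossRealm={}); skipping client checks.", clientName, isCrossRealm())` assuming LOG is a parameterized logger; otherwise split the message so token-preauth and cross-realm each log their own reason. An empty client entry means the revoked/disabled checks just above are skipped, so the log line is the only trace of that decision.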
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8790af24/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 98e1176..e1e3dd2 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -186,10 +186,15 @@ public class TgsRequest extends KdcRequest {
PrincipalName serverPrincipal = tgtTicket.getSname();
serverPrincipal.setRealm(tgtTicket.getRealm());
- PrincipalName clientPrincipal = authenticator.getCname();
- clientPrincipal.setRealm(authenticator.getCrealm());
- KrbIdentity clientEntry = getEntry(clientPrincipal.getName());
- setClientEntry(clientEntry);
+
+ /* The client principal does not exist in backend when it's a cross realm request */
+ if (authenticator.getCrealm() != null
+ && authenticator.getCrealm().equals(getKdcContext().getKdcRealm())) {
+ PrincipalName clientPrincipal = authenticator.getCname();
+ clientPrincipal.setRealm(authenticator.getCrealm());
+ KrbIdentity clientEntry = getEntry(clientPrincipal.getName());
+ setClientEntry(clientEntry);
+ }
if (!authenticator.getCtime().isInClockSkew(
getKdcContext().getConfig().getAllowableClockSkew() * 1000)) {
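Review bot: The new branch decides that a request is cross-realm, and therefore skips the client-entry lookup and every check that depends on it (the revoked-client check in KdcRequest among them), from `authenticator.getCrealm()` alone. The authenticator is built by the requester and encrypted under the TGT session key the requester already holds, so it does not establish which realm the client belongs to; the authoritative value is the crealm inside the decrypted TGT, which is protected by the KDC's key. I would decide from the ticket, e.g. `String tgtCrealm = tgtTicket.getEncPart().getCrealm();` (if that is the accessor this codebase uses) and `if (tgtCrealm.equals(getKdcContext().getKdcRealm())) { ... }`, and reject the request when the authenticator's cname/crealm do not match the ticket's, as RFC 4120 expects of the TGS. A null `getCrealm()` should likewise be treated as a malformed authenticator rather than falling through to the skip path, which the current condition does silently. The enclosing method continues past the end of the hunk.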