Posted to commits@directory.apache.org by er...@apache.org on 2005/08/30 20:56:12 UTC
svn commit: r264826 -
/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/
Author: erodriguez
Date: Tue Aug 30 11:56:01 2005
New Revision: 264826
URL: http://svn.apache.org/viewcvs?rev=264826&view=rev
Log:
Kerberos Ticket Granting Service (TGS) as chain.
Added:
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java (with props)
directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java (with props)
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.TicketGrantReply;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.LastRequest;
+import org.apache.kerberos.messages.value.TicketFlags;
+
+public class BuildReply extends CommandBase
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+ KdcRequest request = tgsContext.getRequest();
+ Ticket tgt = tgsContext.getTgt();
+ Ticket newTicket = tgsContext.getNewTicket();
+ EncryptionKey sessionKey = tgsContext.getSessionKey();
+
+ TicketGrantReply reply = new TicketGrantReply();
+ reply.setClientPrincipal( tgt.getClientPrincipal() );
+ reply.setTicket( newTicket );
+ reply.setKey( sessionKey );
+ reply.setNonce( request.getNonce() );
+ // TODO - resp.last-req := fetch_last_request_info(client); requires store
+ reply.setLastRequest( new LastRequest() );
+ reply.setFlags( newTicket.getFlags() );
+ reply.setClientAddresses( newTicket.getClientAddresses() );
+ reply.setAuthTime( newTicket.getAuthTime() );
+ reply.setStartTime( newTicket.getStartTime() );
+ reply.setEndTime( newTicket.getEndTime() );
+ reply.setServerPrincipal( newTicket.getServerPrincipal() );
+
+ if ( newTicket.getFlag( TicketFlags.RENEWABLE ) )
+ {
+ reply.setRenewTill( newTicket.getRenewTill() );
+ }
+
+ tgsContext.setReply( reply );
+
+ return CONTINUE_CHAIN;
+ }
+}
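Review bot: BuildReply.execute dereferences `tgt`, `newTicket` and `sessionKey` without any null check, so it silently depends on GetAuthHeader and GenerateTicket having run earlier in the chain, and nothing in the class states that ordering contract. A class-level comment would make it explicit: `/** Assembles the TGS-REP from the context. Must run after GetAuthHeader and GenerateTicket: the TGT, the new ticket and the session key are read without null checks. */`. The `new LastRequest()` placeholder is already marked TODO; the same comment could note that the reply's last-req stays empty until a principal store is wired in, so nobody reads an empty last-req as a bug elsewhere.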
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.replay.InMemoryReplayCache;
+import org.apache.kerberos.replay.ReplayCache;
+
+public class ConfigureTicketGrantingChain extends CommandBase
+{
+ private static final ReplayCache replayCache = new InMemoryReplayCache();
+
+ public boolean execute( Context context ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+ tgsContext.setReplayCache( replayCache );
+
+ return CONTINUE_CHAIN;
+ }
+}
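Review bot: `replayCache` is a process-wide `static final` constant but carries a field-style name and no comment, so a reader cannot tell whether sharing one cache across every TicketGrantingContext is intended. It is the right shape for replay detection (a per-request cache would catch nothing), so say so and name it as a constant: `/** Process-wide replay cache shared by all TGS requests; replay detection only works if every request consults the same cache. */` and `private static final ReplayCache REPLAY_CACHE = new InMemoryReplayCache();`. Whether InMemoryReplayCache bounds its size or expires entries is not visible here and is worth confirming, since an unbounded cache fed by not-yet-authenticated requests is a resource concern.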
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,410 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.RandomKey;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.decoder.AuthorizationDataDecoder;
+import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.EncTicketPart;
+import org.apache.kerberos.messages.components.EncTicketPartModifier;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.AuthorizationData;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.KdcOptions;
+import org.apache.kerberos.messages.value.KerberosTime;
+import org.apache.kerberos.messages.value.TicketFlags;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class GenerateTicket extends CommandBase
+{
+ /** the log for this class */
+ private static final Logger log = LoggerFactory.getLogger( GenerateTicket.class );
+
+ public boolean execute( Context context ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+ KdcRequest request = tgsContext.getRequest();
+ Ticket tgt = tgsContext.getTgt();
+ Authenticator authenticator = tgsContext.getAuthenticator();
+
+ KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
+ EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getEncryptionKey();
+ KdcConfiguration config = tgsContext.getConfig();
+
+ // TODO - quite possibly its own chain command
+ EncryptionKey sessionKey = new RandomKey().getNewSessionKey();
+ tgsContext.setSessionKey( sessionKey );
+
+ EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+
+ newTicketBody.setClientAddresses( tgt.getClientAddresses() );
+
+ processFlags( config, request, tgt, newTicketBody );
+
+ newTicketBody.setSessionKey( sessionKey );
+ newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
+
+ AuthorizationData authData = processAuthorizationData( request, authenticator, tgt );
+ newTicketBody.setAuthorizationData( authData );
+
+ processTransited( newTicketBody, tgt );
+
+ processTimes( config, request, newTicketBody, tgt );
+
+ EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+
+ EncryptedData encryptedData = encryptTicketPart( ticketPart, serverKey, request );
+
+ Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
+ newTicket.setEncTicketPart( ticketPart );
+
+ tgsContext.setNewTicket( newTicket );
+
+ return CONTINUE_CHAIN;
+ }
+
+ private void processFlags( KdcConfiguration config, KdcRequest request, Ticket tgt,
+ EncTicketPartModifier newTicketBody ) throws KerberosException
+ {
+ if ( request.getOption( KdcOptions.FORWARDABLE ) )
+ {
+ if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+
+ newTicketBody.setFlag( TicketFlags.FORWARDABLE );
+ }
+
+ if ( request.getOption( KdcOptions.FORWARDED ) )
+ {
+ if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+ newTicketBody.setFlag( TicketFlags.FORWARDED );
+ newTicketBody.setClientAddresses( request.getAddresses() );
+ // reply.setClientAddresses(request.getClientAddresses()); moved to getReply
+ }
+
+ if ( tgt.getFlag( TicketFlags.FORWARDED ) )
+ {
+ newTicketBody.setFlag( TicketFlags.FORWARDED );
+ }
+
+ if ( request.getOption( KdcOptions.PROXIABLE ) )
+ {
+ if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+
+ newTicketBody.setFlag( TicketFlags.PROXIABLE );
+ }
+
+ if ( request.getOption( KdcOptions.PROXY ) )
+ {
+ if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+
+ newTicketBody.setFlag( TicketFlags.PROXY );
+ newTicketBody.setClientAddresses( request.getAddresses() );
+ // reply.setClientAddresses(request.getClientAddresses()); moved to getReply
+ }
+
+ if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
+ {
+ if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+
+ newTicketBody.setFlag( TicketFlags.MAY_POSTDATE );
+ }
+
+ if ( request.getOption( KdcOptions.POSTDATED ) )
+ {
+ if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+
+ newTicketBody.setFlag( TicketFlags.POSTDATED );
+ newTicketBody.setFlag( TicketFlags.INVALID );
+
+ if ( !config.isPostdateAllowed() )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
+ newTicketBody.setStartTime( request.getFrom() );
+ }
+
+ if ( request.getOption( KdcOptions.VALIDATE ) )
+ {
+ if ( !tgt.getFlag( TicketFlags.INVALID ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+ }
+
+ if ( tgt.getStartTime().greaterThan( new KerberosTime() ) )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
+ }
+
+ /*
+ if (check_hot_list(tgt)) then
+ error_out(KRB_AP_ERR_REPEAT);
+ endif
+ */
+
+ echoTicket( newTicketBody, tgt );
+ newTicketBody.clearFlag( TicketFlags.INVALID );
+ }
+
+ if ( request.getOption( KdcOptions.RESERVED ) || request.getOption( KdcOptions.RENEWABLE_OK ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+ }
+
+ private void processTimes( KdcConfiguration config, KdcRequest request, EncTicketPartModifier newTicketBody,
+ Ticket tgt ) throws KerberosException
+ {
+ KerberosTime now = new KerberosTime();
+
+ newTicketBody.setAuthTime( tgt.getAuthTime() );
+
+ KerberosTime renewalTime = null;
+
+ if ( request.getOption( KdcOptions.RENEW ) )
+ {
+ if ( !tgt.getFlag( TicketFlags.RENEWABLE ) )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+ }
+
+ if ( tgt.getRenewTill().greaterThan( now ) )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
+ }
+
+ echoTicket( newTicketBody, tgt );
+
+ newTicketBody.setStartTime( now );
+ long oldLife = tgt.getEndTime().getTime() - tgt.getStartTime().getTime();
+ newTicketBody.setEndTime( new KerberosTime( Math
+ .min( tgt.getRenewTill().getTime(), now.getTime() + oldLife ) ) );
+ }
+ else
+ {
+ newTicketBody.setStartTime( now );
+ KerberosTime till;
+ if ( request.getTill().isZero() )
+ {
+ till = KerberosTime.INFINITY;
+ }
+ else
+ {
+ till = request.getTill();
+ }
+
+ // TODO - config; requires store
+ /*
+ new_tkt.starttime+client.max_life,
+ new_tkt.starttime+server.max_life,
+ */
+ List minimizer = new ArrayList();
+ minimizer.add( till );
+ minimizer.add( new KerberosTime( now.getTime() + config.getMaximumTicketLifetime() ) );
+ minimizer.add( tgt.getEndTime() );
+ KerberosTime minTime = (KerberosTime) Collections.min( minimizer );
+ newTicketBody.setEndTime( minTime );
+
+ if ( request.getOption( KdcOptions.RENEWABLE_OK ) && minTime.lessThan( request.getTill() )
+ && tgt.getFlag( TicketFlags.RENEWABLE ) )
+ {
+ // we set the RENEWABLE option for later processing
+ request.setOption( KdcOptions.RENEWABLE );
+ long rtime = Math.min( request.getTill().getTime(), tgt.getRenewTill().getTime() );
+ renewalTime = new KerberosTime( rtime );
+ }
+ }
+
+ if ( renewalTime == null )
+ {
+ renewalTime = request.getRtime();
+ }
+
+ KerberosTime rtime;
+ if ( renewalTime != null && renewalTime.isZero() )
+ {
+ rtime = KerberosTime.INFINITY;
+ }
+ else
+ {
+ rtime = renewalTime;
+ }
+
+ if ( request.getOption( KdcOptions.RENEWABLE ) && tgt.getFlag( TicketFlags.RENEWABLE ) )
+ {
+ newTicketBody.setFlag( TicketFlags.RENEWABLE );
+
+ /*
+ new_tkt.starttime+client.max_rlife,
+ new_tkt.starttime+server.max_rlife,
+ */
+ // TODO - client and server configurable; requires store
+ List minimizer = new ArrayList();
+
+ /*
+ * 'rtime' KerberosTime is OPTIONAL
+ */
+ if ( rtime != null )
+ {
+ minimizer.add( rtime );
+ }
+
+ minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime() ) );
+ minimizer.add( tgt.getRenewTill() );
+ newTicketBody.setRenewTill( (KerberosTime) Collections.min( minimizer ) );
+ }
+ }
+
+ private AuthorizationData processAuthorizationData( KdcRequest request, Authenticator authHeader, Ticket tgt )
+ throws KerberosException
+ {
+ AuthorizationData authData = null;
+
+ if ( request.getEncAuthorizationData() != null )
+ {
+ try
+ {
+ EncryptionEngine engine = EncryptionEngineFactory
+ .getEncryptionEngineFor( authHeader.getSubSessionKey() );
+
+ byte[] decryptedAuthData = engine.getDecryptedData( authHeader.getSubSessionKey(), request
+ .getEncAuthorizationData() );
+ AuthorizationDataDecoder decoder = new AuthorizationDataDecoder();
+ authData = decoder.decode( decryptedAuthData );
+ }
+ catch ( KerberosException e )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+ }
+ catch ( IOException ioe )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+ }
+
+ AuthorizationData ticketData = tgt.getAuthorizationData();
+ authData.add( ticketData );
+ }
+
+ return authData;
+ }
+
+ /*
+ if (realm_tgt_is_for(tgt) := tgt.realm) then
+ // tgt issued by local realm
+ new_tkt.transited := tgt.transited;
+ else
+ // was issued for this realm by some other realm
+ if (tgt.transited.tr-type not supported) then
+ error_out(KDC_ERR_TRTYPE_NOSUPP);
+ endif
+ new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
+ endif
+ */
+ private void processTransited( EncTicketPartModifier newTicketBody, Ticket tgt )
+ {
+ // TODO - currently no transited support other than local
+ newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+ }
+
+ protected void echoTicket( EncTicketPartModifier newTicketBody, Ticket tgt )
+ {
+ newTicketBody.setAuthorizationData( tgt.getAuthorizationData() );
+ newTicketBody.setAuthTime( tgt.getAuthTime() );
+ newTicketBody.setClientAddresses( tgt.getClientAddresses() );
+ newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
+ newTicketBody.setEndTime( tgt.getEndTime() );
+ newTicketBody.setFlags( tgt.getFlags() );
+ newTicketBody.setRenewTill( tgt.getRenewTill() );
+ newTicketBody.setSessionKey( tgt.getSessionKey() );
+ newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+ }
+
+ private EncryptedData encryptTicketPart( EncTicketPart newTicketBody, EncryptionKey serverKey, KdcRequest request )
+ throws KerberosException
+ {
+ byte[] encodedTicket = null;
+
+ EncTicketPartEncoder encoder = new EncTicketPartEncoder();
+ try
+ {
+ encodedTicket = encoder.encode( newTicketBody );
+ }
+ catch ( IOException ioe )
+ {
+ log.error( "failed while encoding new ticket body", ioe );
+ }
+
+ if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
+ {
+ /*
+ if (server not specified) then
+ server = req.second_ticket.client;
+ endif
+ if ((req.second_ticket is not a TGT) or
+ (req.second_ticket.client != server)) then
+ error_out(KDC_ERR_POLICY);
+ endif
+ new_tkt.enc-part := encrypt OCTET STRING
+ using etype_for_key(second-ticket.key), second-ticket.key;
+ */
+ }
+ else
+ {
+ // encrypt with serverKey
+ }
+
+ EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( serverKey );
+
+ return engine.getEncryptedData( serverKey, encodedTicket );
+ }
+}
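Review bot: The renewal check in processTimes looks inverted: `if ( tgt.getRenewTill().greaterThan( now ) )` throws KRB_AP_ERR_TKT_EXPIRED exactly when the TGT is still within its renew-till and lets one whose renew-till has passed through, whereas RFC 4120 §3.3.3 errors when renew-till is before the KDC time; unless KerberosTime.greaterThan has reversed semantics this should read `if ( tgt.getRenewTill().lessThan( now ) )`. processAuthorizationData returns null when the request carries no enc-authorization-data, so the TGT's own authorization data is not carried into the new ticket (RFC 4120 always appends tgt.authorization_data), which lets a client shed restrictions simply by omitting that field; adding `else { authData = tgt.getAuthorizationData(); }` after the `if` closes that gap, and `authData.add( ticketData )` also needs a null check if the decoder can return null. encryptTicketPart logs the encoder IOException and then passes a null `encodedTicket` to `engine.getEncryptedData`, and its ENC_TKT_IN_SKEY branch is empty so a user-to-user request is silently encrypted under the server key instead; both should fail closed, e.g. rethrow the IOException wrapped in a KerberosException and `throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );` in the ENC_TKT_IN_SKEY branch until it is implemented. Separately, processFlags rejects RENEWABLE_OK with KDC_ERR_BADOPTION, which makes the RENEWABLE_OK handling in processTimes unreachable, so one of the two must go.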
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,74 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import java.io.IOException;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.decoder.ApplicationRequestDecoder;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.PreAuthenticationData;
+import org.apache.kerberos.messages.value.PreAuthenticationDataType;
+
+/*
+ * differs from the changepw getAuthHeader by verifying the presence of TGS_REQ
+ */
+public class GetAuthHeader extends CommandBase
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+ KdcRequest request = tgsContext.getRequest();
+
+ ApplicationRequest authHeader = getAuthHeader( request );
+ Ticket tgt = authHeader.getTicket();
+
+ tgsContext.setAuthHeader( authHeader );
+ tgsContext.setTgt( tgt );
+
+ return CONTINUE_CHAIN;
+ }
+
+ protected ApplicationRequest getAuthHeader( KdcRequest request ) throws KerberosException, IOException
+ {
+ byte[] undecodedAuthHeader = null;
+ PreAuthenticationData[] preAuthData = request.getPreAuthData();
+
+ for ( int ii = 0; ii < preAuthData.length; ii++ )
+ {
+ if ( preAuthData[ ii ].getDataType() == PreAuthenticationDataType.PA_TGS_REQ )
+ {
+ undecodedAuthHeader = preAuthData[ ii ].getDataValue();
+ }
+ }
+
+ if ( undecodedAuthHeader == null )
+ {
+ throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
+ }
+
+ ApplicationRequestDecoder decoder = new ApplicationRequestDecoder();
+ ApplicationRequest authHeader = decoder.decode( undecodedAuthHeader );
+
+ return authHeader;
+ }
+}
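Review bot: getAuthHeader reads `preAuthData.length` without a null check, so a TGS-REQ that carries no padata at all (padata is OPTIONAL in KDC-REQ) would surface as a NullPointerException rather than the KDC_ERR_PADATA_TYPE_NOSUPP the method otherwise returns, assuming `getPreAuthData()` returns null rather than an empty array in that case. A guard before the loop, `if ( preAuthData == null ) { throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP ); }`, keeps the failure explicit and the error path uniform for the chain's exception handler. The loop also keeps the last PA-TGS-REQ when several are present; if only one is expected, a `break` after the assignment, or an error on duplicates, would make that choice deliberate rather than accidental.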
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.service.GetPrincipalStoreEntry;
+import org.apache.kerberos.store.PrincipalStore;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class GetRequestPrincipalEntry extends GetPrincipalStoreEntry
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+ KerberosPrincipal principal = tgsContext.getRequest().getServerPrincipal();
+ PrincipalStore store = tgsContext.getStore();
+
+ PrincipalStoreEntry entry = getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
+ tgsContext.setRequestPrincipalEntry( entry );
+
+ return CONTINUE_CHAIN;
+ }
+}
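Review bot: GetRequestPrincipalEntry and GetTicketPrincipalEntry (the next file) are identical apart from which principal is looked up and which setter receives the entry, and neither says what "request principal" and "ticket principal" mean, so the two are easy to swap in a later edit. A class comment on each would pin it down: here `/** Looks up the store entry for the service principal named in the TGS-REQ body, i.e. the service the new ticket will be issued for. */`, and on GetTicketPrincipalEntry `/** Looks up the store entry for the TGT's own server principal (the ticket-granting service), presumably the key used later to decrypt the TGT. */`. Both report a missing entry as KDC_ERR_S_PRINCIPAL_UNKNOWN, which fits the request principal; for the TGT's server principal a missing entry means the KDC cannot find its own service key, which may deserve a distinct log line so it is not mistaken for a client error.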
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.service.GetPrincipalStoreEntry;
+import org.apache.kerberos.store.PrincipalStore;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class GetTicketPrincipalEntry extends GetPrincipalStoreEntry
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+ KerberosPrincipal principal = tgsContext.getTgt().getServerPrincipal();
+ PrincipalStore store = tgsContext.getStore();
+
+ PrincipalStoreEntry entry = getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
+ tgsContext.setTicketPrincipalEntry( entry );
+
+ return CONTINUE_CHAIN;
+ }
+}
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.store.PrincipalStore;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class MonitorContext extends CommandBase
+{
+ /** the log for this class */
+ private static final Logger log = LoggerFactory.getLogger( MonitorContext.class );
+
+ public boolean execute( Context context ) throws Exception
+ {
+ if ( log.isDebugEnabled() )
+ {
+ try
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+ PrincipalStore store = tgsContext.getStore();
+ ApplicationRequest authHeader = tgsContext.getAuthHeader();
+ Ticket tgt = tgsContext.getTgt();
+ long clockSkew = tgsContext.getConfig().getClockSkew();
+ ReplayCache replayCache = tgsContext.getReplayCache();
+
+ StringBuffer sb = new StringBuffer();
+
+ sb.append( "\n\t" + "store " + store );
+ sb.append( "\n\t" + "authHeader " + authHeader );
+ sb.append( "\n\t" + "tgt " + tgt );
+ sb.append( "\n\t" + "replayCache " + replayCache );
+ sb.append( "\n\t" + "clock skew " + clockSkew );
+
+ KerberosPrincipal requestServerPrincipal = tgsContext.getRequest().getServerPrincipal();
+ PrincipalStoreEntry requestPrincipal = tgsContext.getRequestPrincipalEntry();
+
+ sb.append( "\n\t" + "principal " + requestServerPrincipal );
+ sb.append( "\n\t" + "cn " + requestPrincipal.getCommonName() );
+ sb.append( "\n\t" + "realm " + requestPrincipal.getRealmName() );
+ sb.append( "\n\t" + "principal " + requestPrincipal.getPrincipal() );
+ sb.append( "\n\t" + "SAM type " + requestPrincipal.getSamType() );
+ sb.append( "\n\t" + "Key type " + requestPrincipal.getEncryptionKey().getKeyType() );
+ sb.append( "\n\t" + "Key version " + requestPrincipal.getEncryptionKey().getKeyVersion() );
+
+ KerberosPrincipal ticketServerPrincipal = tgsContext.getTgt().getServerPrincipal();
+ PrincipalStoreEntry ticketPrincipal = tgsContext.getTicketPrincipalEntry();
+
+ sb.append( "\n\t" + "principal " + ticketServerPrincipal );
+ sb.append( "\n\t" + "cn " + ticketPrincipal.getCommonName() );
+ sb.append( "\n\t" + "realm " + ticketPrincipal.getRealmName() );
+ sb.append( "\n\t" + "principal " + ticketPrincipal.getPrincipal() );
+ sb.append( "\n\t" + "SAM type " + ticketPrincipal.getSamType() );
+ sb.append( "\n\t" + "Key type " + ticketPrincipal.getEncryptionKey().getKeyType() );
+ sb.append( "\n\t" + "Key version " + ticketPrincipal.getEncryptionKey().getKeyVersion() );
+
+ log.debug( sb.toString() );
+ }
+ catch ( Exception e )
+ {
+ // This is a monitor. No exceptions should bubble up.
+ log.error( "Error in context monitor", e );
+ }
+ }
+
+ return CONTINUE_CHAIN;
+ }
+}
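Review bot: The debug dump writes `authHeader` and `tgt` through their `toString()` methods, and what those render is outside this hunk; if `Ticket.toString()` includes the decrypted EncTicketPart (session key, client name) or `ApplicationRequest.toString()` includes the authenticator, this line puts key material into the KDC's debug log. I would either confirm those `toString()` implementations omit key fields or replace the two appends with explicit non-sensitive fields, e.g. `sb.append( "\n\t" + "tgt server " + tgt.getServerPrincipal() );`. The rest of the dump is metadata only (key type and version, not key bytes), which is fine. Also consider `log.warn` rather than `log.error` in the catch, since a failed debug dump does not affect the request.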
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
+import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder;
+import org.apache.kerberos.messages.TicketGrantReply;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SealReply extends CommandBase
+{
+ /** the log for this class */
+ private static final Logger log = LoggerFactory.getLogger( SealReply.class );
+
+ public boolean execute( Context ctx ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) ctx;
+ TicketGrantReply reply = (TicketGrantReply) tgsContext.getReply();
+ Ticket tgt = tgsContext.getTgt();
+
+ Authenticator authenticator = tgsContext.getAuthenticator();
+
+ if ( authenticator.getSubSessionKey() != null )
+ {
+ encryptReplyPart( reply, authenticator.getSubSessionKey() );
+ }
+ else
+ {
+ encryptReplyPart( reply, tgt.getSessionKey() );
+ }
+
+ return CONTINUE_CHAIN;
+ }
+
+ private void encryptReplyPart( TicketGrantReply reply, EncryptionKey key )
+ {
+ EncTgsRepPartEncoder encoder = new EncTgsRepPartEncoder();
+ try
+ {
+ byte[] plainText = encoder.encode( reply );
+ EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( key );
+
+ EncryptedData cipherText = engine.getEncryptedData( key, plainText );
+
+ reply.setEncPart( cipherText );
+
+ }
+ catch ( Exception e )
+ {
+ log.error( "Failed to encrypt the reply part", e );
+ }
+ }
+}
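Review bot: `encryptReplyPart` swallows every failure: if encoding or encryption throws, `reply.setEncPart` is never called, yet `execute` still returns `CONTINUE_CHAIN`, so the TGS-REP proceeds with no encrypted part and the client never receives a KRB-ERROR. Since `execute` already declares `throws Exception` and the chain has `TicketGrantingExceptionHandler` to turn exceptions into error replies, the catch should rethrow instead of logging, e.g. `throw new KerberosException( ErrorType.KRB_ERR_GENERIC );` with `encryptReplyPart` declared `throws KerberosException` (constant name assumed from RFC 4120 error 60; confirm it exists in `ErrorType`, and add the `org.apache.kerberos.exceptions` imports). The key selection itself (authenticator sub-session key if present, otherwise the TGT session key) matches RFC 4120 §3.3.3.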
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,166 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.kdc.KdcContext;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class TicketGrantingContext extends KdcContext
+{
+ private ApplicationRequest authHeader;
+ private Ticket tgt;
+ private Ticket newTicket;
+ private EncryptionKey sessionKey;
+ private Authenticator authenticator;
+ private ReplayCache replayCache;
+
+ private PrincipalStoreEntry ticketPrincipalEntry;
+ private PrincipalStoreEntry requestPrincipalEntry;
+
+ /**
+ * @return Returns the requestPrincipalEntry.
+ */
+ public PrincipalStoreEntry getRequestPrincipalEntry()
+ {
+ return requestPrincipalEntry;
+ }
+
+ /**
+ * @param requestPrincipalEntry The requestPrincipalEntry to set.
+ */
+ public void setRequestPrincipalEntry( PrincipalStoreEntry requestPrincipalEntry )
+ {
+ this.requestPrincipalEntry = requestPrincipalEntry;
+ }
+
+ /**
+ * @return Returns the ticketPrincipalEntry.
+ */
+ public PrincipalStoreEntry getTicketPrincipalEntry()
+ {
+ return ticketPrincipalEntry;
+ }
+
+ /**
+ * @param ticketPrincipalEntry The ticketPrincipalEntry to set.
+ */
+ public void setTicketPrincipalEntry( PrincipalStoreEntry ticketPrincipalEntry )
+ {
+ this.ticketPrincipalEntry = ticketPrincipalEntry;
+ }
+
+ /**
+ * @return Returns the replayCache.
+ */
+ public ReplayCache getReplayCache()
+ {
+ return replayCache;
+ }
+
+ /**
+ * @param replayCache The replayCache to set.
+ */
+ public void setReplayCache( ReplayCache replayCache )
+ {
+ this.replayCache = replayCache;
+ }
+
+ /**
+ * @return Returns the authenticator.
+ */
+ public Authenticator getAuthenticator()
+ {
+ return authenticator;
+ }
+
+ /**
+ * @param authenticator The authenticator to set.
+ */
+ public void setAuthenticator( Authenticator authenticator )
+ {
+ this.authenticator = authenticator;
+ }
+
+ /**
+ * @return Returns the newTicket.
+ */
+ public Ticket getNewTicket()
+ {
+ return newTicket;
+ }
+
+ /**
+ * @param newTicket The newTicket to set.
+ */
+ public void setNewTicket( Ticket newTicket )
+ {
+ this.newTicket = newTicket;
+ }
+
+ /**
+ * @return Returns the sessionKey.
+ */
+ public EncryptionKey getSessionKey()
+ {
+ return sessionKey;
+ }
+
+ /**
+ * @param sessionKey The sessionKey to set.
+ */
+ public void setSessionKey( EncryptionKey sessionKey )
+ {
+ this.sessionKey = sessionKey;
+ }
+
+ /**
+ * @return Returns the tgt.
+ */
+ public Ticket getTgt()
+ {
+ return tgt;
+ }
+
+ /**
+ * @param tgt The tgt to set.
+ */
+ public void setTgt( Ticket tgt )
+ {
+ this.tgt = tgt;
+ }
+
+ /**
+ * @return Returns the authHeader.
+ */
+ public ApplicationRequest getAuthHeader()
+ {
+ return authHeader;
+ }
+
+ /**
+ * @param authHeader The authHeader to set.
+ */
+ public void setAuthHeader( ApplicationRequest authHeader )
+ {
+ this.authHeader = authHeader;
+ }
+}
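Review bot: The class has no Javadoc, and since it carries the TGT, its session key, the client's sub-session key (via the authenticator) and both principal-store entries with their long-term keys, the lifetime and trust status of those fields deserves a sentence. Suggested header: `/** Mutable per-request state for the KRB_TGS_REQ chain. Fields are populated by earlier commands and read by later ones; the TGT, authenticator and principal entries hold key material and must not be logged or retained past the request. */`. A per-field note distinguishing "taken from the request before verification" (authHeader, tgt) from "established by verification" (authenticator, principal entries) would help readers of the commands that consume them.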
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.messages.ErrorMessage;
+import org.apache.kerberos.service.ErrorMessageHandler;
+
+public class TicketGrantingExceptionHandler extends ErrorMessageHandler
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ return CONTINUE_CHAIN;
+ }
+
+ public boolean postprocess( Context context, Exception exception )
+ {
+ if ( exception == null )
+ {
+ return CONTINUE_CHAIN;
+ }
+
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+ KdcConfiguration config = tgsContext.getConfig();
+ KerberosException ke = (KerberosException) exception;
+
+ ErrorMessage errorMessage = getErrorMessage( config.getKdcPrincipal(), ke );
+
+ tgsContext.setReply( errorMessage );
+
+ return STOP_CHAIN;
+ }
+}
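Review bot: The unconditional cast `KerberosException ke = (KerberosException) exception;` means any non-Kerberos exception from the chain (an NPE, an `IOException` from an encoder, a `ClassCastException`) turns into a `ClassCastException` inside the exception handler itself, so no KRB-ERROR reply is built and the failure escapes with a misleading stack. Branch on `instanceof` and map everything else to a generic error; the constant name below follows RFC 4120 error 60 and needs confirming against `ErrorType`, plus an `org.apache.kerberos.exceptions.ErrorType` import. Logging the original exception in that branch would also be useful since its detail must not go to the client.
```java
    TicketGrantingContext tgsContext = (TicketGrantingContext) context;
    KdcConfiguration config = tgsContext.getConfig();

    KerberosException ke;

    if ( exception instanceof KerberosException )
    {
        ke = (KerberosException) exception;
    }
    else
    {
        // Anything else must still produce a KRB-ERROR rather than escaping from the handler.
        ke = new KerberosException( ErrorType.KRB_ERR_GENERIC );
    }

    // … unchanged: getErrorMessage / setReply / STOP_CHAIN …
```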
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.impl.ChainBase;
+import org.apache.kerberos.kdc.MonitorReply;
+import org.apache.kerberos.kdc.MonitorRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * KRB_TGS_REQ verification and KRB_TGS_REP generation
+ */
+public class TicketGrantingServiceChain extends ChainBase
+{
+ /** the log for this class */
+ private static final Logger log = LoggerFactory.getLogger( TicketGrantingServiceChain.class );
+
+ public TicketGrantingServiceChain()
+ {
+ super();
+ addCommand( new TicketGrantingExceptionHandler() );
+
+ if ( log.isDebugEnabled() )
+ {
+ addCommand( new MonitorRequest() );
+ }
+
+ addCommand( new ConfigureTicketGrantingChain() );
+ addCommand( new GetAuthHeader() );
+ addCommand( new VerifyTgt() );
+ addCommand( new GetTicketPrincipalEntry() );
+ addCommand( new VerifyTgtAuthHeader() );
+ addCommand( new GetRequestPrincipalEntry() );
+ addCommand( new GenerateTicket() );
+ addCommand( new BuildReply() );
+
+ if ( log.isDebugEnabled() )
+ {
+ addCommand( new MonitorContext() );
+ }
+
+ if ( log.isDebugEnabled() )
+ {
+ addCommand( new MonitorReply() );
+ }
+
+ addCommand( new SealReply() );
+ }
+}
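Review bot: `VerifyBodyChecksum` is added by this commit but never added to the chain, so the authenticator checksum over the KDC-REQ-BODY (RFC 4120 §3.3.2) is not verified and the request body is not bound to the AP-REQ that authenticates it. Unless `ConfigureTicketGrantingChain` (outside this hunk) wires it, insert `addCommand( new VerifyBodyChecksum() );` immediately after `addCommand( new VerifyTgtAuthHeader() );`, since it reads `tgsContext.getAuthenticator()`, which `VerifyTgtAuthHeader` sets. Separately, `log.isDebugEnabled()` is evaluated once in the constructor, so the monitor commands are fixed at construction time rather than following the logger's level at request time; a comment stating that this is intended would avoid surprises.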
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,85 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import java.io.IOException;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.checksum.ChecksumEngine;
+import org.apache.kerberos.crypto.checksum.RsaMd5Checksum;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.encoder.KdcReqBodyEncoder;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.value.Checksum;
+
+public class VerifyBodyChecksum extends CommandBase
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+ KdcRequest request = tgsContext.getRequest();
+ Checksum checksum = tgsContext.getAuthenticator().getChecksum();
+
+ verifyBodyChecksum( checksum, request );
+
+ return CONTINUE_CHAIN;
+ }
+
+ private void verifyBodyChecksum( Checksum authChecksum, KdcRequest request ) throws KerberosException
+ {
+ if ( authChecksum == null )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
+ }
+
+ /*
+ if (auth_hdr.authenticator.cksum type is not supported) then
+ error_out(KDC_ERR_SUMTYPE_NOSUPP);
+ endif
+ */
+
+ /*
+ if (auth_hdr.authenticator.cksum is not both collision-proof and keyed) then
+ error_out(KRB_AP_ERR_INAPP_CKSUM);
+ endif
+ */
+
+ KdcReqBodyEncoder encoder = new KdcReqBodyEncoder();
+ byte[] bytes = null;
+
+ try
+ {
+ bytes = encoder.encode( request );
+ }
+ catch ( IOException ioe )
+ {
+ ioe.printStackTrace();
+ }
+
+ ChecksumEngine digester = new RsaMd5Checksum();
+ Checksum newChecksum = new Checksum( digester.checksumType(), digester.calculateChecksum( bytes ) );
+
+ boolean equal = newChecksum.equals( authChecksum );
+
+ if ( !equal )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
+ }
+ }
+}
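Review bot: When `encoder.encode( request )` throws, the exception is printed and `bytes` stays null, so `calculateChecksum( bytes )` fails with an NPE instead of a KRB-ERROR; the catch should rethrow as a `KerberosException` (the constant below follows RFC 4120 error 60 and needs confirming in `ErrorType`). The digester is hard-coded to `RsaMd5Checksum` regardless of the type the client used, so a client sending any other checksum type gets `KRB_AP_ERR_MODIFIED` rather than `KDC_ERR_SUMTYPE_NOSUPP` as the commented pseudo-code at the top of the method intends, and rsa-md5 is unkeyed, which the second comment block says should be rejected with `KRB_AP_ERR_INAPP_CKSUM`. The comparison `newChecksum.equals( authChecksum )` is presumably a byte-array equality; if so, prefer `MessageDigest.isEqual` on the raw bytes so the check is constant-time.
```java
    // … unchanged: null-checksum guard and pseudo-code comments …

    KdcReqBodyEncoder encoder = new KdcReqBodyEncoder();
    byte[] bytes;

    try
    {
        bytes = encoder.encode( request );
    }
    catch ( IOException ioe )
    {
        // A body we cannot re-encode cannot be verified; refuse the request
        // rather than handing null to the digester.
        throw new KerberosException( ErrorType.KRB_ERR_GENERIC );
    }

    // … unchanged: RsaMd5Checksum digest and comparison …
```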
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.service.VerifyTicket;
+
+public class VerifyTgt extends VerifyTicket
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+ KdcConfiguration config = tgsContext.getConfig();
+ Ticket tgt = tgsContext.getTgt();
+ String primaryRealm = config.getPrimaryRealm();
+ KerberosPrincipal serverPrincipal = tgsContext.getRequest().getServerPrincipal();
+
+ verifyTicket( tgt, primaryRealm, serverPrincipal );
+
+ return CONTINUE_CHAIN;
+ }
+}
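Review bot: The third argument to `verifyTicket` is the sname from the request body, i.e. the service the client is asking for, whereas the ticket being verified is the one from the AP-REQ, which must be addressed to the KDC's own TGS principal (available as `config.getKdcPrincipal()`, as used in `TicketGrantingExceptionHandler`). `verifyTicket` itself is outside this hunk, so whether it compares the ticket's sname to that argument cannot be seen here; this step is the only place that can pin the presented ticket to the TGS, because `GetTicketPrincipalEntry` then looks up the decryption key from the ticket's own, still-unauthenticated sname. Please confirm that a ticket whose sname is some other service (whose key the client may hold) is rejected with `KRB_AP_ERR_NOT_US`, and if the comparand is meant to be the TGS, change the line to `KerberosPrincipal serverPrincipal = config.getKdcPrincipal();`.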
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.service.VerifyAuthHeader;
+
+public class VerifyTgtAuthHeader extends VerifyAuthHeader
+{
+ public boolean execute( Context context ) throws Exception
+ {
+ TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+ ApplicationRequest authHeader = tgsContext.getAuthHeader();
+ Ticket tgt = tgsContext.getTgt();
+ EncryptionKey serverKey = tgsContext.getTicketPrincipalEntry().getEncryptionKey();
+ long clockSkew = tgsContext.getConfig().getClockSkew();
+ ReplayCache replayCache = tgsContext.getReplayCache();
+
+ Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache );
+
+ tgsContext.setAuthenticator( authenticator );
+
+ return CONTINUE_CHAIN;
+ }
+}
Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
------------------------------------------------------------------------------
svn:eol-style = native