Examples of KerberosConfig

Examples of org.apache.directory.server.kerberos.KerberosConfig




    private static void selectEncryptionType( TicketGrantingContext tgsContext ) throws Exception
    {
        KdcContext kdcContext = tgsContext;
        KerberosConfig config = kdcContext.getConfig();


        Set<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();


        EncryptionType bestType = KerberosUtils.getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );


        LOG_KRB.debug( "Session will use encryption type {}.", bestType );


        if ( bestType == null )
        {

View Full Code Here

Examples of org.apache.directory.server.kerberos.KerberosConfig

    }




    public static void verifyTgt( TicketGrantingContext tgsContext ) throws KerberosException
    {
        KerberosConfig config = tgsContext.getConfig();
        Ticket tgt = tgsContext.getTgt();


        // Check primary realm.
        if ( !tgt.getRealm().equals( config.getPrimaryRealm() ) )
        {
            throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
        }


        String tgtServerName = KerberosUtils.getKerberosPrincipal( tgt.getSName(), tgt.getRealm() ).getName();
        String requestServerName = KerberosUtils.getKerberosPrincipal(
            tgsContext.getRequest().getKdcReqBody().getSName(), tgsContext.getRequest().getKdcReqBody().getRealm() )
            .getName();


        /*
         * if (tgt.sname is not a TGT for local realm and is not req.sname)
         *     then error_out(KRB_AP_ERR_NOT_US);
         */
        if ( !tgtServerName.equals( config.getServicePrincipal().getName() )
            && !tgtServerName.equals( requestServerName ) )
        {
            throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
        }
    }

View Full Code Here

Examples of org.apache.directory.server.kerberos.KerberosConfig

     * <li>Section 3.3.2. Receipt of KRB_TGS_REQ Message -> 2nd paragraph
     * <li>Section 5.5.1. KRB_AP_REQ Definition -> Authenticator -> cksum
     */
    private static void verifyBodyChecksum( TicketGrantingContext tgsContext ) throws KerberosException
    {
        KerberosConfig config = tgsContext.getConfig();


        if ( config.isBodyChecksumVerified() )
        {
            KdcReqBody body = tgsContext.getRequest().getKdcReqBody();
            // FIXME how this byte[] is computed??
            // is it full ASN.1 encoded bytes OR just the bytes of all the values alone?
            // for now am using the ASN.1 encoded value

View Full Code Here

Examples of org.apache.directory.server.kerberos.KerberosConfig

            request.getKdcReqBody().getSName(), request.getKdcReqBody().getRealm() );


        EncryptionType encryptionType = tgsContext.getEncryptionType();
        EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getKeyMap().get( encryptionType );


        KerberosConfig config = tgsContext.getConfig();


        tgsContext.getRequest().getKdcReqBody().getAdditionalTickets();


        EncTicketPart newTicketPart = new EncTicketPart();

View Full Code Here

Examples of org.apache.directory.server.kerberos.KerberosConfig

    /**
     * Creates a new instance of KdcServer with the default configuration.
     */
    public KdcServer()
    {
        this( new KerberosConfig() );
    }

View Full Code Here

Examples of org.apache.directory.server.kerberos.KerberosConfig

        
        KdcServer server = ServerAnnotationProcessor.getKdcServer( directoryService, AvailablePortFinder.getNextAvailable( 1024 ) );


        assertEquals( 2, server.getTransports().length );
        
        KerberosConfig config = server.getConfig();
        assertEquals( directoryService, server.getDirectoryService() );
        assertEquals( "apache.org", config.getPrimaryRealm() );
        assertEquals( "krbtgt/apache.org@apache.org", config.getServicePrincipal().getName() );
        assertEquals( 1000, config.getMaximumTicketLifetime() );
        assertEquals( 2000, config.getMaximumRenewableLifetime() );
        
        server.stop();
        directoryService.shutdown();


        FileUtils.deleteDirectory( directoryService.getInstanceLayout().getInstanceDirectory() );

View Full Code Here

Examples of org.apache.directory.server.kerberos.KerberosConfig

        if ( createKdcServer == null )
        {
            return null;
        }


        KerberosConfig kdcConfig = new KerberosConfig();
        kdcConfig.setServicePrincipal( createKdcServer.kdcPrincipal() );
        kdcConfig.setPrimaryRealm( createKdcServer.primaryRealm() );
        kdcConfig.setMaximumTicketLifetime( createKdcServer.maxTicketLifetime() );
        kdcConfig.setMaximumRenewableLifetime( createKdcServer.maxRenewableLifetime() );


        KdcServer kdcServer = new KdcServer( kdcConfig );


        kdcServer.setSearchBaseDn( createKdcServer.searchBaseDn() );

View Full Code Here

Examples of org.apache.directory.server.kerberos.KerberosConfig

        InvalidTicketException
    {


        LOG_KRB.debug( "--> Selecting the EncryptionType" );
        KdcContext kdcContext = authContext;
        KerberosConfig config = kdcContext.getConfig();


        Set<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
        LOG_KRB.debug( "Encryption types requested by client {}.", requestedTypes );


        EncryptionType bestType = KerberosUtils.getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );


        LOG_KRB.debug( "Session will use encryption type {}.", bestType );


        if ( bestType == null )
        {

View Full Code Here

Examples of org.apache.directory.server.kerberos.KerberosConfig


    private static void verifySam( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
    {
        LOG_KRB.debug( "--> Verifying using SAM subsystem." );
        KdcReq request = authContext.getRequest();
        KerberosConfig config = authContext.getConfig();


        PrincipalStoreEntry clientEntry = authContext.getClientEntry();
        String clientName = clientEntry.getPrincipal().getName();


        EncryptionKey clientKey = null;


        if ( clientEntry.getSamType() != null )
        {
            if ( LOG_KRB.isDebugEnabled() )
            {
                LOG_KRB
                    .debug(
                        "Entry for client principal {} has a valid SAM type.  Invoking SAM subsystem for pre-authentication.",
                        clientName );
            }


            List<PaData> preAuthData = request.getPaData();


            if ( ( preAuthData == null ) || ( preAuthData.size() == 0 ) )
            {
                LOG_KRB.debug( "No PreAuth Data" );
                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
                    authContext.getEncryptionType(), config
                        .getEncryptionTypes() ) );
            }


            try
            {

View Full Code Here

Examples of org.apache.directory.server.kerberos.KerberosConfig

    private static void verifyEncryptedTimestamp( AuthenticationContext authContext ) throws KerberosException,
        InvalidTicketException
    {
        LOG_KRB.debug( "--> Verifying using encrypted timestamp." );


        KerberosConfig config = authContext.getConfig();
        KdcReq request = authContext.getRequest();
        CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
        PrincipalStoreEntry clientEntry = authContext.getClientEntry();
        String clientName = clientEntry.getPrincipal().getName();


        EncryptionKey clientKey = null;


        if ( clientEntry.getSamType() == null )
        {
            LOG_KRB.debug(
                "Entry for client principal {} has no SAM type.  Proceeding with standard pre-authentication.",
                clientName );


            EncryptionType encryptionType = authContext.getEncryptionType();
            clientKey = clientEntry.getKeyMap().get( encryptionType );


            if ( clientKey == null )
            {
                LOG_KRB.error( "No key for client {}", clientEntry.getDistinguishedName() );
                throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
            }


            if ( config.isPaEncTimestampRequired() )
            {
                List<PaData> preAuthData = request.getPaData();


                if ( preAuthData == null )
                {
                    LOG_KRB.debug( "PRE_AUTH required..." );
                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
                        preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
                }


                PaEncTsEnc timestamp = null;


                for ( PaData paData : preAuthData )
                {
                    if ( paData.getPaDataType().equals( PaDataType.PA_ENC_TIMESTAMP ) )
                    {
                        EncryptedData dataValue = KerberosDecoder.decodeEncryptedData( paData.getPaDataValue() );
                        byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue,
                            KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
                        timestamp = KerberosDecoder.decodePaEncTsEnc( decryptedData );
                    }
                }


                if ( timestamp == null )
                {
                    LOG_KRB.error( "No timestamp found" );
                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
                        preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
                }


                if ( !timestamp.getPaTimestamp().isInClockSkew( config.getAllowableClockSkew() ) )
                {
                    LOG_KRB.error( "Timestamp not in delay" );


                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_FAILED );
                }

View Full Code Here

0 1 2 3 4

TOP

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.