Examples of org.apache.directory.server.kerberos.kdc.KdcServer

Package org.apache.directory.server.kerberos.kdc

Examples of org.apache.directory.server.kerberos.kdc.KdcServer

org.apache.directory.server.kerberos.kdc.KdcServer
Contains the configuration parameters for the Kerberos protocol provider. @author Apache Directory Project

    {
        /** The LdapServer for this method, if any */
        LdapServer methodLdapServer = null;


        /** The KdcServer for this method, if any */
        KdcServer methodKdcServer = null;


        // Don't run the test if the @Ignored annotation is used
        if ( method.getAnnotation( Ignore.class ) != null )
        {
            Description description = describeChild( method );
            notifier.fireTestIgnored( description );
            return;
        }


        // Get the applyLdifs for each level
        Description suiteDescription = null;


        Description classDescription = getDescription();
        Description methodDescription = describeChild( method );


        // Before running any test, check to see if we must create a class DS
        // Get the LdapServerBuilder, if any
        CreateLdapServer methodLdapServerBuilder = methodDescription.getAnnotation( CreateLdapServer.class );
        CreateKdcServer methodKdcServerBuilder = methodDescription.getAnnotation( CreateKdcServer.class );


        // Ok, ready to run the test
        try
        {
            DirectoryService directoryService = null;


            // Set the revision to 0, we will revert only if it's set to another value
            long revision = 0L;


            // Check if this method has a dedicated DSBuilder
            DirectoryService methodDS = DSAnnotationProcessor.getDirectoryService( methodDescription );


            // give #1 priority to method level DS if present
            if ( methodDS != null )
            {
                // Apply all the LDIFs
                DSAnnotationProcessor.applyLdifs( suiteDescription, methodDS );
                DSAnnotationProcessor.applyLdifs( classDescription, methodDS );
                DSAnnotationProcessor.applyLdifs( methodDescription, methodDS );


                directoryService = methodDS;
            }
            else if ( classDS != null )
            {
                directoryService = classDS;


                // apply the method LDIFs, and tag for reversion
                revision = getCurrentRevision( directoryService );


                DSAnnotationProcessor.applyLdifs( methodDescription, directoryService );
            }
            // we don't support method level LdapServer so
            // we check for the presence of Class level LdapServer first 
            else if ( classLdapServer != null )
            {
                directoryService = classLdapServer.getDirectoryService();


                revision = getCurrentRevision( directoryService );


                DSAnnotationProcessor.applyLdifs( methodDescription, directoryService );
            }
            else if ( classKdcServer != null )
            {
                directoryService = classKdcServer.getDirectoryService();


                revision = getCurrentRevision( directoryService );


                DSAnnotationProcessor.applyLdifs( methodDescription, directoryService );
            }


            if ( methodLdapServerBuilder != null )
            {
                methodLdapServer = ServerAnnotationProcessor.createLdapServer( methodDescription, directoryService );
            }


            if ( methodKdcServerBuilder != null )
            {
                int minPort = getMinPort();


                methodKdcServer = ServerAnnotationProcessor.getKdcServer( methodDescription, directoryService,
                    minPort + 1 );
            }


            // At this point, we know which service to use.
            // Inject it into the class
            Method setService = null;


            try
            {
                setService = getTestClass().getJavaClass().getMethod( SET_SERVICE_METHOD_NAME,
                    DirectoryService.class );


                setService.invoke( getTestClass().getJavaClass(), directoryService );
            }
            catch ( NoSuchMethodException nsme )
            {
                // Do nothing
            }


            // if we run this class in a suite, tell it to the test
            Method setLdapServer = null;


            try
            {
                setLdapServer = getTestClass().getJavaClass().getMethod( SET_LDAP_SERVER_METHOD_NAME,
                    LdapServer.class );
            }
            catch ( NoSuchMethodException nsme )
            {
                // Do nothing
            }


            Method setKdcServer = null;


            try
            {
                setKdcServer = getTestClass().getJavaClass().getMethod( SET_KDC_SERVER_METHOD_NAME, KdcServer.class );
            }
            catch ( NoSuchMethodException nsme )
            {
                // Do nothing
            }


            DirectoryService oldLdapServerDirService = null;
            DirectoryService oldKdcServerDirService = null;


            if ( methodLdapServer != null )
            {
                // setting the directoryService is required to inject the correct level DS instance in the class or suite level LdapServer
                methodLdapServer.setDirectoryService( directoryService );


                setLdapServer.invoke( getTestClass().getJavaClass(), methodLdapServer );
            }
            else if ( classLdapServer != null )
            {
                oldLdapServerDirService = classLdapServer.getDirectoryService();


                // setting the directoryService is required to inject the correct level DS instance in the class or suite level LdapServer
                classLdapServer.setDirectoryService( directoryService );


                setLdapServer.invoke( getTestClass().getJavaClass(), classLdapServer );
            }


            if ( methodKdcServer != null )
            {
                // setting the directoryService is required to inject the correct level DS instance in the class or suite level KdcServer
                methodKdcServer.setDirectoryService( directoryService );


                setKdcServer.invoke( getTestClass().getJavaClass(), methodKdcServer );
            }
            else if ( classKdcServer != null )
            {

View Full Code Here

     * Creates a new instance of {@link TicketGrantingPolicyTest}.
     */
    @Before
    public void setUp() throws IOException
    {
        kdcServer = new KdcServer();
        config = kdcServer.getConfig();


        /*
         * Body checksum verification must be disabled because we are bypassing
         * the codecs, where the body bytes are set on the KdcReq message.

View Full Code Here

        if ( !isEnabled( kdcEntry ) )
        {
            return null;
        }


        KdcServer kdcServer = new KdcServer();


        kdcServer.setServiceId( getString( "ads-serverId", kdcEntry ) );


        DN transportsDN = new DN( getString( "ads-transports", kdcEntry ) );
        transportsDN.normalize( schemaManager.getNormalizerMapping() );
        Transport[] transports = getTransports( transportsDN );
        kdcServer.setTransports( transports );


        // MAY attributes
        EntryAttribute clockSkewAttr = kdcEntry.get( "ads-krbAllowableClockSkew" );


        if ( clockSkewAttr != null )
        {
            kdcServer.setAllowableClockSkew( Long.parseLong( clockSkewAttr.getString() ) );
        }


        EntryAttribute encryptionTypeAttr = kdcEntry.get( "ads-krbEncryptionTypes" );


        if ( encryptionTypeAttr != null )
        {
            EncryptionType[] encryptionTypes = new EncryptionType[encryptionTypeAttr.size()];
            Iterator<Value<?>> itr = encryptionTypeAttr.getAll();
            int count = 0;


            while ( itr.hasNext() )
            {
                Value<?> val = itr.next();
                encryptionTypes[count++] = EncryptionType.getByName( val.getString() );
            }


            kdcServer.setEncryptionTypes( encryptionTypes );
        }


        EntryAttribute emptyAddrAttr = kdcEntry.get( "ads-krbEmptyAddressesAllowed" );


        if ( emptyAddrAttr != null )
        {
            kdcServer.setEmptyAddressesAllowed( Boolean.parseBoolean( emptyAddrAttr.getString() ) );
        }


        EntryAttribute fwdAllowedAttr = kdcEntry.get( "ads-krbForwardableAllowed" );


        if ( fwdAllowedAttr != null )
        {
            kdcServer.setForwardableAllowed( Boolean.parseBoolean( fwdAllowedAttr.getString() ) );
        }


        EntryAttribute paEncTmstpAttr = kdcEntry.get( "ads-krbPaEncTimestampRequired" );


        if ( paEncTmstpAttr != null )
        {
            kdcServer.setPaEncTimestampRequired( Boolean.parseBoolean( paEncTmstpAttr.getString() ) );
        }


        EntryAttribute posdtAllowedAttr = kdcEntry.get( "ads-krbPostdatedAllowed" );


        if ( posdtAllowedAttr != null )
        {
            kdcServer.setPostdatedAllowed( Boolean.parseBoolean( posdtAllowedAttr.getString() ) );
        }


        EntryAttribute prxyAllowedAttr = kdcEntry.get( "ads-krbProxiableAllowed" );


        if ( prxyAllowedAttr != null )
        {
            kdcServer.setProxiableAllowed( Boolean.parseBoolean( prxyAllowedAttr.getString() ) );
        }


        EntryAttribute rnwAllowedAttr = kdcEntry.get( "ads-krbRenewableAllowed" );


        if ( rnwAllowedAttr != null )
        {
            kdcServer.setRenewableAllowed( Boolean.parseBoolean( rnwAllowedAttr.getString() ) );
        }


        EntryAttribute kdcPrncplAttr = kdcEntry.get( "ads-krbKdcPrincipal" );


        if ( kdcPrncplAttr != null )
        {
            kdcServer.setKdcPrincipal( kdcPrncplAttr.getString() );
        }


        EntryAttribute maxRnwLfTimeAttr = kdcEntry.get( "ads-krbMaximumRenewableLifetime" );


        if ( maxRnwLfTimeAttr != null )
        {
            kdcServer.setMaximumRenewableLifetime( Long.parseLong( maxRnwLfTimeAttr.getString() ) );
        }


        EntryAttribute maxTcktLfTimeAttr = kdcEntry.get( "ads-krbMaximumTicketLifetime" );


        if ( maxTcktLfTimeAttr != null )
        {
            kdcServer.setMaximumTicketLifetime( Long.parseLong( maxTcktLfTimeAttr.getString() ) );
        }


        EntryAttribute prmRealmAttr = kdcEntry.get( "ads-krbPrimaryRealm" );


        if ( prmRealmAttr != null )
        {
            kdcServer.setPrimaryRealm( prmRealmAttr.getString() );
        }


        EntryAttribute bdyCkhsmVerifyAttr = kdcEntry.get( "ads-krbBodyChecksumVerified" );


        if ( bdyCkhsmVerifyAttr != null )
        {
            kdcServer.setBodyChecksumVerified( Boolean.parseBoolean( bdyCkhsmVerifyAttr.getString() ) );
        }


        return kdcServer;
    }

View Full Code Here

        kdcConfig.setPrimaryRealm(createKdcServer.primaryRealm());
        kdcConfig.setMaximumTicketLifetime(createKdcServer.maxTicketLifetime());
        kdcConfig.setMaximumRenewableLifetime(createKdcServer.maxRenewableLifetime());
        kdcConfig.setPaEncTimestampRequired(false);


        KdcServer kdcServer = new NoReplayKdcServer(kdcConfig);


        kdcServer.setSearchBaseDn(createKdcServer.searchBaseDn());


        CreateTransport[] transportBuilders = createKdcServer.transports();


        if (transportBuilders == null) {
            // create only UDP transport if none specified
            UdpTransport defaultTransport = new UdpTransport(bindAddress, AvailablePortFinder.getNextAvailable(startPort));
            kdcServer.addTransports(defaultTransport);
        } else if (transportBuilders.length > 0) {
            for (CreateTransport transportBuilder : transportBuilders) {
               String protocol = transportBuilder.protocol();
                int port = transportBuilder.port();
                int nbThreads = transportBuilder.nbThreads();
                int backlog = transportBuilder.backlog();
                final String address = bindAddress != null ? bindAddress : transportBuilder.address();


                if (port == -1) {
                    port = AvailablePortFinder.getNextAvailable(startPort);
                    startPort = port + 1;
                }


                if (protocol.equalsIgnoreCase("TCP")) {
                    Transport tcp = new TcpTransport(address, port, nbThreads, backlog);
                    kdcServer.addTransports(tcp);
                } else if (protocol.equalsIgnoreCase("UDP")) {
                    UdpTransport udp = new UdpTransport(address, port);
                    kdcServer.addTransports(udp);
                } else {
                    throw new IllegalArgumentException(I18n.err(I18n.ERR_689, protocol));
                }
            }
        }


        CreateChngPwdServer[] createChngPwdServers = createKdcServer.chngPwdServer();


        if (createChngPwdServers.length > 0) {


            CreateChngPwdServer createChngPwdServer = createChngPwdServers[0];
            ChangePasswordConfig config = new ChangePasswordConfig(kdcConfig);
            config.setServicePrincipal(createChngPwdServer.srvPrincipal());


            ChangePasswordServer chngPwdServer = new ChangePasswordServer(config);


            for (CreateTransport transportBuilder : createChngPwdServer.transports()) {
                Transport t = createTransport(transportBuilder, startPort);
                startPort = t.getPort() + 1;
                chngPwdServer.addTransports(t);
            }


            chngPwdServer.setDirectoryService(directoryService);


            kdcServer.setChangePwdServer(chngPwdServer);
        }


        kdcServer.setDirectoryService(directoryService);


        // Launch the server
        try {
            kdcServer.start();
        } catch (Exception e) {
            e.printStackTrace();
        }


        return kdcServer;

View Full Code Here

    {
        /** The LdapServer for this method, if any */
        LdapServer methodLdapServer = null;


        /** The KdcServer for this method, if any */
        KdcServer methodKdcServer = null;


        // Don't run the test if the @Ignored annotation is used
        if ( method.getAnnotation( Ignore.class ) != null )
        {
            Description description = describeChild( method );
            notifier.fireTestIgnored( description );
            return;
        }


        // Get the applyLdifs for each level
        Description suiteDescription = null;


        if ( suite != null )
        {
            suiteDescription = suite.getDescription();
        }


        Description classDescription = getDescription();
        Description methodDescription = describeChild( method );


        // Before running any test, check to see if we must create a class DS
        // Get the LdapServerBuilder, if any
        CreateLdapServer methodLdapServerBuilder = methodDescription.getAnnotation( CreateLdapServer.class );
        CreateKdcServer methodKdcServerBuilder = methodDescription.getAnnotation( CreateKdcServer.class );


        // Ok, ready to run the test
        try
        {
            DirectoryService directoryService = null;


            // Set the revision to 0, we will revert only if it's set to another value
            long revision = 0L;


            // Check if this method has a dedicated DSBuilder
            DirectoryService methodDS = DSAnnotationProcessor.getDirectoryService( methodDescription );


            // give #1 priority to method level DS if present
            if ( methodDS != null )
            {
                // Apply all the LDIFs
                DSAnnotationProcessor.applyLdifs( suiteDescription, methodDS );
                DSAnnotationProcessor.applyLdifs( classDescription, methodDS );
                DSAnnotationProcessor.applyLdifs( methodDescription, methodDS );


                directoryService = methodDS;
            }
            else if ( classDS != null )
            {
                directoryService = classDS;


                // apply the method LDIFs, and tag for reversion
                revision = getCurrentRevision( directoryService );


                DSAnnotationProcessor.applyLdifs( methodDescription, directoryService );
            }
            // we don't support method level LdapServer so
            // we check for the presence of Class level LdapServer first 
            else if ( classLdapServer != null )
            {
                directoryService = classLdapServer.getDirectoryService();


                revision = getCurrentRevision( directoryService );


                DSAnnotationProcessor.applyLdifs( methodDescription, directoryService );
            }
            else if ( classKdcServer != null )
            {
                directoryService = classKdcServer.getDirectoryService();


                revision = getCurrentRevision( directoryService );


                DSAnnotationProcessor.applyLdifs( methodDescription, directoryService );
            }
            else if ( suite != null )
            {
                directoryService = suite.getDirectoryService();


                // apply the method LDIFs, and tag for reversion
                revision = getCurrentRevision( directoryService );


                DSAnnotationProcessor.applyLdifs( methodDescription, directoryService );
            }


            if ( methodLdapServerBuilder != null )
            {
                int minPort = getMinPort();


                methodLdapServer = ServerAnnotationProcessor.createLdapServer( methodDescription, directoryService );
            }


            if ( methodKdcServerBuilder != null )
            {
                int minPort = getMinPort();


                methodKdcServer = ServerAnnotationProcessor.getKdcServer( methodDescription, directoryService,
                    minPort + 1 );
            }


            // At this point, we know which service to use.
            // Inject it into the class
            Method setService = getTestClass().getJavaClass().getMethod( SET_SERVICE_METHOD_NAME,
                DirectoryService.class );
            setService.invoke( getTestClass().getJavaClass(), directoryService );


            // if we run this class in a suite, tell it to the test
            Field runInSuiteField = getTestClass().getJavaClass().getField( IS_RUN_IN_SUITE_FIELD_NAME );
            runInSuiteField.set( getTestClass().getJavaClass(), suite != null );


            Method setLdapServer = getTestClass().getJavaClass().getMethod( SET_LDAP_SERVER_METHOD_NAME,
                LdapServer.class );
            Method setKdcServer = getTestClass().getJavaClass().getMethod( SET_KDC_SERVER_METHOD_NAME, KdcServer.class );


            DirectoryService oldLdapServerDirService = null;
            DirectoryService oldKdcServerDirService = null;


            if ( methodLdapServer != null )
            {
                // setting the directoryService is required to inject the correct level DS instance in the class or suite level LdapServer
                methodLdapServer.setDirectoryService( directoryService );


                setLdapServer.invoke( getTestClass().getJavaClass(), methodLdapServer );
            }
            else if ( classLdapServer != null )
            {
                oldLdapServerDirService = classLdapServer.getDirectoryService();


                // setting the directoryService is required to inject the correct level DS instance in the class or suite level LdapServer
                classLdapServer.setDirectoryService( directoryService );


                setLdapServer.invoke( getTestClass().getJavaClass(), classLdapServer );
            }


            if ( methodKdcServer != null )
            {
                // setting the directoryService is required to inject the correct level DS instance in the class or suite level KdcServer
                methodKdcServer.setDirectoryService( directoryService );


                setKdcServer.invoke( getTestClass().getJavaClass(), methodKdcServer );
            }
            else if ( classKdcServer != null )
            {

View Full Code Here

        if ( ( kdcServerBean == null ) || kdcServerBean.isDisabled() )
        {
            return null;
        }


        KdcServer kdcServer = new KdcServer();


        kdcServer.setDirectoryService( directoryService );
        kdcServer.setEnabled( true );


        kdcServer.setDirectoryService( directoryService );


        // The ID
        kdcServer.setServiceId( kdcServerBean.getServerId() );


        // AllowableClockSkew
        kdcServer.setAllowableClockSkew( kdcServerBean.getKrbAllowableClockSkew() );


        // BodyChecksumVerified
        kdcServer.setBodyChecksumVerified( kdcServerBean.isKrbBodyChecksumVerified() );


        // CatalogBased
        //kdcServer.setCatelogBased( kdcServerBean.is );


        // EmptyAddressesAllowed
        kdcServer.setEmptyAddressesAllowed( kdcServerBean.isKrbEmptyAddressesAllowed() );


        // EncryptionType
        EncryptionType[] encryptionTypes = createEncryptionTypes( kdcServerBean.getKrbEncryptionTypes() );
        kdcServer.setEncryptionTypes( encryptionTypes );


        // ForwardableAllowed
        kdcServer.setForwardableAllowed( kdcServerBean.isKrbForwardableAllowed() );


        // KdcPrincipal
        kdcServer.setKdcPrincipal( kdcServerBean.getKrbKdcPrincipal().toString() );


        // MaximumRenewableLifetime
        kdcServer.setMaximumRenewableLifetime( kdcServerBean.getKrbMaximumRenewableLifetime() );


        // MaximumTicketLifetime
        kdcServer.setMaximumTicketLifetime( kdcServerBean.getKrbMaximumTicketLifetime() );


        // PaEncTimestampRequired
        kdcServer.setPaEncTimestampRequired( kdcServerBean.isKrbPaEncTimestampRequired() );


        // PostdatedAllowed
        kdcServer.setPostdatedAllowed( kdcServerBean.isKrbPostdatedAllowed() );


        // PrimaryRealm
        kdcServer.setPrimaryRealm( kdcServerBean.getKrbPrimaryRealm() );


        // ProxiableAllowed
        kdcServer.setProxiableAllowed( kdcServerBean.isKrbProxiableAllowed() );


        // RenewableAllowed
        kdcServer.setRenewableAllowed( kdcServerBean.isKrbRenewableAllowed() );


        // searchBaseDn
        kdcServer.setSearchBaseDn( kdcServerBean.getSearchBaseDn().getName() );


        // The transports
        Transport[] transports = createTransports( kdcServerBean.getTransports() );
        kdcServer.setTransports( transports );


        return kdcServer;
    }

View Full Code Here


    private static void selectEncryptionType( AuthenticationContext authContext ) throws KerberosException,
        InvalidTicketException
    {
        KdcContext kdcContext = authContext;
        KdcServer config = kdcContext.getConfig();


        List<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();


        EncryptionType bestType = KerberosUtils.getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );


        LOG.debug( "Session will use encryption type {}.", bestType );


        if ( bestType == null )
        {

View Full Code Here


    private static void verifySam( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
    {
        LOG.debug( "Verifying using SAM subsystem." );
        KdcReq request = authContext.getRequest();
        KdcServer config = authContext.getConfig();


        PrincipalStoreEntry clientEntry = authContext.getClientEntry();
        String clientName = clientEntry.getPrincipal().getName();


        EncryptionKey clientKey = null;


        if ( clientEntry.getSamType() != null )
        {
            if ( LOG.isDebugEnabled() )
            {
                LOG.debug(
                    "Entry for client principal {} has a valid SAM type.  Invoking SAM subsystem for pre-authentication.",
                    clientName );
            }


            List<PaData> preAuthData = request.getPaData();


            if ( preAuthData == null || preAuthData.size() == 0 )
            {
                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
                    request.getKdcReqBody().getEType(), config.getEncryptionTypes() ) );
            }


            try
            {
                for ( PaData paData : preAuthData )

View Full Code Here

    private static void verifyEncryptedTimestamp( AuthenticationContext authContext ) throws KerberosException,
        InvalidTicketException
    {
        LOG.debug( "Verifying using encrypted timestamp." );


        KdcServer config = authContext.getConfig();
        KdcReq request = authContext.getRequest();
        CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
        PrincipalStoreEntry clientEntry = authContext.getClientEntry();
        String clientName = clientEntry.getPrincipal().getName();


        EncryptionKey clientKey = null;


        if ( clientEntry.getSamType() == null )
        {
            if ( LOG.isDebugEnabled() )
            {
                LOG.debug(
                    "Entry for client principal {} has no SAM type.  Proceeding with standard pre-authentication.",
                    clientName );
            }


            EncryptionType encryptionType = authContext.getEncryptionType();
            clientKey = clientEntry.getKeyMap().get( encryptionType );


            if ( clientKey == null )
            {
                throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
            }


            if ( config.isPaEncTimestampRequired() )
            {
                List<PaData> preAuthData = request.getPaData();


                if ( preAuthData == null )
                {
                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
                        preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(),
                            config.getEncryptionTypes() ) );
                }


                PaEncTsEnc timestamp = null;


                for ( PaData paData : preAuthData )
                {
                    if ( paData.getPaDataType().equals( PaDataType.PA_ENC_TIMESTAMP ) )
                    {
                        EncryptedData dataValue = KerberosDecoder.decodeEncryptedData( paData.getPaDataValue() );
                        paData.getPaDataType();
                        byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue,
                            KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
                        timestamp = KerberosDecoder.decodePaEncTsEnc( decryptedData );
                    }
                }


                if ( ( preAuthData.size() > 0 ) && ( timestamp == null ) )
                {
                    throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
                }


                if ( timestamp == null )
                {
                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
                        preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(),
                            config.getEncryptionTypes() ) );
                }


                if ( !timestamp.getPaTimestamp().isInClockSkew( config.getAllowableClockSkew() ) )
                {
                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_FAILED );
                }


                /*

View Full Code Here

        EncryptionKey serverKey = authContext.getServerEntry().getKeyMap().get( encryptionType );


        PrincipalName ticketPrincipal = request.getKdcReqBody().getSName();


        EncTicketPart encTicketPart = new EncTicketPart();
        KdcServer config = authContext.getConfig();


        // The INITIAL flag indicates that a ticket was issued using the AS protocol.
        TicketFlags ticketFlags = new TicketFlags();
        encTicketPart.setFlags( ticketFlags );
        ticketFlags.setFlag( TicketFlag.INITIAL );


        // The PRE-AUTHENT flag indicates that the client used pre-authentication.
        if ( authContext.isPreAuthenticated() )
        {
            ticketFlags.setFlag( TicketFlag.PRE_AUTHENT );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.FORWARDABLE ) )
        {
            if ( !config.isForwardableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            ticketFlags.setFlag( TicketFlag.FORWARDABLE );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXIABLE ) )
        {
            if ( !config.isProxiableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            ticketFlags.setFlag( TicketFlag.PROXIABLE );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.ALLOW_POSTDATE ) )
        {
            if ( !config.isPostdatedAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            ticketFlags.setFlag( TicketFlag.MAY_POSTDATE );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEW )
            || request.getKdcReqBody().getKdcOptions().get( KdcOptions.VALIDATE )
            || request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXY )
            || request.getKdcReqBody().getKdcOptions().get( KdcOptions.FORWARDED )
            || request.getKdcReqBody().getKdcOptions().get( KdcOptions.ENC_TKT_IN_SKEY ) )
        {
            throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
        }


        EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( authContext.getEncryptionType() );
        encTicketPart.setKey( sessionKey );


        encTicketPart.setCName( request.getKdcReqBody().getCName() );
        encTicketPart.setCRealm( request.getKdcReqBody().getRealm() );
        encTicketPart.setTransited( new TransitedEncoding() );
        String serverRealm = request.getKdcReqBody().getRealm();


        KerberosTime now = new KerberosTime();


        encTicketPart.setAuthTime( now );


        KerberosTime startTime = request.getKdcReqBody().getFrom();


        /*
         * "If the requested starttime is absent, indicates a time in the past,
         * or is within the window of acceptable clock skew for the KDC and the
         * POSTDATE option has not been specified, then the starttime of the
         * ticket is set to the authentication server's current time."
         */
        if ( startTime == null || startTime.lessThan( now ) || startTime.isInClockSkew( config.getAllowableClockSkew() )
            && !request.getKdcReqBody().getKdcOptions().get( KdcOptions.POSTDATED ) )
        {
            startTime = now;
        }


        /*
         * "If it indicates a time in the future beyond the acceptable clock skew,
         * but the POSTDATED option has not been specified, then the error
         * KDC_ERR_CANNOT_POSTDATE is returned."
         */
        if ( startTime != null && startTime.greaterThan( now )
            && !startTime.isInClockSkew( config.getAllowableClockSkew() )
            && !request.getKdcReqBody().getKdcOptions().get( KdcOptions.POSTDATED ) )
        {
            throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
        }


        /*
         * "Otherwise the requested starttime is checked against the policy of the
         * local realm and if the ticket's starttime is acceptable, it is set as
         * requested, and the INVALID flag is set in the new ticket."
         */
        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.POSTDATED ) )
        {
            if ( !config.isPostdatedAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            ticketFlags.setFlag( TicketFlag.POSTDATED );
            ticketFlags.setFlag( TicketFlag.INVALID );
            encTicketPart.setStartTime( startTime );
        }


        long till = 0;


        if ( request.getKdcReqBody().getTill().getTime() == 0 )
        {
            till = Long.MAX_VALUE;
        }
        else
        {
            till = request.getKdcReqBody().getTill().getTime();
        }


        /*
         * The end time is the minimum of (a) the requested till time or (b)
         * the start time plus maximum lifetime as configured in policy.
         */
        long endTime = Math.min( till, startTime.getTime() + config.getMaximumTicketLifetime() );
        KerberosTime kerberosEndTime = new KerberosTime( endTime );
        encTicketPart.setEndTime( kerberosEndTime );


        /*
         * "If the requested expiration time minus the starttime (as determined
         * above) is less than a site-determined minimum lifetime, an error
         * message with code KDC_ERR_NEVER_VALID is returned."
         */
        if ( kerberosEndTime.lessThan( startTime ) )
        {
            throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
        }


        long ticketLifeTime = Math.abs( startTime.getTime() - kerberosEndTime.getTime() );


        if ( ticketLifeTime < config.getAllowableClockSkew() )
        {
            throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
        }


        /*
         * "If the requested expiration time for the ticket exceeds what was determined
         * as above, and if the 'RENEWABLE-OK' option was requested, then the 'RENEWABLE'
         * flag is set in the new ticket, and the renew-till value is set as if the
         * 'RENEWABLE' option were requested."
         */
        KerberosTime tempRtime = request.getKdcReqBody().getRTime();


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEWABLE_OK )
            && request.getKdcReqBody().getTill().greaterThan( kerberosEndTime ) )
        {
            if ( !config.isRenewableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            request.getKdcReqBody().getKdcOptions().set( KdcOptions.RENEWABLE );
            tempRtime = request.getKdcReqBody().getTill();
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEWABLE ) )
        {
            if ( !config.isRenewableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            ticketFlags.setFlag( TicketFlag.RENEWABLE );


            if ( tempRtime == null || tempRtime.isZero() )
            {
                tempRtime = KerberosTime.INFINITY;
            }


            /*
             * The renew-till time is the minimum of (a) the requested renew-till
             * time or (b) the start time plus maximum renewable lifetime as
             * configured in policy.
             */
            long renewTill = Math.min( tempRtime.getTime(), startTime.getTime() + config.getMaximumRenewableLifetime() );
            encTicketPart.setRenewTill( new KerberosTime( renewTill ) );
        }


        if ( request.getKdcReqBody().getAddresses() != null
            && request.getKdcReqBody().getAddresses().getAddresses() != null
            && request.getKdcReqBody().getAddresses().getAddresses().length > 0 )
        {
            encTicketPart.setClientAddresses( request.getKdcReqBody().getAddresses() );
        }
        else
        {
            if ( !config.isEmptyAddressesAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }
        }

View Full Code Here

0 1 2 3 4 5 6 7 8 9

TOP

Related Classes of org.apache.directory.server.kerberos.kdc.KdcServer

io.undertow.server.security.KerberosKDCUtil

net.sf.ehcache.Cache

org.apache.directory.api.ldap.model.name.Dn

org.apache.directory.server.config.builder.ServiceBuilder

org.apache.directory.server.config.ConfigPartitionReader

org.apache.directory.server.config.ServiceBuilder

org.apache.directory.server.core.integ.FrameworkRunner

org.apache.directory.server.factory.CreateKdcServerAnnotationTest

org.apache.directory.server.factory.ServerAnnotationProcessor

org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.