From: erodriguez@apache.org To: directory-cvs@incubator.apache.org Subject: svn commit: rev 56161 - in incubator/directory/kerberos/trunk/source/main/org/apache/kerberos: kdc/jaas kdc/store util X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Author: erodriguez Date: Sun Oct 31 13:57:38 2004 New Revision: 56161 Added: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcLoginModule.java incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/util/CallbackHandlerBean.java - copied, changed from rev 55216, incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java Removed: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcSubject.java incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcSubjectLogin.java Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java Log: Added custom LoginModule for KDC to obtain initial TGT for secure SASL-GSSAPI connection to LDAP servers. Added: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcLoginModule.java ============================================================================== --- (empty file) +++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/KdcLoginModule.java Sun Oct 31 13:57:38 2004 
@@ -0,0 +1,159 @@
+/*
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.jaas;
+
+import sun.security.krb5.*;
+
+import java.io.*;
+import java.util.*;
+
+import javax.security.auth.*;
+import javax.security.auth.callback.*;
+import javax.security.auth.kerberos.*;
+import javax.security.auth.login.*;
+import javax.security.auth.spi.*;
+
+public class KdcLoginModule implements LoginModule {
+
+ private Subject _subject;
+
+ // the authentication status
+ private boolean succeeded = false;
+ private boolean commitSucceeded = false;
+
+ private Credentials credential;
+ private KerberosTicket ticketGrantingTicket;
+
+ public void initialize(Subject subject, CallbackHandler notNeeded, Map ignored, Map notUsed) {
+ _subject = subject;
+ }
+
+ public boolean login() throws LoginException {
+ try {
+ attemptAuthentication();
+ succeeded = true;
+ return true;
+ } catch (LoginException le) {
+ succeeded = false;
+ throw le;
+ }
+ }
+
+ private void attemptAuthentication() throws LoginException {
+ try {
+ // TODO - iterate looking for KDC principal from configuration
+ Iterator it = _subject.getPrincipals(KerberosPrincipal.class).iterator();
+ KerberosPrincipal kerberosPrincipal = (KerberosPrincipal)it.next();
+ PrincipalName principalName = new PrincipalName(kerberosPrincipal.getName(),
+ PrincipalName.KRB_NT_PRINCIPAL);
+
+ // TODO - iterate looking for KDC principal's key from configuration
+ it = _subject.getPrivateCredentials(KerberosKey.class).iterator();
+ KerberosKey key = (KerberosKey)it.next();
+ EncryptionKey encKey = new EncryptionKey(key.getEncoded());
+
+ credential = Credentials.acquireTGT(principalName, encKey);
+
+ if (credential == null) {
+ throw new LoginException("TGT was not retrieved from KDC");
+ }
+
+ } catch (KrbException ke) {
+ LoginException le = new LoginException(ke.getMessage());
+ le.initCause(ke);
+ throw le;
+ } catch (IOException ioe) {
+ LoginException le = new LoginException(ioe.getMessage());
+ le.initCause(ioe);
+ throw le;
+ }
+ }
+
+ public boolean commit() throws LoginException {
+
+ if (succeeded == false) {
+ return false;
+ }
+
+ Set privateCredentials = _subject.getPrivateCredentials();
+
+ if (credential == null) {
+ succeeded = false;
+ throw new LoginException("TGT was not retrieved from KDC");
+ }
+
+ EncryptionKey sessionKey = credential.getSessionKey();
+ ticketGrantingTicket = new KerberosTicket(credential.getEncoded(), new KerberosPrincipal(
+ credential.getClient().getName()), new KerberosPrincipal(credential.getServer().getName()),
+ sessionKey.getBytes(), sessionKey.getEType(), credential.getFlags(),
+ credential.getAuthTime(), credential.getStartTime(), credential.getEndTime(),
+ credential.getRenewTill(), credential.getClientAddresses());
+
+ if (!privateCredentials.contains(ticketGrantingTicket)) {
+ privateCredentials.add(ticketGrantingTicket);
+ }
+
+ commitSucceeded = true;
+ return true;
+ }
+
+ public boolean abort() throws LoginException {
+ if (succeeded == false) {
+ return false;
+ } else if (succeeded == true && commitSucceeded == false) {
+ // login succeeded but overall authentication failed
+ succeeded = false;
+ try {
+ if (ticketGrantingTicket != null) {
+ ticketGrantingTicket.destroy();
+ }
+ } catch (DestroyFailedException e) {
+ throw new LoginException("Destroy failed on Kerberos private credentials");
+ }
+ ticketGrantingTicket = null;
+ } else {
logout();
+ }
+ return true;
+ }
+
+ public boolean logout() throws LoginException {
+
+ // remove all Kerberos credentials stored in the Subject
+ Iterator it = _subject.getPrivateCredentials().iterator();
+ while (it.hasNext()) {
+ Object o = it.next();
+ if (o instanceof KerberosTicket || o instanceof KerberosKey) {
+ it.remove();
+ }
+ }
+
+ try {
+ if (ticketGrantingTicket != null) {
+ ticketGrantingTicket.destroy();
+ }
+ } catch (DestroyFailedException e) {
+ throw new LoginException("Destroy failed on Kerberos private credentials");
+ }
+
+ ticketGrantingTicket = null;
+ succeeded = false;
+ commitSucceeded = false;
+ return true;
+ }
+}
+
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/Krb5Configuration.java Sun Oct 31 13:57:38 2004
@@ -27,12 +27,9 @@
 public Krb5Configuration() {
- String loginModule = "com.sun.security.auth.module.Krb5LoginModule";
+ String loginModule = "org.apache.kerberos.kdc.jaas.KdcLoginModule";
 LoginModuleControlFlag flag = LoginModuleControlFlag.REQUIRED;
- Map options = new HashMap();
- options.put("storeKey", "true");
-
- _configList[0] = new AppConfigurationEntry(loginModule, flag, options);
+ _configList[0] = new AppConfigurationEntry(loginModule, flag, new HashMap());
 }
 /**
Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/store/LdapStore.java Sun Oct 31 13:57:38 2004
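Review bot: attemptAuthentication() calls `it.next()` on both iterators without checking `hasNext()`, so a Subject that carries no KerberosPrincipal or no KerberosKey fails with a NoSuchElementException that login() does not translate (it catches only LoginException), and the JAAS stack sees a runtime error instead of a failed login. Guard each lookup, e.g. `if (!it.hasNext()) { throw new LoginException("no KerberosPrincipal in Subject"); }` and the equivalent for the key. In abort() and logout() only `ticketGrantingTicket` is destroyed; the `credential` field, whose session key is read via getSessionKey() in commit(), keeps its reference, so add `credential = null;` next to `ticketGrantingTicket = null;` in both methods. The two `catch (DestroyFailedException e)` blocks also drop the cause, unlike the KrbException/IOException handlers above them; call `le.initCause(e)` there as well. The class further depends on `sun.security.krb5.*`, a JDK-internal package, which deserves a class-level comment stating that the module is tied to that implementation.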
@@ -25,6 +25,7 @@
 import javax.naming.directory.*;
 import javax.security.auth.*;
 import javax.security.auth.kerberos.*;
+import javax.security.auth.login.*;
 public class LdapStore implements PrincipalStore {
@@ -45,14 +46,20 @@
 private Subject _subject;
 public LdapStore(KdcConfiguration config) {
- _config = config;
+ _config = config;
+ _subject = _config.getKdcSubject();
 }
 public void init() {
- if (_subject == null) {
- KdcSubject subjectLogin = new KdcSubjectLogin(_config.getKdcPrincipal(),
- _config.getKdcPassPhrase());
- _subject = subjectLogin.getSubject();
+
+ Configuration.setConfiguration(new Krb5Configuration());
+
+ LoginContext lc = null;
+ try {
+ lc = new LoginContext(LdapStore.class.getName(), _subject);
+ lc.login();
+ } catch (LoginException le) {
+ System.err.println("Authentication attempt failed" + le);
 }
 }
Copied: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/util/CallbackHandlerBean.java (from rev 55216, incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java)
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/jaas/CallbackHandlerBean.java (original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/util/CallbackHandlerBean.java Sun Oct 31 13:57:38 2004
@@ -14,7 +14,7 @@
 * limitations under the License.
 *
 */
-package org.apache.kerberos.kdc.jaas;
+package org.apache.kerberos.util;
 import java.io.*;
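Review bot: init() in the second LdapStore hunk swallows the LoginException and only prints it to stderr, so a failed KDC login leaves the store initialized with an unauthenticated Subject and the failure surfaces later, if at all, in the LDAP calls instead of at startup. Rethrow it, e.g. `throw new IllegalStateException("Authentication attempt failed", le);`, or declare `throws LoginException` if the PrincipalStore interface (not visible here) permits it; the message is also missing a separator before `le`. `Configuration.setConfiguration(new Krb5Configuration())` replaces the process-wide JAAS configuration on every init() call, which presumably overrides whatever the hosting application installed — worth a comment stating that this is intended, or a guard so it is installed once. `LoginContext lc = null;` can be declared inside the try, since it is not used after it.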