directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: rev 56334 - incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc
Date Tue, 02 Nov 2004 03:04:33 GMT
Author: erodriguez
Date: Mon Nov  1 19:04:33 2004
New Revision: 56334

Modified:
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
   incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Updated dispatcher, AS, and TGS services to properly return error messages to clients.

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
Mon Nov  1 19:04:33 2004
@@ -44,27 +44,29 @@
 	public AuthenticationReply getReplyFor(KdcRequest request) throws KerberosException {
 		
 		KerberosPrincipal clientPrincipal = request.getClientPrincipal();
-		
-		System.out.println("Client:  " + clientPrincipal.toString());
-		PrincipalStoreEntry clientEntry = _bootstrap.getEntry(clientPrincipal);
 		EncryptionKey clientKey;
-		if (clientEntry != null) {
-			clientKey = clientEntry.getEncryptionKey();
-		} else {
-			System.out.println("Going to look up client");
-			clientKey = _store.getEntry(clientPrincipal).getEncryptionKey();
+		try {
+			PrincipalStoreEntry clientEntry = _bootstrap.getEntry(clientPrincipal);
+			if (clientEntry != null) {
+				clientKey = clientEntry.getEncryptionKey();
+			} else {
+				clientKey = _store.getEntry(clientPrincipal).getEncryptionKey();
+			}
+		} catch (Exception e) {
+			throw KerberosException.KDC_ERR_C_PRINCIPAL_UNKNOWN;
 		}
 		
 		KerberosPrincipal serverPrincipal = request.getServerPrincipal();
-		
-		System.out.println("Server:  " + serverPrincipal.toString());
-		PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
 		EncryptionKey serverKey;
-		if (serverEntry != null) {
-			serverKey = serverEntry.getEncryptionKey();
-		} else {
-			System.out.println("Going to look up client");
-			serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
+		try {
+			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
+			if (serverEntry != null) {
+				serverKey = serverEntry.getEncryptionKey();
+			} else {
+				serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
+			}
+		} catch (Exception e) {
+			throw KerberosException.KDC_ERR_S_PRINCIPAL_UNKNOWN;
 		}
 		
 		verifyPreAuthentication(request, clientPrincipal);

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
Mon Nov  1 19:04:33 2004
@@ -34,8 +34,9 @@
 	
 	private ReplayCache _replay = new InMemoryReplayCache();
 	
-	private KdcRequestDecoder _decoder = new KdcRequestDecoder();
-	private KdcReplyEncoder   _encoder = new KdcReplyEncoder();
+	private KdcRequestDecoder _decoder        = new KdcRequestDecoder();
+	private KdcReplyEncoder   _encoder        = new KdcReplyEncoder();
+	private ErrorMessageEncoder _errorEncoder = new ErrorMessageEncoder();
 	
 	private PrincipalStore   _bootstrap;
 	private CryptoService    _cryptoService;
@@ -44,6 +45,7 @@
 	
 	private AuthenticationService _authService;
 	private TicketGrantingService _tgsService;
+	private ErrorService          _errorService;
 	
 	public KdcDispatcher(KdcConfiguration config, BootstrapStore bootstrap, PrincipalStore store)
{
 		_config    = config;
@@ -51,48 +53,51 @@
 		_store     = store;
 		
 		_cryptoService = new CryptoService(_config);
+		_errorService  = new ErrorService(_config);
 		_authService   = new AuthenticationService(_store, _bootstrap, _cryptoService, _config);
 		_tgsService    = new TicketGrantingService(_store, _bootstrap, _cryptoService, _config,
_replay);
 	}
 	
-	public byte[] dispatch(byte[] requestBytes) throws IOException, KerberosException {
+	public byte[] dispatch(byte[] requestBytes) throws IOException {
 		
 		ByteArrayInputStream  input  = new ByteArrayInputStream(requestBytes);
 		ByteArrayOutputStream output = new ByteArrayOutputStream();
 		
-		KdcRequest request = _decoder.decode(input);
-
-		byte messageType = requestBytes[0];
-		
-		switch (messageType) {
-			
-			case AS_REQ:
-				// generate the reply
-				AuthenticationReply authReply = _authService.getReplyFor(request);
-				// ASN1 encode the reply
-				_encoder.encode(authReply, output);
-	    		
-				break;
+		try {
+			KdcRequest request = _decoder.decode(input);
+	
+			byte messageType = requestBytes[0];
 			
-			case TGS_REQ:
-				// generate the reply
-				TicketGrantReply ticketReply = _tgsService.getReplyFor(request);
-				// ASN1 encode the reply
-				_encoder.encode(ticketReply, output);
+			switch (messageType) {
 				
-	    		break;
-	    		
-	    	case AS_REP:
-	    	case TGS_REP:
-	    		throw new IOException("We should not be receiving reply messages");
-	    		
-			default:
-				System.out.println("Message received with tag " + messageType);
+				case AS_REQ:
+					// generate the reply
+					AuthenticationReply authReply = _authService.getReplyFor(request);
+					// ASN1 encode the reply
+					_encoder.encode(authReply, output);
+					break;
+				
+				case TGS_REQ:
+					// generate the reply
+					TicketGrantReply ticketReply = _tgsService.getReplyFor(request);
+					// ASN1 encode the reply
+					_encoder.encode(ticketReply, output);
+		    		break;
+		    		
+		    	case AS_REP:
+		    	case TGS_REP:
+		    		throw KerberosException.KRB_AP_ERR_BADDIRECTION;
+		    		
+				default:
+					throw KerberosException.KRB_AP_ERR_MSG_TYPE;
+			}
+		} catch (KerberosException ke) {
+			System.out.println("Returning error message:  " + ke.getMessage());
+			ErrorMessage errorMessage = _errorService.getReplyFor(ke);
+			_errorEncoder.encode(errorMessage, output);
 		}
 		
-		byte[] replyBytes = output.toByteArray();
-		
-		return replyBytes;
+		return output.toByteArray();
 	}
 }
 

Modified: incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
--- incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++ incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Mon Nov  1 19:04:33 2004
@@ -55,8 +55,6 @@
 	
 	public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException
{
 		
-		System.out.println("Got request for " + request.getServerPrincipal());
-		
 		ApplicationRequest authHeader = getAuthHeader(request);
 		
 		Ticket tgt = authHeader.getTicket();
@@ -76,22 +74,15 @@
 		TicketGrantReply reply = getReply(tgt, newTicket, sessionKey, request);
 		
 		if (authenticator.getSubSessionKey() != null) {
-			System.out.println("Using authenticator sub session key.");
 			EncryptionKey subKey = authenticator.getSubSessionKey();
 			encryptReplyPart(reply, subKey);
 		} else {
-			System.out.println("Using session key.");
 			encryptReplyPart(reply, tgt.getSessionKey());
 		}
 		
 		return reply;
 	}
 	
-	/* 
-	 * Reading the application request requires first determining the server
-	 * for which a ticket was issued, and choosing the correct key for decryption.
-	 * The name of the server appears in the plaintext part of the ticket.
-	 */
 	private ApplicationRequest getAuthHeader(KdcRequest request) throws KerberosException, IOException
{
 		
 		if (request.getPaData()[0].getDataType() != PreAuthenticationDataType.PA_TGS_REQ)
@@ -125,7 +116,6 @@
 			if (serverEntry != null) {
 				serverKey = serverEntry.getEncryptionKey();
 			} else {
-				System.out.println("Going to look up client");
 				serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
 			}
 		}
@@ -194,17 +184,11 @@
 		return authenticator;
 	}
 	
-	/* 
-	 * Note that the realm in which the Kerberos server is operating is determined by
-	 * the instance from the ticket-granting ticket.  The realm in the ticket-granting
-	 * ticket is the realm under which the ticket granting ticket was issued.  It is
-	 * possible for a single Kerberos server to support more than one realm.
-	 */
 	private void verifyTicket(ApplicationRequest authHeader, KdcRequest request)
 			throws KerberosException {
 		
 		Ticket tgt = authHeader.getTicket();
-		if (!tgt.getRealm().toString().equals(_config.getPrimaryRealm()) &&
+		if (!tgt.getRealm().equals(_config.getPrimaryRealm()) &&
 				!tgt.getServerPrincipal().equals(request.getServerPrincipal()))
 			throw KerberosException.KRB_AP_ERR_NOT_US;
 	}
@@ -251,16 +235,14 @@
 		// TODO - allow lookup with realm
 		try {
 			KerberosPrincipal serverPrincipal = request.getServerPrincipal();
-			System.out.println(serverPrincipal.getName());
 			PrincipalStoreEntry serverEntry = _bootstrap.getEntry(serverPrincipal);
 			if (serverEntry != null) {
 				serverKey = serverEntry.getEncryptionKey();
 			} else {
-				System.out.println("Going to look up client");
 				serverKey = _store.getEntry(serverPrincipal).getEncryptionKey();
 			}
 			
-		} catch (KerberosException ke) {
+		} catch (Exception e) {
 			/*
 			if (!server) then
 			        if (is_foreign_tgt_name(server)) then

Mime
View raw message