directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r224383 - /directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Date Fri, 22 Jul 2005 19:05:16 GMT
Author: akarasulu
Date: Fri Jul 22 12:05:12 2005
New Revision: 224383

URL: http://svn.apache.org/viewcvs?rev=224383&view=rev
Log:
adding more log statements for debugging

Modified:
    directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java

Modified: directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java?rev=224383&r1=224382&r2=224383&view=diff
==============================================================================
--- directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++ directory/protocol-providers/kerberos/trunk/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Fri Jul 22 12:05:12 2005
@@ -25,18 +25,14 @@
 import javax.security.auth.kerberos.KerberosPrincipal;
 
 import org.apache.kerberos.crypto.RandomKey;
-import org.apache.kerberos.crypto.checksum.ChecksumEngine;
-import org.apache.kerberos.crypto.checksum.RsaMd5Checksum;
 import org.apache.kerberos.crypto.encryption.EncryptionEngine;
 import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
-import org.apache.kerberos.crypto.encryption.EncryptionType;
 import org.apache.kerberos.exceptions.ErrorType;
 import org.apache.kerberos.exceptions.KerberosException;
 import org.apache.kerberos.io.decoder.ApplicationRequestDecoder;
 import org.apache.kerberos.io.decoder.AuthorizationDataDecoder;
 import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder;
 import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
-import org.apache.kerberos.io.encoder.KdcReqBodyEncoder;
 import org.apache.kerberos.messages.ApplicationRequest;
 import org.apache.kerberos.messages.KdcRequest;
 import org.apache.kerberos.messages.TicketGrantReply;
@@ -45,7 +41,6 @@
 import org.apache.kerberos.messages.components.EncTicketPartModifier;
 import org.apache.kerberos.messages.components.Ticket;
 import org.apache.kerberos.messages.value.AuthorizationData;
-import org.apache.kerberos.messages.value.Checksum;
 import org.apache.kerberos.messages.value.EncryptedData;
 import org.apache.kerberos.messages.value.EncryptionKey;
 import org.apache.kerberos.messages.value.KdcOptions;
@@ -56,486 +51,506 @@
 import org.apache.kerberos.service.KdcConfiguration;
 import org.apache.kerberos.service.KerberosService;
 import org.apache.kerberos.store.PrincipalStore;
+import org.apache.commons.logging.LogFactory;
+import org.apache.commons.logging.Log;
 
 /**
  * RFC 1510 A.6.  KRB_TGS_REQ verification and KRB_TGS_REP generation
  */
 public class TicketGrantingService extends KerberosService
 {
-	public TicketGrantingService( KdcConfiguration config, PrincipalStore store )
+    private static final Log log = LogFactory.getLog( TicketGrantingService.class );
+
+    public TicketGrantingService( KdcConfiguration config, PrincipalStore store )
     {
         super( config, store );
-	}
-	
-	public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException
-	{
-		ApplicationRequest authHeader = getAuthHeader( request );
-		
-		Ticket tgt = authHeader.getTicket();
-		
-		Authenticator authenticator = verifyAuthHeader( authHeader, tgt );
-		
-		verifyTicket( tgt, request.getServerPrincipal() );
-		
-		/*
-		verifyBodyChecksum( authenticator.getChecksum(), request );
-		*/
-		
-		EncryptionKey sessionKey = new RandomKey().getNewSessionKey();
-		
-		EncryptionType eType = getBestEncryptionType( request.getEType() );
-		
-		Ticket newTicket = getNewTicket( request, tgt, sessionKey, authenticator );
-		
-		TicketGrantReply reply = getReply( tgt, newTicket, sessionKey, request );
-		
-		if ( authenticator.getSubSessionKey() != null )
-		{
-			EncryptionKey subKey = authenticator.getSubSessionKey();
-			encryptReplyPart( reply, subKey );
-		}
-		else
-		{
-			encryptReplyPart( reply, tgt.getSessionKey() );
-		}
-		
-		return reply;
-	}
-	
-	private ApplicationRequest getAuthHeader( KdcRequest request )
-			throws KerberosException, IOException
-	{
-		if ( request.getPreAuthData()[0].getDataType() != PreAuthenticationDataType.PA_TGS_REQ
)
-		{
-			throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
-		}
-		
-		byte[] undecodedAuthHeader = request.getPreAuthData()[0].getDataValue();
-		ApplicationRequestDecoder decoder = new ApplicationRequestDecoder();
-		ApplicationRequest authHeader = decoder.decode( undecodedAuthHeader );
-		
-		return authHeader;
-	}
-
-	// TODO - configurable checksum
-	private void verifyBodyChecksum( Checksum authChecksum, KdcRequest request )
-			throws KerberosException
-	{
-		if ( authChecksum == null )
-		{
-			throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
-		}
-		
-		/*
-		if (auth_hdr.authenticator.cksum type is not supported) then
-        	error_out(KDC_ERR_SUMTYPE_NOSUPP);
-		endif
-		*/
-
-		/*
-		if (auth_hdr.authenticator.cksum is not both collision-proof and keyed)  then
-			error_out(KRB_AP_ERR_INAPP_CKSUM);
-		endif
-		*/
-		
-		KdcReqBodyEncoder encoder = new KdcReqBodyEncoder();
-		byte[] bytes = null;
-		try
-		{
-			bytes = encoder.encode( request );
-		}
-		catch (IOException ioe)
-		{
-			ioe.printStackTrace();
-		}
-		
-		ChecksumEngine digester = new RsaMd5Checksum();
-		Checksum newChecksum = new Checksum( digester.checksumType(), digester.calculateChecksum(
bytes ) );
-		
-		boolean equal = newChecksum.equals( authChecksum );
-		
-		if ( !equal )
-		{
-			throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
-		}
-	}
-	
-	private Ticket getNewTicket( KdcRequest request, Ticket tgt, EncryptionKey sessionKey,
-			Authenticator authenticator ) throws KerberosException
-	{
-		KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
-
-		EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
-		
-		newTicketBody.setClientAddresses( tgt.getClientAddresses() );
-		
-		processFlags( request, tgt, newTicketBody );
-		
-		newTicketBody.setSessionKey( sessionKey );
-		newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
-		
-		AuthorizationData authData = processAuthorizationData( request, authenticator, tgt );
-		newTicketBody.setAuthorizationData( authData );
-		
-		processTransited( newTicketBody, tgt );
-		
-		processTimes( request, newTicketBody, tgt );
-		
-		EncryptionKey serverKey = getServerKey( request.getServerPrincipal() );
-		
-		EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
-		
-		EncryptedData encryptedData = encryptTicketPart( ticketPart, serverKey, request );
-		
-		Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
-		newTicket.setEncTicketPart( ticketPart );
-		
-		return newTicket;
-	}
-	
-	private void processFlags( KdcRequest request, Ticket tgt, EncTicketPartModifier newTicketBody
) 
-			throws KerberosException
-	{
-		if ( request.getOption( KdcOptions.FORWARDABLE ) )
-		{
-			if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
-			{
-				throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-			}
-			
-			newTicketBody.setFlag( TicketFlags.FORWARDABLE );
-		}
-
-		if ( request.getOption( KdcOptions.FORWARDED ) )
-		{
-			if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
-			{
-				throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-			}
-			newTicketBody.setFlag( TicketFlags.FORWARDED );
-			newTicketBody.setClientAddresses( request.getAddresses() );
-			// reply.setClientAddresses(request.getClientAddresses()); moved to getReply
-		}
-		
-		if ( tgt.getFlag( TicketFlags.FORWARDED ) )
-		{
-			newTicketBody.setFlag(TicketFlags.FORWARDED);
-		}
-
-		if ( request.getOption( KdcOptions.PROXIABLE ) )
-		{
-			if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
-			{
-				throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-			}
-			
-			newTicketBody.setFlag( TicketFlags.PROXIABLE );
-		}
-		
-		if ( request.getOption( KdcOptions.PROXY ) )
-		{
-			if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
-			{
-				throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-			}
-			
-			newTicketBody.setFlag( TicketFlags.PROXY );
-			newTicketBody.setClientAddresses( request.getAddresses() );
-			// reply.setClientAddresses(request.getClientAddresses()); moved to getReply
-		}
-		
-		if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
-		{
-			if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
-			{
-				throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-			}
-			
-			newTicketBody.setFlag( TicketFlags.MAY_POSTDATE );
-		}
-		
-		if ( request.getOption( KdcOptions.POSTDATED ) )
-		{
-			if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
-			{
-				throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-			}
-			
-			newTicketBody.setFlag( TicketFlags.POSTDATED );
-			newTicketBody.setFlag( TicketFlags.INVALID );
-			
-			if ( !config.isPostdateAllowed() )
-			{
-				throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-			}
-			
-			newTicketBody.setStartTime( request.getFrom() );
-		}
-
-		if ( request.getOption( KdcOptions.VALIDATE ) )
-		{
-			if ( !tgt.getFlag( TicketFlags.INVALID ) )
-			{
-				throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-			}
-			
-			if ( tgt.getStartTime().greaterThan( new KerberosTime() ) )
-			{
-				throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
-			}
-			
-			/*
-	        if (check_hot_list(tgt)) then
-            	error_out(KRB_AP_ERR_REPEAT);
-	        endif
-	        */
-			
-			echoTicket( newTicketBody, tgt );
-			newTicketBody.clearFlag( TicketFlags.INVALID );
-		}
-
-		if ( request.getOption( KdcOptions.RESERVED ) ||
-				request.getOption( KdcOptions.RENEWABLE_OK ) )
-		{
-				throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-		}
-	}
-	
-	private void processTimes( KdcRequest request, EncTicketPartModifier newTicketBody, Ticket
tgt )
-			throws KerberosException
-	{
-		KerberosTime now = new KerberosTime();
-		
-		newTicketBody.setAuthTime( tgt.getAuthTime() );
-		
-		KerberosTime renewalTime = null;
-		
-		if ( request.getOption( KdcOptions.RENEW ) )
-        {
-			if ( !tgt.getFlag( TicketFlags.RENEWABLE ) )
-			{
-				throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-			}
-			
-			if ( tgt.getRenewTill().greaterThan( now ) )
-			{
-				throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
-			}
+    }
+
+    public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException
+    {
+        if ( log.isDebugEnabled() )
+        {
+            log.debug( "Responding to authentication request:"
+                    + "\n\trealm:                 " + request.getRealm()
+                    + "\n\tserverPrincipal:       " + request.getServerPrincipal()
+                    + "\n\tclientPrincipal:       " + request.getClientPrincipal()
+                    + "\n\thostAddresses:         " + request.getAddresses()
+                    + "\n\tencryptionType:        " + request.getEType()
+                    + "\n\tfrom krb time:         " + request.getFrom()
+                    + "\n\trealm krb time:        " + request.getRtime()
+                    + "\n\tkdcOptions:            " + request.getKdcOptions()
+                    + "\n\tmessageType:           " + request.getMessageType()
+                    + "\n\tnonce:                 " + request.getNonce()
+                    + "\n\tprotocolVersionNumber: " + request.getProtocolVersionNumber()
+                    + "\n\ttill:                  " + request.getTill()
+                     );
+        }
+
+        ApplicationRequest authHeader = getAuthHeader( request );
+
+        Ticket tgt = authHeader.getTicket();
+
+        Authenticator authenticator = verifyAuthHeader( authHeader, tgt );
+
+        verifyTicket( tgt, request.getServerPrincipal() );
+
+        /*
+        verifyBodyChecksum( authenticator.getChecksum(), request );
+        */
+
+        EncryptionKey sessionKey = new RandomKey().getNewSessionKey();
+
+        Ticket newTicket = getNewTicket( request, tgt, sessionKey, authenticator );
+
+        TicketGrantReply reply = getReply( tgt, newTicket, sessionKey, request );
+
+        if ( authenticator.getSubSessionKey() != null )
+        {
+            EncryptionKey subKey = authenticator.getSubSessionKey();
+            encryptReplyPart( reply, subKey );
+        }
+        else
+        {
+            encryptReplyPart( reply, tgt.getSessionKey() );
+        }
+
+        return reply;
+    }
+
+    private ApplicationRequest getAuthHeader( KdcRequest request )
+            throws KerberosException, IOException
+    {
+        if ( request.getPreAuthData()[0].getDataType() != PreAuthenticationDataType.PA_TGS_REQ
)
+        {
+            throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
+        }
+
+        byte[] undecodedAuthHeader = request.getPreAuthData()[0].getDataValue();
+        ApplicationRequestDecoder decoder = new ApplicationRequestDecoder();
+        ApplicationRequest authHeader = decoder.decode( undecodedAuthHeader );
+
+        return authHeader;
+    }
+
+    // TODO - configurable checksum
+//    private void verifyBodyChecksum( Checksum authChecksum, KdcRequest request )
+//            throws KerberosException
+//    {
+//        if ( authChecksum == null )
+//        {
+//            throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
+//        }
+//
+//        /*
+//        if (auth_hdr.authenticator.cksum type is not supported) then
+//            error_out(KDC_ERR_SUMTYPE_NOSUPP);
+//        endif
+//        */
+//
+//        /*
+//        if (auth_hdr.authenticator.cksum is not both collision-proof and keyed)  then
+//            error_out(KRB_AP_ERR_INAPP_CKSUM);
+//        endif
+//        */
+//
+//        KdcReqBodyEncoder encoder = new KdcReqBodyEncoder();
+//        byte[] bytes = null;
+//        try
+//        {
+//            bytes = encoder.encode( request );
+//        }
+//        catch (IOException ioe)
+//        {
+//            ioe.printStackTrace();
+//        }
+//
+//        ChecksumEngine digester = new RsaMd5Checksum();
+//        Checksum newChecksum = new Checksum( digester.checksumType(), digester.calculateChecksum(
bytes ) );
+//
+//        boolean equal = newChecksum.equals( authChecksum );
+//
+//        if ( !equal )
+//        {
+//            throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
+//        }
+//    }
+
+    private Ticket getNewTicket( KdcRequest request, Ticket tgt, EncryptionKey sessionKey,
+            Authenticator authenticator ) throws KerberosException
+    {
+        KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
+
+        EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+
+        newTicketBody.setClientAddresses( tgt.getClientAddresses() );
+
+        processFlags( request, tgt, newTicketBody );
+
+        newTicketBody.setSessionKey( sessionKey );
+        newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
+
+        AuthorizationData authData = processAuthorizationData( request, authenticator, tgt
);
+        newTicketBody.setAuthorizationData( authData );
+
+        processTransited( newTicketBody, tgt );
+
+        processTimes( request, newTicketBody, tgt );
+
+        EncryptionKey serverKey = getServerKey( request.getServerPrincipal() );
+
+        EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+
+        EncryptedData encryptedData = encryptTicketPart( ticketPart, serverKey, request );
+
+        Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
+        newTicket.setEncTicketPart( ticketPart );
+
+        return newTicket;
+    }
+
+    private void processFlags( KdcRequest request, Ticket tgt, EncTicketPartModifier newTicketBody
)
+            throws KerberosException
+    {
+        if ( request.getOption( KdcOptions.FORWARDABLE ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.FORWARDABLE );
+        }
+
+        if ( request.getOption( KdcOptions.FORWARDED ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+            newTicketBody.setFlag( TicketFlags.FORWARDED );
+            newTicketBody.setClientAddresses( request.getAddresses() );
+            // reply.setClientAddresses(request.getClientAddresses()); moved to getReply
+        }
+
+        if ( tgt.getFlag( TicketFlags.FORWARDED ) )
+        {
+            newTicketBody.setFlag(TicketFlags.FORWARDED);
+        }
+
+        if ( request.getOption( KdcOptions.PROXIABLE ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.PROXIABLE );
+        }
+
+        if ( request.getOption( KdcOptions.PROXY ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.PROXY );
+            newTicketBody.setClientAddresses( request.getAddresses() );
+            // reply.setClientAddresses(request.getClientAddresses()); moved to getReply
+        }
+
+        if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.MAY_POSTDATE );
+        }
+
+        if ( request.getOption( KdcOptions.POSTDATED ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.POSTDATED );
+            newTicketBody.setFlag( TicketFlags.INVALID );
+
+            if ( !config.isPostdateAllowed() )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+            }
+
+            newTicketBody.setStartTime( request.getFrom() );
+        }
+
+        if ( request.getOption( KdcOptions.VALIDATE ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.INVALID ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+            }
+
+            if ( tgt.getStartTime().greaterThan( new KerberosTime() ) )
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
+            }
+
+            /*
+            if (check_hot_list(tgt)) then
+                error_out(KRB_AP_ERR_REPEAT);
+            endif
+            */
 
             echoTicket( newTicketBody, tgt );
+            newTicketBody.clearFlag( TicketFlags.INVALID );
+        }
+
+        if ( request.getOption( KdcOptions.RESERVED ) ||
+                request.getOption( KdcOptions.RENEWABLE_OK ) )
+        {
+            throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+        }
+    }
+
+    private void processTimes( KdcRequest request, EncTicketPartModifier newTicketBody, Ticket
tgt )
+            throws KerberosException
+    {
+        KerberosTime now = new KerberosTime();
+
+        newTicketBody.setAuthTime( tgt.getAuthTime() );
+
+        KerberosTime renewalTime = null;
+
+        if ( request.getOption( KdcOptions.RENEW ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.RENEWABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            if ( tgt.getRenewTill().greaterThan( now ) )
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
+            }
 
+            echoTicket( newTicketBody, tgt );
+
+            newTicketBody.setStartTime( now );
+            long oldLife = tgt.getEndTime().getTime() - tgt.getStartTime().getTime();
+            newTicketBody.setEndTime( new KerberosTime( Math.min( tgt.getRenewTill().getTime(),
now.getTime() + oldLife ) ) );
+        }
+        else
+        {
             newTicketBody.setStartTime( now );
-			long oldLife = tgt.getEndTime().getTime() - tgt.getStartTime().getTime();
-			newTicketBody.setEndTime( new KerberosTime( Math.min( tgt.getRenewTill().getTime(), now.getTime()
+ oldLife ) ) );
-		}
-		else
-		{
-			newTicketBody.setStartTime( now );
-			KerberosTime till;
-			if ( request.getTill().isZero() )
-			{
-				till = KerberosTime.INFINITY;
-			}
-			else
-			{
-				till = request.getTill();
-			}
-			
-			// TODO - config; requires store
-			/*
+            KerberosTime till;
+            if ( request.getTill().isZero() )
+            {
+                till = KerberosTime.INFINITY;
+            }
+            else
+            {
+                till = request.getTill();
+            }
+
+            // TODO - config; requires store
+            /*
             new_tkt.starttime+client.max_life,
             new_tkt.starttime+server.max_life,
             */
-			List minimizer = new ArrayList();
-			minimizer.add( till );
-			minimizer.add( new KerberosTime( now.getTime() + config.getMaximumTicketLifetime() ) );
-			minimizer.add( tgt.getEndTime() );
-			KerberosTime minTime = (KerberosTime)Collections.min( minimizer );
-			newTicketBody.setEndTime( minTime );
-			
-			if ( request.getOption( KdcOptions.RENEWABLE_OK ) &&
-					minTime.lessThan( request.getTill() ) &&
-					tgt.getFlag( TicketFlags.RENEWABLE ) )
-			{
+            List minimizer = new ArrayList();
+            minimizer.add( till );
+            minimizer.add( new KerberosTime( now.getTime() + config.getMaximumTicketLifetime()
) );
+            minimizer.add( tgt.getEndTime() );
+            KerberosTime minTime = (KerberosTime)Collections.min( minimizer );
+            newTicketBody.setEndTime( minTime );
+
+            if ( request.getOption( KdcOptions.RENEWABLE_OK ) &&
+                    minTime.lessThan( request.getTill() ) &&
+                    tgt.getFlag( TicketFlags.RENEWABLE ) )
+            {
                 // we set the RENEWABLE option for later processing                     
     
-				request.setOption( KdcOptions.RENEWABLE );
-				long rtime = Math.min( request.getTill().getTime(), tgt.getRenewTill().getTime() );
-				renewalTime = new KerberosTime( rtime );
-			}
-		}
-		
-		if ( renewalTime == null )
-		{
-			renewalTime = request.getRtime();
-		}
-		
-		KerberosTime rtime;
-		if ( renewalTime != null && renewalTime.isZero() )
-		{
-			rtime = KerberosTime.INFINITY;
-		}
-		else
-		{
-			rtime = renewalTime;
-		}
-		
-		if ( request.getOption( KdcOptions.RENEWABLE ) &&
-				tgt.getFlag( TicketFlags.RENEWABLE ) )
-		{
-			newTicketBody.setFlag( TicketFlags.RENEWABLE );
-			
-			/*
-	        new_tkt.starttime+client.max_rlife,
-	        new_tkt.starttime+server.max_rlife,
-	        */
-			// TODO - client and server configurable; requires store 
-			List minimizer = new ArrayList();
-			
-			/*
-			 * 'rtime' KerberosTime is OPTIONAL
-			 */
-			if ( rtime != null )
-			{
-			    minimizer.add( rtime );
-			}
-			
-			minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime()
) );
-			minimizer.add( tgt.getRenewTill() );
-			newTicketBody.setRenewTill( (KerberosTime)Collections.min( minimizer ) );
-		}
-	}
+                request.setOption( KdcOptions.RENEWABLE );
+                long rtime = Math.min( request.getTill().getTime(), tgt.getRenewTill().getTime()
);
+                renewalTime = new KerberosTime( rtime );
+            }
+        }
+
+        if ( renewalTime == null )
+        {
+            renewalTime = request.getRtime();
+        }
+
+        KerberosTime rtime;
+        if ( renewalTime != null && renewalTime.isZero() )
+        {
+            rtime = KerberosTime.INFINITY;
+        }
+        else
+        {
+            rtime = renewalTime;
+        }
+
+        if ( request.getOption( KdcOptions.RENEWABLE ) &&
+                tgt.getFlag( TicketFlags.RENEWABLE ) )
+        {
+            newTicketBody.setFlag( TicketFlags.RENEWABLE );
+
+            /*
+            new_tkt.starttime+client.max_rlife,
+            new_tkt.starttime+server.max_rlife,
+            */
+            // TODO - client and server configurable; requires store
+            List minimizer = new ArrayList();
+
+            /*
+             * 'rtime' KerberosTime is OPTIONAL
+             */
+            if ( rtime != null )
+            {
+                minimizer.add( rtime );
+            }
+
+            minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime()
) );
+            minimizer.add( tgt.getRenewTill() );
+            newTicketBody.setRenewTill( (KerberosTime)Collections.min( minimizer ) );
+        }
+    }
 
     private AuthorizationData processAuthorizationData( KdcRequest request,
-			Authenticator authHeader, Ticket tgt ) throws KerberosException
-	{
-		AuthorizationData authData = null;
-
-		if ( request.getEncAuthorizationData() != null )
-		{
-			try
-			{
+            Authenticator authHeader, Ticket tgt ) throws KerberosException
+    {
+        AuthorizationData authData = null;
+
+        if ( request.getEncAuthorizationData() != null )
+        {
+            try
+            {
                 EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor(
authHeader.getSubSessionKey() );
                 
-				byte[] decryptedAuthData = engine.getDecryptedData( authHeader.getSubSessionKey(),
-						request.getEncAuthorizationData() );
-				AuthorizationDataDecoder decoder = new AuthorizationDataDecoder();
-				authData = decoder.decode( decryptedAuthData );
-			}
-			catch (KerberosException e)
-			{
-				throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
-			}
-			catch (IOException ioe)
-			{
-				throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
-			}
-
-			AuthorizationData ticketData = tgt.getAuthorizationData();
-			authData.add( ticketData );
-		}
-		
-		return authData;
-	}
-	
-	/*
-	if (realm_tgt_is_for(tgt) := tgt.realm) then
-	        // tgt issued by local realm
-	        new_tkt.transited := tgt.transited;
-	else
-	        // was issued for this realm by some other realm
-	        if (tgt.transited.tr-type not supported) then
-	                error_out(KDC_ERR_TRTYPE_NOSUPP);
-	        endif
-	        new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
-	endif
-	*/
-	private void processTransited( EncTicketPartModifier newTicketBody, Ticket tgt )
-	{
-		// TODO - currently no transited support other than local
-		newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
-	}
-	
-	private EncryptedData encryptTicketPart( EncTicketPart newTicketBody, EncryptionKey serverKey,
-			KdcRequest request ) throws KerberosException
-	{
-		byte[] encodedTicket = null;
-		
-		EncTicketPartEncoder encoder = new EncTicketPartEncoder();
-		try
+                byte[] decryptedAuthData = engine.getDecryptedData( authHeader.getSubSessionKey(),
+                        request.getEncAuthorizationData() );
+                AuthorizationDataDecoder decoder = new AuthorizationDataDecoder();
+                authData = decoder.decode( decryptedAuthData );
+            }
+            catch (KerberosException e)
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+            }
+            catch (IOException ioe)
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+            }
+
+            AuthorizationData ticketData = tgt.getAuthorizationData();
+            authData.add( ticketData );
+        }
+
+        return authData;
+    }
+
+    /*
+    if (realm_tgt_is_for(tgt) := tgt.realm) then
+            // tgt issued by local realm
+            new_tkt.transited := tgt.transited;
+    else
+            // was issued for this realm by some other realm
+            if (tgt.transited.tr-type not supported) then
+                    error_out(KDC_ERR_TRTYPE_NOSUPP);
+            endif
+            new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
+    endif
+    */
+    private void processTransited( EncTicketPartModifier newTicketBody, Ticket tgt )
+    {
+        // TODO - currently no transited support other than local
+        newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+    }
+
+    private EncryptedData encryptTicketPart( EncTicketPart newTicketBody, EncryptionKey serverKey,
+            KdcRequest request ) throws KerberosException
+    {
+        byte[] encodedTicket = null;
+
+        EncTicketPartEncoder encoder = new EncTicketPartEncoder();
+        try
         {
-			encodedTicket = encoder.encode( newTicketBody );
-		}
+            encodedTicket = encoder.encode( newTicketBody );
+        }
         catch (IOException ioe)
         {
-			ioe.printStackTrace();
-		}
-		
-		if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
-		{
-			/*
-			if (server not specified) then
-				server = req.second_ticket.client;
-			endif
-			if ((req.second_ticket is not a TGT) or
-				(req.second_ticket.client != server)) then
-				error_out(KDC_ERR_POLICY);
-			endif
-			new_tkt.enc-part := encrypt OCTET STRING
-				using etype_for_key(second-ticket.key), second-ticket.key;
-			*/
-		}
-		else
-		{
-			// encrypt with serverKey
-		}
-		
+            log.error( "failed while encoding new ticket body", ioe );
+        }
+
+        if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
+        {
+            /*
+            if (server not specified) then
+                server = req.second_ticket.client;
+            endif
+            if ((req.second_ticket is not a TGT) or
+                (req.second_ticket.client != server)) then
+                error_out(KDC_ERR_POLICY);
+            endif
+            new_tkt.enc-part := encrypt OCTET STRING
+                using etype_for_key(second-ticket.key), second-ticket.key;
+            */
+        }
+        else
+        {
+            // encrypt with serverKey
+        }
+
         EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( serverKey
);
 
-		return engine.getEncryptedData( serverKey, encodedTicket );
-	}
-	
-	private void encryptReplyPart( TicketGrantReply reply, EncryptionKey key )
-	{
-		EncTgsRepPartEncoder encoder = new EncTgsRepPartEncoder();
-		try
-		{
-			byte[] plainText = encoder.encode( reply );
+        return engine.getEncryptedData( serverKey, encodedTicket );
+    }
+
+    private void encryptReplyPart( TicketGrantReply reply, EncryptionKey key )
+    {
+        EncTgsRepPartEncoder encoder = new EncTgsRepPartEncoder();
+        try
+        {
+            byte[] plainText = encoder.encode( reply );
             EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( key
);
 
-			EncryptedData cipherText = engine.getEncryptedData( key, plainText );
+            EncryptedData cipherText = engine.getEncryptedData( key, plainText );
+
+            reply.setEncPart( cipherText );
+
+        }
+        catch ( Exception e )
+        {
+            log.error( "failed to encrypt the reply part", e );
+        }
+    }
+
+    private TicketGrantReply getReply( Ticket tgt, Ticket newTicket,
+            EncryptionKey sessionKey, KdcRequest request )
+    {
+        TicketGrantReply reply = new TicketGrantReply();
+        reply.setClientPrincipal( tgt.getClientPrincipal() );
+        reply.setTicket( newTicket );
+        reply.setKey( sessionKey );
+        reply.setNonce( request.getNonce() );
+        // TODO - resp.last-req := fetch_last_request_info(client); requires store
+        reply.setLastRequest( new LastRequest() );
+        reply.setFlags( newTicket.getFlags() );
+        reply.setClientAddresses( newTicket.getClientAddresses() );
+        reply.setAuthTime( newTicket.getAuthTime() );
+        reply.setStartTime( newTicket.getStartTime() );
+        reply.setEndTime( newTicket.getEndTime() );
+        reply.setServerPrincipal( newTicket.getServerPrincipal() );
+
+        if ( newTicket.getFlag( TicketFlags.RENEWABLE ) )
+        {
+            reply.setRenewTill( newTicket.getRenewTill() );
+        }
 
-			reply.setEncPart( cipherText );
-			
-		}
-		catch (Exception e)
-		{
-			e.printStackTrace();
-		}
-	}
-	
-	private TicketGrantReply getReply( Ticket tgt, Ticket newTicket,
-			EncryptionKey sessionKey, KdcRequest request )
-	{
-		TicketGrantReply reply = new TicketGrantReply();
-		reply.setClientPrincipal( tgt.getClientPrincipal() );
-		reply.setTicket( newTicket );
-		reply.setKey( sessionKey );
-		reply.setNonce( request.getNonce() );
-		// TODO - resp.last-req := fetch_last_request_info(client); requires store
-		reply.setLastRequest( new LastRequest() );
-		reply.setFlags( newTicket.getFlags() );
-		reply.setClientAddresses( newTicket.getClientAddresses() );
-		reply.setAuthTime( newTicket.getAuthTime() );
-		reply.setStartTime( newTicket.getStartTime() );
-		reply.setEndTime( newTicket.getEndTime() );
-		reply.setServerPrincipal( newTicket.getServerPrincipal() );
-		
-		if ( newTicket.getFlag( TicketFlags.RENEWABLE ) )
-		{
-			reply.setRenewTill( newTicket.getRenewTill() );
-		}
-		
-		return reply;
-	}
+        return reply;
+    }
 }
 



Mime
View raw message