directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: r264826 - /directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/
Date Tue, 30 Aug 2005 18:56:12 GMT
Author: erodriguez
Date: Tue Aug 30 11:56:01 2005
New Revision: 264826

URL: http://svn.apache.org/viewcvs?rev=264826&view=rev
Log:
Kerberos Ticket Granting Service (TGS) as chain.

Added:
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java   (with props)
    directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java   (with props)

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,61 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.TicketGrantReply;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.LastRequest;
+import org.apache.kerberos.messages.value.TicketFlags;
+
+public class BuildReply extends CommandBase
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+        KdcRequest request = tgsContext.getRequest();
+        Ticket tgt = tgsContext.getTgt();
+        Ticket newTicket = tgsContext.getNewTicket();
+        EncryptionKey sessionKey = tgsContext.getSessionKey();
+
+        TicketGrantReply reply = new TicketGrantReply();
+        reply.setClientPrincipal( tgt.getClientPrincipal() );
+        reply.setTicket( newTicket );
+        reply.setKey( sessionKey );
+        reply.setNonce( request.getNonce() );
+        // TODO - resp.last-req := fetch_last_request_info(client); requires store
+        reply.setLastRequest( new LastRequest() );
+        reply.setFlags( newTicket.getFlags() );
+        reply.setClientAddresses( newTicket.getClientAddresses() );
+        reply.setAuthTime( newTicket.getAuthTime() );
+        reply.setStartTime( newTicket.getStartTime() );
+        reply.setEndTime( newTicket.getEndTime() );
+        reply.setServerPrincipal( newTicket.getServerPrincipal() );
+
+        if ( newTicket.getFlag( TicketFlags.RENEWABLE ) )
+        {
+            reply.setRenewTill( newTicket.getRenewTill() );
+        }
+
+        tgsContext.setReply( reply );
+
+        return CONTINUE_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/BuildReply.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,36 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.replay.InMemoryReplayCache;
+import org.apache.kerberos.replay.ReplayCache;
+
+public class ConfigureTicketGrantingChain extends CommandBase
+{
+    private static final ReplayCache replayCache = new InMemoryReplayCache();
+
+    public boolean execute( Context context ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+        tgsContext.setReplayCache( replayCache );
+
+        return CONTINUE_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/ConfigureTicketGrantingChain.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,410 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.RandomKey;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.decoder.AuthorizationDataDecoder;
+import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.EncTicketPart;
+import org.apache.kerberos.messages.components.EncTicketPartModifier;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.AuthorizationData;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.KdcOptions;
+import org.apache.kerberos.messages.value.KerberosTime;
+import org.apache.kerberos.messages.value.TicketFlags;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class GenerateTicket extends CommandBase
+{
+    /** the log for this class */
+    private static final Logger log = LoggerFactory.getLogger( GenerateTicket.class );
+
+    public boolean execute( Context context ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+        KdcRequest request = tgsContext.getRequest();
+        Ticket tgt = tgsContext.getTgt();
+        Authenticator authenticator = tgsContext.getAuthenticator();
+
+        KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
+        EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getEncryptionKey();
+        KdcConfiguration config = tgsContext.getConfig();
+
+        // TODO - quite possibly its own chain command
+        EncryptionKey sessionKey = new RandomKey().getNewSessionKey();
+        tgsContext.setSessionKey( sessionKey );
+
+        EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+
+        newTicketBody.setClientAddresses( tgt.getClientAddresses() );
+
+        processFlags( config, request, tgt, newTicketBody );
+
+        newTicketBody.setSessionKey( sessionKey );
+        newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
+
+        AuthorizationData authData = processAuthorizationData( request, authenticator, tgt );
+        newTicketBody.setAuthorizationData( authData );
+
+        processTransited( newTicketBody, tgt );
+
+        processTimes( config, request, newTicketBody, tgt );
+
+        EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+
+        EncryptedData encryptedData = encryptTicketPart( ticketPart, serverKey, request );
+
+        Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
+        newTicket.setEncTicketPart( ticketPart );
+
+        tgsContext.setNewTicket( newTicket );
+
+        return CONTINUE_CHAIN;
+    }
+
+    private void processFlags( KdcConfiguration config, KdcRequest request, Ticket tgt,
+            EncTicketPartModifier newTicketBody ) throws KerberosException
+    {
+        if ( request.getOption( KdcOptions.FORWARDABLE ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.FORWARDABLE );
+        }
+
+        if ( request.getOption( KdcOptions.FORWARDED ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+            newTicketBody.setFlag( TicketFlags.FORWARDED );
+            newTicketBody.setClientAddresses( request.getAddresses() );
+            // reply.setClientAddresses(request.getClientAddresses()); moved to getReply
+        }
+
+        if ( tgt.getFlag( TicketFlags.FORWARDED ) )
+        {
+            newTicketBody.setFlag( TicketFlags.FORWARDED );
+        }
+
+        if ( request.getOption( KdcOptions.PROXIABLE ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.PROXIABLE );
+        }
+
+        if ( request.getOption( KdcOptions.PROXY ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.PROXY );
+            newTicketBody.setClientAddresses( request.getAddresses() );
+            // reply.setClientAddresses(request.getClientAddresses()); moved to getReply
+        }
+
+        if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.MAY_POSTDATE );
+        }
+
+        if ( request.getOption( KdcOptions.POSTDATED ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            newTicketBody.setFlag( TicketFlags.POSTDATED );
+            newTicketBody.setFlag( TicketFlags.INVALID );
+
+            if ( !config.isPostdateAllowed() )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+            }
+
+            newTicketBody.setStartTime( request.getFrom() );
+        }
+
+        if ( request.getOption( KdcOptions.VALIDATE ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.INVALID ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+            }
+
+            if ( tgt.getStartTime().greaterThan( new KerberosTime() ) )
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
+            }
+
+            /*
+             if (check_hot_list(tgt)) then
+             error_out(KRB_AP_ERR_REPEAT);
+             endif
+             */
+
+            echoTicket( newTicketBody, tgt );
+            newTicketBody.clearFlag( TicketFlags.INVALID );
+        }
+
+        if ( request.getOption( KdcOptions.RESERVED ) || request.getOption( KdcOptions.RENEWABLE_OK ) )
+        {
+            throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+        }
+    }
+
+    private void processTimes( KdcConfiguration config, KdcRequest request, EncTicketPartModifier newTicketBody,
+            Ticket tgt ) throws KerberosException
+    {
+        KerberosTime now = new KerberosTime();
+
+        newTicketBody.setAuthTime( tgt.getAuthTime() );
+
+        KerberosTime renewalTime = null;
+
+        if ( request.getOption( KdcOptions.RENEW ) )
+        {
+            if ( !tgt.getFlag( TicketFlags.RENEWABLE ) )
+            {
+                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            }
+
+            if ( tgt.getRenewTill().greaterThan( now ) )
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
+            }
+
+            echoTicket( newTicketBody, tgt );
+
+            newTicketBody.setStartTime( now );
+            long oldLife = tgt.getEndTime().getTime() - tgt.getStartTime().getTime();
+            newTicketBody.setEndTime( new KerberosTime( Math
+                    .min( tgt.getRenewTill().getTime(), now.getTime() + oldLife ) ) );
+        }
+        else
+        {
+            newTicketBody.setStartTime( now );
+            KerberosTime till;
+            if ( request.getTill().isZero() )
+            {
+                till = KerberosTime.INFINITY;
+            }
+            else
+            {
+                till = request.getTill();
+            }
+
+            // TODO - config; requires store
+            /*
+             new_tkt.starttime+client.max_life,
+             new_tkt.starttime+server.max_life,
+             */
+            List minimizer = new ArrayList();
+            minimizer.add( till );
+            minimizer.add( new KerberosTime( now.getTime() + config.getMaximumTicketLifetime() ) );
+            minimizer.add( tgt.getEndTime() );
+            KerberosTime minTime = (KerberosTime) Collections.min( minimizer );
+            newTicketBody.setEndTime( minTime );
+
+            if ( request.getOption( KdcOptions.RENEWABLE_OK ) && minTime.lessThan( request.getTill() )
+                    && tgt.getFlag( TicketFlags.RENEWABLE ) )
+            {
+                // we set the RENEWABLE option for later processing                           
+                request.setOption( KdcOptions.RENEWABLE );
+                long rtime = Math.min( request.getTill().getTime(), tgt.getRenewTill().getTime() );
+                renewalTime = new KerberosTime( rtime );
+            }
+        }
+
+        if ( renewalTime == null )
+        {
+            renewalTime = request.getRtime();
+        }
+
+        KerberosTime rtime;
+        if ( renewalTime != null && renewalTime.isZero() )
+        {
+            rtime = KerberosTime.INFINITY;
+        }
+        else
+        {
+            rtime = renewalTime;
+        }
+
+        if ( request.getOption( KdcOptions.RENEWABLE ) && tgt.getFlag( TicketFlags.RENEWABLE ) )
+        {
+            newTicketBody.setFlag( TicketFlags.RENEWABLE );
+
+            /*
+             new_tkt.starttime+client.max_rlife,
+             new_tkt.starttime+server.max_rlife,
+             */
+            // TODO - client and server configurable; requires store
+            List minimizer = new ArrayList();
+
+            /*
+             * 'rtime' KerberosTime is OPTIONAL
+             */
+            if ( rtime != null )
+            {
+                minimizer.add( rtime );
+            }
+
+            minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime() ) );
+            minimizer.add( tgt.getRenewTill() );
+            newTicketBody.setRenewTill( (KerberosTime) Collections.min( minimizer ) );
+        }
+    }
+
+    private AuthorizationData processAuthorizationData( KdcRequest request, Authenticator authHeader, Ticket tgt )
+            throws KerberosException
+    {
+        AuthorizationData authData = null;
+
+        if ( request.getEncAuthorizationData() != null )
+        {
+            try
+            {
+                EncryptionEngine engine = EncryptionEngineFactory
+                        .getEncryptionEngineFor( authHeader.getSubSessionKey() );
+
+                byte[] decryptedAuthData = engine.getDecryptedData( authHeader.getSubSessionKey(), request
+                        .getEncAuthorizationData() );
+                AuthorizationDataDecoder decoder = new AuthorizationDataDecoder();
+                authData = decoder.decode( decryptedAuthData );
+            }
+            catch ( KerberosException e )
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+            }
+            catch ( IOException ioe )
+            {
+                throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+            }
+
+            AuthorizationData ticketData = tgt.getAuthorizationData();
+            authData.add( ticketData );
+        }
+
+        return authData;
+    }
+
+    /*
+     if (realm_tgt_is_for(tgt) := tgt.realm) then
+     // tgt issued by local realm
+     new_tkt.transited := tgt.transited;
+     else
+     // was issued for this realm by some other realm
+     if (tgt.transited.tr-type not supported) then
+     error_out(KDC_ERR_TRTYPE_NOSUPP);
+     endif
+     new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
+     endif
+     */
+    private void processTransited( EncTicketPartModifier newTicketBody, Ticket tgt )
+    {
+        // TODO - currently no transited support other than local
+        newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+    }
+
+    protected void echoTicket( EncTicketPartModifier newTicketBody, Ticket tgt )
+    {
+        newTicketBody.setAuthorizationData( tgt.getAuthorizationData() );
+        newTicketBody.setAuthTime( tgt.getAuthTime() );
+        newTicketBody.setClientAddresses( tgt.getClientAddresses() );
+        newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
+        newTicketBody.setEndTime( tgt.getEndTime() );
+        newTicketBody.setFlags( tgt.getFlags() );
+        newTicketBody.setRenewTill( tgt.getRenewTill() );
+        newTicketBody.setSessionKey( tgt.getSessionKey() );
+        newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+    }
+
+    private EncryptedData encryptTicketPart( EncTicketPart newTicketBody, EncryptionKey serverKey, KdcRequest request )
+            throws KerberosException
+    {
+        byte[] encodedTicket = null;
+
+        EncTicketPartEncoder encoder = new EncTicketPartEncoder();
+        try
+        {
+            encodedTicket = encoder.encode( newTicketBody );
+        }
+        catch ( IOException ioe )
+        {
+            log.error( "failed while encoding new ticket body", ioe );
+        }
+
+        if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
+        {
+            /*
+             if (server not specified) then
+             server = req.second_ticket.client;
+             endif
+             if ((req.second_ticket is not a TGT) or
+             (req.second_ticket.client != server)) then
+             error_out(KDC_ERR_POLICY);
+             endif
+             new_tkt.enc-part := encrypt OCTET STRING
+             using etype_for_key(second-ticket.key), second-ticket.key;
+             */
+        }
+        else
+        {
+            // encrypt with serverKey
+        }
+
+        EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( serverKey );
+
+        return engine.getEncryptedData( serverKey, encodedTicket );
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GenerateTicket.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,74 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import java.io.IOException;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.decoder.ApplicationRequestDecoder;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.PreAuthenticationData;
+import org.apache.kerberos.messages.value.PreAuthenticationDataType;
+
+/*
+ * differs from the changepw getAuthHeader by verifying the presence of TGS_REQ
+ */
+public class GetAuthHeader extends CommandBase
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+        KdcRequest request = tgsContext.getRequest();
+
+        ApplicationRequest authHeader = getAuthHeader( request );
+        Ticket tgt = authHeader.getTicket();
+
+        tgsContext.setAuthHeader( authHeader );
+        tgsContext.setTgt( tgt );
+
+        return CONTINUE_CHAIN;
+    }
+
+    protected ApplicationRequest getAuthHeader( KdcRequest request ) throws KerberosException, IOException
+    {
+        byte[] undecodedAuthHeader = null;
+        PreAuthenticationData[] preAuthData = request.getPreAuthData();
+
+        for ( int ii = 0; ii < preAuthData.length; ii++ )
+        {
+            if ( preAuthData[ ii ].getDataType() == PreAuthenticationDataType.PA_TGS_REQ )
+            {
+                undecodedAuthHeader = preAuthData[ ii ].getDataValue();
+            }
+        }
+
+        if ( undecodedAuthHeader == null )
+        {
+            throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
+        }
+
+        ApplicationRequestDecoder decoder = new ApplicationRequestDecoder();
+        ApplicationRequest authHeader = decoder.decode( undecodedAuthHeader );
+
+        return authHeader;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetAuthHeader.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,41 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.service.GetPrincipalStoreEntry;
+import org.apache.kerberos.store.PrincipalStore;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class GetRequestPrincipalEntry extends GetPrincipalStoreEntry
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+        KerberosPrincipal principal = tgsContext.getRequest().getServerPrincipal();
+        PrincipalStore store = tgsContext.getStore();
+
+        PrincipalStoreEntry entry = getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
+        tgsContext.setRequestPrincipalEntry( entry );
+
+        return CONTINUE_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,41 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.service.GetPrincipalStoreEntry;
+import org.apache.kerberos.store.PrincipalStore;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class GetTicketPrincipalEntry extends GetPrincipalStoreEntry
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+        KerberosPrincipal principal = tgsContext.getTgt().getServerPrincipal();
+        PrincipalStore store = tgsContext.getStore();
+
+        PrincipalStoreEntry entry = getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
+        tgsContext.setTicketPrincipalEntry( entry );
+
+        return CONTINUE_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,91 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.store.PrincipalStore;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class MonitorContext extends CommandBase
+{
+    /** the log for this class */
+    private static final Logger log = LoggerFactory.getLogger( MonitorContext.class );
+
+    public boolean execute( Context context ) throws Exception
+    {
+        if ( log.isDebugEnabled() )
+        {
+            try
+            {
+                TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+                PrincipalStore store = tgsContext.getStore();
+                ApplicationRequest authHeader = tgsContext.getAuthHeader();
+                Ticket tgt = tgsContext.getTgt();
+                long clockSkew = tgsContext.getConfig().getClockSkew();
+                ReplayCache replayCache = tgsContext.getReplayCache();
+
+                StringBuffer sb = new StringBuffer();
+
+                sb.append( "\n\t" + "store                  " + store );
+                sb.append( "\n\t" + "authHeader             " + authHeader );
+                sb.append( "\n\t" + "tgt                    " + tgt );
+                sb.append( "\n\t" + "replayCache            " + replayCache );
+                sb.append( "\n\t" + "clock skew             " + clockSkew );
+
+                KerberosPrincipal requestServerPrincipal = tgsContext.getRequest().getServerPrincipal();
+                PrincipalStoreEntry requestPrincipal = tgsContext.getRequestPrincipalEntry();
+
+                sb.append( "\n\t" + "principal              " + requestServerPrincipal );
+                sb.append( "\n\t" + "cn                     " + requestPrincipal.getCommonName() );
+                sb.append( "\n\t" + "realm                  " + requestPrincipal.getRealmName() );
+                sb.append( "\n\t" + "principal              " + requestPrincipal.getPrincipal() );
+                sb.append( "\n\t" + "SAM type               " + requestPrincipal.getSamType() );
+                sb.append( "\n\t" + "Key type               " + requestPrincipal.getEncryptionKey().getKeyType() );
+                sb.append( "\n\t" + "Key version            " + requestPrincipal.getEncryptionKey().getKeyVersion() );
+
+                KerberosPrincipal ticketServerPrincipal = tgsContext.getTgt().getServerPrincipal();
+                PrincipalStoreEntry ticketPrincipal = tgsContext.getTicketPrincipalEntry();
+
+                sb.append( "\n\t" + "principal              " + ticketServerPrincipal );
+                sb.append( "\n\t" + "cn                     " + ticketPrincipal.getCommonName() );
+                sb.append( "\n\t" + "realm                  " + ticketPrincipal.getRealmName() );
+                sb.append( "\n\t" + "principal              " + ticketPrincipal.getPrincipal() );
+                sb.append( "\n\t" + "SAM type               " + ticketPrincipal.getSamType() );
+                sb.append( "\n\t" + "Key type               " + ticketPrincipal.getEncryptionKey().getKeyType() );
+                sb.append( "\n\t" + "Key version            " + ticketPrincipal.getEncryptionKey().getKeyVersion() );
+
+                log.debug( sb.toString() );
+            }
+            catch ( Exception e )
+            {
+                // This is a monitor.  No exceptions should bubble up.
+                log.error( "Error in context monitor", e );
+            }
+        }
+
+        return CONTINUE_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/MonitorContext.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,75 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.encryption.EncryptionEngine;
+import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
+import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder;
+import org.apache.kerberos.messages.TicketGrantReply;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SealReply extends CommandBase
+{
+    /** the log for this class */
+    private static final Logger log = LoggerFactory.getLogger( SealReply.class );
+
+    public boolean execute( Context ctx ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) ctx;
+        TicketGrantReply reply = (TicketGrantReply) tgsContext.getReply();
+        Ticket tgt = tgsContext.getTgt();
+
+        Authenticator authenticator = tgsContext.getAuthenticator();
+
+        if ( authenticator.getSubSessionKey() != null )
+        {
+            encryptReplyPart( reply, authenticator.getSubSessionKey() );
+        }
+        else
+        {
+            encryptReplyPart( reply, tgt.getSessionKey() );
+        }
+
+        return CONTINUE_CHAIN;
+    }
+
+    private void encryptReplyPart( TicketGrantReply reply, EncryptionKey key )
+    {
+        EncTgsRepPartEncoder encoder = new EncTgsRepPartEncoder();
+        try
+        {
+            byte[] plainText = encoder.encode( reply );
+            EncryptionEngine engine = EncryptionEngineFactory.getEncryptionEngineFor( key );
+
+            EncryptedData cipherText = engine.getEncryptedData( key, plainText );
+
+            reply.setEncPart( cipherText );
+
+        }
+        catch ( Exception e )
+        {
+            log.error( "Failed to encrypt the reply part", e );
+        }
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/SealReply.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,166 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.kdc.KdcContext;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.store.PrincipalStoreEntry;
+
+public class TicketGrantingContext extends KdcContext
+{
+    private ApplicationRequest authHeader;
+    private Ticket tgt;
+    private Ticket newTicket;
+    private EncryptionKey sessionKey;
+    private Authenticator authenticator;
+    private ReplayCache replayCache;
+
+    private PrincipalStoreEntry ticketPrincipalEntry;
+    private PrincipalStoreEntry requestPrincipalEntry;
+
+    /**
+     * @return Returns the requestPrincipalEntry.
+     */
+    public PrincipalStoreEntry getRequestPrincipalEntry()
+    {
+        return requestPrincipalEntry;
+    }
+
+    /**
+     * @param requestPrincipalEntry The requestPrincipalEntry to set.
+     */
+    public void setRequestPrincipalEntry( PrincipalStoreEntry requestPrincipalEntry )
+    {
+        this.requestPrincipalEntry = requestPrincipalEntry;
+    }
+
+    /**
+     * @return Returns the ticketPrincipalEntry.
+     */
+    public PrincipalStoreEntry getTicketPrincipalEntry()
+    {
+        return ticketPrincipalEntry;
+    }
+
+    /**
+     * @param ticketPrincipalEntry The ticketPrincipalEntry to set.
+     */
+    public void setTicketPrincipalEntry( PrincipalStoreEntry ticketPrincipalEntry )
+    {
+        this.ticketPrincipalEntry = ticketPrincipalEntry;
+    }
+
+    /**
+     * @return Returns the replayCache.
+     */
+    public ReplayCache getReplayCache()
+    {
+        return replayCache;
+    }
+
+    /**
+     * @param replayCache The replayCache to set.
+     */
+    public void setReplayCache( ReplayCache replayCache )
+    {
+        this.replayCache = replayCache;
+    }
+
+    /**
+     * @return Returns the authenticator.
+     */
+    public Authenticator getAuthenticator()
+    {
+        return authenticator;
+    }
+
+    /**
+     * @param authenticator The authenticator to set.
+     */
+    public void setAuthenticator( Authenticator authenticator )
+    {
+        this.authenticator = authenticator;
+    }
+
+    /**
+     * @return Returns the newTicket.
+     */
+    public Ticket getNewTicket()
+    {
+        return newTicket;
+    }
+
+    /**
+     * @param newTicket The newTicket to set.
+     */
+    public void setNewTicket( Ticket newTicket )
+    {
+        this.newTicket = newTicket;
+    }
+
+    /**
+     * @return Returns the sessionKey.
+     */
+    public EncryptionKey getSessionKey()
+    {
+        return sessionKey;
+    }
+
+    /**
+     * @param sessionKey The sessionKey to set.
+     */
+    public void setSessionKey( EncryptionKey sessionKey )
+    {
+        this.sessionKey = sessionKey;
+    }
+
+    /**
+     * @return Returns the tgt.
+     */
+    public Ticket getTgt()
+    {
+        return tgt;
+    }
+
+    /**
+     * @param tgt The tgt to set.
+     */
+    public void setTgt( Ticket tgt )
+    {
+        this.tgt = tgt;
+    }
+
+    /**
+     * @return Returns the authHeader.
+     */
+    public ApplicationRequest getAuthHeader()
+    {
+        return authHeader;
+    }
+
+    /**
+     * @param authHeader The authHeader to set.
+     */
+    public void setAuthHeader( ApplicationRequest authHeader )
+    {
+        this.authHeader = authHeader;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingContext.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,49 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.messages.ErrorMessage;
+import org.apache.kerberos.service.ErrorMessageHandler;
+
+public class TicketGrantingExceptionHandler extends ErrorMessageHandler
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        return CONTINUE_CHAIN;
+    }
+
+    public boolean postprocess( Context context, Exception exception )
+    {
+        if ( exception == null )
+        {
+            return CONTINUE_CHAIN;
+        }
+
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+        KdcConfiguration config = tgsContext.getConfig();
+        KerberosException ke = (KerberosException) exception;
+
+        ErrorMessage errorMessage = getErrorMessage( config.getKdcPrincipal(), ke );
+
+        tgsContext.setReply( errorMessage );
+
+        return STOP_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingExceptionHandler.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,64 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.impl.ChainBase;
+import org.apache.kerberos.kdc.MonitorReply;
+import org.apache.kerberos.kdc.MonitorRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * KRB_TGS_REQ verification and KRB_TGS_REP generation
+ */
+public class TicketGrantingServiceChain extends ChainBase
+{
+    /** the log for this class */
+    private static final Logger log = LoggerFactory.getLogger( TicketGrantingServiceChain.class );
+
+    public TicketGrantingServiceChain()
+    {
+        super();
+        addCommand( new TicketGrantingExceptionHandler() );
+
+        if ( log.isDebugEnabled() )
+        {
+            addCommand( new MonitorRequest() );
+        }
+
+        addCommand( new ConfigureTicketGrantingChain() );
+        addCommand( new GetAuthHeader() );
+        addCommand( new VerifyTgt() );
+        addCommand( new GetTicketPrincipalEntry() );
+        addCommand( new VerifyTgtAuthHeader() );
+        addCommand( new GetRequestPrincipalEntry() );
+        addCommand( new GenerateTicket() );
+        addCommand( new BuildReply() );
+
+        if ( log.isDebugEnabled() )
+        {
+            addCommand( new MonitorContext() );
+        }
+
+        if ( log.isDebugEnabled() )
+        {
+            addCommand( new MonitorReply() );
+        }
+
+        addCommand( new SealReply() );
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/TicketGrantingServiceChain.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,85 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import java.io.IOException;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.crypto.checksum.ChecksumEngine;
+import org.apache.kerberos.crypto.checksum.RsaMd5Checksum;
+import org.apache.kerberos.exceptions.ErrorType;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.io.encoder.KdcReqBodyEncoder;
+import org.apache.kerberos.messages.KdcRequest;
+import org.apache.kerberos.messages.value.Checksum;
+
+public class VerifyBodyChecksum extends CommandBase
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+        KdcRequest request = tgsContext.getRequest();
+        Checksum checksum = tgsContext.getAuthenticator().getChecksum();
+
+        verifyBodyChecksum( checksum, request );
+
+        return CONTINUE_CHAIN;
+    }
+
+    private void verifyBodyChecksum( Checksum authChecksum, KdcRequest request ) throws KerberosException
+    {
+        if ( authChecksum == null )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
+        }
+
+        /*
+         if (auth_hdr.authenticator.cksum type is not supported) then
+         error_out(KDC_ERR_SUMTYPE_NOSUPP);
+         endif
+         */
+
+        /*
+         if (auth_hdr.authenticator.cksum is not both collision-proof and keyed)  then
+         error_out(KRB_AP_ERR_INAPP_CKSUM);
+         endif
+         */
+
+        KdcReqBodyEncoder encoder = new KdcReqBodyEncoder();
+        byte[] bytes = null;
+
+        try
+        {
+            bytes = encoder.encode( request );
+        }
+        catch ( IOException ioe )
+        {
+            ioe.printStackTrace();
+        }
+
+        ChecksumEngine digester = new RsaMd5Checksum();
+        Checksum newChecksum = new Checksum( digester.checksumType(), digester.calculateChecksum( bytes ) );
+
+        boolean equal = newChecksum.equals( authChecksum );
+
+        if ( !equal )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_MODIFIED );
+        }
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,40 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.kdc.KdcConfiguration;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.service.VerifyTicket;
+
+public class VerifyTgt extends VerifyTicket
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+        KdcConfiguration config = tgsContext.getConfig();
+        Ticket tgt = tgsContext.getTgt();
+        String primaryRealm = config.getPrimaryRealm();
+        KerberosPrincipal serverPrincipal = tgsContext.getRequest().getServerPrincipal();
+
+        verifyTicket( tgt, primaryRealm, serverPrincipal );
+
+        return CONTINUE_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgt.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java?rev=264826&view=auto
==============================================================================
--- directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java (added)
+++ directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java Tue Aug 30 11:56:01 2005
@@ -0,0 +1,45 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.kerberos.kdc.ticketgrant;
+
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.replay.ReplayCache;
+import org.apache.kerberos.service.VerifyAuthHeader;
+
+public class VerifyTgtAuthHeader extends VerifyAuthHeader
+{
+    public boolean execute( Context context ) throws Exception
+    {
+        TicketGrantingContext tgsContext = (TicketGrantingContext) context;
+
+        ApplicationRequest authHeader = tgsContext.getAuthHeader();
+        Ticket tgt = tgsContext.getTgt();
+        EncryptionKey serverKey = tgsContext.getTicketPrincipalEntry().getEncryptionKey();
+        long clockSkew = tgsContext.getConfig().getClockSkew();
+        ReplayCache replayCache = tgsContext.getReplayCache();
+
+        Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache );
+
+        tgsContext.setAuthenticator( authenticator );
+
+        return CONTINUE_CHAIN;
+    }
+}

Propchange: directory/protocol-providers/kerberos/branches/refactor-to-chain/src/java/org/apache/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message