From erodrig...@apache.org
Subject svn commit: r292627 - in /directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw: exceptions/ service/
Date Fri, 30 Sep 2005 04:31:33 GMT
Author: erodriguez
Date: Thu Sep 29 21:31:26 2005
New Revision: 292627

URL: http://svn.apache.org/viewcvs?rev=292627&view=rev
Log:
Updates to changepw-protocol to support DIRCHANGEPW-2 (Add basic password policy check):
o  Split password extraction and password changing to separate chain commands.
o  Spliced password validation into the chain.
o  Updated the configuration to support new password validation settings.
o  Fixed a latent issue with proper error result encoding per RFC 3244.
o  Extended changepw exception to leverage the Kerberos exception hierarchy.
o  Added context support.
o  Added context monitoring support.

http://issues.apache.org/jira/browse/DIRCHANGEPW-2

Added:
    directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/CheckPasswordPolicy.java
  (with props)
    directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ExtractPassword.java
  (with props)
Modified:
    directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/exceptions/ChangePasswordException.java
    directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordChain.java
    directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordConfiguration.java
    directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java
    directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordExceptionHandler.java
    directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/MonitorContext.java
    directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java

Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/exceptions/ChangePasswordException.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/exceptions/ChangePasswordException.java?rev=292627&r1=292626&r2=292627&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/exceptions/ChangePasswordException.java
(original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/exceptions/ChangePasswordException.java
Thu Sep 29 21:31:26 2005
@@ -17,25 +17,16 @@
 
 package org.apache.changepw.exceptions;
 
+import org.apache.kerberos.exceptions.KerberosException;
+
 /**
  * The root of the Change Password exception hierarchy.
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- * @version $Rev$
+ * @version $Rev$, $Date$
  */
-public class ChangePasswordException extends Exception
+public class ChangePasswordException extends KerberosException
 {
-    /**
-     * The Change Password error code associated with this exception
-     */
-    private final int errorCode;
-
-    /**
-     * Additional data about the error for use by the application
-     * to help it recover from or handle the error.
-     */
-    private byte[] explanatoryData;
-
     // ------------------------------------------------------------------------
     // C O N S T R U C T O R S
     // ------------------------------------------------------------------------
@@ -48,9 +39,7 @@
      */
     public ChangePasswordException( int errorCode, String msg )
     {
-        super( msg );
-
-        this.errorCode = errorCode;
+        super( errorCode, msg );
     }
 
     /**
@@ -63,9 +52,7 @@
      */
     public ChangePasswordException( int errorCode, String msg, Throwable cause )
     {
-        super( msg, cause );
-
-        this.errorCode = errorCode;
+        super( errorCode, msg, cause );
     }
 
     /**
@@ -75,9 +62,7 @@
      */
     public ChangePasswordException( ErrorType errorType )
     {
-        super( errorType.getMessage() );
-
-        this.errorCode = errorType.getOrdinal();
+        super( errorType.getOrdinal(), errorType.getMessage() );
     }
 
     /**
@@ -89,29 +74,6 @@
      */
     public ChangePasswordException( ErrorType errorType, byte[] explanatoryData )
     {
-        super( errorType.getMessage() );
-
-        this.errorCode = errorType.getOrdinal();
-        this.explanatoryData = explanatoryData;
-    }
-
-    /**
-     * Gets the protocol error code associated with this ChangePasswordException.
-     *
-     * @return the error code associated with this ChangePasswordException
-     */
-    public int getErrorCode()
-    {
-        return this.errorCode;
-    }
-
-    /**
-     * Gets the explanatory data associated with this ChangePasswordException.
-     *
-     * @return the explanatory data associated with this ChangePasswordException
-     */
-    public byte[] getExplanatoryData()
-    {
-        return explanatoryData;
+        super( errorType.getOrdinal(), errorType.getMessage(), explanatoryData );
     }
 }

Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordChain.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordChain.java?rev=292627&r1=292626&r2=292627&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordChain.java
(original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordChain.java
Thu Sep 29 21:31:26 2005
@@ -44,11 +44,14 @@
         addCommand( new GetServerEntry() );
         addCommand( new VerifyServiceTicketAuthHeader() );
 
+        addCommand( new ExtractPassword() );
+
         if ( log.isDebugEnabled() )
         {
             addCommand( new MonitorContext() );
         }
 
+        addCommand( new CheckPasswordPolicy() );
         addCommand( new ProcessPasswordChange() );
         addCommand( new BuildReply() );
 

Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordConfiguration.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordConfiguration.java?rev=292627&r1=292626&r2=292627&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordConfiguration.java
(original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordConfiguration.java
Thu Sep 29 21:31:26 2005
@@ -55,6 +55,16 @@
     /** the default changepw buffer size */
     private static final int CHANGEPW_DEFAULT_BUFFER_SIZE = 1024;
 
+    /** the prop key constants for password policy */
+    public static final String CHANGEPW_PASSWORD_LENGTH_KEY = "changepw.password.length";
+    public static final String CHANGEPW_CATEGORY_COUNT_KEY = "changepw.category.count";
+    public static final String CHANGEPW_TOKEN_SIZE_KEY = "changepw.token.size";
+
+    /** the default change password password policies */
+    public static final int CHANGEPW_DEFAULT_PASSWORD_LENGTH = 6;
+    public static final int CHANGEPW_DEFAULT_CATEGORY_COUNT = 3;
+    public static final int CHANGEPW_DEFAULT_TOKEN_SIZE = 3;
+
     private static final int MINUTE = 60000;
     private final Properties properties = new Properties();
     private EncryptionType[] encryptionTypes;
@@ -154,6 +164,42 @@
         }
 
         return true;
+    }
+
+    public int getPasswordLengthPolicy()
+    {
+        String key = CHANGEPW_PASSWORD_LENGTH_KEY;
+
+        if ( properties.containsKey( key ) )
+        {
+            return Integer.parseInt( properties.getProperty( key ) );
+        }
+
+        return CHANGEPW_DEFAULT_PASSWORD_LENGTH;
+    }
+
+    public int getCategoryCountPolicy()
+    {
+        String key = CHANGEPW_CATEGORY_COUNT_KEY;
+
+        if ( properties.containsKey( key ) )
+        {
+            return Integer.parseInt( properties.getProperty( key ) );
+        }
+
+        return CHANGEPW_DEFAULT_CATEGORY_COUNT;
+    }
+
+    public int getTokenSizePolicy()
+    {
+        String key = CHANGEPW_TOKEN_SIZE_KEY;
+
+        if ( properties.containsKey( key ) )
+        {
+            return Integer.parseInt( properties.getProperty( key ) );
+        }
+
+        return CHANGEPW_DEFAULT_TOKEN_SIZE;
     }
 
     private void prepareEncryptionTypes()
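Review bot: The three new getters in this hunk (`getPasswordLengthPolicy`, `getCategoryCountPolicy`, `getTokenSizePolicy`) feed the raw property value straight into `Integer.parseInt`, so a malformed or negative setting surfaces as an unexplained NumberFormatException from inside the password-change chain, or quietly weakens the policy (a length of 0 disables the length check in CheckPasswordPolicy). `properties.containsKey( key )` also ignores any defaults the `Properties` instance may have been built with while `getProperty` consults them, so the two calls can disagree. The three bodies differ only by key and default; a private helper that reads the value once, rejects negatives and names the key in the error keeps them consistent, as below.
```java
    public int getPasswordLengthPolicy()
    {
        return getIntProperty( CHANGEPW_PASSWORD_LENGTH_KEY, CHANGEPW_DEFAULT_PASSWORD_LENGTH );
    }

    // … unchanged: getCategoryCountPolicy and getTokenSizePolicy delegate the same way …

    /**
     * Reads an integer policy value, falling back to the default when the key is absent.
     *
     * @throws IllegalArgumentException if the value is not a non-negative integer
     */
    private int getIntProperty( String key, int defaultValue )
    {
        String value = properties.getProperty( key );

        if ( value == null )
        {
            return defaultValue;
        }

        try
        {
            int parsed = Integer.parseInt( value.trim() );

            if ( parsed < 0 )
            {
                throw new IllegalArgumentException( key + " must not be negative: " + value );
            }

            return parsed;
        }
        catch ( NumberFormatException nfe )
        {
            throw new IllegalArgumentException( key + " is not an integer: " + value, nfe );
        }
    }
```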

Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java?rev=292627&r1=292626&r2=292627&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java
(original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordContext.java
Thu Sep 29 21:31:26 2005
@@ -42,6 +42,7 @@
     private PrincipalStoreEntry serverEntry;
     private ReplayCache replayCache;
     private LockBox lockBox;
+    private String password;
 
     /**
      * @return Returns the replayCache.
@@ -217,5 +218,21 @@
     public void setClientAddress( InetAddress clientAddress )
     {
         this.clientAddress = clientAddress;
+    }
+
+    /**
+     * @return Returns the password.
+     */
+    public String getPassword()
+    {
+        return password;
+    }
+
+    /**
+     * @param password The password to set.
+     */
+    public void setPassword( String password )
+    {
+        this.password = password;
     }
 }
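Review bot: `getPassword`/`setPassword` hold the cleartext new password as an immutable `String` on the context, which cannot be wiped once ProcessPasswordChange has derived the key and stays on the heap until garbage collection; the Javadoc `@return Returns the password.` also says nothing about that sensitivity. At minimum document it: `/** @return the cleartext new password decoded by ExtractPassword; sensitive, keep it out of logs and error text. */`. If the chain later gains a cleanup step, a `char[]`/`byte[]` field that can be zeroed would be the better representation. `setClientAddress` starts outside this hunk.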

Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordExceptionHandler.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordExceptionHandler.java?rev=292627&r1=292626&r2=292627&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordExceptionHandler.java
(original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ChangePasswordExceptionHandler.java
Thu Sep 29 21:31:26 2005
@@ -16,15 +16,31 @@
  */
 package org.apache.changepw.service;
 
+import java.nio.ByteBuffer;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.changepw.exceptions.ChangePasswordException;
 import org.apache.changepw.messages.ChangePasswordErrorModifier;
+import org.apache.kerberos.chain.Command;
 import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.Filter;
+import org.apache.kerberos.chain.impl.CommandBase;
 import org.apache.kerberos.exceptions.KerberosException;
 import org.apache.kerberos.messages.ErrorMessage;
-import org.apache.kerberos.service.ErrorMessageHandler;
+import org.apache.kerberos.messages.ErrorMessageModifier;
+import org.apache.kerberos.messages.value.KerberosTime;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class ChangePasswordExceptionHandler extends ErrorMessageHandler
+/**
+ * A {@link Command} for helping convert a {@link ChangePasswordException} into
+ * an {@link ErrorMessage} to be returned to clients.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class ChangePasswordExceptionHandler extends CommandBase implements Filter
 {
     private static final Logger log = LoggerFactory.getLogger( ChangePasswordExceptionHandler.class
);
 
@@ -51,9 +67,9 @@
 
         ChangePasswordContext changepwContext = (ChangePasswordContext) context;
         ChangePasswordConfiguration config = changepwContext.getConfig();
-        KerberosException ke = (KerberosException) exception;
+        ChangePasswordException cpe = (ChangePasswordException) exception;
 
-        ErrorMessage errorMessage = getErrorMessage( config.getChangepwPrincipal(), ke );
+        ErrorMessage errorMessage = getErrorMessage( config.getChangepwPrincipal(), cpe );
 
         ChangePasswordErrorModifier modifier = new ChangePasswordErrorModifier();
         modifier.setErrorMessage( errorMessage );
@@ -61,5 +77,37 @@
         changepwContext.setReply( modifier.getChangePasswordError() );
 
         return STOP_CHAIN;
+    }
+
+    private ErrorMessage getErrorMessage( KerberosPrincipal principal, KerberosException
exception )
+    {
+        ErrorMessageModifier modifier = new ErrorMessageModifier();
+
+        KerberosTime now = new KerberosTime();
+
+        modifier.setErrorCode( exception.getErrorCode() );
+        modifier.setExplanatoryText( exception.getMessage() );
+        modifier.setServerPrincipal( principal );
+        modifier.setServerTime( now );
+        modifier.setServerMicroSecond( 0 );
+        modifier.setExplanatoryData( buildExplanatoryData( exception ) );
+
+        return modifier.getErrorMessage();
+    }
+
+    private byte[] buildExplanatoryData( KerberosException exception )
+    {
+        short resultCode = (short) exception.getErrorCode();
+        byte[] resultString = exception.getExplanatoryData();
+
+        ByteBuffer byteBuffer = ByteBuffer.allocate( 256 );
+        byteBuffer.putShort( resultCode );
+        byteBuffer.put( resultString );
+
+        byteBuffer.flip();
+        byte[] explanatoryData = new byte[ byteBuffer.remaining() ];
+        byteBuffer.get( explanatoryData, 0, explanatoryData.length );
+
+        return explanatoryData;
     }
 }
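Review bot: `buildExplanatoryData` throws instead of producing an error reply whenever the exception carries no explanatory data: the `ChangePasswordException( int, String )` and `( ErrorType )` constructors in this commit pass none (ExtractPassword uses the latter), so `byteBuffer.put( resultString )` would receive a null (assuming the inherited field defaults to null — the KerberosException base is not in this diff), and a result string longer than 254 bytes overflows the fixed 256-byte buffer. Sizing the buffer from the data and skipping the put when it is absent fixes both; RFC 3244 makes the result string optional anyway. The cast in the previous hunk, `ChangePasswordException cpe = (ChangePasswordException) exception;`, would likewise fail for a plain `KerberosException` thrown by the shared Kerberos commands in the chain, and since `getErrorMessage` already accepts `KerberosException` the cast can be widened to that type. `execute` starts outside this hunk.
```java
    private byte[] buildExplanatoryData( KerberosException exception )
    {
        short resultCode = (short) exception.getErrorCode();
        byte[] resultString = exception.getExplanatoryData();

        // RFC 3244 e-data: 2-byte result code followed by an optional result string
        int stringLength = ( resultString == null ) ? 0 : resultString.length;

        ByteBuffer byteBuffer = ByteBuffer.allocate( 2 + stringLength );
        byteBuffer.putShort( resultCode );

        if ( resultString != null )
        {
            byteBuffer.put( resultString );
        }

        return byteBuffer.array();
    }
```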

Added: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/CheckPasswordPolicy.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/CheckPasswordPolicy.java?rev=292627&view=auto
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/CheckPasswordPolicy.java
(added)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/CheckPasswordPolicy.java
Thu Sep 29 21:31:26 2005
@@ -0,0 +1,206 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.changepw.service;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+
+import org.apache.changepw.exceptions.ChangePasswordException;
+import org.apache.changepw.exceptions.ErrorType;
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A basic password policy check using well-established methods.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class CheckPasswordPolicy extends CommandBase
+{
+    /** the log for this class */
+    private static final Logger log = LoggerFactory.getLogger( CheckPasswordPolicy.class
);
+
+    public boolean execute( Context context ) throws Exception
+    {
+        ChangePasswordContext changepwContext = (ChangePasswordContext) context;
+
+        ChangePasswordConfiguration config = changepwContext.getConfig();
+        Authenticator authenticator = changepwContext.getAuthenticator();
+        KerberosPrincipal clientPrincipal = authenticator.getClientPrincipal();
+
+        String password = changepwContext.getPassword();
+        String username = clientPrincipal.getName();
+
+        int passwordLength = config.getPasswordLengthPolicy();
+        int categoryCount = config.getCategoryCountPolicy();
+        int tokenSize = config.getTokenSizePolicy();
+
+        if ( isValid( username, password, passwordLength, categoryCount, tokenSize ) )
+        {
+            return CONTINUE_CHAIN;
+        }
+
+        String explanation = buildErrorMessage( username, password, passwordLength, categoryCount,
tokenSize );
+        log.error( explanation );
+
+        byte[] explanatoryData = explanation.getBytes( "UTF-8" );
+
+        throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR, explanatoryData
);
+    }
+
+    /**
+     * Tests that:
+     * The password is at least six characters long.
+     * The password contains a mix of characters.
+     * The password does not contain three letter (or more) tokens from the user's account
name.
+     */
+    boolean isValid( String username, String password, int passwordLength, int categoryCount,
int tokenSize )
+    {
+        return isValidPasswordLength( password, passwordLength ) && isValidCategoryCount(
password, categoryCount )
+                && isValidUsernameSubstring( username, password, tokenSize );
+    }
+
+    /**
+     * The password is at least six characters long.
+     */
+    boolean isValidPasswordLength( String password, int passwordLength )
+    {
+        return password.length() >= passwordLength;
+    }
+
+    /**
+     * The password contains characters from at least three of the following four categories:
+     * English uppercase characters (A - Z)
+     * English lowercase characters (a - z)
+     * Base 10 digits (0 - 9)
+     * Any non-alphanumeric character (for example: !, $, #, or %)
+     */
+    boolean isValidCategoryCount( String password, int categoryCount )
+    {
+        int uppercase = 0;
+        int lowercase = 0;
+        int digit = 0;
+        int nonAlphaNumeric = 0;
+
+        char[] characters = password.toCharArray();
+
+        for ( int ii = 0; ii < characters.length; ii++ )
+        {
+            if ( Character.isLowerCase( characters[ ii ] ) )
+            {
+                lowercase = 1;
+            }
+            else
+            {
+                if ( Character.isUpperCase( characters[ ii ] ) )
+                {
+                    uppercase = 1;
+                }
+                else
+                {
+                    if ( Character.isDigit( characters[ ii ] ) )
+                    {
+                        digit = 1;
+                    }
+                    else
+                    {
+                        if ( !Character.isLetterOrDigit( characters[ ii ] ) )
+                        {
+                            nonAlphaNumeric = 1;
+                        }
+                    }
+                }
+            }
+        }
+
+        return ( uppercase + lowercase + digit + nonAlphaNumeric ) >= categoryCount;
+    }
+
+    /**
+     * The password does not contain three letter (or more) tokens from the user's account
name.
+     * 
+     * If the account name is less than three characters long, this check is not performed
+     * because the rate at which passwords would be rejected is too high. For each token
that is
+     * three or more characters long, that token is searched for in the password; if it is
present,
+     * the password change is rejected. For example, the name "First M. Last" would be split
into
+     * three tokens: "First", "M", and "Last". Because the second token is only one character
long,
+     * it would be ignored. Therefore, this user could not have a password that included
either
+     * "first" or "last" as a substring anywhere in the password. All of these checks are
+     * case-insensitive.
+     */
+    boolean isValidUsernameSubstring( String username, String password, int tokenSize )
+    {
+        String[] tokens = username.split( "[^a-zA-Z]" );
+
+        for ( int ii = 0; ii < tokens.length; ii++ )
+        {
+            if ( tokens[ ii ].length() >= tokenSize )
+            {
+                if ( password.matches( "(?i).*" + tokens[ ii ] + ".*" ) )
+                {
+                    return false;
+                }
+            }
+        }
+
+        return true;
+    }
+
+    private String buildErrorMessage( String username, String password, int passwordLength,
int categoryCount,
+            int tokenSize )
+    {
+        List violations = new ArrayList();
+
+        if ( !isValidPasswordLength( password, passwordLength ) )
+        {
+            violations.add( "length too short" );
+        }
+
+        if ( !isValidCategoryCount( password, categoryCount ) )
+        {
+            violations.add( "insufficient character mix" );
+        }
+
+        if ( !isValidUsernameSubstring( username, password, tokenSize ) )
+        {
+            violations.add( "contains portions of username" );
+        }
+
+        StringBuffer sb = new StringBuffer( "Password violates policy:  " );
+
+        Iterator it = violations.iterator();
+
+        while ( it.hasNext() )
+        {
+            sb.append( (String) it.next() );
+
+            if ( it.hasNext() )
+            {
+                sb.append( ", " );
+            }
+        }
+
+        return sb.toString();
+    }
+}
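Review bot: `isValidUsernameSubstring` tokenizes `clientPrincipal.getName()`, which for a `javax.security.auth.kerberos.KerberosPrincipal` is the full `name@REALM` form, so realm components become forbidden substrings too — with a realm such as EXAMPLE.COM any password containing "com" (a constructed example: "Welcome1!") is rejected for a reason the user cannot see, while the Javadoc only promises account-name tokens. Strip the realm before splitting, and replace `password.matches( "(?i).*" + tokens[ ii ] + ".*" )` with a case-insensitive `indexOf`: the regex is only injection-safe because the `[^a-zA-Z]` split leaves nothing but letters, which a later edit can easily break. Separately, `log.error( explanation )` records a client's policy violation at error level on every attempt (debug or info fits better), and the Javadoc on `isValid`, `isValidPasswordLength` and `isValidUsernameSubstring` still hard-codes six and three although the values now come from the configuration. The rewrite below needs `java.util.Locale` imported.
```java
    boolean isValidUsernameSubstring( String username, String password, int tokenSize )
    {
        // KerberosPrincipal.getName() is "name@REALM"; only the local part is the account name
        int realmStart = username.indexOf( '@' );
        String accountName = ( realmStart < 0 ) ? username : username.substring( 0, realmStart );

        String lowerPassword = password.toLowerCase( Locale.ENGLISH );
        String[] tokens = accountName.split( "[^a-zA-Z]" );

        for ( int ii = 0; ii < tokens.length; ii++ )
        {
            if ( tokens[ ii ].length() >= tokenSize
                    && lowerPassword.indexOf( tokens[ ii ].toLowerCase( Locale.ENGLISH ) ) >= 0 )
            {
                return false;
            }
        }

        return true;
    }
```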

Propchange: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/CheckPasswordPolicy.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ExtractPassword.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ExtractPassword.java?rev=292627&view=auto
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ExtractPassword.java
(added)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ExtractPassword.java
Thu Sep 29 21:31:26 2005
@@ -0,0 +1,102 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.changepw.service;
+
+import java.io.UnsupportedEncodingException;
+
+import org.apache.changepw.exceptions.ChangePasswordException;
+import org.apache.changepw.exceptions.ErrorType;
+import org.apache.changepw.io.ChangePasswordDataDecoder;
+import org.apache.changepw.messages.ChangePasswordRequest;
+import org.apache.changepw.value.ChangePasswordData;
+import org.apache.changepw.value.ChangePasswordDataModifier;
+import org.apache.kerberos.chain.Context;
+import org.apache.kerberos.chain.impl.CommandBase;
+import org.apache.kerberos.exceptions.KerberosException;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.EncKrbPrivPart;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.service.LockBox;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class ExtractPassword extends CommandBase
+{
+    /** the log for this class */
+    private static final Logger log = LoggerFactory.getLogger( ExtractPassword.class );
+
+    public boolean execute( Context context ) throws Exception
+    {
+        ChangePasswordContext changepwContext = (ChangePasswordContext) context;
+
+        ChangePasswordRequest request = (ChangePasswordRequest) changepwContext.getRequest();
+        Authenticator authenticator = changepwContext.getAuthenticator();
+        LockBox lockBox = changepwContext.getLockBox();
+
+        // TODO - check ticket is for service authorized to change passwords
+        // ticket.getServerPrincipal().getName().equals(config.getChangepwPrincipal().getName()));
+
+        // TODO - check client principal in ticket is authorized to change password
+
+        // get the subsession key from the Authenticator
+        EncryptionKey subSessionKey = authenticator.getSubSessionKey();
+
+        // decrypt the request's private message with the subsession key
+        EncryptedData encReqPrivPart = request.getPrivateMessage().getEncryptedPart();
+
+        EncKrbPrivPart privatePart;
+
+        try
+        {
+            privatePart = (EncKrbPrivPart) lockBox.unseal( EncKrbPrivPart.class, subSessionKey,
encReqPrivPart );
+        }
+        catch ( KerberosException ke )
+        {
+            log.error( ke.getMessage(), ke );
+            throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR );
+        }
+
+        ChangePasswordData passwordData = null;
+
+        if ( request.getVersionNumber() == (short) 1 )
+        {
+            // Use protocol version 0x0001, the legacy Kerberos change password protocol
+            ChangePasswordDataModifier modifier = new ChangePasswordDataModifier();
+            modifier.setNewPassword( privatePart.getUserData() );
+            passwordData = modifier.getChangePasswdData();
+        }
+        else
+        {
+            // Use protocol version 0xFF80, the backwards-compatible MS protocol
+            ChangePasswordDataDecoder passwordDecoder = new ChangePasswordDataDecoder();
+            passwordData = passwordDecoder.decodeChangePasswordData( privatePart.getUserData()
);
+        }
+
+        try
+        {
+            changepwContext.setPassword( new String( passwordData.getPassword(), "UTF-8"
) );
+        }
+        catch ( UnsupportedEncodingException uee )
+        {
+            log.error( uee.getMessage(), uee );
+            throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR );
+        }
+
+        return CONTINUE_CHAIN;
+    }
+}
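Review bot: The version dispatch at `if ( request.getVersionNumber() == (short) 1 )` routes every value other than 1 to the 0xFF80 decoder, so a request with an unknown or malformed version number is parsed as if it were the MS protocol rather than rejected. Check for 0xFF80 explicitly and fail the unknown case (with the RFC 3244 bad-version result if `ErrorType` defines one, otherwise `KRB5_KPASSWD_SOFTERROR`), as below, assuming `getVersionNumber()` returns a `short` as the existing comparison suggests. The two TODOs carried over from ProcessPasswordChange — verifying the ticket is for the change-password service and that the client may change this password — remain unimplemented, so that authorization gap now lives in this new file. The class also lacks the Javadoc header its sibling CheckPasswordPolicy carries; `/** Unseals the KRB-PRIV part of a change password request and stores the new password in the context. */` would do.
```java
        ChangePasswordData passwordData = null;
        short versionNumber = request.getVersionNumber();

        if ( versionNumber == (short) 1 )
        {
            // … unchanged: legacy 0x0001 path …
        }
        else if ( versionNumber == (short) 0xFF80 )
        {
            // … unchanged: MS 0xFF80 decoder path …
        }
        else
        {
            log.error( "Unsupported change password protocol version " + versionNumber );
            throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR );
        }
```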

Propchange: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ExtractPassword.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/MonitorContext.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/MonitorContext.java?rev=292627&r1=292626&r2=292627&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/MonitorContext.java
(original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/MonitorContext.java
Thu Sep 29 21:31:26 2005
@@ -54,6 +54,7 @@
 
                 Authenticator authenticator = changepwContext.getAuthenticator();
                 KerberosPrincipal clientPrincipal = authenticator.getClientPrincipal();
+                String desiredPassword = changepwContext.getPassword();
 
                 InetAddress clientAddress = changepwContext.getClientAddress();
                 HostAddresses clientAddresses = ticket.getClientAddresses();
@@ -73,6 +74,7 @@
                 sb.append( "\n\t" + "replayCache            " + replayCache );
                 sb.append( "\n\t" + "clockSkew              " + clockSkew );
                 sb.append( "\n\t" + "clientPrincipal        " + clientPrincipal );
+                sb.append( "\n\t" + "desiredPassword        " + desiredPassword );
                 sb.append( "\n\t" + "clientAddress          " + clientAddress );
                 sb.append( "\n\t" + "clientAddresses        " + clientAddresses );
                 sb.append( "\n\t" + "caddr contains sender  " + caddrContainsSender );
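Review bot: The added `sb.append( "\n\t" + "desiredPassword        " + desiredPassword );` writes the user's new cleartext password to the log; MonitorContext is only installed when debug is enabled, but debug logging is routinely switched on for troubleshooting and the output retained, so this puts credentials into log storage. Log presence rather than value, e.g. `sb.append( "\n\t" + "desiredPassword        " + ( desiredPassword == null ? "null" : "<present>" ) );`, or drop the line. The enclosing method starts and ends outside this hunk.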

Modified: directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java
URL: http://svn.apache.org/viewcvs/directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java?rev=292627&r1=292626&r2=292627&view=diff
==============================================================================
--- directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java
(original)
+++ directory/protocol-providers/changepw/trunk/src/java/org/apache/changepw/service/ProcessPasswordChange.java
Thu Sep 29 21:31:26 2005
@@ -21,18 +21,9 @@
 
 import org.apache.changepw.exceptions.ChangePasswordException;
 import org.apache.changepw.exceptions.ErrorType;
-import org.apache.changepw.io.ChangePasswordDataDecoder;
-import org.apache.changepw.messages.ChangePasswordRequest;
-import org.apache.changepw.value.ChangePasswordData;
-import org.apache.changepw.value.ChangePasswordDataModifier;
 import org.apache.kerberos.chain.Context;
 import org.apache.kerberos.chain.impl.CommandBase;
-import org.apache.kerberos.exceptions.KerberosException;
 import org.apache.kerberos.messages.components.Authenticator;
-import org.apache.kerberos.messages.components.EncKrbPrivPart;
-import org.apache.kerberos.messages.value.EncryptedData;
-import org.apache.kerberos.messages.value.EncryptionKey;
-import org.apache.kerberos.service.LockBox;
 import org.apache.kerberos.store.PrincipalStore;
 import org.apache.kerberos.store.operations.ChangePassword;
 import org.slf4j.Logger;
@@ -47,56 +38,15 @@
     {
         ChangePasswordContext changepwContext = (ChangePasswordContext) context;
 
-        ChangePasswordRequest request = (ChangePasswordRequest) changepwContext.getRequest();
         PrincipalStore store = changepwContext.getStore();
         Authenticator authenticator = changepwContext.getAuthenticator();
-        LockBox lockBox = changepwContext.getLockBox();
-
-        // TODO - check ticket is for service authorized to change passwords
-        // ticket.getServerPrincipal().getName().equals(config.getChangepwPrincipal().getName()));
-
-        // TODO - check client principal in ticket is authorized to change password
-
-        // get the subsession key from the Authenticator
-        EncryptionKey subSessionKey = authenticator.getSubSessionKey();
-
-        // decrypt the request's private message with the subsession key
-        EncryptedData encReqPrivPart = request.getPrivateMessage().getEncryptedPart();
-
-        EncKrbPrivPart privatePart;
-
-        try
-        {
-            privatePart = (EncKrbPrivPart) lockBox.unseal( EncKrbPrivPart.class, subSessionKey,
encReqPrivPart );
-        }
-        catch ( KerberosException ke )
-        {
-            log.error( ke.getMessage(), ke );
-            throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR );
-        }
-
-        ChangePasswordData passwordData = null;
-
-        if ( request.getVersionNumber() == (short) 1 )
-        {
-            // Use protocol version 0x0001, the legacy Kerberos change password protocol
-            ChangePasswordDataModifier modifier = new ChangePasswordDataModifier();
-            modifier.setNewPassword( privatePart.getUserData() );
-            passwordData = modifier.getChangePasswdData();
-        }
-        else
-        {
-            // Use protocol version 0xFF80, the backwards-compatible MS protocol
-            ChangePasswordDataDecoder passwordDecoder = new ChangePasswordDataDecoder();
-            passwordData = passwordDecoder.decodeChangePasswordData( privatePart.getUserData()
);
-        }
+        String password = changepwContext.getPassword();
 
         // usec and seq-number must be present per MS but aren't in legacy kpasswd
         // seq-number must have same value as authenticator
         // ignore r-address
 
         // generate key from password
-        String password = new String( passwordData.getPassword() );
         KerberosPrincipal clientPrincipal = authenticator.getClientPrincipal();
         KerberosKey newKey = new KerberosKey( clientPrincipal, password.toCharArray(), "DES"
);
 
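Review bot: `String password = changepwContext.getPassword();` is used unguarded a few lines later at `password.toCharArray()`, so the command now silently depends on ExtractPassword having run earlier in the chain; a guard such as `if ( password == null ) throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR );` turns a misordered chain into a protocol error instead of a NullPointerException. The context line `new KerberosKey( clientPrincipal, password.toCharArray(), "DES" )` is not touched by this commit, but it hard-codes DES while the configuration carries an `encryptionTypes` array; a TODO there is warranted if that is intentional. `execute` begins and ends outside this hunk.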


