Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 63916 invoked from network); 21 Jul 2007 11:14:13 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 21 Jul 2007 11:14:13 -0000 Received: (qmail 97626 invoked by uid 500); 21 Jul 2007 11:14:15 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 97585 invoked by uid 500); 21 Jul 2007 11:14:15 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 97573 invoked by uid 99); 21 Jul 2007 11:14:15 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 21 Jul 2007 04:14:15 -0700 X-ASF-Spam-Status: No, hits=-99.5 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 21 Jul 2007 04:14:12 -0700 Received: by eris.apache.org (Postfix, from userid 65534) id 9B07A1A981A; Sat, 21 Jul 2007 04:13:52 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r558297 - in /directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay: InMemoryReplayCache.java ReplayCache.java Date: Sat, 21 Jul 2007 11:13:52 -0000 To: commits@directory.apache.org 
From: erodriguez@apache.org X-Mailer: svnmailer-1.1.0 Message-Id: <20070721111352.9B07A1A981A@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: erodriguez Date: Sat Jul 21 04:13:51 2007 New Revision: 558297 URL: http://svn.apache.org/viewvc?view=rev&rev=558297 Log: Added more Authenticator elements to the replay cache, to help prevent rambunctious replay detection during testing. Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/ReplayCache.java Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java?view=diff&rev=558297&r1=558296&r2=558297 ==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java (original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/InMemoryReplayCache.java Sat Jul 21 04:13:51 2007
@@ -31,6 +31,10 @@
 /**
+ * "The replay cache will store at least the server name, along with the client name,
+ * time, and microsecond fields from the recently-seen authenticators, and if a
+ * matching tuple is found, the KRB_AP_ERR_REPEAT error is returned."
+ *
 * @author Apache Directory Project
 * @version $Rev$, $Date$
 */
@@ -41,25 +45,30 @@
 private List list = new ArrayList();
- public synchronized boolean isReplay( KerberosTime clientTime, KerberosPrincipal clientPrincipal )
+ public synchronized boolean isReplay( KerberosPrincipal serverPrincipal, KerberosPrincipal clientPrincipal,
+ KerberosTime clientTime, int clientMicroSeconds )
 {
- ReplayCacheEntry testEntry = new ReplayCacheEntry( clientTime, clientPrincipal );
- Iterator it = list.iterator();
+ ReplayCacheEntry testEntry = new ReplayCacheEntry( serverPrincipal, clientPrincipal, clientTime,
+ clientMicroSeconds );
+
+ Iterator it = list.iterator();
 while ( it.hasNext() )
 {
- ReplayCacheEntry entry = ( ReplayCacheEntry ) it.next();
+ ReplayCacheEntry entry = it.next();
 if ( entry.equals( testEntry ) )
 {
 return true;
 }
 }
+
 return false;
 }
- public synchronized void save( KerberosTime clientTime, KerberosPrincipal clientPrincipal )
+ public synchronized void save( KerberosPrincipal serverPrincipal, KerberosPrincipal clientPrincipal,
+ KerberosTime clientTime, int clientMicroSeconds )
 {
- list.add( new ReplayCacheEntry( clientTime, clientPrincipal ) );
+ list.add( new ReplayCacheEntry( serverPrincipal, clientPrincipal, clientTime, clientMicroSeconds ) );
 purgeExpired();
 }
@@ -73,10 +82,10 @@
 KerberosTime age = new KerberosTime( now - TWO_WEEKS );
- Iterator it = list.iterator();
+ Iterator it = list.iterator();
 while ( it.hasNext() )
 {
- ReplayCacheEntry entry = ( ReplayCacheEntry ) it.next();
+ ReplayCacheEntry entry = it.next();
 if ( entry.olderThan( age ) )
 {
 list.remove( entry );
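Review bot: isReplay() and save() are each synchronized on their own, so the check-then-record sequence in this hunk is not atomic: two requests presenting the same authenticator at the same moment can both get false from isReplay() before either save() has run, and a replay passes through the very window the cache exists to close — unless the caller serializes the two calls itself, which is not visible here. A replay cache is only correct when the lookup and the insert happen under one lock, so either the caller must hold a lock across both calls or the cache should offer a single synchronized check-and-record operation (a new method on the ReplayCache interface). Whichever is chosen, the contract should be stated on isReplay(), e.g. `* This check does not record the request; callers must invoke {@link #save} for a false result under the same lock, as the two calls are not atomic on their own.`.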
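Review bot: In the purgeExpired() hunk, `list.remove( entry );` modifies the ArrayList while `it` is still iterating over it, so the following `it.next()` throws ConcurrentModificationException whenever the expired entry is not the last element; because purge runs from save(), that would surface on every authenticator once entries start aging out. Let the iterator do the removal instead: `it.remove();`. This also sidesteps the fact that List.remove(Object) dispatches to Object.equals(Object), which ReplayCacheEntry does not override (its equals takes a ReplayCacheEntry), so the current removal matches by identity only. purgeExpired() begins outside the hunk.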
@@ -86,38 +95,47 @@
 private class ReplayCacheEntry
 {
- private KerberosTime clientTime;
+ private KerberosPrincipal serverPrincipal;
 private KerberosPrincipal clientPrincipal;
+ private KerberosTime clientTime;
+ private int clientMicroSeconds;
 /**
 * Creates a new instance of ReplayCacheEntry.
- *
- * @param time
- * @param principal
+ *
+ * @param serverPrincipal
+ * @param clientPrincipal
+ * @param clientTime
+ * @param clientMicroSeconds
 */
- public ReplayCacheEntry( KerberosTime time, KerberosPrincipal principal )
+ public ReplayCacheEntry( KerberosPrincipal serverPrincipal, KerberosPrincipal clientPrincipal,
+ KerberosTime clientTime, int clientMicroSeconds )
 {
- clientTime = time;
- clientPrincipal = principal;
+ this.serverPrincipal = serverPrincipal;
+ this.clientPrincipal = clientPrincipal;
+ this.clientTime = clientTime;
+ this.clientMicroSeconds = clientMicroSeconds;
 }
 /**
- * Returns whether this {@link ReplayCacheEntry} is equal another {@link ReplayCacheEntry}.
- * {@link ReplayCacheEntry}'s are equal when the client time and the client principal are equal.
+ * Returns whether this {@link ReplayCacheEntry} is equal to another {@link ReplayCacheEntry}.
+ * {@link ReplayCacheEntry}'s are equal when the server name, client name, client time, and
+ * the client microseconds are equal.
 *
- * @param other
+ * @param that
 * @return true if the ReplayCacheEntry's are equal.
 */
- public boolean equals( ReplayCacheEntry other )
+ public boolean equals( ReplayCacheEntry that )
 {
- return clientTime.equals( other.clientTime ) && clientPrincipal.equals( other.clientPrincipal );
+ return serverPrincipal.equals( that.serverPrincipal ) && clientPrincipal.equals( that.clientPrincipal )
+ && clientTime.equals( that.clientTime ) && clientMicroSeconds == that.clientMicroSeconds;
 }
 /**
- * Return whether this {@link ReplayCacheEntry} is older than a given time.
+ * Returns whether this {@link ReplayCacheEntry} is older than a given time.
*
 * @param time
 * @return true if the {@link ReplayCacheEntry} is older.
Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/ReplayCache.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/ReplayCache.java?view=diff&rev=558297&r1=558296&r2=558297 ==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/ReplayCache.java (original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/replay/ReplayCache.java Sat Jul 21 04:13:51 2007
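Review bot: The new `equals( ReplayCacheEntry that )` overloads rather than overrides Object.equals(Object), and no hashCode() is defined, so entries only compare by value where the static type is ReplayCacheEntry (as in isReplay()); any Object-typed path, such as List.remove(Object) or a hash-based collection, falls back to identity. Override equals(Object) with an instanceof guard and add a matching hashCode(), which also opens the door to replacing the linear scan over entries kept for two weeks with a hash-based set — a real concern for a structure every authenticated request consults. The field comparisons call equals() directly, so if a caller can pass a null principal or time (not visible here) the check would throw rather than reject; validating in the constructor would make that explicit. ReplayCacheEntry continues past the end of the hunk.
```java
        @Override
        public boolean equals( Object o )
        {
            if ( !( o instanceof ReplayCacheEntry ) )
            {
                return false;
            }

            ReplayCacheEntry that = ( ReplayCacheEntry ) o;

            return serverPrincipal.equals( that.serverPrincipal ) && clientPrincipal.equals( that.clientPrincipal )
                && clientTime.equals( that.clientTime ) && clientMicroSeconds == that.clientMicroSeconds;
        }

        @Override
        public int hashCode()
        {
            // Same four fields as equals(), so equal entries hash alike.
            int h = serverPrincipal.hashCode();
            h = 31 * h + clientPrincipal.hashCode();
            h = 31 * h + clientTime.hashCode();
            return 31 * h + clientMicroSeconds;
        }

        // … unchanged: olderThan( KerberosTime ) …
```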
@@ -26,26 +26,38 @@
 /**
+ * "The replay cache will store at least the server name, along with the client name,
+ * time, and microsecond fields from the recently-seen authenticators, and if a
+ * matching tuple is found, the KRB_AP_ERR_REPEAT error is returned."
+ *
 * @author Apache Directory Project
 * @version $Rev$, $Date$
 */
 public interface ReplayCache
 {
 /**
- * Returns whether a request is a replay, based on the client time and client principal.
- *
- * @param clientTime
+ * Returns whether a request is a replay, based on the server principal, client
+ * principal, time, and microseconds.
+ *
+ * @param serverPrincipal
 * @param clientPrincipal
+ * @param clientTime
+ * @param clientMicroSeconds
 * @return true if the request is a replay.
 */
- boolean isReplay( KerberosTime clientTime, KerberosPrincipal clientPrincipal );
+ boolean isReplay( KerberosPrincipal serverPrincipal, KerberosPrincipal clientPrincipal, KerberosTime clientTime,
+ int clientMicroSeconds );
 /**
- * Saves the client time and client principal to the replay cache.
+ * Saves the server principal, client principal, time, and microseconds to
+ * the replay cache.
 *
- * @param clientTime
+ * @param serverPrincipal
 * @param clientPrincipal
+ * @param clientTime
+ * @param clientMicroSeconds
 */
- void save( KerberosTime clientTime, KerberosPrincipal clientPrincipal );
+ void save( KerberosPrincipal serverPrincipal, KerberosPrincipal clientPrincipal, KerberosTime clientTime,
+ int clientMicroSeconds );
 }
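Review bot: The `@param` tags added to isReplay() and save() carry no descriptions, so the interface quotes the RFC tuple but never says which authenticator fields the arguments are or what the two methods expect of each other. Give each tag a description, e.g. `@param clientTime the ctime field of the client's authenticator` and `@param clientMicroSeconds the cusec field of the client's authenticator`, and state the relationship between the calls on isReplay(): `* A false result does not record the request; callers must follow it with {@link #save} under the same lock, as the two calls are not atomic.`. Without that sentence an implementor of a second ReplayCache has no contract to honour for the check-then-record sequence.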