directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r578743 [11/12] - in /directory/apacheds/branches/apacheds-kerberos: kerberos-shared/ kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/ kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypt...
Date Mon, 24 Sep 2007 10:18:45 GMT
Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.java Mon Sep 24 03:18:05 2007
@@ -27,18 +27,18 @@
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
 import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
-import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
-import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
-import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
+import org.apache.directory.server.kerberos.shared.messages.value.PrincipalName;
 import org.apache.directory.server.kerberos.shared.messages.value.TransitedEncoding;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.KdcOption;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.TicketFlag;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 import org.slf4j.Logger;
@@ -63,114 +63,71 @@
 
         KdcRequest request = authContext.getRequest();
         CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
-        KerberosPrincipal serverPrincipal = request.getServerPrincipal();
+        PrincipalName serverPrincipal = request.getServerPrincipalName();
 
         EncryptionType encryptionType = authContext.getEncryptionType();
         EncryptionKey serverKey = authContext.getServerEntry().getKeyMap().get( encryptionType );
 
         KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
-        EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+        EncTicketPart ticketPart = new EncTicketPart();
         KdcConfiguration config = authContext.getConfig();
 
         // The INITIAL flag indicates that a ticket was issued using the AS protocol.
-        newTicketBody.setFlag( TicketFlags.INITIAL );
+        ticketPart.setFlag( TicketFlag.INITIAL );
 
         // The PRE-AUTHENT flag indicates that the client used pre-authentication.
         if ( authContext.isPreAuthenticated() )
         {
-            newTicketBody.setFlag( TicketFlags.PRE_AUTHENT );
+            ticketPart.setFlag( TicketFlag.PRE_AUTHENT );
         }
 
-        if ( request.getOption( KdcOptions.FORWARDABLE ) )
+        if ( request.getKdcOptions().isFlagSet( KdcOption.FORWARDABLE ) )
         {
-            if ( !config.isForwardableAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
-
-            newTicketBody.setFlag( TicketFlags.FORWARDABLE );
+            ticketPart.setFlag( TicketFlag.FORWARDABLE );
         }
 
-        if ( request.getOption( KdcOptions.PROXIABLE ) )
+        if ( request.getKdcOptions().isFlagSet( KdcOption.PROXIABLE ) )
         {
-            if ( !config.isProxiableAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
-
-            newTicketBody.setFlag( TicketFlags.PROXIABLE );
+            ticketPart.setFlag( TicketFlag.PROXIABLE );
         }
 
-        if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
+        if ( request.getKdcOptions().isFlagSet( KdcOption.ALLOW_POSTDATE ) )
         {
-            if ( !config.isPostdatedAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
-
-            newTicketBody.setFlag( TicketFlags.MAY_POSTDATE );
+            ticketPart.setFlag( TicketFlag.MAY_POSTDATE );
         }
 
-        if ( request.getOption( KdcOptions.RENEW ) || request.getOption( KdcOptions.VALIDATE )
-            || request.getOption( KdcOptions.PROXY ) || request.getOption( KdcOptions.FORWARDED )
-            || request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
+        if ( request.getKdcOptions().isFlagSet( KdcOption.RENEW ) || 
+             request.getKdcOptions().isFlagSet( KdcOption.VALIDATE ) || 
+             request.getKdcOptions().isFlagSet( KdcOption.PROXY ) || 
+             request.getKdcOptions().isFlagSet( KdcOption.FORWARDED ) || 
+             request.getKdcOptions().isFlagSet( KdcOption.ENC_TKT_IN_SKEY ) )
         {
-            throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
         }
 
         EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( authContext.getEncryptionType() );
-        newTicketBody.setSessionKey( sessionKey );
+        ticketPart.setSessionKey( sessionKey );
 
-        newTicketBody.setClientPrincipal( request.getClientPrincipal() );
-        newTicketBody.setTransitedEncoding( new TransitedEncoding() );
+        ticketPart.setClientPrincipal( request.getClientPrincipal() );
+        ticketPart.setTransitedEncoding( new TransitedEncoding() );
 
         KerberosTime now = new KerberosTime();
+        ticketPart.setAuthTime( now );
 
-        newTicketBody.setAuthTime( now );
-
-        KerberosTime startTime = request.getFrom();
-
-        /*
-         * "If the requested starttime is absent, indicates a time in the past,
-         * or is within the window of acceptable clock skew for the KDC and the
-         * POSTDATE option has not been specified, then the starttime of the
-         * ticket is set to the authentication server's current time."
-         */
-        if ( startTime == null || startTime.lessThan( now ) || startTime.isInClockSkew( config.getAllowableClockSkew() )
-            && !request.getOption( KdcOptions.POSTDATED ) )
-        {
-            startTime = now;
-        }
-
-        /*
-         * "If it indicates a time in the future beyond the acceptable clock skew,
-         * but the POSTDATED option has not been specified, then the error
-         * KDC_ERR_CANNOT_POSTDATE is returned."
-         */
-        if ( startTime != null && startTime.greaterThan( now )
-            && !startTime.isInClockSkew( config.getAllowableClockSkew() ) && !request.getOption( KdcOptions.POSTDATED ) )
+        if ( request.getKdcOptions().isFlagSet( KdcOption.POSTDATED ) )
         {
-            throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
-        }
-
-        /*
-         * "Otherwise the requested starttime is checked against the policy of the
-         * local realm and if the ticket's starttime is acceptable, it is set as
-         * requested, and the INVALID flag is set in the new ticket."
-         */
-        if ( request.getOption( KdcOptions.POSTDATED ) )
-        {
-            if ( !config.isPostdatedAllowed() )
+            // TODO - possibly allow req.from range
+            if ( !config.isPostdateAllowed() )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+                throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
             }
 
-            newTicketBody.setFlag( TicketFlags.POSTDATED );
-            newTicketBody.setFlag( TicketFlags.INVALID );
-            newTicketBody.setStartTime( startTime );
+            ticketPart.setFlag( TicketFlag.INVALID );
+            ticketPart.setStartTime( request.getFrom() );
         }
 
         long till = 0;
+        
         if ( request.getTill().getTime() == 0 )
         {
             till = Long.MAX_VALUE;
@@ -179,87 +136,53 @@
         {
             till = request.getTill().getTime();
         }
-
-        /*
-         * The end time is the minimum of (a) the requested till time or (b)
-         * the start time plus maximum lifetime as configured in policy.
-         */
-        long endTime = Math.min( till, startTime.getTime() + config.getMaximumTicketLifetime() );
+        
+        long endTime = Math.min( now.getTime() + config.getMaximumTicketLifetime(), till );
         KerberosTime kerberosEndTime = new KerberosTime( endTime );
-        newTicketBody.setEndTime( kerberosEndTime );
+        ticketPart.setEndTime( kerberosEndTime );
 
-        /*
-         * "If the requested expiration time minus the starttime (as determined
-         * above) is less than a site-determined minimum lifetime, an error
-         * message with code KDC_ERR_NEVER_VALID is returned."
-         */
-        if ( kerberosEndTime.lessThan( startTime ) )
+        long tempRenewtime = 0;
+        
+        if ( request.getKdcOptions().isFlagSet( KdcOption.RENEWABLE_OK ) && 
+            request.getTill().greaterThan( kerberosEndTime ) )
         {
-            throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
+            request.getKdcOptions().setFlag( KdcOption.RENEWABLE );
+            tempRenewtime = request.getTill().getTime();
         }
 
-        long ticketLifeTime = Math.abs( startTime.getTime() - kerberosEndTime.getTime() );
-        if ( ticketLifeTime < config.getAllowableClockSkew() )
+        if ( tempRenewtime == 0 || request.getRenewtime() == null )
         {
-            throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
+            tempRenewtime = request.getTill().getTime();
         }
-
-        /*
-         * "If the requested expiration time for the ticket exceeds what was determined
-         * as above, and if the 'RENEWABLE-OK' option was requested, then the 'RENEWABLE'
-         * flag is set in the new ticket, and the renew-till value is set as if the
-         * 'RENEWABLE' option were requested."
-         */
-        KerberosTime tempRtime = request.getRtime();
-
-        if ( request.getOption( KdcOptions.RENEWABLE_OK ) && request.getTill().greaterThan( kerberosEndTime ) )
+        else
         {
-            if ( !config.isRenewableAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
-
-            request.setOption( KdcOptions.RENEWABLE );
-            tempRtime = request.getTill();
+            tempRenewtime = request.getRenewtime().getTime();
         }
 
-        if ( request.getOption( KdcOptions.RENEWABLE ) )
+        if ( request.getKdcOptions().isFlagSet( KdcOption.RENEWABLE ) )
         {
-            if ( !config.isRenewableAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
+            ticketPart.setFlag( TicketFlag.RENEWABLE );
 
-            newTicketBody.setFlag( TicketFlags.RENEWABLE );
+            /*
+             * 'from' KerberosTime is OPTIONAL
+             */
+            KerberosTime fromTime = request.getFrom();
 
-            if ( tempRtime == null || tempRtime.isZero() )
+            if ( fromTime == null )
             {
-                tempRtime = KerberosTime.INFINITY;
+                fromTime = new KerberosTime();
             }
 
-            /*
-             * The renew-till time is the minimum of (a) the requested renew-till
-             * time or (b) the start time plus maximum renewable lifetime as
-             * configured in policy.
-             */
-            long renewTill = Math.min( tempRtime.getTime(), startTime.getTime() + config.getMaximumRenewableLifetime() );
-            newTicketBody.setRenewTill( new KerberosTime( renewTill ) );
+            long renewTill = Math.min( fromTime.getTime() + config.getMaximumRenewableLifetime(), tempRenewtime );
+            ticketPart.setRenewTill( new KerberosTime( renewTill ) );
         }
 
-        if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
-            && request.getAddresses().getAddresses().length > 0 )
-        {
-            newTicketBody.setClientAddresses( request.getAddresses() );
-        }
-        else
+        if ( request.getAddresses() != null )
         {
-            if ( !config.isEmptyAddressesAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
+            ticketPart.setClientAddresses( request.getAddresses() );
         }
 
-        EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
+        //EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
 
         EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2 );
 

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetClientEntry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetClientEntry.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetClientEntry.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetClientEntry.java Mon Sep 24 03:18:05 2007
@@ -22,7 +22,7 @@
 
 import javax.security.auth.kerberos.KerberosPrincipal;
 
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 import org.apache.mina.common.IoSession;
@@ -41,7 +41,7 @@
         KerberosPrincipal principal = authContext.getRequest().getClientPrincipal();
         PrincipalStore store = authContext.getStore();
 
-        authContext.setClientEntry( getEntry( principal, store, ErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN ) );
+        authContext.setClientEntry( getEntry( principal, store, KerberosErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN ) );
 
         next.execute( session, message );
     }

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetServerEntry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetServerEntry.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetServerEntry.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/GetServerEntry.java Mon Sep 24 03:18:05 2007
@@ -22,7 +22,7 @@
 
 import javax.security.auth.kerberos.KerberosPrincipal;
 
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 import org.apache.mina.common.IoSession;
@@ -41,7 +41,7 @@
         KerberosPrincipal principal = authContext.getRequest().getServerPrincipal();
         PrincipalStore store = authContext.getStore();
 
-        authContext.setServerEntry( getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
+        authContext.setServerEntry( getEntry( principal, store, KerberosErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
 
         next.execute( session, message );
     }

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/SealReply.java Mon Sep 24 03:18:05 2007
@@ -22,7 +22,7 @@
 
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
-import org.apache.directory.server.kerberos.shared.messages.AuthenticationReply;
+import org.apache.directory.server.kerberos.shared.messages.AuthServerReply;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
 import org.apache.mina.common.IoSession;
@@ -42,7 +42,7 @@
     {
         AuthenticationContext authContext = ( AuthenticationContext ) session.getAttribute( getContextKey() );
 
-        AuthenticationReply reply = ( AuthenticationReply ) authContext.getReply();
+        AuthServerReply reply = ( AuthServerReply ) authContext.getReply();
         EncryptionKey clientKey = authContext.getClientKey();
         CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
 

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/VerifyPolicy.java Mon Sep 24 03:18:05 2007
@@ -22,8 +22,8 @@
 
 import java.util.Date;
 
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -45,17 +45,17 @@
 
         if ( entry.isDisabled() )
         {
-            throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
+            throw new KerberosException( KerberosErrorType.KDC_ERR_CLIENT_REVOKED );
         }
 
         if ( entry.isLockedOut() )
         {
-            throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
+            throw new KerberosException( KerberosErrorType.KDC_ERR_CLIENT_REVOKED );
         }
 
         if ( entry.getExpiration().getTime() < new Date().getTime() )
         {
-            throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
+            throw new KerberosException( KerberosErrorType.KDC_ERR_CLIENT_REVOKED );
         }
 
         next.execute( session, message );

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifierBase.java Mon Sep 24 03:18:05 2007
@@ -27,8 +27,7 @@
 import org.apache.directory.server.kerberos.shared.io.encoder.PreAuthenticationDataEncoder;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionTypeInfoEntry;
 import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataModifier;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.PreAuthenticationDataType;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
 
@@ -52,13 +51,12 @@
     {
         PreAuthenticationData[] paDataSequence = new PreAuthenticationData[2];
 
-        PreAuthenticationDataModifier modifier = new PreAuthenticationDataModifier();
-        modifier.setDataType( PreAuthenticationDataType.PA_ENC_TIMESTAMP );
-        modifier.setDataValue( new byte[0] );
+        PreAuthenticationData preAuthData = new PreAuthenticationData( PreAuthenticationDataType.PA_ENC_TIMESTAMP, new byte[0] );
 
-        paDataSequence[0] = modifier.getPreAuthenticationData();
+        paDataSequence[0] = preAuthData;
 
         EncryptionTypeInfoEntry[] entries = new EncryptionTypeInfoEntry[encryptionTypes.length];
+        
         for ( int ii = 0; ii < encryptionTypes.length; ii++ )
         {
             entries[ii] = new EncryptionTypeInfoEntry( encryptionTypes[ii], null );
@@ -75,11 +73,10 @@
             return null;
         }
 
-        PreAuthenticationDataModifier encTypeModifier = new PreAuthenticationDataModifier();
-        encTypeModifier.setDataType( PreAuthenticationDataType.PA_ETYPE_INFO );
-        encTypeModifier.setDataValue( encTypeInfo );
+        PreAuthenticationData encType = new PreAuthenticationData( 
+            PreAuthenticationDataType.PA_ENCTYPE_INFO, encTypeInfo );
 
-        paDataSequence[1] = encTypeModifier.getPreAuthenticationData();
+        paDataSequence[1] = encType;
 
         try
         {

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.java Mon Sep 24 03:18:05 2007
@@ -21,21 +21,22 @@
 
 
 import java.io.IOException;
+import java.util.List;
 
 import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
 import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.io.decoder.EncryptedDataDecoder;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
-import org.apache.directory.server.kerberos.shared.messages.value.EncryptedTimeStamp;
+import org.apache.directory.server.kerberos.shared.messages.value.PreAuthEncryptedTimestamp;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
 import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.PreAuthenticationDataType;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
 import org.apache.mina.common.IoSession;
 import org.slf4j.Logger;
@@ -74,9 +75,7 @@
         {
             if ( log.isDebugEnabled() )
             {
-                log.debug(
-                    "Entry for client principal {} has no SAM type.  Proceeding with standard pre-authentication.",
-                    clientName );
+                log.debug( "Entry for client principal {} has no SAM type.  Proceeding with standard pre-authentication.", clientName );
             }
 
             EncryptionType encryptionType = authContext.getEncryptionType();
@@ -84,68 +83,55 @@
 
             if ( clientKey == null )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
+                throw new KerberosException( KerberosErrorType.KDC_ERR_NULL_KEY );
             }
 
             if ( config.isPaEncTimestampRequired() )
             {
-                PreAuthenticationData[] preAuthData = request.getPreAuthData();
+                List<PreAuthenticationData> preAuthDatas = request.getPreAuthData();
 
-                if ( preAuthData == null )
+                if ( preAuthDatas == null )
                 {
-                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+                    throw new KerberosException( KerberosErrorType.KDC_ERR_PREAUTH_REQUIRED,
                         preparePreAuthenticationError( config.getEncryptionTypes() ) );
                 }
 
-                EncryptedTimeStamp timestamp = null;
+                PreAuthEncryptedTimestamp timestamp = null;
 
-                for ( int ii = 0; ii < preAuthData.length; ii++ )
+                for ( PreAuthenticationData preAuthData:preAuthDatas )
                 {
-                    if ( preAuthData[ii].getDataType().equals( PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
+                    if ( preAuthData.getDataType().equals( PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
                     {
                         EncryptedData dataValue;
 
                         try
                         {
-                            dataValue = EncryptedDataDecoder.decode( preAuthData[ii].getDataValue() );
+                            dataValue = EncryptedDataDecoder.decode( preAuthData.getDataValue() );
                         }
                         catch ( IOException ioe )
                         {
-                            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, ioe );
+                            throw new KerberosException( KerberosErrorType.KRB_AP_ERR_BAD_INTEGRITY, ioe );
                         }
                         catch ( ClassCastException cce )
                         {
-                            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, cce );
+                            throw new KerberosException( KerberosErrorType.KRB_AP_ERR_BAD_INTEGRITY, cce );
                         }
 
-                        timestamp = ( EncryptedTimeStamp ) cipherTextHandler.unseal( EncryptedTimeStamp.class,
+                        timestamp = ( PreAuthEncryptedTimestamp ) cipherTextHandler.unseal( PreAuthEncryptedTimestamp.class,
                             clientKey, dataValue, KeyUsage.NUMBER1 );
                     }
                 }
 
-                if ( preAuthData.length > 0 && timestamp == null )
-                {
-                    throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
-                }
-
                 if ( timestamp == null )
                 {
-                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
+                    throw new KerberosException( KerberosErrorType.KDC_ERR_PREAUTH_REQUIRED,
                         preparePreAuthenticationError( config.getEncryptionTypes() ) );
                 }
 
                 if ( !timestamp.getTimeStamp().isInClockSkew( config.getAllowableClockSkew() ) )
                 {
-                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_FAILED );
+                    throw new KerberosException( KerberosErrorType.KDC_ERR_PREAUTH_FAILED );
                 }
-
-                /*
-                 * if(decrypted_enc_timestamp and usec is replay)
-                 *         error_out(KDC_ERR_PREAUTH_FAILED);
-                 * endif
-                 * 
-                 * add decrypted_enc_timestamp and usec to replay cache;
-                 */
             }
         }
 

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/preauthentication/VerifySam.java Mon Sep 24 03:18:05 2007
@@ -20,6 +20,8 @@
 package org.apache.directory.server.kerberos.kdc.preauthentication;
 
 
+import java.util.List;
+
 import javax.security.auth.kerberos.KerberosKey;
 
 import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
@@ -28,12 +30,12 @@
 import org.apache.directory.server.kerberos.sam.SamSubsystem;
 import org.apache.directory.server.kerberos.sam.TimestampChecker;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
 import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.PreAuthenticationDataType;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
 import org.apache.mina.common.IoSession;
 import org.slf4j.Logger;
@@ -75,22 +77,22 @@
                 log.debug( "Entry for client principal {} has a valid SAM type.  Invoking SAM subsystem for pre-authentication.", clientName );
             }
 
-            PreAuthenticationData[] preAuthData = request.getPreAuthData();
+            List<PreAuthenticationData> preAuthDatas = request.getPreAuthData();
 
-            if ( preAuthData == null || preAuthData.length == 0 )
+            if ( ( preAuthDatas == null ) || ( preAuthDatas.size() == 0 ) )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError( config
+                throw new KerberosException( KerberosErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError( config
                     .getEncryptionTypes() ) );
             }
 
             try
             {
-                for ( int ii = 0; ii < preAuthData.length; ii++ )
+                for ( PreAuthenticationData preAuthData:preAuthDatas )
                 {
-                    if ( preAuthData[ii].getDataType().equals( PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
+                    if ( preAuthData.getDataType().equals( PreAuthenticationDataType.PA_ENC_TIMESTAMP ) )
                     {
                         KerberosKey samKey = SamSubsystem.getInstance().verify( clientEntry,
-                            preAuthData[ii].getDataValue() );
+                            preAuthData.getDataValue() );
                         clientKey = new EncryptionKey( EncryptionType.getTypeByOrdinal( samKey.getKeyType() ), samKey
                             .getEncoded() );
                     }
@@ -98,7 +100,7 @@
             }
             catch ( SamException se )
             {
-                throw new KerberosException( ErrorType.KRB_ERR_GENERIC, se );
+                throw new KerberosException( KerberosErrorType.KRB_ERR_GENERIC, se );
             }
 
             authContext.setClientKey( clientKey );

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/BuildReply.java Mon Sep 24 03:18:05 2007
@@ -24,7 +24,6 @@
 import org.apache.directory.server.kerberos.shared.messages.TicketGrantReply;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.LastRequest;
-import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -59,7 +58,7 @@
         reply.setEndTime( newTicket.getEndTime() );
         reply.setServerPrincipal( newTicket.getServerPrincipal() );
 
-        if ( newTicket.getFlag( TicketFlags.RENEWABLE ) )
+        if ( newTicket.getFlags().isRenewable() )
         {
             reply.setRenewTill( newTicket.getRenewTill() );
         }

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.java Mon Sep 24 03:18:05 2007
@@ -20,6 +20,7 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
+import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -31,19 +32,19 @@
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
 import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
 import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
-import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.AuthorizationData;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
-import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
-import org.apache.directory.server.kerberos.shared.messages.value.TicketFlags;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.KdcOption;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.TicketFlag;
+import org.apache.directory.server.kerberos.shared.messages.value.flags.TicketFlags;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -72,312 +73,197 @@
 
         KdcConfiguration config = tgsContext.getConfig();
 
-        EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
+        EncTicketPart ticketPart = new EncTicketPart();
 
-        newTicketBody.setClientAddresses( tgt.getClientAddresses() );
+        ticketPart.setClientAddresses( tgt.getClientAddresses() );
 
-        processFlags( config, request, tgt, newTicketBody );
+        processFlags( config, request, tgt, ticketPart );
 
         EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( tgsContext.getEncryptionType() );
-        newTicketBody.setSessionKey( sessionKey );
+        ticketPart.setSessionKey( sessionKey );
 
-        newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
+        ticketPart.setClientPrincipal( tgt.getClientPrincipal() );
 
         if ( request.getEncAuthorizationData() != null )
         {
             AuthorizationData authData = ( AuthorizationData ) cipherTextHandler.unseal( AuthorizationData.class,
                 authenticator.getSubSessionKey(), request.getEncAuthorizationData(), KeyUsage.NUMBER4 );
             authData.add( tgt.getAuthorizationData() );
-            newTicketBody.setAuthorizationData( authData );
+            ticketPart.setAuthorizationData( authData );
         }
 
-        processTransited( newTicketBody, tgt );
+        processTransited( ticketPart, tgt );
 
-        processTimes( config, request, newTicketBody, tgt );
+        processTimes( config, request, ticketPart, tgt );
 
-        EncTicketPart ticketPart = newTicketBody.getEncTicketPart();
-
-        if ( request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
+        if ( request.getOption( KdcOption.ENC_TKT_IN_SKEY ) )
         {
             /*
-             * if (server not specified) then
-             *         server = req.second_ticket.client;
-             * endif
-             * 
-             * if ((req.second_ticket is not a TGT) or
-             *     (req.second_ticket.client != server)) then
-             *         error_out(KDC_ERR_POLICY);
-             * endif
-             * 
-             * new_tkt.enc-part := encrypt OCTET STRING using etype_for_key(second-ticket.key), second-ticket.key;
+             if (server not specified) then
+             server = req.second_ticket.client;
+             endif
+             if ((req.second_ticket is not a TGT) or
+             (req.second_ticket.client != server)) then
+             error_out(KDC_ERR_POLICY);
+             endif
+             new_tkt.enc-part := encrypt OCTET STRING
+             using etype_for_key(second-ticket.key), second-ticket.key;
              */
-            throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            throw new KerberosException( KerberosErrorType.KDC_ERR_SVC_UNAVAILABLE );
         }
-        else
-        {
-            EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2 );
 
-            Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
-            newTicket.setEncTicketPart( ticketPart );
+        EncryptedData encryptedData = cipherTextHandler.seal( serverKey, ticketPart, KeyUsage.NUMBER2 );
 
-            tgsContext.setNewTicket( newTicket );
-        }
+        Ticket newTicket = new Ticket( ticketPrincipal, encryptedData );
+        newTicket.setEncTicketPart( ticketPart );
+
+        tgsContext.setNewTicket( newTicket );
 
         next.execute( session, message );
     }
 
 
     private void processFlags( KdcConfiguration config, KdcRequest request, Ticket tgt,
-        EncTicketPartModifier newTicketBody ) throws KerberosException
+        EncTicketPart ticketPart ) throws KerberosException
     {
-        if ( tgt.getFlag( TicketFlags.PRE_AUTHENT ) )
+    	TicketFlags tgtFlags = tgt.getFlags();
+
+        if ( tgtFlags.isFlagSet( TicketFlag.PRE_AUTHENT ) )
         {
-            newTicketBody.setFlag( TicketFlags.PRE_AUTHENT );
+            ticketPart.setFlag( TicketFlag.PRE_AUTHENT );
         }
 
-        if ( request.getOption( KdcOptions.FORWARDABLE ) )
+        if ( request.getOption( KdcOption.FORWARDABLE ) )
         {
-            if ( !config.isForwardableAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
-
-            if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
+            if ( !tgtFlags.isForwardable() )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+                throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
             }
 
-            newTicketBody.setFlag( TicketFlags.FORWARDABLE );
+            ticketPart.setFlag( TicketFlag.FORWARDABLE );
         }
 
-        if ( request.getOption( KdcOptions.FORWARDED ) )
+        if ( request.getOption( KdcOption.FORWARDED ) )
         {
-            if ( !config.isForwardableAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
-
-            if ( !tgt.getFlag( TicketFlags.FORWARDABLE ) )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-            }
-
-            if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
-                && request.getAddresses().getAddresses().length > 0 )
-            {
-                newTicketBody.setClientAddresses( request.getAddresses() );
-            }
-            else
+            if ( !tgtFlags.isForwardable() )
             {
-                if ( !config.isEmptyAddressesAllowed() )
-                {
-                    throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-                }
+                throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
             }
-
-            newTicketBody.setFlag( TicketFlags.FORWARDED );
+            
+            ticketPart.setFlag( TicketFlag.FORWARDED );
+            ticketPart.setClientAddresses( request.getAddresses() );
         }
 
-        if ( tgt.getFlag( TicketFlags.FORWARDED ) )
+        if ( tgtFlags.isForwarded() )
         {
-            newTicketBody.setFlag( TicketFlags.FORWARDED );
+            ticketPart.setFlag( TicketFlag.FORWARDED );
         }
 
-        if ( request.getOption( KdcOptions.PROXIABLE ) )
+        if ( request.getOption( KdcOption.PROXIABLE ) )
         {
-            if ( !config.isProxiableAllowed() )
+            if ( !tgtFlags.isProxiable() )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+                throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
             }
 
-            if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-            }
-
-            newTicketBody.setFlag( TicketFlags.PROXIABLE );
+            ticketPart.setFlag( TicketFlag.PROXIABLE );
         }
 
-        if ( request.getOption( KdcOptions.PROXY ) )
+        if ( request.getOption( KdcOption.PROXY ) )
         {
-            if ( !config.isProxiableAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
-
-            if ( !tgt.getFlag( TicketFlags.PROXIABLE ) )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-            }
-
-            if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
-                && request.getAddresses().getAddresses().length > 0 )
+            if ( !tgtFlags.isProxiable() )
             {
-                newTicketBody.setClientAddresses( request.getAddresses() );
-            }
-            else
-            {
-                if ( !config.isEmptyAddressesAllowed() )
-                {
-                    throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-                }
+                throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
             }
 
-            newTicketBody.setFlag( TicketFlags.PROXY );
+            ticketPart.setFlag( TicketFlag.PROXY );
+            ticketPart.setClientAddresses( request.getAddresses() );
         }
 
-        if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
+        if ( request.getOption( KdcOption.ALLOW_POSTDATE ) )
         {
-            if ( !config.isPostdatedAllowed() )
+            if ( !tgtFlags.isMayPosdate() )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+                throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
             }
 
-            if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
-            }
-
-            newTicketBody.setFlag( TicketFlags.MAY_POSTDATE );
+            ticketPart.setFlag( TicketFlag.MAY_POSTDATE );
         }
 
-        /*
-         * "Otherwise, if the TGT has the MAY-POSTDATE flag set, then the resulting
-         * ticket will be postdated, and the requested starttime is checked against
-         * the policy of the local realm.  If acceptable, the ticket's starttime is
-         * set as requested, and the INVALID flag is set.  The postdated ticket MUST
-         * be validated before use by presenting it to the KDC after the starttime
-         * has been reached.  However, in no case may the starttime, endtime, or
-         * renew-till time of a newly-issued postdated ticket extend beyond the
-         * renew-till time of the TGT."
-         */
-        if ( request.getOption( KdcOptions.POSTDATED ) )
+        if ( request.getOption( KdcOption.POSTDATED ) )
         {
-            if ( !config.isPostdatedAllowed() )
+            if ( !tgtFlags.isMayPosdate() )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+                throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
             }
 
-            if ( !tgt.getFlag( TicketFlags.MAY_POSTDATE ) )
+            ticketPart.setFlag( TicketFlag.POSTDATED );
+            ticketPart.setFlag( TicketFlag.INVALID );
+
+            if ( !config.isPostdateAllowed() )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+                throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
             }
 
-            newTicketBody.setFlag( TicketFlags.POSTDATED );
-            newTicketBody.setFlag( TicketFlags.INVALID );
-
-            newTicketBody.setStartTime( request.getFrom() );
+            ticketPart.setStartTime( request.getFrom() );
         }
 
-        if ( request.getOption( KdcOptions.VALIDATE ) )
+        if ( request.getOption( KdcOption.VALIDATE ) )
         {
-            if ( !config.isPostdatedAllowed() )
+            if ( !tgtFlags.isInvalid() )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+                throw new KerberosException( KerberosErrorType.KDC_ERR_POLICY );
             }
 
-            if ( !tgt.getFlag( TicketFlags.INVALID ) )
+            if ( tgt.getStartTime().greaterThan( new KerberosTime() ) )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
+                throw new KerberosException( KerberosErrorType.KRB_AP_ERR_TKT_NYV );
             }
 
-            KerberosTime startTime = ( tgt.getStartTime() != null ) ? tgt.getStartTime() : tgt.getAuthTime();
-
-            if ( startTime.greaterThan( new KerberosTime() ) )
-            {
-                throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
-            }
-
-            /*
-             * if (check_hot_list(tgt)) then
-             *         error_out(KRB_AP_ERR_REPEAT);
-             * endif
-             */
-
-            echoTicket( newTicketBody, tgt );
-            newTicketBody.clearFlag( TicketFlags.INVALID );
+            echoTicket( ticketPart, tgt );
+            ticketPart.clearFlag( TicketFlag.INVALID );
         }
 
-        if ( request.getOption( KdcOptions.RESERVED ) )
+        if ( request.getOption( KdcOption.RESERVED ) || request.getOption( KdcOption.RENEWABLE_OK ) )
         {
-            throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+            throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
         }
     }
 
 
-    private void processTimes( KdcConfiguration config, KdcRequest request, EncTicketPartModifier newTicketBody,
+    private void processTimes( KdcConfiguration config, KdcRequest request, EncTicketPart ticketPart,
         Ticket tgt ) throws KerberosException
     {
         KerberosTime now = new KerberosTime();
 
-        newTicketBody.setAuthTime( tgt.getAuthTime() );
-
-        KerberosTime startTime = request.getFrom();
-
-        /*
-         * "If the requested starttime is absent, indicates a time in the past,
-         * or is within the window of acceptable clock skew for the KDC and the
-         * POSTDATE option has not been specified, then the starttime of the
-         * ticket is set to the authentication server's current time."
-         */
-        if ( startTime == null || startTime.lessThan( now ) || startTime.isInClockSkew( config.getAllowableClockSkew() )
-            && !request.getOption( KdcOptions.POSTDATED ) )
-        {
-            startTime = now;
-        }
-
-        /*
-         * "If it indicates a time in the future beyond the acceptable clock skew,
-         * but the POSTDATED option has not been specified or the MAY-POSTDATE flag
-         * is not set in the TGT, then the error KDC_ERR_CANNOT_POSTDATE is
-         * returned."
-         */
-        if ( startTime != null && startTime.greaterThan( now )
-            && !startTime.isInClockSkew( config.getAllowableClockSkew() )
-            && ( !request.getOption( KdcOptions.POSTDATED ) || !tgt.getFlag( TicketFlags.MAY_POSTDATE ) ) )
-        {
-            throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
-        }
+        ticketPart.setAuthTime( tgt.getAuthTime() );
 
         KerberosTime renewalTime = null;
-        KerberosTime kerberosEndTime = null;
 
-        if ( request.getOption( KdcOptions.RENEW ) )
+        if ( request.getOption( KdcOption.RENEW ) )
         {
-            if ( !config.isRenewableAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
-
-            if ( !tgt.getFlag( TicketFlags.RENEWABLE ) )
+            if ( !tgt.getFlags().isRenewable() )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
+                throw new KerberosException( KerberosErrorType.KDC_ERR_BADOPTION );
             }
 
-            if ( tgt.getRenewTill().lessThan( now ) )
+            if ( tgt.getRenewTill().greaterThan( now ) )
             {
-                throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
+                throw new KerberosException( KerberosErrorType.KRB_AP_ERR_TKT_EXPIRED );
             }
 
-            echoTicket( newTicketBody, tgt );
+            echoTicket( ticketPart, tgt );
 
-            newTicketBody.setStartTime( now );
-
-            KerberosTime tgtStartTime = ( tgt.getStartTime() != null ) ? tgt.getStartTime() : tgt.getAuthTime();
-
-            long oldLife = tgt.getEndTime().getTime() - tgtStartTime.getTime();
-
-            kerberosEndTime = new KerberosTime( Math.min( tgt.getRenewTill().getTime(), now.getTime() + oldLife ) );
-            newTicketBody.setEndTime( kerberosEndTime );
+            ticketPart.setStartTime( now );
+            long oldLife = tgt.getEndTime().getTime() - tgt.getStartTime().getTime();
+            ticketPart.setEndTime( new KerberosTime( Math
+                .min( tgt.getRenewTill().getTime(), now.getTime() + oldLife ) ) );
         }
         else
         {
-            if ( newTicketBody.getEncTicketPart().getStartTime() == null )
-            {
-                newTicketBody.setStartTime( now );
-            }
-
+            ticketPart.setStartTime( now );
             KerberosTime till;
+            
             if ( request.getTill().isZero() )
             {
                 till = KerberosTime.INFINITY;
@@ -387,29 +273,19 @@
                 till = request.getTill();
             }
 
-            /*
-             * The end time is the minimum of (a) the requested till time or (b)
-             * the start time plus maximum lifetime as configured in policy or (c)
-             * the end time of the TGT.
-             */
+            // TODO - config; requires store
             List<KerberosTime> minimizer = new ArrayList<KerberosTime>();
             minimizer.add( till );
-            minimizer.add( new KerberosTime( startTime.getTime() + config.getMaximumTicketLifetime() ) );
+            minimizer.add( new KerberosTime( now.getTime() + config.getMaximumTicketLifetime() ) );
             minimizer.add( tgt.getEndTime() );
-            kerberosEndTime = Collections.min( minimizer );
-
-            newTicketBody.setEndTime( kerberosEndTime );
+            KerberosTime minTime = Collections.min( minimizer );
+            ticketPart.setEndTime( minTime );
 
-            if ( request.getOption( KdcOptions.RENEWABLE_OK ) && kerberosEndTime.lessThan( request.getTill() )
-                && tgt.getFlag( TicketFlags.RENEWABLE ) )
+            if ( request.getOption( KdcOption.RENEWABLE_OK ) && minTime.lessThan( request.getTill() )
+                && tgt.getFlags().isRenewable() )
             {
-                if ( !config.isRenewableAllowed() )
-                {
-                    throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-                }
-
-                // We set the RENEWABLE option for later processing.                           
-                request.setOption( KdcOptions.RENEWABLE );
+                // we set the RENEWABLE option for later processing                           
+                request.setOption( KdcOption.RENEWABLE );
                 long rtime = Math.min( request.getTill().getTime(), tgt.getRenewTill().getTime() );
                 renewalTime = new KerberosTime( rtime );
             }
@@ -417,7 +293,7 @@
 
         if ( renewalTime == null )
         {
-            renewalTime = request.getRtime();
+            renewalTime = request.getRenewtime();
         }
 
         KerberosTime rtime;
@@ -430,20 +306,11 @@
             rtime = renewalTime;
         }
 
-        if ( request.getOption( KdcOptions.RENEWABLE ) && tgt.getFlag( TicketFlags.RENEWABLE ) )
+        if ( request.getOption( KdcOption.RENEWABLE ) && ( tgt.getFlags().isRenewable() ) )
         {
-            if ( !config.isRenewableAllowed() )
-            {
-                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
-            }
-
-            newTicketBody.setFlag( TicketFlags.RENEWABLE );
+            ticketPart.setFlag( TicketFlag.RENEWABLE );
 
-            /*
-             * The renew-till time is the minimum of (a) the requested renew-till
-             * time or (b) the start time plus maximum renewable lifetime as
-             * configured in policy or (c) the renew-till time of the TGT.
-             */
+            // TODO - client and server configurable; requires store
             List<KerberosTime> minimizer = new ArrayList<KerberosTime>();
 
             /*
@@ -454,60 +321,40 @@
                 minimizer.add( rtime );
             }
 
-            minimizer.add( new KerberosTime( startTime.getTime() + config.getMaximumRenewableLifetime() ) );
+            minimizer.add( new KerberosTime( now.getTime() + config.getMaximumRenewableLifetime() ) );
             minimizer.add( tgt.getRenewTill() );
-            newTicketBody.setRenewTill( Collections.min( minimizer ) );
-        }
-
-        /*
-         * "If the requested expiration time minus the starttime (as determined
-         * above) is less than a site-determined minimum lifetime, an error
-         * message with code KDC_ERR_NEVER_VALID is returned."
-         */
-        if ( kerberosEndTime.lessThan( startTime ) )
-        {
-            throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
-        }
-
-        long ticketLifeTime = Math.abs( startTime.getTime() - kerberosEndTime.getTime() );
-        if ( ticketLifeTime < config.getAllowableClockSkew() )
-        {
-            throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
+            ticketPart.setRenewTill( Collections.min( minimizer ) );
         }
     }
 
 
-    /*
-     * if (realm_tgt_is_for(tgt) := tgt.realm) then
-     *         // tgt issued by local realm
-     *         new_tkt.transited := tgt.transited;
-     * else
-     *         // was issued for this realm by some other realm
-     *         if (tgt.transited.tr-type not supported) then
-     *                 error_out(KDC_ERR_TRTYPE_NOSUPP);
-     *         endif
-     * 
-     *         new_tkt.transited := compress_transited(tgt.transited + tgt.realm)
-     * endif
-     */
-    private void processTransited( EncTicketPartModifier newTicketBody, Ticket tgt )
+    private void processTransited( EncTicketPart ticketPart, Ticket tgt )
     {
         // TODO - currently no transited support other than local
-        newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+        ticketPart.setTransitedEncoding( tgt.getTransitedEncoding() );
     }
 
 
-    protected void echoTicket( EncTicketPartModifier newTicketBody, Ticket tgt )
+    protected void echoTicket( EncTicketPart ticketPart, Ticket tgt ) 
     {
-        newTicketBody.setAuthorizationData( tgt.getAuthorizationData() );
-        newTicketBody.setAuthTime( tgt.getAuthTime() );
-        newTicketBody.setClientAddresses( tgt.getClientAddresses() );
-        newTicketBody.setClientPrincipal( tgt.getClientPrincipal() );
-        newTicketBody.setEndTime( tgt.getEndTime() );
-        newTicketBody.setFlags( tgt.getFlags() );
-        newTicketBody.setRenewTill( tgt.getRenewTill() );
-        newTicketBody.setSessionKey( tgt.getSessionKey() );
-        newTicketBody.setTransitedEncoding( tgt.getTransitedEncoding() );
+        ticketPart.setAuthorizationData( tgt.getAuthorizationData() );
+        ticketPart.setAuthTime( tgt.getAuthTime() );
+        ticketPart.setClientAddresses( tgt.getClientAddresses() );
+        
+        try
+        {
+            ticketPart.setClientPrincipal( tgt.getClientPrincipal() );
+        }
+        catch ( ParseException pe )
+        {
+            // Do nothing
+        }
+        
+        ticketPart.setEndTime( tgt.getEndTime() );
+        ticketPart.setFlags( tgt.getFlags() );
+        ticketPart.setRenewTill( tgt.getRenewTill() );
+        ticketPart.setSessionKey( tgt.getSessionKey() );
+        ticketPart.setTransitedEncoding( tgt.getTransitedEncoding() );
     }
 
 

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetAuthHeader.java Mon Sep 24 03:18:05 2007
@@ -21,15 +21,16 @@
 
 
 import java.io.IOException;
+import java.util.List;
 
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder;
-import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
+import org.apache.directory.server.kerberos.shared.messages.application.ApplicationRequest;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
-import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.types.PreAuthenticationDataType;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 
@@ -37,10 +38,6 @@
 /**
  * Differs from the changepw getAuthHeader by verifying the presence of TGS_REQ.
  * 
- * Note that reading the application request requires first determining the server
- * for which a ticket was issued, and choosing the correct key for decryption.  The
- * name of the server appears in the plaintext part of the ticket.
- * 
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  * @version $Rev$, $Date$
  */
@@ -66,26 +63,20 @@
 
     protected ApplicationRequest getAuthHeader( KdcRequest request ) throws KerberosException, IOException
     {
-        PreAuthenticationData[] preAuthData = request.getPreAuthData();
-
-        if ( preAuthData == null || preAuthData.length < 1 )
-        {
-            throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
-        }
-
         byte[] undecodedAuthHeader = null;
+        List<PreAuthenticationData> preAuthData = request.getPreAuthData();
 
-        for ( int ii = 0; ii < preAuthData.length; ii++ )
+        for ( PreAuthenticationData paData:preAuthData )
         {
-            if ( preAuthData[ii].getDataType() == PreAuthenticationDataType.PA_TGS_REQ )
+            if ( paData.getDataType() == PreAuthenticationDataType.PA_TGS_REQ )
             {
-                undecodedAuthHeader = preAuthData[ii].getDataValue();
+                undecodedAuthHeader = paData.getDataValue();
             }
         }
 
         if ( undecodedAuthHeader == null )
         {
-            throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
+            throw new KerberosException( KerberosErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
         }
 
         ApplicationRequestDecoder decoder = new ApplicationRequestDecoder();

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetRequestPrincipalEntry.java Mon Sep 24 03:18:05 2007
@@ -20,9 +20,8 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
-import javax.security.auth.kerberos.KerberosPrincipal;
-
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.PrincipalName;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
@@ -39,10 +38,10 @@
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
 
-        KerberosPrincipal principal = tgsContext.getRequest().getServerPrincipal();
+        PrincipalName principal = tgsContext.getRequest().getServerPrincipalName();
         PrincipalStore store = tgsContext.getStore();
 
-        PrincipalStoreEntry entry = getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
+        PrincipalStoreEntry entry = getEntry( principal, store, KerberosErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
         tgsContext.setRequestPrincipalEntry( entry );
 
         next.execute( session, message );

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/GetTicketPrincipalEntry.java Mon Sep 24 03:18:05 2007
@@ -20,9 +20,8 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
-import javax.security.auth.kerberos.KerberosPrincipal;
-
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.messages.value.PrincipalName;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.directory.server.kerberos.shared.service.GetPrincipalStoreEntry;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
@@ -39,10 +38,10 @@
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
 
-        KerberosPrincipal principal = tgsContext.getTgt().getServerPrincipal();
+        PrincipalName principal = tgsContext.getTgt().getServerPrincipalName();
         PrincipalStore store = tgsContext.getStore();
 
-        PrincipalStoreEntry entry = getEntry( principal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
+        PrincipalStoreEntry entry = getEntry( principal, store, KerberosErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN );
         tgsContext.setTicketPrincipalEntry( entry );
 
         next.execute( session, message );

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/MonitorContext.java Mon Sep 24 03:18:05 2007
@@ -26,9 +26,12 @@
 
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.messages.application.ApplicationRequest;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
 import org.apache.directory.server.kerberos.shared.messages.value.HostAddresses;
+import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
+import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
@@ -45,22 +48,9 @@
     /** the log for this class */
     private static final Logger log = LoggerFactory.getLogger( MonitorContext.class );
 
-    private String serviceName;
-
     private String contextKey = "context";
 
 
-    /**
-     * Creates a new instance of MonitorContext.
-     *
-     * @param serviceName
-     */
-    public MonitorContext( String serviceName )
-    {
-        this.serviceName = serviceName;
-    }
-
-
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         if ( log.isDebugEnabled() )
@@ -69,8 +59,11 @@
             {
                 TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
 
+                PrincipalStore store = tgsContext.getStore();
+                ApplicationRequest authHeader = tgsContext.getAuthHeader();
                 Ticket tgt = tgsContext.getTgt();
                 long clockSkew = tgsContext.getConfig().getAllowableClockSkew();
+                ReplayCache replayCache = tgsContext.getReplayCache();
                 ChecksumType checksumType = tgsContext.getAuthenticator().getChecksum().getChecksumType();
                 InetAddress clientAddress = tgsContext.getClientAddress();
                 HostAddresses clientAddresses = tgt.getClientAddresses();
@@ -83,8 +76,10 @@
 
                 StringBuffer sb = new StringBuffer();
 
-                sb.append( "Monitoring " + serviceName + " context:" );
-
+                sb.append( "\n\t" + "store                  " + store );
+                sb.append( "\n\t" + "authHeader             " + authHeader );
+                sb.append( "\n\t" + "tgt                    " + tgt );
+                sb.append( "\n\t" + "replayCache            " + replayCache );
                 sb.append( "\n\t" + "clockSkew              " + clockSkew );
                 sb.append( "\n\t" + "checksumType           " + checksumType );
                 sb.append( "\n\t" + "clientAddress          " + clientAddress );

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingContext.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingContext.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingContext.java Mon Sep 24 03:18:05 2007
@@ -21,7 +21,7 @@
 
 
 import org.apache.directory.server.kerberos.kdc.KdcContext;
-import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
+import org.apache.directory.server.kerberos.shared.messages.application.ApplicationRequest;
 import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
 import org.apache.directory.server.kerberos.shared.replay.ReplayCache;

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyBodyChecksum.java Mon Sep 24 03:18:05 2007
@@ -20,12 +20,11 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
-import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.value.Checksum;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.mina.common.IoSession;
 import org.apache.mina.handler.chain.IoHandlerCommand;
 import org.slf4j.Logger;
@@ -48,23 +47,18 @@
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
-        KdcConfiguration config = tgsContext.getConfig();
+        byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
+        Checksum authenticatorChecksum = tgsContext.getAuthenticator().getChecksum();
 
-        if ( config.isBodyChecksumVerified() )
+        if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
+            || authenticatorChecksum.getChecksumValue() == null )
         {
-            byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
-            Checksum authenticatorChecksum = tgsContext.getAuthenticator().getChecksum();
-
-            if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
-                || authenticatorChecksum.getChecksumValue() == null || bodyBytes == null )
-            {
-                throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
-            }
+            throw new KerberosException( KerberosErrorType.KRB_AP_ERR_INAPP_CKSUM );
+        }
 
-            log.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
+        log.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
 
-            checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.NUMBER8 );
-        }
+        checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.NUMBER8 );
 
         next.execute( session, message );
     }

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/VerifyTgtAuthHeader.java Mon Sep 24 03:18:05 2007
@@ -20,50 +20,52 @@
 package org.apache.directory.server.kerberos.kdc.ticketgrant;
 
 
-import java.net.InetAddress;
-
-import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
-import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
-import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
-import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
-import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
-import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
-import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
-import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
-import org.apache.directory.server.kerberos.shared.service.VerifyAuthHeader;
+import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
+import org.apache.directory.server.kerberos.shared.messages.value.Checksum;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.mina.common.IoSession;
+import org.apache.mina.handler.chain.IoHandlerCommand;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 
 /**
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  * @version $Rev$, $Date$
  */
-public class VerifyTgtAuthHeader extends VerifyAuthHeader
+public class VerifyBodyChecksum implements IoHandlerCommand
 {
+    /** the log for this class */
+    private static final Logger log = LoggerFactory.getLogger( VerifyBodyChecksum.class );
+
+    private ChecksumHandler checksumHandler = new ChecksumHandler();
+    private String contextKey = "context";
+
+
     public void execute( NextCommand next, IoSession session, Object message ) throws Exception
     {
         TicketGrantingContext tgsContext = ( TicketGrantingContext ) session.getAttribute( getContextKey() );
+        byte[] bodyBytes = tgsContext.getRequest().getBodyBytes();
+        Checksum authenticatorChecksum = tgsContext.getAuthenticator().getChecksum();
 
-        ApplicationRequest authHeader = tgsContext.getAuthHeader();
-        Ticket tgt = tgsContext.getTgt();
-        
-        boolean isValidate = tgsContext.getRequest().getKdcOptions().get( KdcOptions.VALIDATE );
-
-        EncryptionType encryptionType = tgt.getEncPart().getEncryptionType();
-        EncryptionKey serverKey = tgsContext.getTicketPrincipalEntry().getKeyMap().get( encryptionType );
-
-        long clockSkew = tgsContext.getConfig().getAllowableClockSkew();
-        ReplayCache replayCache = tgsContext.getReplayCache();
-        boolean emptyAddressesAllowed = tgsContext.getConfig().isEmptyAddressesAllowed();
-        InetAddress clientAddress = tgsContext.getClientAddress();
-        CipherTextHandler cipherTextHandler = tgsContext.getCipherTextHandler();
+        if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
+            || authenticatorChecksum.getChecksumValue() == null )
+        {
+            throw new KerberosException( KerberosErrorType.KRB_AP_ERR_INAPP_CKSUM );
+        }
 
-        Authenticator authenticator = verifyAuthHeader( authHeader, tgt, serverKey, clockSkew, replayCache,
-            emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.NUMBER7, isValidate );
+        log.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
 
-        tgsContext.setAuthenticator( authenticator );
+        checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.NUMBER8 );
 
         next.execute( session, message );
+    }
+
+
+    private String getContextKey()
+    {
+        return ( this.contextKey );
     }
 }

Modified: directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java?rev=578743&r1=578742&r2=578743&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java (original)
+++ directory/apacheds/branches/apacheds-kerberos/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/protocol/KerberosProtocolHandler.java Mon Sep 24 03:18:05 2007
@@ -30,12 +30,11 @@
 import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationServiceChain;
 import org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingContext;
 import org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingServiceChain;
-import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
 import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
-import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
-import org.apache.directory.server.kerberos.shared.messages.ErrorMessageModifier;
+import org.apache.directory.server.kerberos.shared.messages.KerberosError;
 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
+import org.apache.directory.server.kerberos.shared.messages.value.types.KerberosErrorType;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
 import org.apache.mina.common.IdleStatus;
 import org.apache.mina.common.IoHandler;
@@ -179,40 +178,31 @@
 
                 case 11:
                 case 13:
-                    throw new KerberosException( ErrorType.KRB_AP_ERR_BADDIRECTION );
+                    throw new KerberosException( KerberosErrorType.KRB_AP_ERR_BADDIRECTION );
 
                 default:
-                    throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
+                    throw new KerberosException( KerberosErrorType.KRB_AP_ERR_MSG_TYPE );
             }
         }
         catch ( KerberosException ke )
         {
-            String messageText = ke.getMessage() + " (" + ke.getErrorCode() + ")";
-
             if ( log.isDebugEnabled() )
             {
-                log.warn( messageText, ke );
+                log.warn( ke.getMessage(), ke );
             }
             else
             {
-                log.warn( messageText );
+                log.warn( ke.getMessage() );
             }
 
-            ErrorMessage error = getErrorMessage( config.getServicePrincipal(), ke );
-
-            if ( log.isDebugEnabled() )
-            {
-                logErrorMessage( error );
-            }
-
-            session.write( error );
+            session.write( getErrorMessage( config.getServicePrincipal(), ke ) );
         }
         catch ( Exception e )
         {
             log.error( "Unexpected exception:  " + e.getMessage(), e );
 
             session.write( getErrorMessage( config.getServicePrincipal(), new KerberosException(
-                ErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
+                KerberosErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
         }
     }
 
@@ -226,44 +216,20 @@
     }
 
 
-    protected ErrorMessage getErrorMessage( KerberosPrincipal principal, KerberosException exception )
+    protected KerberosError getErrorMessage( KerberosPrincipal principal, KerberosException exception )
     {
-        ErrorMessageModifier modifier = new ErrorMessageModifier();
+        KerberosError kerberosError = new KerberosError();
 
         KerberosTime now = new KerberosTime();
 
-        modifier.setErrorCode( exception.getErrorCode() );
-        modifier.setExplanatoryText( exception.getMessage() );
-        modifier.setServerPrincipal( principal );
-        modifier.setServerTime( now );
-        modifier.setServerMicroSecond( 0 );
-        modifier.setExplanatoryData( exception.getExplanatoryData() );
-
-        return modifier.getErrorMessage();
-    }
-
+        kerberosError.setErrorCode( KerberosErrorType.getTypeByOrdinal( exception.getErrorCode() ) );
+        kerberosError.setExplanatoryText( exception.getMessage() );
+        kerberosError.setServerPrincipal( principal );
+        kerberosError.setServerTime( now );
+        kerberosError.setServerMicroseconds( 0 );
+        kerberosError.setExplanatoryData( exception.getExplanatoryData() );
 
-    protected void logErrorMessage( ErrorMessage error )
-    {
-        try
-        {
-            StringBuffer sb = new StringBuffer();
-
-            sb.append( "Responding to request with error:" );
-            sb.append( "\n\t" + "explanatory text:      " + error.getExplanatoryText() );
-            sb.append( "\n\t" + "error code:            " + error.getErrorCode() );
-            sb.append( "\n\t" + "clientPrincipal:       " + error.getClientPrincipal() );
-            sb.append( "\n\t" + "client time:           " + error.getServerTime() );
-            sb.append( "\n\t" + "serverPrincipal:       " + error.getServerPrincipal() );
-            sb.append( "\n\t" + "server time:           " + error.getClientTime() );
-
-            log.debug( sb.toString() );
-        }
-        catch ( Exception e )
-        {
-            // This is a monitor.  No exceptions should bubble up.
-            log.error( "Error in reply monitor", e );
-        }
+        return kerberosError;
     }
 
 



Mime
View raw message