directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From plusplusjia...@apache.org
Subject directory-kerby git commit: [DIRKRB-126]-Implementing TokenPreauth mechanism.
Date Wed, 27 May 2015 08:22:38 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/master c0f382089 -> f46f994f9


[DIRKRB-126]-Implementing TokenPreauth mechanism.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/f46f994f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/f46f994f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/f46f994f

Branch: refs/heads/master
Commit: f46f994f9046fef28071b4798054c35dd029631d
Parents: c0f3820
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Wed May 27 16:27:06 2015 +0800
Committer: plusplusjiajia <jiajia.li@intel.com>
Committed: Wed May 27 16:27:06 2015 +0800

----------------------------------------------------------------------
 .../kerby/kerberos/kdc/WithTokenKdcTest.java    | 62 +++++++++++---
 .../kerby/kerberos/kerb/client/KrbClient.java   |  3 +-
 .../client/impl/AbstractInternalKrbClient.java  |  2 +
 .../kerb/client/preauth/token/TokenPreauth.java | 58 ++++++++++---
 .../kerb/client/request/ArmoredAsRequest.java   |  2 -
 .../kerberos/kerb/client/request/AsRequest.java |  6 +-
 .../kerb/client/request/AsRequestWithToken.java |  8 +-
 .../kerb/client/request/TgsRequest.java         |  2 +-
 .../kerby/kerberos/kerb/spec/KerberosTime.java  | 15 +++-
 .../kerby/kerberos/kerb/spec/base/KeyUsage.java |  4 +-
 .../kerby/kerberos/kerb/spec/base/KrbToken.java | 18 +++--
 .../kerby/kerberos/kerb/server/KdcTestBase.java |  6 +-
 .../kerby/kerberos/kerb/server/KdcConfig.java   |  4 +
 .../kerberos/kerb/server/KdcConfigKey.java      |  1 +
 .../kerb/server/preauth/PreauthHandler.java     | 15 +++-
 .../kerb/server/preauth/token/TokenPreauth.java | 79 ++++++++++++++++++
 .../kerberos/kerb/server/request/AsRequest.java | 38 +++++++--
 .../kerb/server/request/KdcRequest.java         | 85 +++++++++++++++-----
 .../kerb/server/request/TgsRequest.java         | 29 +++++--
 .../kerb/server/request/TickertIssuer.java      |  8 +-
 .../kerby/kerberos/kerb/ccache/Credential.java  |  3 +-
 21 files changed, 367 insertions(+), 81 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java
b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java
index dce118c..3af335c 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithTokenKdcTest.java
@@ -21,14 +21,19 @@ package org.apache.kerby.kerberos.kdc;
 
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.KrbRuntime;
+import org.apache.kerby.kerberos.kerb.ccache.Credential;
+import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
 import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
 import org.apache.kerby.kerberos.kerb.server.KdcTestBase;
+import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
 import org.apache.kerby.kerberos.kerb.spec.ticket.ServiceTicket;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TgtTicket;
-import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
 import org.apache.kerby.kerberos.provider.token.JwtTokenProvider;
 import org.junit.Before;
+import org.junit.Test;
 
+import java.io.File;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
@@ -36,11 +41,13 @@ import java.util.List;
 import static org.assertj.core.api.Assertions.assertThat;
 
 public class WithTokenKdcTest extends KdcTestBase {
+
     static final String SUBJECT = "test-sub";
     static final String AUDIENCE = "krbtgt@EXAMPLE.COM";
     static final String ISSUER = "oauth2.com";
     static final String GROUP = "sales-group";
     static final String ROLE = "ADMIN";
+    private File cCacheFile;
 
     private TokenEncoder tokenEncoder;
 
@@ -83,24 +90,61 @@ public class WithTokenKdcTest extends KdcTestBase {
     @Override
     protected void prepareKdcServer() throws Exception {
         super.prepareKdcServer();
-        kdcServer.createPrincipals(clientPrincipal);
     }
 
-    //@Test
+    @Override
+    protected void createPrincipals() {
+        super.createPrincipals();
+        kdcServer.createPrincipal(clientPrincipal, TEST_PASSWORD);
+    }
+
+    @Test
     public void testKdc() throws Exception {
         kdcServer.start();
         krbClnt.init();
 
-        TgtTicket tgt;
+        createCredentialCache(clientPrincipal, TEST_PASSWORD);
+
+        TgtTicket tgt = null;
         try {
-            tgt = krbClnt.requestTgtWithToken(authToken);
-        } catch (KrbException te) {
-            assertThat(te.getMessage().contains("timeout")).isTrue();
+            tgt = krbClnt.requestTgtWithToken(authToken, cCacheFile.getPath());
+        } catch (KrbException e) {
+            assertThat(e.getMessage().contains("timeout")).isTrue();
             return;
         }
-        assertThat(tgt).isNull();
+        assertThat(tgt).isNotNull();
+        assertThat(tgt.getClientPrincipal()).isEqualTo(SUBJECT + "@" + kdcRealm);
+        assertThat(tgt.getRealm()).isEqualTo(kdcRealm);
+        assertThat(tgt.getTicket()).isNotNull();
+        assertThat(tgt.getEncKdcRepPart()).isNotNull();
+        assertThat(tgt.getSessionKey()).isNotNull();
 
         ServiceTicket tkt = krbClnt.requestServiceTicketWithTgt(tgt, serverPrincipal);
-        assertThat(tkt).isNull();
+        assertThat(tkt).isNotNull();
+        assertThat(tkt.getRealm()).isEqualTo(kdcRealm);
+        assertThat(tkt.getTicket()).isNotNull();
+        assertThat(tkt.getSessionKey()).isNotNull();
+        assertThat(tkt.getEncKdcRepPart()).isNotNull();
+    }
+
+    private void createCredentialCache(String principal,
+                                       String password) throws Exception {
+        TgtTicket tgt = krbClnt.requestTgtWithPassword(principal, password);
+        writeTgtToCache(tgt, principal);
+    }
+
+    /**
+     * Write tgt into credentials cache.
+     */
+    private void writeTgtToCache(
+            TgtTicket tgt, String principal) throws IOException {
+        Credential credential = new Credential(tgt);
+        CredentialCache cCache = new CredentialCache();
+        cCache.addCredential(credential);
+        cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
+
+        String fileName = "krb5_" + principal + ".cc";
+        cCacheFile = new File(getTestDir().getPath(), fileName);
+        cCache.store(cCacheFile);
     }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
index 55a0c9c..3ca2407 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/KrbClient.java
@@ -218,13 +218,14 @@ public class KrbClient {
      * @return TGT
      * @throws KrbException
      */
-    public TgtTicket requestTgtWithToken(AuthToken token) throws KrbException {
+    public TgtTicket requestTgtWithToken(AuthToken token, String armorCache) throws KrbException
{
         if (! token.isIdToken()) {
             throw new IllegalArgumentException("Identity token is expected");
         }
 
         KOptions requestOptions = new KOptions();
         requestOptions.add(KrbOption.TOKEN_USER_ID_TOKEN, token);
+        requestOptions.add(KrbOption.ARMOR_CACHE, armorCache);
         return requestTgtWithOptions(requestOptions);
     }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java
index 662f42a..5437174 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/impl/AbstractInternalKrbClient.java
@@ -116,6 +116,8 @@ public abstract class AbstractInternalKrbClient implements InternalKrbClient
{
             asRequest = new AsRequestWithCert(context);
         } else if (requestOptions.contains(KrbOption.USE_TOKEN)) {
             asRequest = new AsRequestWithToken(context);
+        } else if (requestOptions.contains(KrbOption.TOKEN_USER_ID_TOKEN)) {
+            asRequest = new AsRequestWithToken(context);
         }
 
         if (asRequest == null) {

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
index 23269c6..840c0f1 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/preauth/token/TokenPreauth.java
@@ -19,21 +19,29 @@
  */
 package org.apache.kerby.kerberos.kerb.client.preauth.token;
 
+import org.apache.kerby.KOption;
+import org.apache.kerby.KOptions;
+import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.client.KrbContext;
 import org.apache.kerby.kerberos.kerb.client.KrbOption;
-import org.apache.kerby.KOptions;
 import org.apache.kerby.kerberos.kerb.client.preauth.AbstractPreauthPlugin;
-import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
 import org.apache.kerby.kerberos.kerb.client.request.KdcRequest;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
 import org.apache.kerby.kerberos.kerb.preauth.PaFlag;
 import org.apache.kerby.kerberos.kerb.preauth.PaFlags;
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
 import org.apache.kerby.kerberos.kerb.preauth.token.TokenPreauthMeta;
-import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.KrbToken;
+import org.apache.kerby.kerberos.kerb.spec.base.TokenFormat;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaData;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
-import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.PaTokenRequest;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.TokenInfo;
 
 import java.util.Collections;
 import java.util.List;
@@ -93,16 +101,23 @@ public class TokenPreauth extends AbstractPreauthPlugin {
     public void tryFirst(KdcRequest kdcRequest,
                          PluginRequestContext requestContext,
                          PaData outPadata) throws KrbException {
-
+        if (kdcRequest.getAsKey() == null) {
+            kdcRequest.needAsKey();
+        }
+        outPadata.addElement(makeEntry(kdcRequest));
     }
 
     @Override
     public boolean process(KdcRequest kdcRequest,
-                        PluginRequestContext requestContext,
-                        PaDataEntry inPadata,
-                        PaData outPadata) throws KrbException {
+                           PluginRequestContext requestContext,
+                           PaDataEntry inPadata,
+                           PaData outPadata) throws KrbException {
 
-        return false;
+        if (kdcRequest.getAsKey() == null) {
+            kdcRequest.needAsKey();
+        }
+        outPadata.addElement(makeEntry(kdcRequest));
+        return true;
     }
 
     @Override
@@ -121,4 +136,27 @@ public class TokenPreauth extends AbstractPreauthPlugin {
 
         return paFlags;
     }
-}
+
+    private PaDataEntry makeEntry(KdcRequest kdcRequest) throws KrbException {
+        KOptions options = kdcRequest.getPreauthOptions();
+
+        KOption option = options.getOption(KrbOption.TOKEN_USER_ID_TOKEN);
+        AuthToken authToken = (AuthToken)option.getValue();
+
+        KrbToken krbToken = new KrbToken(authToken, TokenFormat.JWT);
+        PaTokenRequest tokenPa = new PaTokenRequest();
+        tokenPa.setToken(krbToken);
+        TokenInfo info = new TokenInfo();
+        info.setTokenVendor("vendor");
+        tokenPa.setTokenInfo(info);
+
+        EncryptedData paDataValue = EncryptionUtil.seal(tokenPa,
+            kdcRequest.getAsKey(), KeyUsage.PA_TOKEN);
+
+        PaDataEntry paDataEntry = new PaDataEntry();
+        paDataEntry.setPaDataType(PaDataType.TOKEN_REQUEST);
+        paDataEntry.setPaDataValue(paDataValue.encode());
+
+        return paDataEntry;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
index 8ad5a88..a0cf189 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredAsRequest.java
@@ -30,7 +30,6 @@ import org.apache.kerby.kerberos.kerb.common.CheckSumUtil;
 import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
 import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
 import org.apache.kerby.kerberos.kerb.crypto.fast.FastUtil;
-import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
 import org.apache.kerby.kerberos.kerb.spec.ap.ApOptions;
 import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
 import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
@@ -40,7 +39,6 @@ import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
 import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
-import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
 import org.apache.kerby.kerberos.kerb.spec.fast.ArmorType;
 import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmor;
 import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmoredReq;

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
index 5aeba91..073c2c8 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
@@ -23,6 +23,7 @@ import org.apache.kerby.kerberos.kerb.KrbErrorCode;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
 import org.apache.kerby.kerberos.kerb.client.KrbContext;
+import org.apache.kerby.kerberos.kerb.client.KrbOption;
 import org.apache.kerby.kerberos.kerb.common.KrbUtil;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
 import org.apache.kerby.kerberos.kerb.spec.base.HostAddress;
@@ -88,7 +89,8 @@ public class AsRequest extends KdcRequest {
         PrincipalName clientPrincipal = getKdcRep().getCname();
         String clientRealm = getKdcRep().getCrealm();
         clientPrincipal.setRealm(clientRealm);
-        if (! clientPrincipal.equals(getClientPrincipal())) {
+        if (!getKrbOptions().contains(KrbOption.TOKEN_USER_ID_TOKEN)
+            && !clientPrincipal.equals(getClientPrincipal())) {
             throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_NAME_MISMATCH);
         }
 
@@ -142,4 +144,4 @@ public class AsRequest extends KdcRequest {
 
         return cc;
     }
-}
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
index 0d08415..cd1517d 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequestWithToken.java
@@ -19,7 +19,6 @@
  */
 package org.apache.kerby.kerberos.kerb.client.request;
 
-import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.KOptions;
 import org.apache.kerby.kerberos.kerb.client.KrbContext;
 import org.apache.kerby.kerberos.kerb.client.KrbOption;
@@ -37,11 +36,6 @@ public class AsRequestWithToken extends ArmoredAsRequest {
     }
 
     @Override
-    public void process() throws KrbException {
-        throw new RuntimeException("To be implemented");
-    }
-
-    @Override
     public KOptions getPreauthOptions() {
         KOptions results = super.getPreauthOptions();
         KOptions krbOptions = getKrbOptions();
@@ -52,4 +46,4 @@ public class AsRequestWithToken extends ArmoredAsRequest {
 
         return results;
     }
-}
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
index c9d1144..f4367be 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
@@ -94,7 +94,7 @@ public class TgsRequest extends KdcRequest {
         EncryptedData authnData = EncryptionUtil.seal(authenticator,
                 sessionKey, KeyUsage.TGS_REQ_AUTH);
         apReq.setEncryptedAuthenticator(authnData);
-
+        apReq.setAuthenticator(authenticator);
         apReq.setTicket(tgt.getTicket());
         ApOptions apOptions = new ApOptions();
         apReq.setApOptions(apOptions);

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/KerberosTime.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/KerberosTime.java
b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/KerberosTime.java
index 8ed8061..db105fe 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/KerberosTime.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/KerberosTime.java
@@ -57,12 +57,15 @@ public class KerberosTime extends Asn1GeneralizedTime {
     }
 
     /**
-     * time in milliseconds
+     * @param time set time in milliseconds
      */
     public void setTime(long time) {
         setValue(new Date(time));
     }
 
+    /**
+     * get the time in seconds
+     */
     public long getTimeInSeconds() {
         return getTime() / 1000;
     }
@@ -71,10 +74,16 @@ public class KerberosTime extends Asn1GeneralizedTime {
         return getValue().compareTo(ktime.getValue()) < 0;
     }
 
+    /**
+     * @param time in milliseconds
+     */
     public boolean lessThan(long time) {
-        return getValue().getTime() <= time * 1000;
+        return getValue().getTime() <= time;
     }
 
+    /**
+     * @param ktime compare with milliseconds
+     */
     public boolean greaterThan(KerberosTime ktime) {
         return getValue().compareTo(ktime.getValue()) > 0;
     }
@@ -125,4 +134,4 @@ public class KerberosTime extends Asn1GeneralizedTime {
     public int hashCode() {
         return getValue().hashCode();
     }
-}
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KeyUsage.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KeyUsage.java
b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KeyUsage.java
index 7f5a492..ba317b7 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KeyUsage.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KeyUsage.java
@@ -99,7 +99,9 @@ public enum KeyUsage implements KrbEnum
     FAST_FINISHED(53),
     ENC_CHALLENGE_CLIENT(54),
     ENC_CHALLENGE_KDC(55),
-    AS_REQ(56);
+    AS_REQ(56),
+    //PA-TOKEN padata,encrypted with the client key
+    PA_TOKEN(57);
 
     private int value;
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java
b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java
index 686feb5..3bc5caa 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/spec/base/KrbToken.java
@@ -58,14 +58,20 @@ public class KrbToken extends KrbSequenceType implements AuthToken {
         super(fieldInfos);
     }
 
-    @Override
-    public void encode(ByteBuffer buffer) {
+    public KrbToken(AuthToken authToken, TokenFormat format) {
+        this();
+
+        this.innerToken = authToken;
+        setTokenFormat(format);
         try {
-            setTokenValue(getTokenEncoder().encodeAsBytes(this));
+            setTokenValue(getTokenEncoder().encodeAsBytes(innerToken));
         } catch (KrbException e) {
-            throw new RuntimeException(e);
+            throw new RuntimeException("Failed to encode AuthToken", e);
         }
-        super.encode(buffer);
+    }
+
+    public AuthToken getAuthToken() {
+        return innerToken;
     }
 
     @Override
@@ -192,6 +198,6 @@ public class KrbToken extends KrbSequenceType implements AuthToken {
 
     @Override
     public void addAttribute(String name, Object value) {
-
+        innerToken.addAttribute(name, value);
     }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
b/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
index 0389dd7..f1c7115 100644
--- a/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
+++ b/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
@@ -84,6 +84,10 @@ public abstract class KdcTestBase {
         FileUtils.deleteDirectory(TEST_DIR);
     }
 
+    public File getTestDir() {
+        return TEST_DIR;
+    }
+
     protected boolean allowUdp() {
         return true;
     }
@@ -194,7 +198,7 @@ public abstract class KdcTestBase {
             krbClnt.setKdcUdpPort(udpPort);
         }
 
-        krbClnt.setTimeout(50);
+        krbClnt.setTimeout(1000);
         krbClnt.setKdcRealm(kdcServer.getKdcRealm());
     }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
index 216660b..15e2347 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfig.java
@@ -86,6 +86,10 @@ public class KdcConfig extends Conf {
         return getBoolean(KdcConfigKey.PREAUTH_REQUIRED);
     }
 
+    public boolean isAllowTokenPreauth() {
+        return getBoolean(KdcConfigKey.ALLOW_TOKEN_PREAUTH);
+    }
+
     public long getAllowableClockSkew() {
         return getLong(KdcConfigKey.ALLOWABLE_CLOCKSKEW);
     }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
index 1c05cd4..a2a3ed6 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
@@ -33,6 +33,7 @@ public enum KdcConfigKey implements SectionConfigKey {
     KDC_DOMAIN("example.com"),
     KDC_REALM("EXAMPLE.COM", "kdcdefaults"),
     PREAUTH_REQUIRED(true),
+    ALLOW_TOKEN_PREAUTH(true),
     ALLOWABLE_CLOCKSKEW(5 * 60L),
     EMPTY_ADDRESSES_ALLOWED(true),
     PA_ENC_TIMESTAMP_REQUIRED(true),

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
index 1d17105..ccd7a2e 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
@@ -19,11 +19,12 @@
  */
 package org.apache.kerby.kerberos.kerb.server.preauth;
 
+import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.server.KdcContext;
 import org.apache.kerby.kerberos.kerb.server.preauth.builtin.EncTsPreauth;
 import org.apache.kerby.kerberos.kerb.server.preauth.builtin.TgtPreauth;
+import org.apache.kerby.kerberos.kerb.server.preauth.token.TokenPreauth;
 import org.apache.kerby.kerberos.kerb.server.request.KdcRequest;
-import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaData;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
@@ -50,6 +51,9 @@ public class PreauthHandler {
 
         preauth = new TgtPreauth();
         preauths.add(preauth);
+
+        preauth = new TokenPreauth();
+        preauths.add(preauth);
     }
 
     /**
@@ -120,4 +124,13 @@ public class PreauthHandler {
             preauth.destroy();
         }
     }
+
+    public static boolean isToken(PaData paData) {
+        for (PaDataEntry paEntry : paData.getElements()) {
+            if (paEntry.getPaDataType() == PaDataType.TOKEN_REQUEST) {
+                return true;
+            }
+        }
+        return false;
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
new file mode 100644
index 0000000..49fbd40
--- /dev/null
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -0,0 +1,79 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.kerby.kerberos.kerb.server.preauth.token;
+
+import org.apache.kerby.kerberos.kerb.KrbCodec;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.KrbRuntime;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
+import org.apache.kerby.kerberos.kerb.preauth.token.TokenPreauthMeta;
+import org.apache.kerby.kerberos.kerb.provider.TokenDecoder;
+import org.apache.kerby.kerberos.kerb.server.preauth.AbstractPreauthPlugin;
+import org.apache.kerby.kerberos.kerb.server.request.AsRequest;
+import org.apache.kerby.kerberos.kerb.server.request.KdcRequest;
+import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.KrbToken;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
+import org.apache.kerby.kerberos.kerb.spec.pa.PaDataType;
+import org.apache.kerby.kerberos.kerb.spec.pa.token.PaTokenRequest;
+
+import java.io.IOException;
+
+public class TokenPreauth extends AbstractPreauthPlugin {
+
+    public TokenPreauth() {
+        super(new TokenPreauthMeta());
+    }
+
+    @Override
+    public boolean verify(KdcRequest kdcRequest, PluginRequestContext requestContext,
+                          PaDataEntry paData) throws KrbException {
+
+        if (paData.getPaDataType() == PaDataType.TOKEN_REQUEST) {
+            EncryptedData encData = KrbCodec.decode(paData.getPaDataValue(), EncryptedData.class);
+            EncryptionKey clientKey = kdcRequest.getArmorKey();
+            kdcRequest.setClientKey(clientKey);
+
+            PaTokenRequest paTokenRequest = EncryptionUtil.unseal(encData, clientKey,
+                KeyUsage.PA_TOKEN, PaTokenRequest.class);
+
+            KrbToken token = paTokenRequest.getToken();
+
+            TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+            AuthToken authToken = null;
+            try {
+                authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());
+            } catch (IOException e) {
+                throw new KrbException("Decoding failed", e);
+            }
+
+            AsRequest asRequest = (AsRequest) kdcRequest;
+            asRequest.setToken(authToken);
+
+            return true;
+        } else {
+            return false;
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
index c402926..33a5507 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
@@ -24,8 +24,19 @@ import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
 import org.apache.kerby.kerberos.kerb.identity.KrbIdentity;
 import org.apache.kerby.kerberos.kerb.server.KdcContext;
 import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
-import org.apache.kerby.kerberos.kerb.spec.base.*;
-import org.apache.kerby.kerberos.kerb.spec.kdc.*;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.LastReq;
+import org.apache.kerby.kerberos.kerb.spec.base.LastReqEntry;
+import org.apache.kerby.kerberos.kerb.spec.base.LastReqType;
+import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.kdc.AsRep;
+import org.apache.kerby.kerberos.kerb.spec.kdc.AsReq;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncAsRepPart;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
 import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
 import org.apache.kerby.kerberos.kerb.spec.ticket.TicketFlag;
 
@@ -37,16 +48,26 @@ public class AsRequest extends KdcRequest {
 
     @Override
     protected void checkClient() throws KrbException {
-        KdcReq request = getKdcReq();
 
-        PrincipalName clientPrincipal = request.getReqBody().getCname();
+        KdcReq request = getKdcReq();
+        PrincipalName clientPrincipal;
+        if (isToken()) {
+            clientPrincipal = new PrincipalName(getToken().getSubject());
+        } else {
+            clientPrincipal = request.getReqBody().getCname();
+        }
         String clientRealm = request.getReqBody().getRealm();
         if (clientRealm == null || clientRealm.isEmpty()) {
             clientRealm = getKdcContext().getKdcRealm();
         }
         clientPrincipal.setRealm(clientRealm);
-
-        KrbIdentity clientEntry = getEntry(clientPrincipal.getName());
+        KrbIdentity clientEntry;
+        if (isToken()) {
+            clientEntry = new KrbIdentity(clientPrincipal.getName());
+            clientEntry.setExpireTime(new KerberosTime(getToken().getExpiredTime().getTime()));
+        } else {
+            clientEntry = getEntry(clientPrincipal.getName());
+        }
         setClientEntry(clientEntry);
 
         for (EncryptionType encType : request.getReqBody().getEtypes()) {
@@ -67,20 +88,21 @@ public class AsRequest extends KdcRequest {
 
     @Override
     protected void makeReply() throws KrbException {
+
         Ticket ticket = getTicket();
 
         AsRep reply = new AsRep();
+        reply.setTicket(ticket);
 
         reply.setCname(getClientEntry().getPrincipal());
         reply.setCrealm(getKdcContext().getKdcRealm());
-        reply.setTicket(ticket);
 
         EncKdcRepPart encKdcRepPart = makeEncKdcRepPart();
         reply.setEncPart(encKdcRepPart);
 
         EncryptionKey clientKey = getClientKey();
         EncryptedData encryptedData = EncryptionUtil.seal(encKdcRepPart,
-                clientKey, KeyUsage.AS_REP_ENCPART);
+            clientKey, KeyUsage.AS_REP_ENCPART);
         reply.setEncryptedEncPart(encryptedData);
 
         setReply(reply);

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 82cce78..abbdc02 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -19,7 +19,11 @@
  */
 package org.apache.kerby.kerberos.kerb.server.request;
 
-import org.apache.kerby.kerberos.kerb.*;
+import org.apache.kerby.kerberos.kerb.KrbCodec;
+import org.apache.kerby.kerberos.kerb.KrbConstant;
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
+import org.apache.kerby.kerberos.kerb.KrbErrorException;
+import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
 import org.apache.kerby.kerberos.kerb.common.KrbUtil;
 import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
@@ -32,7 +36,20 @@ import org.apache.kerby.kerberos.kerb.server.preauth.PreauthContext;
 import org.apache.kerby.kerberos.kerb.server.preauth.PreauthHandler;
 import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
 import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
-import org.apache.kerby.kerberos.kerb.spec.base.*;
+import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;
+import org.apache.kerby.kerberos.kerb.spec.base.CheckSum;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.base.EtypeInfo;
+import org.apache.kerby.kerberos.kerb.spec.base.EtypeInfo2;
+import org.apache.kerby.kerberos.kerb.spec.base.EtypeInfo2Entry;
+import org.apache.kerby.kerberos.kerb.spec.base.EtypeInfoEntry;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.KrbError;
+import org.apache.kerby.kerberos.kerb.spec.base.KrbMessage;
+import org.apache.kerby.kerberos.kerb.spec.base.MethodData;
+import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
 import org.apache.kerby.kerberos.kerb.spec.fast.ArmorType;
 import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmor;
 import org.apache.kerby.kerberos.kerb.spec.fast.KrbFastArmoredReq;
@@ -70,6 +87,8 @@ public abstract class KdcRequest {
     private KdcFastContext fastContext;
     private PrincipalName serverPrincipal;
     private byte[] innerBodyout;
+    private AuthToken token;
+    private Boolean isToken = false;
 
     public KdcRequest(KdcReq kdcReq, KdcContext kdcContext) {
         this.kdcReq = kdcReq;
@@ -94,15 +113,28 @@ public abstract class KdcRequest {
 
     public void process() throws KrbException {
         checkVersion();
+        checkTgsEntry();
         kdcFindFast();
-        checkClient();
-        checkServer();
-        preauth();
+        if (PreauthHandler.isToken(getKdcReq().getPaData())) {
+            isToken = true;
+            preauth();
+            checkClient();
+            checkServer();
+        } else {
+            checkClient();
+            checkServer();
+            preauth();
+        }
         authenticate();
         issueTicket();
         makeReply();
     }
 
+    private void checkTgsEntry() throws KrbException {
+        KrbIdentity tgsEntry = getEntry(getTgsPrincipal().getName());
+        setTgsEntry(tgsEntry);
+    }
+
     private void kdcFindFast() throws KrbException {
 
         PaData paData = getKdcReq().getPaData();
@@ -264,16 +296,18 @@ public abstract class KdcRequest {
     protected void checkPolicy() throws KrbException {
         KrbIdentity entry = getClientEntry();
 
-        if (entry.isDisabled()) {
-            throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
-        }
-
-        if (entry.isLocked()) {
-            throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
-        }
+        // if we can not get the client entry, maybe it is token preauth, ignore it.
+        if (entry != null) {
+            if (entry.isDisabled()) {
+                throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
+            }
 
-        if (entry.getExpireTime().lessThan(new Date().getTime())) {
-            throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
+            if (entry.isLocked()) {
+                throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
+            }
+            if (entry.getExpireTime().lessThan(new Date().getTime())) {
+                throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
+            }
         }
     }
 
@@ -282,6 +316,10 @@ public abstract class KdcRequest {
     protected void preauth() throws KrbException {
         KdcReq request = getKdcReq();
 
+        if (!kdcContext.getConfig().isAllowTokenPreauth()) {
+            return;
+        }
+
         PaData preAuthData = request.getPaData();
 
         if (preauthContext.isPreauthRequired()) {
@@ -331,9 +369,6 @@ public abstract class KdcRequest {
     private void checkServer() throws KrbException {
         KdcReq request = getKdcReq();
 
-        KrbIdentity tgsEntry = getEntry(getTgsPrincipal().getName());
-        setTgsEntry(tgsEntry);
-
         PrincipalName principal = request.getReqBody().getSname();
         String serverRealm = request.getReqBody().getRealm();
         if (serverRealm == null || serverRealm.isEmpty()) {
@@ -407,9 +442,9 @@ public abstract class KdcRequest {
         }
 
         if (entry == null) {
-            throw new KrbException(krbErrorCode);
+            // Maybe it is the token preauth, now we ignore check client entry.
+            return null;
         }
-
         return entry;
     }
 
@@ -432,4 +467,16 @@ public abstract class KdcRequest {
     public byte[] getInnerBodyout() {
         return innerBodyout;
     }
+
+    public boolean isToken() {
+        return isToken;
+    }
+
+    public void setToken(AuthToken authToken) {
+        this.token = authToken;
+    }
+
+    public AuthToken getToken() {
+        return token;
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 34e21c2..9025e97 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -19,19 +19,32 @@
  */
 package org.apache.kerby.kerberos.kerb.server.request;
 
-import org.apache.kerby.kerberos.kerb.KrbErrorCode;
 import org.apache.kerby.kerberos.kerb.KrbCodec;
+import org.apache.kerby.kerberos.kerb.KrbConstant;
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
+import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
 import org.apache.kerby.kerberos.kerb.identity.KrbIdentity;
 import org.apache.kerby.kerberos.kerb.server.KdcContext;
-import org.apache.kerby.kerberos.kerb.KrbConstant;
-import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
 import org.apache.kerby.kerberos.kerb.spec.ap.ApOption;
 import org.apache.kerby.kerberos.kerb.spec.ap.ApReq;
 import org.apache.kerby.kerberos.kerb.spec.ap.Authenticator;
-import org.apache.kerby.kerberos.kerb.spec.base.*;
-import org.apache.kerby.kerberos.kerb.spec.kdc.*;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
+import org.apache.kerby.kerberos.kerb.spec.base.HostAddresses;
+import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
+import org.apache.kerby.kerberos.kerb.spec.base.KrbMessageType;
+import org.apache.kerby.kerberos.kerb.spec.base.LastReq;
+import org.apache.kerby.kerberos.kerb.spec.base.LastReqEntry;
+import org.apache.kerby.kerberos.kerb.spec.base.LastReqType;
+import org.apache.kerby.kerberos.kerb.spec.base.PrincipalName;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncKdcRepPart;
+import org.apache.kerby.kerberos.kerb.spec.kdc.EncTgsRepPart;
+import org.apache.kerby.kerberos.kerb.spec.kdc.KdcReq;
+import org.apache.kerby.kerberos.kerb.spec.kdc.TgsRep;
+import org.apache.kerby.kerberos.kerb.spec.kdc.TgsReq;
 import org.apache.kerby.kerberos.kerb.spec.pa.PaDataEntry;
 import org.apache.kerby.kerberos.kerb.spec.ticket.EncTicketPart;
 import org.apache.kerby.kerberos.kerb.spec.ticket.Ticket;
@@ -156,7 +169,11 @@ public class TgsRequest extends KdcRequest {
 
         TgsRep reply = new TgsRep();
 
-        reply.setCname(getClientEntry().getPrincipal());
+        if (getClientEntry() == null) {
+            reply.setCname(ticket.getEncPart().getCname());
+        } else {
+            reply.setCname(getClientEntry().getPrincipal());
+        }
         reply.setCrealm(getKdcContext().getKdcRealm());
         reply.setTicket(ticket);
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TickertIssuer.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TickertIssuer.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TickertIssuer.java
index 372bd02..8dce0d3 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TickertIssuer.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TickertIssuer.java
@@ -65,7 +65,7 @@ public abstract class TickertIssuer {
         EncryptionKey encryptionKey = getTicketEncryptionKey();
 
         EncryptedData encryptedData = EncryptionUtil.seal(encTicketPart,
-                encryptionKey, KeyUsage.KDC_REP_TICKET);
+            encryptionKey, KeyUsage.KDC_REP_TICKET);
         issuedTicket.setEncryptedEncPart(encryptedData);
         issuedTicket.setEncPart(encTicketPart);
 
@@ -201,7 +201,11 @@ public abstract class TickertIssuer {
     }
 
     protected PrincipalName getclientPrincipal() {
-        return getKdcReq().getReqBody().getCname();
+        if (kdcRequest.isToken()) {
+            return new PrincipalName(kdcRequest.getToken().getSubject());
+        } else {
+            return getKdcReq().getReqBody().getCname();
+        }
     }
 
     protected PrincipalName getServerPrincipal() {

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/f46f994f/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java
b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java
index cd33c92..ed1c033 100644
--- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java
+++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/kerberos/kerb/ccache/Credential.java
@@ -32,8 +32,7 @@ import org.apache.kerby.kerberos.kerb.spec.ticket.TicketFlags;
 
 import java.io.IOException;
 
-public class Credential
-{
+public class Credential {
     private static String CONF_REALM = "X-CACHECONF:";
 
     private PrincipalName clientName;


Mime
View raw message