/**
 * Builds the baseline {@link KdcOptions} for a request.
 *
 * <p>A fresh instance is returned on every call, pre-set with
 * FORWARDABLE, PROXIABLE and RENEWABLE_OK. Because the instance is not
 * retained here, a flag a caller sets on the returned object is not visible
 * to a later call of this method — NOTE(review): confirm no caller relies on
 * that (e.g. setting REQUEST_ANONYMOUS and reading it back later).
 *
 * @return a new options object carrying the default KDC flags
 */
private KdcOptions getKdcOptions() {
    final KdcOptions defaults = new KdcOptions();
    final KdcOption[] enforced = {
        KdcOption.FORWARDABLE,
        KdcOption.PROXIABLE,
        KdcOption.RENEWABLE_OK,
    };
    for (KdcOption flag : enforced) {
        defaults.setFlag(flag);
    }
    return defaults;
}
/**
 * Reports whether the REQUEST_ANONYMOUS KDC flag is set on the options
 * returned by {@code getKdcOptions()}.
 *
 * @return {@code true} when the anonymous flag is present, otherwise {@code false}
 */
public boolean isAnonymous() {
    final KdcOptions current = getKdcOptions();
    final boolean anonymousRequested = current.isFlagSet(KdcOption.REQUEST_ANONYMOUS);
    return anonymousRequested;
}
/**
 * Creates a KDC options set whose flags are initialised from the raw
 * bit-field {@code value} via {@code setFlags}.
 *
 * @param value the raw flag bits to apply
 */
public KdcOptions(int value) {
    setFlags(value);
}
}
/**
 * Populates {@code kdcOptions} from {@code requestOptions}.
 *
 * <p>FORWARDABLE, PROXIABLE and RENEWABLE_OK are set first as defaults;
 * every request option in the KDC_FLAGS group then overrides the
 * {@link KdcOption} of the same name. NOT_FORWARDABLE and NOT_PROXIABLE are
 * translated into the inverse value of FORWARDABLE / PROXIABLE.
 * If {@code KdcOption} is an enum, {@code KdcOption.valueOf} throws
 * {@code IllegalArgumentException} for a KDC_FLAGS option with no same-named
 * constant — presumably the two option sets are kept in step; worth confirming.
 */
protected void processKdcOptions() {
    // Defaults applied before any request-supplied override.
    kdcOptions.setFlag(KdcOption.FORWARDABLE);
    kdcOptions.setFlag(KdcOption.PROXIABLE);
    kdcOptions.setFlag(KdcOption.RENEWABLE_OK);

    for (KOption option : requestOptions.getOptions()) {
        if (option.getOptionInfo().getGroup() != KrbOptionGroup.KDC_FLAGS) {
            continue;
        }
        KrbKdcOption target = (KrbKdcOption) option;
        boolean enabled = requestOptions.getBooleanOption(option, true);
        // Negated request options map onto the positive KDC flag with the
        // value inverted.
        if (option.equals(KrbKdcOption.NOT_FORWARDABLE)) {
            target = KrbKdcOption.FORWARDABLE;
            enabled = !enabled;
        }
        if (option.equals(KrbKdcOption.NOT_PROXIABLE)) {
            target = KrbKdcOption.PROXIABLE;
            enabled = !enabled;
        }
        kdcOptions.setFlag(KdcOption.valueOf(target.name()), enabled);
    }
}
}
if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.FORWARDABLE)) { if (!config.isForwardableAllowed()) { LOG.warn("Forward is not allowed."); if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.PROXIABLE)) { if (!config.isProxiableAllowed()) { LOG.warn("Proxy is not allowed."); if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.ALLOW_POSTDATE)) { if (!config.isPostdatedAllowed()) { LOG.warn("Post date is not allowed."); && !kdcOptions.isFlagSet(KdcOption.POSTDATED)) { throw new KrbException(KrbErrorCode.KDC_ERR_CANNOT_POSTDATE); if (kdcOptions.isFlagSet(KdcOption.POSTDATED)) { if (!config.isPostdatedAllowed()) { throw new KrbException(KrbErrorCode.KDC_ERR_POLICY); if (kdcOptions.isFlagSet(KdcOption.RENEWABLE_OK)) { kdcOptions.setFlag(KdcOption.RENEWABLE); if (kdcOptions.isFlagSet(KdcOption.RENEWABLE)) { if (!config.isRenewableAllowed()) { throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
/**
 * Populates {@code kdcOptions} from {@code requestOptions}.
 *
 * <p>FORWARDABLE, PROXIABLE and RENEWABLE_OK are set first as defaults;
 * every request option in the KDC_FLAGS group then overrides the
 * {@link KdcOption} of the same name. NOT_FORWARDABLE and NOT_PROXIABLE are
 * translated into the inverse value of FORWARDABLE / PROXIABLE.
 * If {@code KdcOption} is an enum, {@code KdcOption.valueOf} throws
 * {@code IllegalArgumentException} for a KDC_FLAGS option with no same-named
 * constant — presumably the two option sets are kept in step; worth confirming.
 */
protected void processKdcOptions() {
    // Defaults applied before any request-supplied override.
    kdcOptions.setFlag(KdcOption.FORWARDABLE);
    kdcOptions.setFlag(KdcOption.PROXIABLE);
    kdcOptions.setFlag(KdcOption.RENEWABLE_OK);

    for (KOption option : requestOptions.getOptions()) {
        if (option.getOptionInfo().getGroup() != KrbOptionGroup.KDC_FLAGS) {
            continue;
        }
        KrbKdcOption target = (KrbKdcOption) option;
        boolean enabled = requestOptions.getBooleanOption(option, true);
        // Negated request options map onto the positive KDC flag with the
        // value inverted.
        if (option.equals(KrbKdcOption.NOT_FORWARDABLE)) {
            target = KrbKdcOption.FORWARDABLE;
            enabled = !enabled;
        }
        if (option.equals(KrbKdcOption.NOT_PROXIABLE)) {
            target = KrbKdcOption.PROXIABLE;
            enabled = !enabled;
        }
        kdcOptions.setFlag(KdcOption.valueOf(target.name()), enabled);
    }
}
}
if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.FORWARDABLE)) { if (!config.isForwardableAllowed()) { LOG.warn("Forward is not allowed."); if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.PROXIABLE)) { if (!config.isProxiableAllowed()) { LOG.warn("Proxy is not allowed."); if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.ALLOW_POSTDATE)) { if (!config.isPostdatedAllowed()) { LOG.warn("Post date is not allowed."); && !kdcOptions.isFlagSet(KdcOption.POSTDATED)) { throw new KrbException(KrbErrorCode.KDC_ERR_CANNOT_POSTDATE); if (kdcOptions.isFlagSet(KdcOption.POSTDATED)) { if (!config.isPostdatedAllowed()) { throw new KrbException(KrbErrorCode.KDC_ERR_POLICY); if (kdcOptions.isFlagSet(KdcOption.RENEWABLE_OK)) { kdcOptions.setFlag(KdcOption.RENEWABLE); if (kdcOptions.isFlagSet(KdcOption.RENEWABLE)) { if (!config.isRenewableAllowed()) { throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
/**
 * Collects the PKINIT pre-authentication options from the request options.
 *
 * <p>The X.509 certificate, anchors, private key, identity and RSA-usage
 * options are copied into the result. When USE_ANONYMOUS is present, the
 * REQUEST_ANONYMOUS flag is set on the object returned by
 * {@code getKdcOptions()}. NOTE(review): if {@code getKdcOptions()} builds a
 * fresh object per call instead of returning stored state, that flag would
 * not persist — confirm against that method.
 *
 * @return the collected PKINIT options
 */
@Override
public KOptions getPreauthOptions() {
    final KOptions requested = getRequestOptions();
    final KOptions results = new KOptions();

    results.add(requested.getOption(PkinitOption.X509_CERTIFICATE));
    results.add(requested.getOption(PkinitOption.X509_ANCHORS));
    results.add(requested.getOption(PkinitOption.X509_PRIVATE_KEY));
    results.add(requested.getOption(PkinitOption.X509_IDENTITY));
    results.add(requested.getOption(PkinitOption.USING_RSA));

    final boolean anonymousRequested = requested.contains(PkinitOption.USE_ANONYMOUS);
    if (anonymousRequested) {
        getKdcOptions().setFlag(KdcOption.REQUEST_ANONYMOUS);
    }
    return results;
}
/**
 * Builds the baseline {@link KdcOptions} for a request.
 *
 * <p>A fresh instance is returned on every call, pre-set with
 * FORWARDABLE, PROXIABLE and RENEWABLE_OK. Because the instance is not
 * retained here, a flag a caller sets on the returned object is not visible
 * to a later call of this method — NOTE(review): confirm no caller relies on
 * that (e.g. setting REQUEST_ANONYMOUS and reading it back later).
 *
 * @return a new options object carrying the default KDC flags
 */
private KdcOptions getKdcOptions() {
    final KdcOptions defaults = new KdcOptions();
    final KdcOption[] enforced = {
        KdcOption.FORWARDABLE,
        KdcOption.PROXIABLE,
        KdcOption.RENEWABLE_OK,
    };
    for (KdcOption flag : enforced) {
        defaults.setFlag(flag);
    }
    return defaults;
}
/**
 * Reports whether the REQUEST_ANONYMOUS KDC flag is set on the options
 * returned by {@code getKdcOptions()}.
 *
 * @return {@code true} when the anonymous flag is present, otherwise {@code false}
 */
public boolean isAnonymous() {
    final KdcOptions current = getKdcOptions();
    final boolean anonymousRequested = current.isFlagSet(KdcOption.REQUEST_ANONYMOUS);
    return anonymousRequested;
}
/**
 * Creates a KDC options set whose flags are initialised from the raw
 * bit-field {@code value} via {@code setFlags}.
 *
 * @param value the raw flag bits to apply
 */
public KdcOptions(int value) {
    setFlags(value);
}
}
/**
 * Collects the PKINIT pre-authentication options from the request options.
 *
 * <p>The X.509 certificate, anchors, private key, identity and RSA-usage
 * options are copied into the result. When USE_ANONYMOUS is present, the
 * REQUEST_ANONYMOUS flag is set on the object returned by
 * {@code getKdcOptions()}. NOTE(review): if {@code getKdcOptions()} builds a
 * fresh object per call instead of returning stored state, that flag would
 * not persist — confirm against that method.
 *
 * @return the collected PKINIT options
 */
@Override
public KOptions getPreauthOptions() {
    final KOptions requested = getRequestOptions();
    final KOptions results = new KOptions();

    results.add(requested.getOption(PkinitOption.X509_CERTIFICATE));
    results.add(requested.getOption(PkinitOption.X509_ANCHORS));
    results.add(requested.getOption(PkinitOption.X509_PRIVATE_KEY));
    results.add(requested.getOption(PkinitOption.X509_IDENTITY));
    results.add(requested.getOption(PkinitOption.USING_RSA));

    final boolean anonymousRequested = requested.contains(PkinitOption.USE_ANONYMOUS);
    if (anonymousRequested) {
        getKdcOptions().setFlag(KdcOption.REQUEST_ANONYMOUS);
    }
    return results;
}
if (kdcRequest.getKdcOptions().isFlagSet(KdcOption.REQUEST_ANONYMOUS) && !KrbUtil.pricipalCompareIgnoreRealm(clientPrincial, anonymousPrincipal)) { String errMsg = "Pkinit request not signed, but client not anonymous.";
if (kdcRequest.getKdcOptions().isFlagSet(KdcOption.REQUEST_ANONYMOUS) && !KrbUtil.pricipalCompareIgnoreRealm(clientPrincial, anonymousPrincipal)) { String errMsg = "Pkinit request not signed, but client not anonymous.";