KdcReqBody body = new KdcReqBody(); body.setFrom(new KerberosTime(startTime)); body.setCname(cName); body.setRealm(getKrbContext().getKrbSetting().getKdcRealm()); body.setSname(sName); body.setTill(new KerberosTime(startTime + krbContext.getTicketValidTime())); body.setNonce(nonce); body.setKdcOptions(getKdcOptions()); body.setAddresses(addresses); body.setEtypes(getEncryptionTypes());
/**
 * Resolve the realm a request is addressed to.
 *
 * Prefers the realm carried in the request body. When the body carries no
 * realm but names a client principal, that principal's realm is used instead.
 * Both values are client-supplied; nothing here validates them against the
 * KDC's own realm.
 *
 * @param kdcReq kdc request
 * @return realm, or {@code null} when neither source provides one
 */
private String getRequestRealm(KdcReq kdcReq) {
    String bodyRealm = kdcReq.getReqBody().getRealm();
    if (bodyRealm != null) {
        return bodyRealm;
    }
    PrincipalName cname = kdcReq.getReqBody().getCname();
    // No realm in the body: fall back to the realm embedded in the client name, if any.
    return cname != null ? cname.getRealm() : null;
}
}
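/**
 * Resolve the service principal named in the request and select the key the
 * service ticket will be sealed with.
 *
 * The server realm is taken from the request body, falling back to the KDC's
 * own realm when the request carries none; the resolved realm is written back
 * onto the request's sname object, which is then used as the lookup name.
 *
 * The server key is the first entry of the request's etype list for which the
 * server identity holds a key, so the client's ordering decides which of the
 * server's keys is used. If a server identity holds keys of several strengths,
 * a client can steer selection toward the weakest one it lists; restrict the
 * stored keys (or prefer a KDC-side order) where that matters.
 *
 * @throws KrbException KDC_ERR_S_PRINCIPAL_UNKNOWN when the request names no
 *         server or no identity exists for it; KDC_ERR_ETYPE_NOSUPP when the
 *         server identity holds no key for any requested etype (this case used
 *         to leave the server key unset for later stages to trip over)
 */
private void checkServer() throws KrbException {
    KdcReq request = getKdcReq();

    PrincipalName principal = request.getReqBody().getSname();
    if (principal == null) {
        LOG.error("Request carries no server principal");
        throw new KrbException(KrbErrorCode.KDC_ERR_S_PRINCIPAL_UNKNOWN);
    }

    String serverRealm = request.getReqBody().getRealm();
    if (serverRealm == null || serverRealm.isEmpty()) {
        LOG.info("Can't get the server realm from request, and try to get from kdcContext.");
        serverRealm = kdcContext.getKdcRealm();
    }
    principal.setRealm(serverRealm);

    KrbIdentity serverEntry = getEntry(principal.getName());
    if (serverEntry == null) {
        LOG.error("Principal: " + principal.getName() + " is not known");
        throw new KrbException(KrbErrorCode.KDC_ERR_S_PRINCIPAL_UNKNOWN);
    }
    setServerEntry(serverEntry);

    if (request.getReqBody().getEtypes() != null) {
        for (EncryptionType encType : request.getReqBody().getEtypes()) {
            if (serverEntry.getKeys().containsKey(encType)) {
                EncryptionKey serverKey = serverEntry.getKeys().get(encType);
                setServerKey(serverKey);
                return;
            }
        }
    }

    // No key for any requested etype: fail with a specific error instead of
    // silently continuing without a server key.
    LOG.error("Principal: " + principal.getName() + " has no key for any requested encryption type");
    throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP);
}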
if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.FORWARDABLE)) { if (!config.isForwardableAllowed()) { LOG.warn("Forward is not allowed."); if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.PROXIABLE)) { if (!config.isProxiableAllowed()) { LOG.warn("Proxy is not allowed."); if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.ALLOW_POSTDATE)) { if (!config.isPostdatedAllowed()) { LOG.warn("Post date is not allowed."); encTicketPart.setCrealm(clientPrincipal.getRealm()); } else { encTicketPart.setCrealm(request.getReqBody().getRealm()); KdcOptions kdcOptions = request.getReqBody().getKdcOptions(); KerberosTime krbStartTime = request.getReqBody().getFrom(); if (krbStartTime == null || krbStartTime.lessThan(now) || krbStartTime.isInClockSkew(config.getAllowableClockSkew())) { KerberosTime krbEndTime = request.getReqBody().getTill(); if (krbEndTime == null || krbEndTime.getTime() == 0) { krbEndTime = krbStartTime.extend(config.getMaximumTicketLifetime() * 1000); KerberosTime krbRtime = request.getReqBody().getRtime(); if (kdcOptions.isFlagSet(KdcOption.RENEWABLE_OK)) { kdcOptions.setFlag(KdcOption.RENEWABLE);
clientPrincipal = new PrincipalName(getToken().getSubject()); } else { clientPrincipal = request.getReqBody().getCname(); throw new KrbException(KrbErrorCode.KDC_ERR_C_PRINCIPAL_UNKNOWN); String clientRealm = request.getReqBody().getRealm(); if (clientRealm == null || clientRealm.isEmpty()) { clientRealm = getKdcContext().getKdcRealm(); for (EncryptionType encType : request.getReqBody().getEtypes()) { if (clientEntry.getKeys().containsKey(encType)) { EncryptionKey clientKey = clientEntry.getKeys().get(encType);
/**
 * Determine the client principal this request is for.
 *
 * Token-based requests build the principal from the token subject (the token
 * is presumably verified before this point — confirm against the caller); all
 * other requests use the cname from the request body. For anonymous requests
 * the cname's name type is rewritten in place to NT_WELLKNOWN, i.e. the
 * request's own PrincipalName object is modified.
 *
 * @return client principal
 */
protected PrincipalName getclientPrincipal() {
    if (kdcRequest.isToken()) {
        return new PrincipalName(kdcRequest.getToken().getSubject());
    }

    PrincipalName cname = getKdcReq().getReqBody().getCname();
    if (getKdcRequest().isAnonymous()) {
        // Anonymous requests must carry the well-known anonymous name type.
        cname.setNameType(NameType.NT_WELLKNOWN);
    }
    return cname;
}
/**
 * Service principal named by the request body's sname.
 *
 * Returned as-is: no realm resolution or existence check happens here.
 *
 * @return server principal from the request, possibly {@code null}
 */
protected PrincipalName getServerPrincipal() {
    return getKdcReq()
            .getReqBody()
            .getSname();
}
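/**
 * Build the ticket for the requested service and seal its private part.
 *
 * The ticket's sname is the request's sname. Its realm is the request body's
 * realm; when the request carries none, the realm already present on the
 * server principal is used (earlier request checks may have resolved it
 * there), so the ticket is not issued with an unset realm. The private part is
 * sealed with the ticket encryption key under KeyUsage.KDC_REP_TICKET; the
 * plaintext EncTicketPart is also kept on the Ticket object.
 *
 * @return the issued ticket
 * @throws KrbException if sealing the ticket part fails
 */
public Ticket issueTicket() throws KrbException {
    KdcReq request = kdcRequest.getKdcReq();
    Ticket issuedTicket = new Ticket();

    PrincipalName serverPrincipal = getServerPrincipal();
    issuedTicket.setSname(serverPrincipal);

    String serverRealm = request.getReqBody().getRealm();
    if ((serverRealm == null || serverRealm.isEmpty()) && serverPrincipal != null) {
        // Request carried no realm: fall back to the realm on the server principal.
        serverRealm = serverPrincipal.getRealm();
    }
    issuedTicket.setRealm(serverRealm);

    EncTicketPart encTicketPart = makeEncTicketPart();
    EncryptionKey encryptionKey = getTicketEncryptionKey();
    EncryptedData encryptedData = EncryptionUtil.seal(encTicketPart, encryptionKey, KeyUsage.KDC_REP_TICKET);
    issuedTicket.setEncryptedEncPart(encryptedData);
    issuedTicket.setEncPart(encTicketPart);

    return issuedTicket;
}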
if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.FORWARDABLE)) { if (!config.isForwardableAllowed()) { LOG.warn("Forward is not allowed."); if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.PROXIABLE)) { if (!config.isProxiableAllowed()) { LOG.warn("Proxy is not allowed."); if (request.getReqBody().getKdcOptions().isFlagSet(KdcOption.ALLOW_POSTDATE)) { if (!config.isPostdatedAllowed()) { LOG.warn("Post date is not allowed."); encTicketPart.setCrealm(clientPrincipal.getRealm()); } else { encTicketPart.setCrealm(request.getReqBody().getRealm()); KdcOptions kdcOptions = request.getReqBody().getKdcOptions(); KerberosTime krbStartTime = request.getReqBody().getFrom(); if (krbStartTime == null || krbStartTime.lessThan(now) || krbStartTime.isInClockSkew(config.getAllowableClockSkew())) { KerberosTime krbEndTime = request.getReqBody().getTill(); if (krbEndTime == null || krbEndTime.getTime() == 0) { krbEndTime = krbStartTime.extend(config.getMaximumTicketLifetime() * 1000); KerberosTime krbRtime = request.getReqBody().getRtime(); if (kdcOptions.isFlagSet(KdcOption.RENEWABLE_OK)) { kdcOptions.setFlag(KdcOption.RENEWABLE);
clientPrincipal = new PrincipalName(getToken().getSubject()); } else { clientPrincipal = request.getReqBody().getCname(); throw new KrbException(KrbErrorCode.KDC_ERR_C_PRINCIPAL_UNKNOWN); String clientRealm = request.getReqBody().getRealm(); if (clientRealm == null || clientRealm.isEmpty()) { clientRealm = getKdcContext().getKdcRealm(); for (EncryptionType encType : request.getReqBody().getEtypes()) { if (clientEntry.getKeys().containsKey(encType)) { EncryptionKey clientKey = clientEntry.getKeys().get(encType);
/**
 * Determine the client principal this request is for.
 *
 * Token-based requests build the principal from the token subject (the token
 * is presumably verified before this point — confirm against the caller); all
 * other requests use the cname from the request body. For anonymous requests
 * the cname's name type is rewritten in place to NT_WELLKNOWN, i.e. the
 * request's own PrincipalName object is modified.
 *
 * @return client principal
 */
protected PrincipalName getclientPrincipal() {
    if (kdcRequest.isToken()) {
        return new PrincipalName(kdcRequest.getToken().getSubject());
    }

    PrincipalName cname = getKdcReq().getReqBody().getCname();
    if (getKdcRequest().isAnonymous()) {
        // Anonymous requests must carry the well-known anonymous name type.
        cname.setNameType(NameType.NT_WELLKNOWN);
    }
    return cname;
}
/**
 * Service principal named by the request body's sname.
 *
 * Returned as-is: no realm resolution or existence check happens here.
 *
 * @return server principal from the request, possibly {@code null}
 */
protected PrincipalName getServerPrincipal() {
    return getKdcReq()
            .getReqBody()
            .getSname();
}
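/**
 * Build the ticket for the requested service and seal its private part.
 *
 * The ticket's sname is the request's sname. Its realm is the request body's
 * realm; when the request carries none, the realm already present on the
 * server principal is used (earlier request checks may have resolved it
 * there), so the ticket is not issued with an unset realm. The private part is
 * sealed with the ticket encryption key under KeyUsage.KDC_REP_TICKET; the
 * plaintext EncTicketPart is also kept on the Ticket object.
 *
 * @return the issued ticket
 * @throws KrbException if sealing the ticket part fails
 */
public Ticket issueTicket() throws KrbException {
    KdcReq request = kdcRequest.getKdcReq();
    Ticket issuedTicket = new Ticket();

    PrincipalName serverPrincipal = getServerPrincipal();
    issuedTicket.setSname(serverPrincipal);

    String serverRealm = request.getReqBody().getRealm();
    if ((serverRealm == null || serverRealm.isEmpty()) && serverPrincipal != null) {
        // Request carried no realm: fall back to the realm on the server principal.
        serverRealm = serverPrincipal.getRealm();
    }
    issuedTicket.setRealm(serverRealm);

    EncTicketPart encTicketPart = makeEncTicketPart();
    EncryptionKey encryptionKey = getTicketEncryptionKey();
    EncryptedData encryptedData = EncryptionUtil.seal(encTicketPart, encryptionKey, KeyUsage.KDC_REP_TICKET);
    issuedTicket.setEncryptedEncPart(encryptedData);
    issuedTicket.setEncPart(encTicketPart);

    return issuedTicket;
}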
KdcReqBody body = new KdcReqBody(); body.setFrom(new KerberosTime(startTime)); body.setCname(cName); body.setRealm(getKrbContext().getKrbSetting().getKdcRealm()); body.setSname(sName); body.setTill(new KerberosTime(startTime + krbContext.getTicketValidTime())); body.setNonce(nonce); body.setKdcOptions(getKdcOptions()); body.setAddresses(addresses); body.setEtypes(getEncryptionTypes());
String clientRealm = asReq.getReqBody().getRealm(); if (clientRealm == null || clientRealm.isEmpty()) { clientRealm = getKdcContext().getKdcRealm(); krbError.setSname(kdcRequest.getServerPrincipal()); } else { PrincipalName serverPrincipal = kdcRequest.getKdcReq().getReqBody().getSname(); serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm()); krbError.setSname(serverPrincipal);
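/**
 * Resolve the service principal named in the request and select the key the
 * service ticket will be sealed with.
 *
 * The server realm is taken from the request body, falling back to the KDC's
 * own realm when the request carries none; the resolved realm is written back
 * onto the request's sname object, which is then used as the lookup name.
 *
 * The server key is the first entry of the request's etype list for which the
 * server identity holds a key, so the client's ordering decides which of the
 * server's keys is used. If a server identity holds keys of several strengths,
 * a client can steer selection toward the weakest one it lists; restrict the
 * stored keys (or prefer a KDC-side order) where that matters.
 *
 * @throws KrbException KDC_ERR_S_PRINCIPAL_UNKNOWN when the request names no
 *         server or no identity exists for it; KDC_ERR_ETYPE_NOSUPP when the
 *         server identity holds no key for any requested etype (this case used
 *         to leave the server key unset for later stages to trip over)
 */
private void checkServer() throws KrbException {
    KdcReq request = getKdcReq();

    PrincipalName principal = request.getReqBody().getSname();
    if (principal == null) {
        LOG.error("Request carries no server principal");
        throw new KrbException(KrbErrorCode.KDC_ERR_S_PRINCIPAL_UNKNOWN);
    }

    String serverRealm = request.getReqBody().getRealm();
    if (serverRealm == null || serverRealm.isEmpty()) {
        LOG.info("Can't get the server realm from request, and try to get from kdcContext.");
        serverRealm = kdcContext.getKdcRealm();
    }
    principal.setRealm(serverRealm);

    KrbIdentity serverEntry = getEntry(principal.getName());
    if (serverEntry == null) {
        LOG.error("Principal: " + principal.getName() + " is not known");
        throw new KrbException(KrbErrorCode.KDC_ERR_S_PRINCIPAL_UNKNOWN);
    }
    setServerEntry(serverEntry);

    if (request.getReqBody().getEtypes() != null) {
        for (EncryptionType encType : request.getReqBody().getEtypes()) {
            if (serverEntry.getKeys().containsKey(encType)) {
                EncryptionKey serverKey = serverEntry.getKeys().get(encType);
                setServerKey(serverKey);
                return;
            }
        }
    }

    // No key for any requested etype: fail with a specific error instead of
    // silently continuing without a server key.
    LOG.error("Principal: " + principal.getName() + " has no key for any requested encryption type");
    throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP);
}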
/**
 * Resolve the realm a request is addressed to.
 *
 * Prefers the realm carried in the request body. When the body carries no
 * realm but names a client principal, that principal's realm is used instead.
 * Both values are client-supplied; nothing here validates them against the
 * KDC's own realm.
 *
 * @param kdcReq kdc request
 * @return realm, or {@code null} when neither source provides one
 */
private String getRequestRealm(KdcReq kdcReq) {
    String bodyRealm = kdcReq.getReqBody().getRealm();
    if (bodyRealm != null) {
        return bodyRealm;
    }
    PrincipalName cname = kdcReq.getReqBody().getCname();
    // No realm in the body: fall back to the realm embedded in the client name, if any.
    return cname != null ? cname.getRealm() : null;
}
}
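/**
 * Turn a recoverable KDC exception into the KRB-ERROR returned to the client.
 *
 * Fills in the server timestamp, the KDC realm and — when a parsed request is
 * available — the service principal the request named. The error code is the
 * one already carried by the exception's KrbError. The exception message is
 * copied into e-text and therefore reaches an unauthenticated client; keep
 * such messages free of internal detail.
 *
 * @param e The exception returned by the kdc
 * @param kdcRequest kdc request, or null when none could be built
 * @return The KrbError
 */
private KrbMessage handleRecoverableException(KdcRecoverableException e, KdcRequest kdcRequest) {
    LOG.info("KRB error occurred while processing request:" + e.getMessage());

    KrbError error = e.getKrbError();
    error.setStime(KerberosTime.now());
    error.setSusec(100);
    error.setRealm(kdcContext.getKdcRealm());

    // KRB-ERROR sname is the server principal (RFC 4120 5.9.1); the previous
    // code put the client's cname here, which also disagreed with the other
    // error paths that copy the request's sname.
    PrincipalName sname = null;
    if (kdcRequest != null && kdcRequest.getKdcReq() != null
            && kdcRequest.getKdcReq().getReqBody() != null) {
        sname = kdcRequest.getKdcReq().getReqBody().getSname();
    }
    error.setSname(sname != null ? sname : new PrincipalName("NONE"));

    error.setEtext(e.getMessage());
    return error;
}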