Author: erodriguez
Date: Mon Nov 1 19:04:33 2004
New Revision: 56334
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Updated dispatcher, AS, and TGS services to properly return error messages to
clients.
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
==============================================================================
---
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
(original)
+++
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/AuthenticationService.java
Mon Nov 1 19:04:33 2004
@@ -44,27 +44,29 @@
public AuthenticationReply getReplyFor(KdcRequest request) throws
KerberosException {
KerberosPrincipal clientPrincipal =
request.getClientPrincipal();
-
- System.out.println("Client: " + clientPrincipal.toString());
- PrincipalStoreEntry clientEntry =
_bootstrap.getEntry(clientPrincipal);
EncryptionKey clientKey;
- if (clientEntry != null) {
- clientKey = clientEntry.getEncryptionKey();
- } else {
- System.out.println("Going to look up client");
- clientKey =
_store.getEntry(clientPrincipal).getEncryptionKey();
+ try {
+ PrincipalStoreEntry clientEntry =
_bootstrap.getEntry(clientPrincipal);
+ if (clientEntry != null) {
+ clientKey = clientEntry.getEncryptionKey();
+ } else {
+ clientKey =
_store.getEntry(clientPrincipal).getEncryptionKey();
+ }
+ } catch (Exception e) {
+ throw KerberosException.KDC_ERR_C_PRINCIPAL_UNKNOWN;
}
KerberosPrincipal serverPrincipal =
request.getServerPrincipal();
-
- System.out.println("Server: " + serverPrincipal.toString());
- PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
EncryptionKey serverKey;
- if (serverEntry != null) {
- serverKey = serverEntry.getEncryptionKey();
- } else {
- System.out.println("Going to look up client");
- serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
+ try {
+ PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
+ if (serverEntry != null) {
+ serverKey = serverEntry.getEncryptionKey();
+ } else {
+ serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
+ }
+ } catch (Exception e) {
+ throw KerberosException.KDC_ERR_S_PRINCIPAL_UNKNOWN;
}
verifyPreAuthentication(request, clientPrincipal);
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
==============================================================================
---
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
(original)
+++
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/KdcDispatcher.java
Mon Nov 1 19:04:33 2004
@@ -34,8 +34,9 @@
private ReplayCache _replay = new InMemoryReplayCache();
- private KdcRequestDecoder _decoder = new KdcRequestDecoder();
- private KdcReplyEncoder _encoder = new KdcReplyEncoder();
+ private KdcRequestDecoder _decoder = new KdcRequestDecoder();
+ private KdcReplyEncoder _encoder = new KdcReplyEncoder();
+ private ErrorMessageEncoder _errorEncoder = new ErrorMessageEncoder();
private PrincipalStore _bootstrap;
private CryptoService _cryptoService;
@@ -44,6 +45,7 @@
private AuthenticationService _authService;
private TicketGrantingService _tgsService;
+ private ErrorService _errorService;
public KdcDispatcher(KdcConfiguration config, BootstrapStore bootstrap,
PrincipalStore store) {
_config = config;
@@ -51,48 +53,51 @@
_store = store;
_cryptoService = new CryptoService(_config);
+ _errorService = new ErrorService(_config);
_authService = new AuthenticationService(_store, _bootstrap,
_cryptoService, _config);
_tgsService = new TicketGrantingService(_store, _bootstrap,
_cryptoService, _config, _replay);
}
- public byte[] dispatch(byte[] requestBytes) throws IOException,
KerberosException {
+ public byte[] dispatch(byte[] requestBytes) throws IOException {
ByteArrayInputStream input = new
ByteArrayInputStream(requestBytes);
ByteArrayOutputStream output = new ByteArrayOutputStream();
- KdcRequest request = _decoder.decode(input);
-
- byte messageType = requestBytes[0];
-
- switch (messageType) {
-
- case AS_REQ:
- // generate the reply
- AuthenticationReply authReply =
_authService.getReplyFor(request);
- // ASN1 encode the reply
- _encoder.encode(authReply, output);
-
- break;
+ try {
+ KdcRequest request = _decoder.decode(input);
+
+ byte messageType = requestBytes[0];
- case TGS_REQ:
- // generate the reply
- TicketGrantReply ticketReply =
_tgsService.getReplyFor(request);
- // ASN1 encode the reply
- _encoder.encode(ticketReply, output);
+ switch (messageType) {
- break;
-
- case AS_REP:
- case TGS_REP:
- throw new IOException("We should not be receiving reply
messages");
-
- default:
- System.out.println("Message received with tag "
+ messageType);
+ case AS_REQ:
+ // generate the reply
+ AuthenticationReply authReply =
_authService.getReplyFor(request);
+ // ASN1 encode the reply
+ _encoder.encode(authReply, output);
+ break;
+
+ case TGS_REQ:
+ // generate the reply
+ TicketGrantReply ticketReply =
_tgsService.getReplyFor(request);
+ // ASN1 encode the reply
+ _encoder.encode(ticketReply, output);
+ break;
+
+ case AS_REP:
+ case TGS_REP:
+ throw KerberosException.KRB_AP_ERR_BADDIRECTION;
+
+ default:
+ throw
KerberosException.KRB_AP_ERR_MSG_TYPE;
+ }
+ } catch (KerberosException ke) {
+ System.out.println("Returning error message: " +
ke.getMessage());
+ ErrorMessage errorMessage =
_errorService.getReplyFor(ke);
+ _errorEncoder.encode(errorMessage, output);
}
- byte[] replyBytes = output.toByteArray();
-
- return replyBytes;
+ return output.toByteArray();
}
}
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
---
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Mon Nov 1 19:04:33 2004
@@ -55,8 +55,6 @@
public TicketGrantReply getReplyFor(KdcRequest request) throws
KerberosException, IOException {
- System.out.println("Got request for " +
request.getServerPrincipal());
-
ApplicationRequest authHeader = getAuthHeader(request);
Ticket tgt = authHeader.getTicket();
@@ -76,22 +74,15 @@
TicketGrantReply reply = getReply(tgt, newTicket, sessionKey,
request);
if (authenticator.getSubSessionKey() != null) {
- System.out.println("Using authenticator sub session
key.");
EncryptionKey subKey = authenticator.getSubSessionKey();
encryptReplyPart(reply, subKey);
} else {
- System.out.println("Using session key.");
encryptReplyPart(reply, tgt.getSessionKey());
}
return reply;
}
- /*
- * Reading the application request requires first determining the server
- * for which a ticket was issued, and choosing the correct key for
decryption.
- * The name of the server appears in the plaintext part of the ticket.
- */
private ApplicationRequest getAuthHeader(KdcRequest request) throws
KerberosException, IOException {
if (request.getPaData()[0].getDataType() !=
PreAuthenticationDataType.PA_TGS_REQ)
@@ -125,7 +116,6 @@
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
} else {
- System.out.println("Going to look up client");
serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
}
}
@@ -194,17 +184,11 @@
return authenticator;
}
- /*
- * Note that the realm in which the Kerberos server is operating is
determined by
- * the instance from the ticket-granting ticket. The realm in the
ticket-granting
- * ticket is the realm under which the ticket granting ticket was
issued. It is
- * possible for a single Kerberos server to support more than one realm.
- */
private void verifyTicket(ApplicationRequest authHeader, KdcRequest
request)
throws KerberosException {
Ticket tgt = authHeader.getTicket();
- if
(!tgt.getRealm().toString().equals(_config.getPrimaryRealm()) &&
+ if (!tgt.getRealm().equals(_config.getPrimaryRealm()) &&
!tgt.getServerPrincipal().equals(request.getServerPrincipal()))
throw KerberosException.KRB_AP_ERR_NOT_US;
}
@@ -251,16 +235,14 @@
// TODO - allow lookup with realm
try {
KerberosPrincipal serverPrincipal =
request.getServerPrincipal();
- System.out.println(serverPrincipal.getName());
PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
} else {
- System.out.println("Going to look up client");
serverKey =
_store.getEntry(serverPrincipal).getEncryptionKey();
}
- } catch (KerberosException ke) {
+ } catch (Exception e) {
/*
if (!server) then
if (is_foreign_tgt_name(server)) then
