Author: erodriguez
Date: Mon Nov 1 23:01:53 2004
New Revision: 56360
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Minor refactoring, hoping for better code reuse in AP scenarios.
Modified:
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
---
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++
incubator/directory/kerberos/trunk/source/main/org/apache/kerberos/kdc/TicketGrantingService.java
Mon Nov 1 23:01:53 2004
@@ -59,9 +59,9 @@
Ticket tgt = authHeader.getTicket();
- Authenticator authenticator = verifyApReq(authHeader, tgt);
+ Authenticator authenticator = verifyAuthHeader(authHeader, tgt);
- verifyTicket(authHeader, request);
+ verifyTicket(tgt, request.getServerPrincipal());
verifyBodyChecksum(authenticator.getChecksum(), request);
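Review bot: The principal handed to `verifyTicket` on the added line is `request.getServerPrincipal()`, the service the client is asking a ticket for, whereas the KRB_AP_ERR_NOT_US check inside `verifyTicket` (hunk @@ -184) is meant to confirm the presented ticket is addressed to this server — for a TGS request that is the TGS's own principal, which on a legitimate request differs from the requested service. That check also joins the realm and principal tests with `&&`, so it only fires when both mismatch, while RFC 1510 A.10 rejects when either does. The two need fixing together: pass the local TGS principal here and change the condition to `if (!ticket.getRealm().equals(_config.getPrimaryRealm()) || !ticket.getServerPrincipal().equals(serverPrincipal))` — switching to `||` alone would reject every TGS request with the current argument. The enclosing method starts and ends outside this hunk, and where `_config` exposes the TGS's own principal is not visible here.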
@@ -96,7 +96,7 @@
}
// RFC 1510 A.10. KRB_AP_REQ verification
- private Authenticator verifyApReq(ApplicationRequest authHeader, Ticket
tgt)
+ private Authenticator verifyAuthHeader(ApplicationRequest authHeader,
Ticket ticket)
throws KerberosException, IOException {
if (authHeader.getProtocolVersionNumber() != 5)
@@ -111,7 +111,7 @@
if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
serverKey = authHeader.getTicket().getSessionKey();
} else {
- KerberosPrincipal serverPrincipal =
tgt.getServerPrincipal();
+ KerberosPrincipal serverPrincipal =
ticket.getServerPrincipal();
PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
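Review bot: `serverKey = authHeader.getTicket().getSessionKey();` in the USE_SESSION_KEY branch still reaches the ticket through `authHeader`, while every other reference in the method now goes through the new `ticket` parameter. With the current caller (hunk @@ -59) both are the same object, but if the parameter exists so AP callers can pass a different ticket, this branch would silently take the key from the wrong one; `serverKey = ticket.getSessionKey();` keeps the method consistent. Separately, RFC 1510 A.10 has the USE_SESSION_KEY key come from a separately held ticket-granting ticket rather than from the ticket being verified, and this ticket's encrypted part is only decoded later in the method, so whether `getSessionKey()` is populated at this point is worth confirming. verifyAuthHeader begins and continues outside this hunk.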
@@ -128,11 +128,11 @@
}
try {
- byte[] decTicketPart =
_cryptoService.decrypt(serverKey, tgt.getEncPart());
+ byte[] decTicketPart =
_cryptoService.decrypt(serverKey, ticket.getEncPart());
EncTicketPartDecoder ticketPartDecoder = new
EncTicketPartDecoder();
EncTicketPart encPart =
ticketPartDecoder.decode(decTicketPart);
- tgt.setEncTicketPart(encPart);
+ ticket.setEncTicketPart(encPart);
} catch (KerberosException ke) {
throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
}
@@ -140,19 +140,19 @@
Authenticator authenticator;
try {
- byte[] decAuthenticator =
_cryptoService.decrypt(tgt.getSessionKey(), authHeader.getEncPart());
+ byte[] decAuthenticator =
_cryptoService.decrypt(ticket.getSessionKey(), authHeader.getEncPart());
AuthenticatorDecoder authDecoder = new
AuthenticatorDecoder();
authenticator = authDecoder.decode(decAuthenticator);
} catch (KerberosException ke) {
throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
}
- if
(!authenticator.getClientPrincipal().getName().equals(tgt.getClientPrincipal().getName()))
{
+ if
(!authenticator.getClientPrincipal().getName().equals(ticket.getClientPrincipal().getName()))
{
throw KerberosException.KRB_AP_ERR_BADMATCH;
}
// TODO - need to get at IP Address for sender
- if (tgt.getClientAddresses() != null) {
+ if (ticket.getClientAddresses() != null) {
// if (sender_address(packet) is not in
decr_ticket.caddr)
// then error_out(KRB_AP_ERR_BADADDR);
}
@@ -170,13 +170,13 @@
if
(!authenticator.getClientTime().isInClockSkew(_config.getClockSkew()))
throw KerberosException.KRB_AP_ERR_SKEW;
- if (tgt.getStartTime() != null &&
!tgt.getStartTime().isInClockSkew(_config.getClockSkew()) ||
- tgt.getFlag(TicketFlags.INVALID))
+ if (ticket.getStartTime() != null &&
!ticket.getStartTime().isInClockSkew(_config.getClockSkew()) ||
+ ticket.getFlag(TicketFlags.INVALID))
// it hasn't yet become valid
throw KerberosException.KRB_AP_ERR_TKT_NYV;
// TODO - doesn't take into account skew
- if (!tgt.getEndTime().greaterThan(new KerberosTime()))
+ if (!ticket.getEndTime().greaterThan(new KerberosTime()))
throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
@@ -184,12 +184,11 @@
return authenticator;
}
- private void verifyTicket(ApplicationRequest authHeader, KdcRequest
request)
+ private void verifyTicket(Ticket ticket, KerberosPrincipal
serverPrincipal)
throws KerberosException {
- Ticket tgt = authHeader.getTicket();
- if (!tgt.getRealm().equals(_config.getPrimaryRealm()) &&
-
!tgt.getServerPrincipal().equals(request.getServerPrincipal()))
+ if (!ticket.getRealm().equals(_config.getPrimaryRealm()) &&
+
!ticket.getServerPrincipal().equals(serverPrincipal))
throw KerberosException.KRB_AP_ERR_NOT_US;
}
@@ -229,12 +228,11 @@
throw KerberosException.KRB_AP_ERR_MODIFIED;
}
- private EncryptionKey getServerKey(KdcRequest request) throws
KerberosException {
+ private EncryptionKey getServerKey(KerberosPrincipal serverPrincipal)
throws KerberosException {
EncryptionKey serverKey = null;
// TODO - allow lookup with realm
try {
- KerberosPrincipal serverPrincipal =
request.getServerPrincipal();
PrincipalStoreEntry serverEntry =
_bootstrap.getEntry(serverPrincipal);
if (serverEntry != null) {
serverKey = serverEntry.getEncryptionKey();
@@ -279,7 +277,7 @@
processTimes(request, newTicketBody, tgt);
- EncryptionKey serverKey = getServerKey(request);
+ EncryptionKey serverKey =
getServerKey(request.getServerPrincipal());
EncTicketPart ticketPart = newTicketBody.getEncTicketPart();