}
private static void generateTicket( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
{
KdcRequest request = authContext.getRequest();
CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
KerberosPrincipal serverPrincipal = request.getServerPrincipal();
EncryptionType encryptionType = authContext.getEncryptionType();
EncryptionKey serverKey = authContext.getServerEntry().getKeyMap().get( encryptionType );
KerberosPrincipal ticketPrincipal = request.getServerPrincipal();
EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
KdcServer config = authContext.getConfig();
// The INITIAL flag indicates that a ticket was issued using the AS protocol.
newTicketBody.setFlag( TicketFlag.INITIAL );
// The PRE-AUTHENT flag indicates that the client used pre-authentication.
if ( authContext.isPreAuthenticated() )
{
newTicketBody.setFlag( TicketFlag.PRE_AUTHENT );
}
if ( request.getOption( KdcOptions.FORWARDABLE ) )
{
if ( !config.isForwardableAllowed() )
{
throw new KerberosException( ErrorType.KDC_ERR_POLICY );
}
newTicketBody.setFlag( TicketFlag.FORWARDABLE );
}
if ( request.getOption( KdcOptions.PROXIABLE ) )
{
if ( !config.isProxiableAllowed() )
{
throw new KerberosException( ErrorType.KDC_ERR_POLICY );
}
newTicketBody.setFlag( TicketFlag.PROXIABLE );
}
if ( request.getOption( KdcOptions.ALLOW_POSTDATE ) )
{
if ( !config.isPostdatedAllowed() )
{
throw new KerberosException( ErrorType.KDC_ERR_POLICY );
}
newTicketBody.setFlag( TicketFlag.MAY_POSTDATE );
}
if ( request.getOption( KdcOptions.RENEW ) || request.getOption( KdcOptions.VALIDATE )
|| request.getOption( KdcOptions.PROXY ) || request.getOption( KdcOptions.FORWARDED )
|| request.getOption( KdcOptions.ENC_TKT_IN_SKEY ) )
{
throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
}
EncryptionKey sessionKey = RandomKeyFactory.getRandomKey( authContext.getEncryptionType() );
newTicketBody.setSessionKey( sessionKey );
newTicketBody.setClientPrincipal( request.getClientPrincipal() );
newTicketBody.setTransitedEncoding( new TransitedEncoding() );
KerberosTime now = new KerberosTime();
newTicketBody.setAuthTime( now );
KerberosTime startTime = request.getFrom();
/*
* "If the requested starttime is absent, indicates a time in the past,
* or is within the window of acceptable clock skew for the KDC and the
* POSTDATE option has not been specified, then the starttime of the
* ticket is set to the authentication server's current time."
*/
if ( startTime == null || startTime.lessThan( now ) || startTime.isInClockSkew( config.getAllowableClockSkew() )
&& !request.getOption( KdcOptions.POSTDATED ) )
{
startTime = now;
}
/*
* "If it indicates a time in the future beyond the acceptable clock skew,
* but the POSTDATED option has not been specified, then the error
* KDC_ERR_CANNOT_POSTDATE is returned."
*/
if ( startTime != null && startTime.greaterThan( now )
&& !startTime.isInClockSkew( config.getAllowableClockSkew() ) && !request.getOption( KdcOptions.POSTDATED ) )
{
throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
}
/*
* "Otherwise the requested starttime is checked against the policy of the
* local realm and if the ticket's starttime is acceptable, it is set as
* requested, and the INVALID flag is set in the new ticket."
*/
if ( request.getOption( KdcOptions.POSTDATED ) )
{
if ( !config.isPostdatedAllowed() )
{
throw new KerberosException( ErrorType.KDC_ERR_POLICY );
}
newTicketBody.setFlag( TicketFlag.POSTDATED );
newTicketBody.setFlag( TicketFlag.INVALID );
newTicketBody.setStartTime( startTime );
}
long till = 0;
if ( request.getTill().getTime() == 0 )
{
till = Long.MAX_VALUE;
}
else
{
till = request.getTill().getTime();
}
/*
* The end time is the minimum of (a) the requested till time or (b)
* the start time plus maximum lifetime as configured in policy.
*/
long endTime = Math.min( till, startTime.getTime() + config.getMaximumTicketLifetime() );
KerberosTime kerberosEndTime = new KerberosTime( endTime );
newTicketBody.setEndTime( kerberosEndTime );
/*
* "If the requested expiration time minus the starttime (as determined
* above) is less than a site-determined minimum lifetime, an error
* message with code KDC_ERR_NEVER_VALID is returned."
*/
if ( kerberosEndTime.lessThan( startTime ) )
{
throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
}
long ticketLifeTime = Math.abs( startTime.getTime() - kerberosEndTime.getTime() );
if ( ticketLifeTime < config.getAllowableClockSkew() )
{
throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
}
/*
* "If the requested expiration time for the ticket exceeds what was determined
* as above, and if the 'RENEWABLE-OK' option was requested, then the 'RENEWABLE'
* flag is set in the new ticket, and the renew-till value is set as if the
* 'RENEWABLE' option were requested."
*/
KerberosTime tempRtime = request.getRtime();
if ( request.getOption( KdcOptions.RENEWABLE_OK ) && request.getTill().greaterThan( kerberosEndTime ) )
{
if ( !config.isRenewableAllowed() )
{
throw new KerberosException( ErrorType.KDC_ERR_POLICY );
}
request.setOption( KdcOptions.RENEWABLE );
tempRtime = request.getTill();
}
if ( request.getOption( KdcOptions.RENEWABLE ) )
{
if ( !config.isRenewableAllowed() )
{
throw new KerberosException( ErrorType.KDC_ERR_POLICY );
}
newTicketBody.setFlag( TicketFlag.RENEWABLE );
if ( tempRtime == null || tempRtime.isZero() )
{
tempRtime = KerberosTime.INFINITY;
}
/*
* The renew-till time is the minimum of (a) the requested renew-till
* time or (b) the start time plus maximum renewable lifetime as
* configured in policy.
*/
long renewTill = Math.min( tempRtime.getTime(), startTime.getTime() + config.getMaximumRenewableLifetime() );
newTicketBody.setRenewTill( new KerberosTime( renewTill ) );
}
if ( request.getAddresses() != null && request.getAddresses().getAddresses() != null
&& request.getAddresses().getAddresses().length > 0 )
{
newTicketBody.setClientAddresses( request.getAddresses() );
}
else
{
if ( !config.isEmptyAddressesAllowed() )
{