Package org.apache.directory.server.kerberos

Examples of org.apache.directory.server.kerberos.KerberosConfig

162
163
164
165
166
167
168
169
170
171
172
173
174
175
176

    private static void selectEncryptionType( TicketGrantingContext tgsContext ) throws Exception
    {
        KdcContext kdcContext = tgsContext;
        KerberosConfig config = kdcContext.getConfig();

        Set<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();

        EncryptionType bestType = KerberosUtils.getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );

        LOG_KRB.debug( "Session will use encryption type {}.", bestType );

        if ( bestType == null )
        {
View Full Code Here
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
    }


    public static void verifyTgt( TicketGrantingContext tgsContext ) throws KerberosException
    {
        KerberosConfig config = tgsContext.getConfig();
        Ticket tgt = tgsContext.getTgt();

        // Check primary realm.
        if ( !tgt.getRealm().equals( config.getPrimaryRealm() ) )
        {
            throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
        }

        String tgtServerName = KerberosUtils.getKerberosPrincipal( tgt.getSName(), tgt.getRealm() ).getName();
        String requestServerName = KerberosUtils.getKerberosPrincipal(
            tgsContext.getRequest().getKdcReqBody().getSName(), tgsContext.getRequest().getKdcReqBody().getRealm() )
            .getName();

        /*
         * if (tgt.sname is not a TGT for local realm and is not req.sname)
         *     then error_out(KRB_AP_ERR_NOT_US);
         */
        if ( !tgtServerName.equals( config.getServicePrincipal().getName() )
            && !tgtServerName.equals( requestServerName ) )
        {
            throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
        }
    }
View Full Code Here
285
286
287
288
289
290
291
292
293
294
295
296
297
     * <li>Section 3.3.2. Receipt of KRB_TGS_REQ Message -> 2nd paragraph
     * <li>Section 5.5.1. KRB_AP_REQ Definition -> Authenticator -> cksum
     */
    private static void verifyBodyChecksum( TicketGrantingContext tgsContext ) throws KerberosException
    {
        KerberosConfig config = tgsContext.getConfig();

        if ( config.isBodyChecksumVerified() )
        {
            KdcReqBody body = tgsContext.getRequest().getKdcReqBody();
            // FIXME how this byte[] is computed??
            // is it full ASN.1 encoded bytes OR just the bytes of all the values alone?
            // for now am using the ASN.1 encoded value
View Full Code Here
352
353
354
355
356
357
358
359
360
361
362
            request.getKdcReqBody().getSName(), request.getKdcReqBody().getRealm() );

        EncryptionType encryptionType = tgsContext.getEncryptionType();
        EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getKeyMap().get( encryptionType );

        KerberosConfig config = tgsContext.getConfig();

        tgsContext.getRequest().getKdcReqBody().getAdditionalTickets();

        EncTicketPart newTicketPart = new EncTicketPart();
View Full Code Here
71
72
73
74
75
76
77
    /**
     * Creates a new instance of KdcServer with the default configuration.
     */
    public KdcServer()
    {
        this( new KerberosConfig() );
    }
View Full Code Here
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
       
        KdcServer server = ServerAnnotationProcessor.getKdcServer( directoryService, AvailablePortFinder.getNextAvailable( 1024 ) );

        assertEquals( 2, server.getTransports().length );
       
        KerberosConfig config = server.getConfig();
        assertEquals( directoryService, server.getDirectoryService() );
        assertEquals( "apache.org", config.getPrimaryRealm() );
        assertEquals( "krbtgt/apache.org@apache.org", config.getServicePrincipal().getName() );
        assertEquals( 1000, config.getMaximumTicketLifetime() );
        assertEquals( 2000, config.getMaximumRenewableLifetime() );
       
        server.stop();
        directoryService.shutdown();

        FileUtils.deleteDirectory( directoryService.getInstanceLayout().getInstanceDirectory() );
View Full Code Here
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
        if ( createKdcServer == null )
        {
            return null;
        }

        KerberosConfig kdcConfig = new KerberosConfig();
        kdcConfig.setServicePrincipal( createKdcServer.kdcPrincipal() );
        kdcConfig.setPrimaryRealm( createKdcServer.primaryRealm() );
        kdcConfig.setMaximumTicketLifetime( createKdcServer.maxTicketLifetime() );
        kdcConfig.setMaximumRenewableLifetime( createKdcServer.maxRenewableLifetime() );

        KdcServer kdcServer = new KdcServer( kdcConfig );

        kdcServer.setSearchBaseDn( createKdcServer.searchBaseDn() );
View Full Code Here
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
        InvalidTicketException
    {

        LOG_KRB.debug( "--> Selecting the EncryptionType" );
        KdcContext kdcContext = authContext;
        KerberosConfig config = kdcContext.getConfig();

        Set<EncryptionType> requestedTypes = kdcContext.getRequest().getKdcReqBody().getEType();
        LOG_KRB.debug( "Encryption types requested by client {}.", requestedTypes );

        EncryptionType bestType = KerberosUtils.getBestEncryptionType( requestedTypes, config.getEncryptionTypes() );

        LOG_KRB.debug( "Session will use encryption type {}.", bestType );

        if ( bestType == null )
        {
View Full Code Here
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
    private static void verifySam( AuthenticationContext authContext ) throws KerberosException, InvalidTicketException
    {
        LOG_KRB.debug( "--> Verifying using SAM subsystem." );
        KdcReq request = authContext.getRequest();
        KerberosConfig config = authContext.getConfig();

        PrincipalStoreEntry clientEntry = authContext.getClientEntry();
        String clientName = clientEntry.getPrincipal().getName();

        EncryptionKey clientKey = null;

        if ( clientEntry.getSamType() != null )
        {
            if ( LOG_KRB.isDebugEnabled() )
            {
                LOG_KRB
                    .debug(
                        "Entry for client principal {} has a valid SAM type.  Invoking SAM subsystem for pre-authentication.",
                        clientName );
            }

            List<PaData> preAuthData = request.getPaData();

            if ( ( preAuthData == null ) || ( preAuthData.size() == 0 ) )
            {
                LOG_KRB.debug( "No PreAuth Data" );
                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
                    authContext.getEncryptionType(), config
                        .getEncryptionTypes() ) );
            }

            try
            {
View Full Code Here
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
    private static void verifyEncryptedTimestamp( AuthenticationContext authContext ) throws KerberosException,
        InvalidTicketException
    {
        LOG_KRB.debug( "--> Verifying using encrypted timestamp." );

        KerberosConfig config = authContext.getConfig();
        KdcReq request = authContext.getRequest();
        CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
        PrincipalStoreEntry clientEntry = authContext.getClientEntry();
        String clientName = clientEntry.getPrincipal().getName();

        EncryptionKey clientKey = null;

        if ( clientEntry.getSamType() == null )
        {
            LOG_KRB.debug(
                "Entry for client principal {} has no SAM type.  Proceeding with standard pre-authentication.",
                clientName );

            EncryptionType encryptionType = authContext.getEncryptionType();
            clientKey = clientEntry.getKeyMap().get( encryptionType );

            if ( clientKey == null )
            {
                LOG_KRB.error( "No key for client {}", clientEntry.getDistinguishedName() );
                throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
            }

            if ( config.isPaEncTimestampRequired() )
            {
                List<PaData> preAuthData = request.getPaData();

                if ( preAuthData == null )
                {
                    LOG_KRB.debug( "PRE_AUTH required..." );
                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
                        preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
                }

                PaEncTsEnc timestamp = null;

                for ( PaData paData : preAuthData )
                {
                    if ( paData.getPaDataType().equals( PaDataType.PA_ENC_TIMESTAMP ) )
                    {
                        EncryptedData dataValue = KerberosDecoder.decodeEncryptedData( paData.getPaDataValue() );
                        byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue,
                            KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
                        timestamp = KerberosDecoder.decodePaEncTsEnc( decryptedData );
                    }
                }

                if ( timestamp == null )
                {
                    LOG_KRB.error( "No timestamp found" );
                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
                        preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
                }

                if ( !timestamp.getPaTimestamp().isInClockSkew( config.getAllowableClockSkew() ) )
                {
                    LOG_KRB.error( "Timestamp not in delay" );

                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_FAILED );
                }
View Full Code Here
TOP

Related Classes of org.apache.directory.server.kerberos.KerberosConfig

  • io.undertow.server.security.KerberosKDCUtil
  • org.apache.directory.server.config.builder.ServiceBuilder
  • org.apache.directory.server.factory.CreateKdcServerAnnotationTest
  • org.apache.directory.server.factory.ServerAnnotationProcessor
  • org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService
  • org.apache.directory.server.kerberos.kdc.KdcServer
  • org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService
  • org.jboss.as.test.integration.security.common.KDCServerAnnotationProcessor
  • javax.security.auth.kerberos.KerberosPrincipal
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.