Package org.apache.directory.shared.kerberos.exceptions

Examples of org.apache.directory.shared.kerberos.exceptions.KerberosException

644
645
646
647
648
649
650
651
652
653
654
        {
            kerberosDecoder.decode( stream, encAsRepPartContainer );
        }
        catch ( DecoderException de )
        {
            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY, de );
        }

        // get the decoded EncAsRepPart
        EncAsRepPart encAsRepPart = ( ( EncAsRepPartContainer ) encAsRepPartContainer ).getEncAsRepPart();
View Full Code Here
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
        if ( !( message instanceof KdcReq ) )
        {
            LOG.error( I18n.err( I18n.ERR_152, ErrorType.KRB_AP_ERR_BADDIRECTION ) );
            LOG_KRB.error( I18n.err( I18n.ERR_152, ErrorType.KRB_AP_ERR_BADDIRECTION ) );

            session.write( getErrorMessage( kdcServer.getConfig().getServicePrincipal(), new KerberosException(
                ErrorType.KRB_AP_ERR_BADDIRECTION ) ) );
            return;
        }

        KdcReq request = ( KdcReq ) message;

        KerberosMessageType messageType = request.getMessageType();

        try
        {
            switch ( messageType )
            {
                case AS_REQ:
                    AuthenticationContext authContext = new AuthenticationContext();
                    authContext.setConfig( kdcServer.getConfig() );
                    authContext.setStore( store );
                    authContext.setClientAddress( clientAddress );
                    authContext.setRequest( request );
                    session.setAttribute( CONTEXT_KEY, authContext );

                    AuthenticationService.execute( authContext );

                    LOG_KRB.debug( "AuthenticationContext for AS_REQ : \n{}", authContext );

                    session.write( authContext.getReply() );
                    break;

                case TGS_REQ:
                    TicketGrantingContext tgsContext = new TicketGrantingContext();
                    tgsContext.setConfig( kdcServer.getConfig() );
                    tgsContext.setReplayCache( kdcServer.getReplayCache() );
                    tgsContext.setStore( store );
                    tgsContext.setClientAddress( clientAddress );
                    tgsContext.setRequest( request );
                    session.setAttribute( CONTEXT_KEY, tgsContext );

                    TicketGrantingService.execute( tgsContext );

                    LOG_KRB.debug( "TGSContext for TGS_REQ : \n {}", tgsContext );

                    session.write( tgsContext.getReply() );
                    break;

                case AS_REP:
                case TGS_REP:
                    throw new KerberosException( ErrorType.KRB_AP_ERR_BADDIRECTION );

                default:
                    throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
            }
        }
        catch ( KerberosException ke )
        {
            String messageText = ke.getLocalizedMessage() + " (" + ke.getErrorCode() + ")";

            LOG.warn( messageText );
            LOG_KRB.warn( messageText );

            KrbError error = getErrorMessage( kdcServer.getConfig().getServicePrincipal(), ke );

            logErrorMessage( error );

            session.write( error );
        }
        catch ( Exception e )
        {
            LOG.error( I18n.err( I18n.ERR_152, e.getLocalizedMessage() ), e );
            LOG_KRB.error( I18n.err( I18n.ERR_152, e.getLocalizedMessage() ), e );

            session.write( getErrorMessage( kdcServer.getConfig().getServicePrincipal(), new KerberosException(
                ErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
        }
    }
View Full Code Here
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
    public TgTicket getTgt( TgtRequest clientTgtReq ) throws KerberosException
    {
        TgTicket tgt = null;
       
        KerberosException ke = null;
       
        for( int i=0; i < 2; i++ )
        {
            ke = null;
           
            try
            {
                tgt = _getTgt( clientTgtReq );
            }
            catch( KerberosException e )
            {
                // using exception for control flow, b.a.d, but here it is better than
                // defining a new Result class to hold ticket and exception and validating
                // the Result instance from _getTgt()
                ke = e;
            }
           
            if( ke != null )
            {
                if ( ke.getErrorCode() == ErrorType.KDC_ERR_PREAUTH_REQUIRED.getValue() )
                {
                    clientTgtReq.setETypes( KdcClientUtil.getEtypesFromError( ke.getError() ) );
                    clientTgtReq.setPreAuthEnabled( true );
                }
            }
        }
       
View Full Code Here
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
            if ( kdcRep == null )
            {
                // We didn't received anything : this is an error
                LOG.error( "Authentication failed : timeout occured" );
                throw new KerberosException( ErrorType.KRB_ERR_GENERIC, TIME_OUT_ERROR );
            }

            if ( kdcRep instanceof KrbError )
            {
                // We have an error
                LOG.debug( "Authentication failed : {}", kdcRep );
                throw new KerberosException( ( KrbError ) kdcRep );
            }

            AsRep rep = ( AsRep ) kdcRep;
           
            if ( !cName.getNameString().equals( rep.getCName().getNameString() ) )
            {
                throw new KerberosException( ErrorType.KDC_ERR_CLIENT_NAME_MISMATCH );
            }
           
            if ( !realm.equals( rep.getCRealm() ) )
            {
                throw new KerberosException( ErrorType.KRB_ERR_WRONG_REALM );
            }
           
            if ( encryptionType != rep.getEncPart().getEType() )
            {
                encryptionType = rep.getEncPart().getEType();
                clientKey = KerberosKeyFactory.string2Key( clientTgtReq.getClientPrincipal(), clientTgtReq.getPassword(), encryptionType );
            }
           
            byte[] decryptedEncAsRepPart = cipherTextHandler.decrypt( clientKey, rep.getEncPart(), KeyUsage.AS_REP_ENC_PART_WITH_CKEY );
           
            EncKdcRepPart encKdcRepPart = null;
            try
            {
                EncAsRepPart encAsRepPart = KerberosDecoder.decodeEncAsRepPart( decryptedEncAsRepPart );
                encKdcRepPart = encAsRepPart.getEncKdcRepPart();
            }
            catch( KerberosException e )
            {
                LOG.info("Trying an encTgsRepPart instead");
                EncTgsRepPart encTgsRepPart = KerberosDecoder.decodeEncTgsRepPart( decryptedEncAsRepPart );
                encKdcRepPart = encTgsRepPart.getEncKdcRepPart();
            }
           
            if ( currentNonce != encKdcRepPart.getNonce() )
            {
                throw new KerberosException( ErrorType.KRB_ERR_GENERIC, "received nonce didn't match with the nonce sent in the request" );
            }
                      
            if ( !encKdcRepPart.getSName().getNameString().equals( clientTgtReq.getSName() ) )
            {
                throw new KerberosException( ErrorType.KDC_ERR_SERVER_NOMATCH );
            }
           
            if ( !encKdcRepPart.getSRealm().equals( clientTgtReq.getRealm() ) )
            {
                throw new KerberosException( ErrorType.KRB_ERR_GENERIC, "received server realm does not match with requested server realm" );
            }
           
            List<HostAddress> hosts = clientTgtReq.getHostAddresses();
           
            if( !hosts.isEmpty() )
            {
                HostAddresses addresses = encKdcRepPart.getClientAddresses();
                for( HostAddress h : hosts )
                {
                    if ( !addresses.contains( h ) )
                    {
                        throw new KerberosException( ErrorType.KRB_ERR_GENERIC, "requested client address" + h + " is not found in the ticket" );
                    }
                }
            }
           
            // Everything is fine, return the response
            LOG.debug( "Authentication successful : {}", kdcRep );
           
            TgTicket tgTicket = new TgTicket( rep.getTicket(), encKdcRepPart, rep.getCName().getNameString() );
           
            return tgTicket;
        }
        catch( KerberosException ke )
        {
            throw ke;
        }
        catch ( Exception e )
        {
            // We didn't received anything : this is an error
            LOG.error( "Authentication failed" );
            throw new KerberosException( ErrorType.KRB_ERR_GENERIC, TIME_OUT_ERROR );
        }
        finally
        {
            if ( channel != null )
            {
View Full Code Here
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
            if ( kdcRep == null )
            {
                // We didn't received anything : this is an error
                LOG.error( "TGT request failed : timeout occured" );
                throw new KerberosException( ErrorType.KRB_ERR_GENERIC, TIME_OUT_ERROR );
            }

            if ( kdcRep instanceof KrbError )
            {
                // We have an error
                LOG.debug( "TGT request failed : {}", kdcRep );
                throw new KerberosException( ( KrbError ) kdcRep );
            }

            TgsRep rep = ( TgsRep ) kdcRep;
            byte[] decryptedData = cipherTextHandler.decrypt( sessionKey, rep.getEncPart(), KeyUsage.TGS_REP_ENC_PART_TGS_SESS_KEY );
            EncTgsRepPart encTgsRepPart = KerberosDecoder.decodeEncTgsRepPart( decryptedData );
           
            if ( currentNonce != encTgsRepPart.getEncKdcRepPart().getNonce() )
            {
                throw new KerberosException( ErrorType.KRB_ERR_GENERIC, "received nonce didn't match with the nonce sent in the request" );
            }
           
           
            // Everything is fine, return the response
            LOG.debug( "TGT request successful : {}", rep );

            ServiceTicket srvTkt = new ServiceTicket( rep.getTicket(), encTgsRepPart.getEncKdcRepPart() );
           
            return srvTkt;
        }
        catch( KerberosException e )
        {
            throw e;
        }
        catch ( Exception te )
        {
            // We didn't receive anything : this is an error
            LOG.error( "TGT request failed : timeout occured" );
            throw new KerberosException( ErrorType.KRB_ERR_GENERIC, TIME_OUT_ERROR );
        }
        finally
        {
            if ( channel != null )
            {
View Full Code Here
113
114
115
116
117
118
119
120
121
122
123
        int kerberosVersion = authContext.getRequest().getProtocolVersionNumber();

        if ( kerberosVersion != KerberosConstants.KERBEROS_V5 )
        {
            LOG_KRB.error( "Kerberos V{} is not supported", kerberosVersion );
            throw new KerberosException( ErrorType.KDC_ERR_BAD_PVNO );
        }

        selectEncryptionType( authContext );
        getClientEntry( authContext );
        verifyPolicy( authContext );
View Full Code Here
152
153
154
155
156
157
158
159
160
161
        LOG_KRB.debug( "Session will use encryption type {}.", bestType );

        if ( bestType == null )
        {
            LOG_KRB.error( "No encryptionType selected !" );
            throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
        }

        kdcContext.setEncryptionType( bestType );
    }
View Full Code Here
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
        PrincipalStoreEntry entry = authContext.getClientEntry();

        if ( entry.isDisabled() )
        {
            LOG_KRB.error( "The entry {} is disabled", entry.getDistinguishedName() );
            throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
        }

        if ( entry.isLockedOut() )
        {
            LOG_KRB.error( "The entry {} is locked out", entry.getDistinguishedName() );
            throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
        }

        if ( entry.getExpiration().getTime() < new Date().getTime() )
        {
            LOG_KRB.error( "The entry {} has been revoked", entry.getDistinguishedName() );
            throw new KerberosException( ErrorType.KDC_ERR_CLIENT_REVOKED );
        }
    }
View Full Code Here
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
            List<PaData> preAuthData = request.getPaData();

            if ( ( preAuthData == null ) || ( preAuthData.size() == 0 ) )
            {
                LOG_KRB.debug( "No PreAuth Data" );
                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
                    authContext.getEncryptionType(), config
                        .getEncryptionTypes() ) );
            }

            try
            {
                for ( PaData paData : preAuthData )
                {
                    if ( paData.getPaDataType().equals( PaDataType.PA_ENC_TIMESTAMP ) )
                    {
                        KerberosKey samKey = SamSubsystem.getInstance().verify( clientEntry,
                            paData.getPaDataValue() );
                        clientKey = new EncryptionKey( EncryptionType.getTypeByValue( samKey.getKeyType() ), samKey
                            .getEncoded() );
                    }
                }
            }
            catch ( SamException se )
            {
                LOG_KRB.error( "Error : {}", se.getMessage() );
                throw new KerberosException( ErrorType.KRB_ERR_GENERIC, se );
            }

            authContext.setClientKey( clientKey );
            authContext.setPreAuthenticated( true );
View Full Code Here
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
            clientKey = clientEntry.getKeyMap().get( encryptionType );

            if ( clientKey == null )
            {
                LOG_KRB.error( "No key for client {}", clientEntry.getDistinguishedName() );
                throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
            }

            if ( config.isPaEncTimestampRequired() )
            {
                List<PaData> preAuthData = request.getPaData();

                if ( preAuthData == null )
                {
                    LOG_KRB.debug( "PRE_AUTH required..." );
                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
                        preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
                }

                PaEncTsEnc timestamp = null;

                for ( PaData paData : preAuthData )
                {
                    if ( paData.getPaDataType().equals( PaDataType.PA_ENC_TIMESTAMP ) )
                    {
                        EncryptedData dataValue = KerberosDecoder.decodeEncryptedData( paData.getPaDataValue() );
                        byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue,
                            KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
                        timestamp = KerberosDecoder.decodePaEncTsEnc( decryptedData );
                    }
                }

                if ( timestamp == null )
                {
                    LOG_KRB.error( "No timestamp found" );
                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
                        preparePreAuthenticationError( authContext.getEncryptionType(), config.getEncryptionTypes() ) );
                }

                if ( !timestamp.getPaTimestamp().isInClockSkew( config.getAllowableClockSkew() ) )
                {
                    LOG_KRB.error( "Timestamp not in delay" );

                    throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_FAILED );
                }

                /*
                 * if(decrypted_enc_timestamp and usec is replay)
                 *         error_out(KDC_ERR_PREAUTH_FAILED);
View Full Code Here
TOP

Related Classes of org.apache.directory.shared.kerberos.exceptions.KerberosException

  • org.apache.directory.kerberos.client.KdcConnection
  • org.apache.directory.kerberos.client.KerberosConnection
  • org.apache.directory.server.changepw.service.ChangePasswordService
  • org.apache.directory.server.kerberos.changepwd.service.ChangePasswordService
  • org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService
  • org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService
  • org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder
  • org.apache.directory.server.kerberos.protocol.KerberosDecoder
  • org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler
  • org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.