Examples of org.apache.directory.shared.kerberos.exceptions.KerberosException

Package org.apache.directory.shared.kerberos.exceptions

Examples of org.apache.directory.shared.kerberos.exceptions.KerberosException

org.apache.directory.shared.kerberos.exceptions.KerberosException
The root of the Kerberos exception hierarchy. @author Apache Directory Project

            if ( !writeFuture.awaitUninterruptibly( timeout ) )
            {
                // We didn't received anything : this is an error
                LOG.error( "Search failed : timeout occured" );


                throw new KerberosException( ErrorType.KRB_ERR_GENERIC, "operation timed out" );
            }


            return repFuture;
        }
        catch ( Exception e )
        {
            e.printStackTrace();
            throw new KerberosException( ErrorType.KRB_ERR_GENERIC, e );
        }
    }

View Full Code Here

    {
        tgsContext.setCipherTextHandler( cipherTextHandler );


        if ( tgsContext.getRequest().getProtocolVersionNumber() != KerberosConstants.KERBEROS_V5 )
        {
            throw new KerberosException( ErrorType.KDC_ERR_BAD_PVNO );
        }
    }

View Full Code Here


        LOG.debug( "Session will use encryption type {}.", bestType );


        if ( bestType == null )
        {
            throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );
        }


        kdcContext.setEncryptionType( bestType );
    }

View Full Code Here

    {
        KdcReq request = tgsContext.getRequest();


        if ( ( request.getPaData() == null ) || ( request.getPaData().size() < 1 ) )
        {
            throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
        }


        byte[] undecodedAuthHeader = null;


        for ( PaData paData : request.getPaData() )
        {
            if ( paData.getPaDataType() == PaDataType.PA_TGS_REQ )
            {
                undecodedAuthHeader = paData.getPaDataValue();
            }
        }


        if ( undecodedAuthHeader == null )
        {
            throw new KerberosException( ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP );
        }


        ApReq authHeader = KerberosDecoder.decodeApReq( undecodedAuthHeader );


        Ticket tgt = authHeader.getTicket();

View Full Code Here

        Ticket tgt = tgsContext.getTgt();


        // Check primary realm.
        if ( !tgt.getRealm().equals( config.getPrimaryRealm() ) )
        {
            throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
        }


        String tgtServerName = KerberosUtils.getKerberosPrincipal( tgt.getSName(), tgt.getRealm() ).getName();
        String requestServerName = KerberosUtils.getKerberosPrincipal(
            tgsContext.getRequest().getKdcReqBody().getSName(), tgsContext.getRequest().getKdcReqBody().getRealm() )
            .getName();


        /*
         * if (tgt.sname is not a TGT for local realm and is not req.sname)
         *     then error_out(KRB_AP_ERR_NOT_US);
         */
        if ( !tgtServerName.equals( config.getServicePrincipal().getName() )
            && !tgtServerName.equals( requestServerName ) )
        {
            throw new KerberosException( ErrorType.KRB_AP_ERR_NOT_US );
        }
    }

View Full Code Here

            {
                body.encode( buf );
            }
            catch ( EncoderException e )
            {
                throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
            }


            byte[] bodyBytes = buf.array();
            Checksum authenticatorChecksum = tgsContext.getAuthenticator().getCksum();


            if ( authenticatorChecksum != null )
            {
                // we need the session key
                Ticket tgt = tgsContext.getTgt();
                EncTicketPart encTicketPart = tgt.getEncTicketPart();
                EncryptionKey sessionKey = encTicketPart.getKey();
                
                if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null
                    || authenticatorChecksum.getChecksumValue() == null || bodyBytes == null )
                {
                    throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
                }
                
                LOG.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() );
                
                checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, sessionKey.getKeyValue(),

View Full Code Here

        {
            Ticket[] additionalTkts = tgsContext.getRequest().getKdcReqBody().getAdditionalTickets();


            if( additionalTkts == null || additionalTkts.length == 0 )
            {
                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
            }
            
            Ticket additionalTgt = additionalTkts[0];
            // reject if it is not a TGT
            if( !additionalTgt.getEncTicketPart().getFlags().isInitial() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }
            
            serverKey = additionalTgt.getEncTicketPart().getKey();
            /*
             * if (server not specified) then

View Full Code Here


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.FORWARDABLE ) )
        {
            if ( !config.isForwardableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            if ( !tgt.getEncTicketPart().getFlags().isForwardable() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
            }


            newTicketPart.setFlag( TicketFlag.FORWARDABLE );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.FORWARDED ) )
        {
            if ( !config.isForwardableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            if ( !tgt.getEncTicketPart().getFlags().isForwardable() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
            }


            if ( request.getKdcReqBody().getAddresses() != null
                && request.getKdcReqBody().getAddresses().getAddresses() != null
                && request.getKdcReqBody().getAddresses().getAddresses().length > 0 )
            {
                newTicketPart.setClientAddresses( request.getKdcReqBody().getAddresses() );
            }
            else
            {
                if ( !config.isEmptyAddressesAllowed() )
                {
                    throw new KerberosException( ErrorType.KDC_ERR_POLICY );
                }
            }


            newTicketPart.setFlag( TicketFlag.FORWARDED );
        }


        if ( tgt.getEncTicketPart().getFlags().isForwarded() )
        {
            newTicketPart.setFlag( TicketFlag.FORWARDED );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXIABLE ) )
        {
            if ( !config.isProxiableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            if ( !tgt.getEncTicketPart().getFlags().isProxiable() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
            }


            newTicketPart.setFlag( TicketFlag.PROXIABLE );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.PROXY ) )
        {
            if ( !config.isProxiableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            if ( !tgt.getEncTicketPart().getFlags().isProxiable() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
            }


            if ( request.getKdcReqBody().getAddresses() != null
                && request.getKdcReqBody().getAddresses().getAddresses() != null
                && request.getKdcReqBody().getAddresses().getAddresses().length > 0 )
            {
                newTicketPart.setClientAddresses( request.getKdcReqBody().getAddresses() );
            }
            else
            {
                if ( !config.isEmptyAddressesAllowed() )
                {
                    throw new KerberosException( ErrorType.KDC_ERR_POLICY );
                }
            }


            newTicketPart.setFlag( TicketFlag.PROXY );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.ALLOW_POSTDATE ) )
        {
            if ( !config.isPostdatedAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            if ( !tgt.getEncTicketPart().getFlags().isMayPosdate() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
            }


            newTicketPart.setFlag( TicketFlag.MAY_POSTDATE );
        }


        /*
         * "Otherwise, if the TGT has the MAY-POSTDATE flag set, then the resulting
         * ticket will be postdated, and the requested starttime is checked against
         * the policy of the local realm.  If acceptable, the ticket's starttime is
         * set as requested, and the INVALID flag is set.  The postdated ticket MUST
         * be validated before use by presenting it to the KDC after the starttime
         * has been reached.  However, in no case may the starttime, endtime, or
         * renew-till time of a newly-issued postdated ticket extend beyond the
         * renew-till time of the TGT."
         */
        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.POSTDATED ) )
        {
            if ( !config.isPostdatedAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            if ( !tgt.getEncTicketPart().getFlags().isMayPosdate() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
            }


            newTicketPart.setFlag( TicketFlag.POSTDATED );
            newTicketPart.setFlag( TicketFlag.INVALID );


            newTicketPart.setStartTime( request.getKdcReqBody().getFrom() );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.VALIDATE ) )
        {
            if ( !config.isPostdatedAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            if ( !tgt.getEncTicketPart().getFlags().isInvalid() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            KerberosTime startTime = ( tgt.getEncTicketPart().getStartTime() != null ) ?
                tgt.getEncTicketPart().getStartTime() :
                tgt.getEncTicketPart().getAuthTime();


            if ( startTime.greaterThan( new KerberosTime() ) )
            {
                throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_NYV );
            }


            echoTicket( newTicketPart, tgt );
            newTicketPart.getFlags().clearFlag( TicketFlag.INVALID );
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_0 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_7 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_9 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_10 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_11 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_12 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_13 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_14 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_15 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_16 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_17 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_18 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_19 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_20 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_21 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_22 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_23 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_24 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_25 ) ||
            request.getKdcReqBody().getKdcOptions().get( KdcOptions.RESERVED_29 ) )
        {
            throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
        }
    }

View Full Code Here

            && startTime.greaterThan( now )
            && !startTime.isInClockSkew( config.getAllowableClockSkew() )
            && ( !request.getKdcReqBody().getKdcOptions().get( KdcOptions.POSTDATED ) || !tgt.getEncTicketPart()
                .getFlags().isMayPosdate() ) )
        {
            throw new KerberosException( ErrorType.KDC_ERR_CANNOT_POSTDATE );
        }


        KerberosTime renewalTime = null;
        KerberosTime kerberosEndTime = null;


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEW ) )
        {
            if ( !config.isRenewableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            if ( !tgt.getEncTicketPart().getFlags().isRenewable() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_BADOPTION );
            }


            if ( tgt.getEncTicketPart().getRenewTill().lessThan( now ) )
            {
                throw new KerberosException( ErrorType.KRB_AP_ERR_TKT_EXPIRED );
            }


            echoTicket( newTicketPart, tgt );


            newTicketPart.setStartTime( now );


            KerberosTime tgtStartTime = ( tgt.getEncTicketPart().getStartTime() != null ) ?
                tgt.getEncTicketPart().getStartTime() :
                tgt.getEncTicketPart().getAuthTime();


            long oldLife = tgt.getEncTicketPart().getEndTime().getTime() - tgtStartTime.getTime();


            kerberosEndTime = new KerberosTime( Math.min( tgt.getEncTicketPart().getRenewTill().getTime(),
                now.getTime() + oldLife ) );
            newTicketPart.setEndTime( kerberosEndTime );
        }
        else
        {
            if ( newTicketPart.getStartTime() == null )
            {
                newTicketPart.setStartTime( now );
            }


            KerberosTime till;
            if ( request.getKdcReqBody().getTill().isZero() )
            {
                till = KerberosTime.INFINITY;
            }
            else
            {
                till = request.getKdcReqBody().getTill();
            }


            /*
             * The end time is the minimum of (a) the requested till time or (b)
             * the start time plus maximum lifetime as configured in policy or (c)
             * the end time of the TGT.
             */
            List<KerberosTime> minimizer = new ArrayList<KerberosTime>();
            minimizer.add( till );
            minimizer.add( new KerberosTime( startTime.getTime() + config.getMaximumTicketLifetime() ) );
            minimizer.add( tgt.getEncTicketPart().getEndTime() );
            kerberosEndTime = Collections.min( minimizer );


            newTicketPart.setEndTime( kerberosEndTime );


            if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEWABLE_OK )
                && kerberosEndTime.lessThan( request.getKdcReqBody().getTill() )
                && tgt.getEncTicketPart().getFlags().isRenewable() )
            {
                if ( !config.isRenewableAllowed() )
                {
                    throw new KerberosException( ErrorType.KDC_ERR_POLICY );
                }


                // We set the RENEWABLE option for later processing.
                request.getKdcReqBody().getKdcOptions().set( KdcOptions.RENEWABLE );
                long rtime = Math.min( request.getKdcReqBody().getTill().getTime(), tgt.getEncTicketPart()
                    .getRenewTill().getTime() );
                renewalTime = new KerberosTime( rtime );
            }
        }


        if ( renewalTime == null )
        {
            renewalTime = request.getKdcReqBody().getRTime();
        }


        KerberosTime rtime;
        if ( renewalTime != null && renewalTime.isZero() )
        {
            rtime = KerberosTime.INFINITY;
        }
        else
        {
            rtime = renewalTime;
        }


        if ( request.getKdcReqBody().getKdcOptions().get( KdcOptions.RENEWABLE )
            && tgt.getEncTicketPart().getFlags().isRenewable() )
        {
            if ( !config.isRenewableAllowed() )
            {
                throw new KerberosException( ErrorType.KDC_ERR_POLICY );
            }


            newTicketPart.setFlag( TicketFlag.RENEWABLE );


            /*
             * The renew-till time is the minimum of (a) the requested renew-till
             * time or (b) the start time plus maximum renewable lifetime as
             * configured in policy or (c) the renew-till time of the TGT.
             */
            List<KerberosTime> minimizer = new ArrayList<KerberosTime>();


            /*
             * 'rtime' KerberosTime is OPTIONAL
             */
            if ( rtime != null )
            {
                minimizer.add( rtime );
            }


            minimizer.add( new KerberosTime( startTime.getTime() + config.getMaximumRenewableLifetime() ) );
            minimizer.add( tgt.getEncTicketPart().getRenewTill() );
            newTicketPart.setRenewTill( Collections.min( minimizer ) );
        }


        /*
         * "If the requested expiration time minus the starttime (as determined
         * above) is less than a site-determined minimum lifetime, an error
         * message with code KDC_ERR_NEVER_VALID is returned."
         */
        if ( kerberosEndTime.lessThan( startTime ) )
        {
            throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
        }


        long ticketLifeTime = Math.abs( startTime.getTime() - kerberosEndTime.getTime() );
        if ( ticketLifeTime < config.getAllowableClockSkew() )
        {
            throw new KerberosException( ErrorType.KDC_ERR_NEVER_VALID );
        }
    }

View Full Code Here

        {
            entry = store.getPrincipal( principal );
        }
        catch ( Exception e )
        {
            throw new KerberosException( errorType, e );
        }


        if ( entry == null )
        {
            throw new KerberosException( errorType );
        }


        if ( entry.getKeyMap() == null || entry.getKeyMap().isEmpty() )
        {
            throw new KerberosException( ErrorType.KDC_ERR_NULL_KEY );
        }


        return entry;
    }

View Full Code Here

0 1 2 3 4 5 6 7 8 9

TOP

Related Classes of org.apache.directory.shared.kerberos.exceptions.KerberosException

org.apache.directory.kerberos.client.KdcConnection

org.apache.directory.kerberos.client.KerberosConnection

org.apache.directory.server.changepw.service.ChangePasswordService

org.apache.directory.server.kerberos.changepwd.service.ChangePasswordService

org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService

org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService

org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder

org.apache.directory.server.kerberos.protocol.KerberosDecoder

org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler

org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.