83 byte[] krbCredMessage = null; |
83 byte[] krbCredMessage = null; |
84 int pos = 0; |
84 int pos = 0; |
85 int size = CHECKSUM_LENGTH_SIZE + CHECKSUM_BINDINGS_SIZE + |
85 int size = CHECKSUM_LENGTH_SIZE + CHECKSUM_BINDINGS_SIZE + |
86 CHECKSUM_FLAGS_SIZE; |
86 CHECKSUM_FLAGS_SIZE; |
87 |
87 |
|
88 if (!tgt.isForwardable()) { |
|
89 context.setCredDelegState(false); |
|
90 context.setDelegPolicyState(false); |
|
91 } else if (context.getCredDelegState()) { |
|
92 if (context.getDelegPolicyState()) { |
|
93 if (!serviceTicket.checkDelegate()) { |
|
94 // delegation not permitted by server policy, mark it |
|
95 context.setDelegPolicyState(false); |
|
96 } |
|
97 } |
|
98 } else if (context.getDelegPolicyState()) { |
|
99 if (serviceTicket.checkDelegate()) { |
|
100 context.setCredDelegState(true); |
|
101 } else { |
|
102 context.setDelegPolicyState(false); |
|
103 } |
|
104 } |
|
105 |
88 if (context.getCredDelegState()) { |
106 if (context.getCredDelegState()) { |
89 if (context.getCaller() instanceof HttpCaller && |
107 KrbCred krbCred = null; |
90 !serviceTicket.getFlags()[Krb5.TKT_OPTS_DELEGATE]) { |
108 CipherHelper cipherHelper = |
91 // When the caller is HTTP/SPNEGO and OK-AS-DELEGATE |
109 context.getCipherHelper(serviceTicket.getSessionKey()); |
92 // is not present in the service ticket, delegation |
110 if (useNullKey(cipherHelper)) { |
93 // is disabled. |
111 krbCred = new KrbCred(tgt, serviceTicket, |
94 context.setCredDelegState(false); |
112 EncryptionKey.NULL_KEY); |
95 } else if (!tgt.isForwardable()) { |
|
96 // XXX log this resetting of delegation state |
|
97 context.setCredDelegState(false); |
|
98 } else { |
113 } else { |
99 KrbCred krbCred = null; |
114 krbCred = new KrbCred(tgt, serviceTicket, |
100 CipherHelper cipherHelper = |
115 serviceTicket.getSessionKey()); |
101 context.getCipherHelper(serviceTicket.getSessionKey()); |
116 } |
102 if (useNullKey(cipherHelper)) { |
117 krbCredMessage = krbCred.getMessage(); |
103 krbCred = new KrbCred(tgt, serviceTicket, |
118 size += CHECKSUM_DELEG_OPT_SIZE + |
104 EncryptionKey.NULL_KEY); |
119 CHECKSUM_DELEG_LGTH_SIZE + |
105 } else { |
120 krbCredMessage.length; |
106 krbCred = new KrbCred(tgt, serviceTicket, |
|
107 serviceTicket.getSessionKey()); |
|
108 } |
|
109 krbCredMessage = krbCred.getMessage(); |
|
110 size += CHECKSUM_DELEG_OPT_SIZE + |
|
111 CHECKSUM_DELEG_LGTH_SIZE + |
|
112 krbCredMessage.length; |
|
113 } |
|
114 } |
121 } |
115 |
122 |
116 checksumBytes = new byte[size]; |
123 checksumBytes = new byte[size]; |
117 |
124 |
118 checksumBytes[pos++] = CHECKSUM_FIRST_BYTES[0]; |
125 checksumBytes[pos++] = CHECKSUM_FIRST_BYTES[0]; |
294 |
301 |
295 public Credentials getDelegatedCreds() { |
302 public Credentials getDelegatedCreds() { |
296 return delegCreds; |
303 return delegCreds; |
297 } |
304 } |
298 |
305 |
|
306 // Only called by acceptor |
299 public void setContextFlags(Krb5Context context) { |
307 public void setContextFlags(Krb5Context context) { |
300 // default for cred delegation is false |
308 // default for cred delegation is false |
301 if ((flags & CHECKSUM_DELEG_FLAG) > 0) |
309 if ((flags & CHECKSUM_DELEG_FLAG) > 0) |
302 context.setCredDelegState(true); |
310 context.setCredDelegState(true); |
303 // default for the following are true |
311 // default for the following are true |
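Review bot: The delegation decision at new lines 88–104 no longer contains the old check that cleared the delegation state for an `HttpCaller` when the service ticket lacks OK-AS-DELEGATE, so in the `else if (context.getCredDelegState())` branch a failed `serviceTicket.checkDelegate()` only clears the policy state and the `KrbCred` carrying the TGT is still built at new lines 106–120. If HTTP/SPNEGO callers are now meant to request delegation through the policy state instead, that is not visible in these lines and is worth confirming, since otherwise a forwardable TGT is sent to a service the KDC has not marked as trusted for delegation. The old `// XXX log this resetting of delegation state` marker was also dropped without a log being added; a debug message in the `!tgt.isForwardable()` branch, or at least a comment such as `// TGT not forwardable: delegation cannot happen, clear both requested states`, would make the silent downgrade traceable. The enclosing method starts and ends outside the visible lines.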