73 null, // AuthorizationData authorizationData |
73 null, // AuthorizationData authorizationData |
74 null, // Ticket[] additionalTickets |
74 null, // Ticket[] additionalTickets |
75 null); // EncryptionKey subSessionKey |
75 null); // EncryptionKey subSessionKey |
76 } |
76 } |
77 |
77 |
78 // Called by Credentials, KrbCred |
78 // Called by Credentials, KrbCred |
79 KrbTgsReq( |
79 KrbTgsReq( |
80 KDCOptions options, |
80 KDCOptions options, |
81 Credentials asCreds, |
81 Credentials asCreds, |
82 PrincipalName sname, |
82 PrincipalName sname, |
83 KerberosTime from, |
83 KerberosTime from, |
84 KerberosTime till, |
84 KerberosTime till, |
85 KerberosTime rtime, |
85 KerberosTime rtime, |
86 int[] eTypes, |
86 int[] eTypes, |
87 HostAddresses addresses, |
87 HostAddresses addresses, |
88 AuthorizationData authorizationData, |
88 AuthorizationData authorizationData, |
89 Ticket[] additionalTickets, |
89 Ticket[] additionalTickets, |
90 EncryptionKey subKey) throws KrbException, IOException { |
90 EncryptionKey subKey) throws KrbException, IOException { |
91 |
91 |
92 princName = asCreds.client; |
92 princName = asCreds.client; |
93 servName = sname; |
93 servName = sname; |
94 ctime = new KerberosTime(KerberosTime.NOW); |
94 ctime = new KerberosTime(KerberosTime.NOW); |
95 |
95 |
96 |
96 |
97 // check if they are valid arguments. The optional fields |
97 // check if they are valid arguments. The optional fields |
98 // should be consistent with settings in KDCOptions. |
98 // should be consistent with settings in KDCOptions. |
99 if (options.get(KDCOptions.FORWARDABLE) && |
99 if (options.get(KDCOptions.FORWARDABLE) && |
100 (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) { |
100 (!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) { |
101 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
101 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
102 } |
102 } |
103 if (options.get(KDCOptions.FORWARDED)) { |
103 if (options.get(KDCOptions.FORWARDED)) { |
104 if (!(asCreds.flags.get(KDCOptions.FORWARDABLE))) |
104 if (!(asCreds.flags.get(KDCOptions.FORWARDABLE))) |
105 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
105 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
106 } |
106 } |
107 if (options.get(KDCOptions.PROXIABLE) && |
107 if (options.get(KDCOptions.PROXIABLE) && |
108 (!(asCreds.flags.get(Krb5.TKT_OPTS_PROXIABLE)))) { |
108 (!(asCreds.flags.get(Krb5.TKT_OPTS_PROXIABLE)))) { |
109 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
109 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
110 } |
110 } |
111 if (options.get(KDCOptions.PROXY)) { |
111 if (options.get(KDCOptions.PROXY)) { |
112 if (!(asCreds.flags.get(KDCOptions.PROXIABLE))) |
112 if (!(asCreds.flags.get(KDCOptions.PROXIABLE))) |
113 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
113 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
114 } |
114 } |
115 if (options.get(KDCOptions.ALLOW_POSTDATE) && |
115 if (options.get(KDCOptions.ALLOW_POSTDATE) && |
116 (!(asCreds.flags.get(Krb5.TKT_OPTS_MAY_POSTDATE)))) { |
116 (!(asCreds.flags.get(Krb5.TKT_OPTS_MAY_POSTDATE)))) { |
117 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
117 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
118 } |
118 } |
119 if (options.get(KDCOptions.RENEWABLE) && |
119 if (options.get(KDCOptions.RENEWABLE) && |
120 (!(asCreds.flags.get(Krb5.TKT_OPTS_RENEWABLE)))) { |
120 (!(asCreds.flags.get(Krb5.TKT_OPTS_RENEWABLE)))) { |
121 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
121 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
122 } |
122 } |
123 |
123 |
124 if (options.get(KDCOptions.POSTDATED)) { |
124 if (options.get(KDCOptions.POSTDATED)) { |
125 if (!(asCreds.flags.get(KDCOptions.POSTDATED))) |
125 if (!(asCreds.flags.get(KDCOptions.POSTDATED))) |
126 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
126 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
127 } else { |
127 } else { |
128 if (from != null) from = null; |
128 if (from != null) from = null; |
129 } |
129 } |
130 if (options.get(KDCOptions.RENEWABLE)) { |
130 if (options.get(KDCOptions.RENEWABLE)) { |
131 if (!(asCreds.flags.get(KDCOptions.RENEWABLE))) |
131 if (!(asCreds.flags.get(KDCOptions.RENEWABLE))) |
132 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
132 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
133 } else { |
133 } else { |
134 if (rtime != null) rtime = null; |
134 if (rtime != null) rtime = null; |
135 } |
135 } |
136 if (options.get(KDCOptions.ENC_TKT_IN_SKEY)) { |
136 if (options.get(KDCOptions.ENC_TKT_IN_SKEY)) { |
137 if (additionalTickets == null) |
137 if (additionalTickets == null) |
138 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
138 throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS); |
139 // in TGS_REQ there could be more than one additional |
139 // in TGS_REQ there could be more than one additional |
140 // tickets, but in file-based credential cache, |
140 // tickets, but in file-based credential cache, |
141 // there is only one additional ticket field. |
141 // there is only one additional ticket field. |
142 secondTicket = additionalTickets[0]; |
142 secondTicket = additionalTickets[0]; |
143 } else { |
143 } else { |
144 if (additionalTickets != null) |
144 if (additionalTickets != null) |
145 additionalTickets = null; |
145 additionalTickets = null; |
146 } |
146 } |
147 |
147 |
148 tgsReqMessg = createRequest( |
148 tgsReqMessg = createRequest( |
149 options, |
149 options, |
150 asCreds.ticket, |
150 asCreds.ticket, |
151 asCreds.key, |
151 asCreds.key, |
152 ctime, |
152 ctime, |
153 princName, |
153 princName, |
154 princName.getRealm(), |
154 princName.getRealm(), |
155 servName, |
155 servName, |
156 from, |
156 from, |
157 till, |
157 till, |
158 rtime, |
158 rtime, |
159 eTypes, |
159 eTypes, |
160 addresses, |
160 addresses, |
161 authorizationData, |
161 authorizationData, |
162 additionalTickets, |
162 additionalTickets, |
163 subKey); |
163 subKey); |
164 obuf = tgsReqMessg.asn1Encode(); |
164 obuf = tgsReqMessg.asn1Encode(); |
165 |
165 |
166 // XXX We need to revisit this to see if can't move it |
166 // XXX We need to revisit this to see if can't move it |
167 // up such that FORWARDED flag set in the options |
167 // up such that FORWARDED flag set in the options |
168 // is included in the marshaled request. |
168 // is included in the marshaled request. |
169 /* |
169 /* |
170 * If this is based on a forwarded ticket, record that in the |
170 * If this is based on a forwarded ticket, record that in the |
171 * options, because the returned TgsRep will contain the |
171 * options, because the returned TgsRep will contain the |
172 * FORWARDED flag set. |
172 * FORWARDED flag set. |
173 */ |
173 */ |
174 if (asCreds.flags.get(KDCOptions.FORWARDED)) |
174 if (asCreds.flags.get(KDCOptions.FORWARDED)) |
175 options.set(KDCOptions.FORWARDED, true); |
175 options.set(KDCOptions.FORWARDED, true); |
176 |
176 |
177 |
177 |
178 } |
178 } |
179 |
179 |
180 /** |
180 /** |
181 * Sends a TGS request to the realm of the target. |
181 * Sends a TGS request to the realm of the target. |
182 * @throws KrbException |
182 * @throws KrbException |
183 * @throws IOException |
183 * @throws IOException |