1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20 package org.apache.directory.server.kerberos.protocol;
21
22
23 import java.net.InetAddress;
24 import java.net.InetSocketAddress;
25
26 import javax.security.auth.kerberos.KerberosPrincipal;
27
28 import org.apache.directory.api.ldap.model.constants.Loggers;
29 import org.apache.directory.server.i18n.I18n;
30 import org.apache.directory.server.kerberos.kdc.KdcServer;
31 import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
32 import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService;
33 import org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingContext;
34 import org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService;
35 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
36 import org.apache.directory.shared.kerberos.KerberosMessageType;
37 import org.apache.directory.shared.kerberos.KerberosTime;
38 import org.apache.directory.shared.kerberos.components.KdcReq;
39 import org.apache.directory.shared.kerberos.components.PrincipalName;
40 import org.apache.directory.shared.kerberos.exceptions.ErrorType;
41 import org.apache.directory.shared.kerberos.exceptions.KerberosException;
42 import org.apache.directory.shared.kerberos.messages.KrbError;
43 import org.apache.mina.core.service.IoHandlerAdapter;
44 import org.apache.mina.core.session.IdleStatus;
45 import org.apache.mina.core.session.IoSession;
46 import org.slf4j.Logger;
47 import org.slf4j.LoggerFactory;
48
49
50
51
52
53
54
55
56 public class KerberosProtocolHandler extends IoHandlerAdapter
57 {
58
59 private static final Logger LOG = LoggerFactory.getLogger( KerberosProtocolHandler.class );
60 private static final Logger LOG_KRB = LoggerFactory.getLogger( Loggers.KERBEROS_LOG.getName() );
61
62
63 private KdcServer kdcServer;
64
65
66 private PrincipalStore store;
67
68 private static final String CONTEXT_KEY = "context";
69
70
71
72
73
74
75
76
77 public KerberosProtocolHandler( KdcServer kdcServer, PrincipalStore store )
78 {
79 this.kdcServer = kdcServer;
80 this.store = store;
81 }
82
83
84
85
86
87 @Override
88 public void sessionCreated( IoSession session ) throws Exception
89 {
90 if ( LOG.isDebugEnabled() )
91 {
92 LOG.debug( "{} CREATED: {}", session.getRemoteAddress(), session.getTransportMetadata() );
93 }
94
95 if ( LOG_KRB.isDebugEnabled() )
96 {
97 LOG_KRB.debug( "{} CREATED: {}", session.getRemoteAddress(), session.getTransportMetadata() );
98 }
99 }
100
101
102
103
104
105 @Override
106 public void sessionOpened( IoSession session )
107 {
108 if ( LOG.isDebugEnabled() )
109 {
110 LOG.debug( "{} OPENED", session.getRemoteAddress() );
111 }
112
113 if ( LOG_KRB.isDebugEnabled() )
114 {
115 LOG_KRB.debug( "{} OPENED", session.getRemoteAddress() );
116 }
117 }
118
119
120
121
122
123 @Override
124 public void sessionClosed( IoSession session )
125 {
126 if ( LOG.isDebugEnabled() )
127 {
128 LOG.debug( "{} CLOSED", session.getRemoteAddress() );
129 }
130
131 if ( LOG_KRB.isDebugEnabled() )
132 {
133 LOG_KRB.debug( "{} CLOSED", session.getRemoteAddress() );
134 }
135 }
136
137
138
139
140
141 @Override
142 public void sessionIdle( IoSession session, IdleStatus status )
143 {
144 if ( LOG.isDebugEnabled() )
145 {
146 LOG.debug( "{} IDLE ({})", session.getRemoteAddress(), status );
147 }
148
149 if ( LOG_KRB.isDebugEnabled() )
150 {
151 LOG_KRB.debug( "{} IDLE ({})", session.getRemoteAddress(), status );
152 }
153 }
154
155
156
157
158
159 @Override
160 public void exceptionCaught( IoSession session, Throwable cause )
161 {
162 LOG.error( "{} EXCEPTION", session.getRemoteAddress(), cause );
163 LOG_KRB.error( "{} EXCEPTION", session.getRemoteAddress(), cause );
164 session.closeNow();
165 }
166
167
168
169
170
171 @Override
172 public void messageReceived( IoSession session, Object message )
173 {
174 if ( LOG.isDebugEnabled() )
175 {
176 LOG.debug( "{} RCVD: {}", session.getRemoteAddress(), message );
177 }
178
179 if ( LOG_KRB.isDebugEnabled() )
180 {
181 LOG_KRB.debug( "{} RCVD: {}", session.getRemoteAddress(), message );
182 }
183
184 InetAddress clientAddress = ( ( InetSocketAddress ) session.getRemoteAddress() ).getAddress();
185
186 if ( !( message instanceof KdcReq ) )
187 {
188 LOG.error( I18n.err( I18n.ERR_152, ErrorType.KRB_AP_ERR_BADDIRECTION ) );
189 LOG_KRB.error( I18n.err( I18n.ERR_152, ErrorType.KRB_AP_ERR_BADDIRECTION ) );
190
191 session.write( getErrorMessage( kdcServer.getConfig().getServicePrincipal(), new KerberosException(
192 ErrorType.KRB_AP_ERR_BADDIRECTION ) ) );
193 return;
194 }
195
196 KdcReq/../../../../../org/apache/directory/shared/kerberos/components/KdcReq.html#KdcReq">KdcReq request = ( KdcReq ) message;
197
198 KerberosMessageType messageType = request.getMessageType();
199
200 try
201 {
202 switch ( messageType )
203 {
204 case AS_REQ:
205 AuthenticationContextuthentication/AuthenticationContext.html#AuthenticationContext">AuthenticationContext authContext = new AuthenticationContext();
206 authContext.setConfig( kdcServer.getConfig() );
207 authContext.setStore( store );
208
209 if ( request.getKdcReqBody().getAddresses() != null )
210 {
211 authContext.setClientAddress( clientAddress );
212 }
213
214 authContext.setRequest( request );
215 session.setAttribute( CONTEXT_KEY, authContext );
216
217 AuthenticationService.execute( authContext );
218
219 LOG_KRB.debug( "AuthenticationContext for AS_REQ : \n{}", authContext );
220
221 session.write( authContext.getReply() );
222 break;
223
224 case TGS_REQ:
225 TicketGrantingContextticketgrant/TicketGrantingContext.html#TicketGrantingContext">TicketGrantingContext tgsContext = new TicketGrantingContext();
226 tgsContext.setConfig( kdcServer.getConfig() );
227 tgsContext.setReplayCache( kdcServer.getReplayCache() );
228 tgsContext.setStore( store );
229 tgsContext.setClientAddress( clientAddress );
230 tgsContext.setRequest( request );
231 session.setAttribute( CONTEXT_KEY, tgsContext );
232
233 TicketGrantingService.execute( tgsContext );
234
235 LOG_KRB.debug( "TGSContext for TGS_REQ : \n {}", tgsContext );
236
237 session.write( tgsContext.getReply() );
238 break;
239
240 case AS_REP:
241 case TGS_REP:
242 throw new KerberosException( ErrorType.KRB_AP_ERR_BADDIRECTION );
243
244 default:
245 throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
246 }
247 }
248 catch ( KerberosException ke )
249 {
250 String messageText = ke.getLocalizedMessage() + " (" + ke.getErrorCode() + ")";
251
252 LOG.warn( messageText );
253 LOG_KRB.warn( messageText );
254
255 KrbError error = getErrorMessage( kdcServer.getConfig().getServicePrincipal(), ke );
256
257 logErrorMessage( error );
258
259 session.write( error );
260 }
261 catch ( Exception e )
262 {
263 LOG.error( I18n.err( I18n.ERR_152, e.getLocalizedMessage() ), e );
264 LOG_KRB.error( I18n.err( I18n.ERR_152, e.getLocalizedMessage() ), e );
265
266 session.write( getErrorMessage( kdcServer.getConfig().getServicePrincipal(), new KerberosException(
267 ErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
268 }
269 }
270
271
272
273
274
275 @Override
276 public void messageSent( IoSession session, Object message )
277 {
278 if ( LOG.isDebugEnabled() )
279 {
280 LOG.debug( "{} SENT: {}", session.getRemoteAddress(), message );
281 }
282
283 if ( LOG_KRB.isDebugEnabled() )
284 {
285 LOG_KRB.debug( "{} SENT: {}", session.getRemoteAddress(), message );
286 }
287 }
288
289
290
291
292
293
294
295
296
297 protected KrbError getErrorMessage( KerberosPrincipal principal, KerberosException exception )
298 {
299 KrbErrord/kerberos/messages/KrbError.html#KrbError">KrbError krbError = new KrbError();
300
301 KerberosTimeed/kerberos/KerberosTime.html#KerberosTime">KerberosTime now = new KerberosTime();
302
303 krbError.setErrorCode( ErrorType.getTypeByValue( exception.getErrorCode() ) );
304 krbError.setEText( exception.getLocalizedMessage() );
305 krbError.setSName( new PrincipalName( principal ) );
306 krbError.setRealm( principal.getRealm() );
307 krbError.setSTime( now );
308 krbError.setSusec( 0 );
309 krbError.setEData( exception.getExplanatoryData() );
310
311 return krbError;
312 }
313
314
315
316
317
318
319
320
321 protected void logErrorMessage( KrbError error )
322 {
323 try
324 {
325 StringBuilder sb = new StringBuilder();
326
327 sb.append( "Responding to request with error:" );
328 sb.append( "\n\t" + "explanatory text: " + error.getEText() );
329 sb.append( "\n\t" + "error code: " + error.getErrorCode() );
330 sb.append( "\n\t" + "clientPrincipal: " + error.getCName() ).append( "@" ).append( error.getCRealm() );
331 sb.append( "\n\t" + "client time: " + error.getCTime() );
332 sb.append( "\n\t" + "serverPrincipal: " + error.getSName() ).append( "@" ).append( error.getRealm() );
333 sb.append( "\n\t" + "server time: " + error.getSTime() );
334
335 String message = sb.toString();
336
337 LOG.debug( message );
338 LOG_KRB.debug( message );
339 }
340 catch ( Exception e )
341 {
342
343 LOG.error( I18n.err( I18n.ERR_155 ), e );
344 LOG_KRB.error( I18n.err( I18n.ERR_155 ), e );
345 }
346 }
347
348
349 @Override
350 public void inputClosed( IoSession session )
351 {
352 session.closeNow();
353 }
354 }