Changes for HAS.
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index f630b70..b39439e 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -69,12 +69,18 @@
"Token preauth is not allowed.");
}
if (paData.getPaDataType() == PaDataType.TOKEN_REQUEST) {
- EncryptedData encData = KrbCodec.decode(paData.getPaDataValue(), EncryptedData.class);
- EncryptionKey clientKey = kdcRequest.getArmorKey();
- kdcRequest.setClientKey(clientKey);
+ PaTokenRequest paTokenRequest;
+ if (kdcRequest.isHttps()) {
+ paTokenRequest = KrbCodec.decode(paData.getPaDataValue(),
+ PaTokenRequest.class);
+ } else {
+ EncryptedData encData = KrbCodec.decode(paData.getPaDataValue(), EncryptedData.class);
+ EncryptionKey clientKey = kdcRequest.getArmorKey();
+ kdcRequest.setClientKey(clientKey);
- PaTokenRequest paTokenRequest = EncryptionUtil.unseal(encData, clientKey,
- KeyUsage.PA_TOKEN, PaTokenRequest.class);
+ paTokenRequest = EncryptionUtil.unseal(encData, clientKey,
+ KeyUsage.PA_TOKEN, PaTokenRequest.class);
+ }
KrbTokenBase token = paTokenRequest.getToken();
List<String> issuers = kdcRequest.getKdcContext().getConfig().getIssuers();
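Review bot: The `if (kdcRequest.isHttps())` branch decodes the PaTokenRequest straight from the PA-DATA and never calls `setClientKey`, so on that path nothing binds the request to the FAST armor key; its authenticity rests on the TLS channel and on whatever code sets `isHttps`, and the hunk does not record that assumption anywhere. Add a comment above the branch, e.g. `// Over HTTPS the PA-DATA is not armor-sealed; the token is only as trustworthy as the TLS channel and the caller that set isHttps`. The same transport-trust assumption is what drops the signature requirement in the next hunk of this file. The enclosing method starts before and continues past this hunk.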
@@ -83,21 +89,21 @@
if (!issuers.contains(issuer)) {
throw new KrbException("Unconfigured issuer: " + issuer);
}
-
+
// Configure keys
TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
configureKeys(tokenDecoder, kdcRequest, issuer);
-
+
AuthToken authToken = null;
try {
authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());
- if (!tokenDecoder.isSigned()) {
+ if (!tokenDecoder.isSigned() && !kdcRequest.isHttps()) {
throw new KrbException("Token should be signed.");
}
} catch (IOException e) {
throw new KrbException("Decoding failed", e);
}
-
+
if (authToken == null) {
throw new KrbException("Token Decoding failed");
}
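Review bot: The relaxed condition `!tokenDecoder.isSigned() && !kdcRequest.isHttps()` accepts an unsigned token whenever `isHttps` is true, so the issuer check a few lines above then compares an issuer claim that nothing has cryptographically bound to the token. If the HTTPS endpoint authenticates the sender by other means, say so next to the check, e.g. `// Unsigned tokens are tolerated over HTTPS because the transport is expected to authenticate the sender`; otherwise keep `if (!tokenDecoder.isSigned())` unconditional, since TLS protects the channel but not the token's origin. The enclosing method continues outside the hunk.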
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
index df903a5..66634e6 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/AsRequest.java
@@ -133,9 +133,13 @@
reply.setEncPart(encKdcRepPart);
EncryptionKey clientKey = getClientKey();
- EncryptedData encryptedData = EncryptionUtil.seal(encKdcRepPart,
- clientKey, KeyUsage.AS_REP_ENCPART);
- reply.setEncryptedEncPart(encryptedData);
+ if (clientKey != null) {
+ EncryptedData encryptedData = EncryptionUtil.seal(encKdcRepPart,
+ clientKey, KeyUsage.AS_REP_ENCPART);
+ reply.setEncryptedEncPart(encryptedData);
+ } else {
+ throw new KrbException("Cant't get the client key to encrypt the kdc rep part.");
+ }
if (isPkinit()) {
reply.setPaData(getPreauthContext().getOutputPaData());
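Review bot: The new error message in `throw new KrbException("Cant't get the client key to encrypt the kdc rep part.")` has a typo; it should read `Can't get the client key to encrypt the kdc rep part.`. The null check would also read better as a guard clause, `if (clientKey == null) { throw new KrbException("Can't get the client key to encrypt the kdc rep part."); }` followed by the unchanged `seal` and `setEncryptedEncPart` calls, which removes the else branch. Presumably this throw is what an HTTPS token request now reaches, since the HTTPS branch in TokenPreauth no longer sets the client key, unless the key is assigned elsewhere. The enclosing method continues outside the hunk.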
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 7b4c79d..24a5579 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -99,6 +99,7 @@
private boolean isAnonymous = false;
private EncryptionKey sessionKey;
private ByteBuffer reqPackage;
+ private boolean isHttps = false;
/**
* Get session key.
@@ -809,6 +810,14 @@
return isToken;
}
+ public boolean isHttps() {
+ return isHttps;
+ }
+
+ public void setHttps(boolean https) {
+ isHttps = https;
+ }
+
/**
* Set auth token.
* @param authToken The auth token
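Review bot: `isHttps()` and `setHttps(boolean)` are added without Javadoc while the neighbouring `getSessionKey` and `setAuthToken` members have it, and the setter in particular deserves one because it relaxes preauth checks elsewhere. The setter's Javadoc should state that the flag must be set only by the server transport that received the request and never from anything client-controlled, since TokenPreauth skips the armor unseal and the token signature requirement when it is true. The backing field added in the earlier hunk, `private boolean isHttps = false;`, also carries the `is` prefix; the conventional form is `private boolean https = false;` with the getter staying `isHttps()`.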