DIRKRB-662 Cross realm tgs request should skip checking client entry.
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
index 41fb0c1..52c7d03 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
@@ -50,6 +50,9 @@
setAllowedPreauth(PaDataType.TGS_REQ);
ticket = tgt;
clientPrincipal = tgt.getClientPrincipal();
+ if (clientPrincipal.getRealm() == null) {
+ clientPrincipal.setRealm(tgt.getRealm());
+ }
}
public TgsRequestWithTgt(KrbContext context, SgtTicket sgt) {
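Review bot: Defaulting the client realm from `tgt.getRealm()` on the added line assumes the ticket's realm is the client's realm, which holds for an initial TGT but not for a ticket obtained across realms, where the ticket's realm field is the issuing/server realm while the client stays in its home realm; the same default appears in the SgtTicket constructor in the next hunk, where an SGT for a foreign service carries the foreign realm. The client's own realm travels in the ticket's encrypted part next to cname, and if TgtTicket/SgtTicket expose it that is the value to fall back to; failing that, the client context's configured realm (if KrbContext exposes one) is a safer default than the ticket realm. It also looks like `tgt.getClientPrincipal()` hands out the ticket's own PrincipalName, so `setRealm` mutates the ticket as a side effect; copying the principal before patching it would avoid that, assuming PrincipalName offers a copy. The enclosing constructor starts before the hunk.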
@@ -57,6 +60,9 @@
setAllowedPreauth(PaDataType.TGS_REQ);
ticket = sgt;
clientPrincipal = sgt.getClientPrincipal();
+ if (clientPrincipal.getRealm() == null) {
+ clientPrincipal.setRealm(sgt.getRealm());
+ }
}
public PrincipalName getClientPrincipal() {
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 168862f..56e8c62 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -588,10 +588,14 @@
return tgsEntry;
}
- public boolean checkCrossRealm(String remoteRealm) {
- isCrossRealm = !(kdcContext.getKdcRealm().equals(remoteRealm));
- this.remoteRealm = remoteRealm;
- return isCrossRealm;
+ public boolean checkCrossRealm(String remoteRealm) throws KrbException {
+ if (remoteRealm != null && kdcContext.getKdcRealm() != null) {
+ isCrossRealm = !(kdcContext.getKdcRealm().equals(remoteRealm));
+ this.remoteRealm = remoteRealm;
+ return isCrossRealm;
+ } else {
+ throw new KrbException("Missing the realm.");
+ }
}
public boolean isCrossRealm() {
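Review bot: The new `throw new KrbException("Missing the realm.")` conflates two different failures, a request that carries no realm (client data) and a KDC whose own realm is unconfigured (server misconfiguration), and the message names neither. The other exception added in this commit (`KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED)` in the hunk below) carries an error code; this one should at least say which side is missing, e.g. `throw new KrbException("Missing the realm: remoteRealm=" + remoteRealm + ", kdcRealm=" + kdcContext.getKdcRealm());`, or split the null KDC realm out as an IllegalStateException since it is not a client error. Realm names are not secrets, so including them in the message is fine. The enclosing class continues outside the hunk.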
@@ -647,7 +651,7 @@
throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
}
} else {
- LOG.info("Client entry is empty.");
+ LOG.info("Client entry is empty, token preauth or cross realm.");
}
}
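Review bot: The changed log line records that the revoked/disabled checks above it were skipped, but not for whom; an analyst reading KDC logs cannot tell which principal or realm reached this branch, nor which of the two stated reasons applied. Include the requesting client principal and realm in the message under whatever name the enclosing method holds them (it starts before the hunk), e.g. `LOG.info("Client entry is empty (token preauth or cross realm) for {}", <client principal — placeholder>);` if the logger is parameterized, so cross-realm ticket grants are attributable. Since this path now carries every cross-realm TGS request, consider whether INFO is the right level for an audit-relevant event.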
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 98e1176..e1e3dd2 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -186,10 +186,15 @@
PrincipalName serverPrincipal = tgtTicket.getSname();
serverPrincipal.setRealm(tgtTicket.getRealm());
- PrincipalName clientPrincipal = authenticator.getCname();
- clientPrincipal.setRealm(authenticator.getCrealm());
- KrbIdentity clientEntry = getEntry(clientPrincipal.getName());
- setClientEntry(clientEntry);
+
+ /* The client principal does not exist in backend when it's a cross realm request */
+ if (authenticator.getCrealm() != null
+ && authenticator.getCrealm().equals(getKdcContext().getKdcRealm())) {
+ PrincipalName clientPrincipal = authenticator.getCname();
+ clientPrincipal.setRealm(authenticator.getCrealm());
+ KrbIdentity clientEntry = getEntry(clientPrincipal.getName());
+ setClientEntry(clientEntry);
+ }
if (!authenticator.getCtime().isInClockSkew(
getKdcContext().getConfig().getAllowableClockSkew() * 1000)) {
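Review bot: The decision to skip the client-entry lookup, and with it the revoked/disabled checks KdcRequest runs against the client entry, is taken from `authenticator.getCrealm()` at the new `if`, but the authenticator is encrypted under the TGT session key that the client holds, so unless this path compares the authenticator's cname/crealm against the TGT's encrypted part elsewhere, a locally registered client can place a foreign crealm in its authenticator and avoid the lookup while presenting a TGT issued for a local principal. The trustworthy client identity is the cname/crealm inside the TGT's encrypted part, which only the KDC or the cross-realm key holder could have produced; RFC 4120 §3.3.2 has the KDC verify that the authenticator's cname/crealm match the ticket's and reject with KRB_AP_ERR_BADMATCH otherwise, and the cross-realm branch should be chosen from the ticket's crealm, not the authenticator's. In the cross-realm branch the client entry is left unset, so if nothing else assigns it the request continues on the "Client entry is empty" path in KdcRequest; the new comment should state that, e.g. `/* Cross-realm client: no local entry exists, so clientEntry stays null and the local revocation checks are skipped by design. */`. The enclosing method starts and ends outside the hunk.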