1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20 package org.apache.directory.server.kerberos.protocol;
21
22
23 import java.net.InetAddress;
24
25 import javax.security.auth.kerberos.KerberosPrincipal;
26
27 import org.apache.directory.server.kerberos.kdc.KdcServer;
28 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
29 import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
30 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
31 import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
32 import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
33 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
34 import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
35 import org.apache.directory.server.kerberos.shared.messages.value.HostAddresses;
36 import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
37 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
38 import org.apache.directory.server.kerberos.shared.messages.value.RequestBody;
39 import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
40 import org.apache.directory.server.kerberos.shared.messages.value.flags.TicketFlag;
41 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
42
43
44
45
46
47
48
49
50 public class TicketGrantingPolicyTest extends AbstractTicketGrantingServiceTest
51 {
52 private KdcServer config;
53 private PrincipalStore store;
54 private KerberosProtocolHandler handler;
55 private DummySession session;
56
57
58
59
60
61 public TicketGrantingPolicyTest()
62 {
63 config = new KdcServer();
64
65
66
67
68
69 config.setBodyChecksumVerified( false );
70
71 store = new MapPrincipalStoreImpl();
72 handler = new KerberosProtocolHandler( config, store );
73 session = new DummySession();
74 lockBox = new CipherTextHandler();
75 }
76
77
78
79
80
81
82
83
84 public void testForwardableTicket() throws Exception
85 {
86
87 config.setForwardableAllowed( false );
88
89
90 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
91 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
92
93
94 encTicketPartModifier.setFlag( TicketFlag.FORWARDABLE );
95
96
97 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
98 String passPhrase = "randomKey";
99 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
100 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
101
102 RequestBodyModifier modifier = new RequestBodyModifier();
103 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
104 modifier.setRealm( "EXAMPLE.COM" );
105 modifier.setEType( config.getEncryptionTypes() );
106 modifier.setNonce( random.nextInt() );
107
108 KdcOptions kdcOptions = new KdcOptions();
109 kdcOptions.set( KdcOptions.FORWARDABLE );
110 modifier.setKdcOptions( kdcOptions );
111
112 long now = System.currentTimeMillis();
113
114 KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
115 modifier.setTill( requestedEndTime );
116
117 RequestBody requestBody = modifier.getRequestBody();
118 KdcRequest message = getKdcRequest( tgt, requestBody );
119
120 handler.messageReceived( session, message );
121
122 ErrorMessage error = ( ErrorMessage ) session.getMessage();
123 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
124 }
125
126
127
128
129
130
131
132
133 public void testForwardedTicket() throws Exception
134 {
135
136 config.setForwardableAllowed( false );
137
138
139 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
140 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
141
142
143 encTicketPartModifier.setFlag( TicketFlag.FORWARDABLE );
144
145
146 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
147 String passPhrase = "randomKey";
148 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
149 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
150
151 RequestBodyModifier modifier = new RequestBodyModifier();
152 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
153 modifier.setRealm( "EXAMPLE.COM" );
154 modifier.setEType( config.getEncryptionTypes() );
155 modifier.setNonce( random.nextInt() );
156
157 KdcOptions kdcOptions = new KdcOptions();
158 kdcOptions.set( KdcOptions.FORWARDED );
159 modifier.setKdcOptions( kdcOptions );
160
161 long now = System.currentTimeMillis();
162
163 KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
164 modifier.setTill( requestedEndTime );
165
166 RequestBody requestBody = modifier.getRequestBody();
167 KdcRequest message = getKdcRequest( tgt, requestBody );
168
169 handler.messageReceived( session, message );
170
171 ErrorMessage error = ( ErrorMessage ) session.getMessage();
172 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
173 }
174
175
176
177
178
179
180
181
182 public void testForwardedNoAddressesTicket() throws Exception
183 {
184
185 config.setEmptyAddressesAllowed( false );
186
187
188 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
189 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
190
191
192 encTicketPartModifier.setFlag( TicketFlag.FORWARDABLE );
193
194 HostAddress[] address =
195 {new HostAddress( InetAddress.getByAddress( new byte[4] ) )};
196 HostAddresses addresses = new HostAddresses( address );
197 encTicketPartModifier.setClientAddresses( addresses );
198
199
200 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
201 String passPhrase = "randomKey";
202 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
203 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
204
205 RequestBodyModifier modifier = new RequestBodyModifier();
206 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
207 modifier.setRealm( "EXAMPLE.COM" );
208 modifier.setEType( config.getEncryptionTypes() );
209 modifier.setNonce( random.nextInt() );
210
211 KdcOptions kdcOptions = new KdcOptions();
212 kdcOptions.set( KdcOptions.FORWARDED );
213 modifier.setKdcOptions( kdcOptions );
214
215 long now = System.currentTimeMillis();
216
217 KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
218 modifier.setTill( requestedEndTime );
219
220 RequestBody requestBody = modifier.getRequestBody();
221 KdcRequest message = getKdcRequest( tgt, requestBody );
222
223 handler.messageReceived( session, message );
224
225 ErrorMessage error = ( ErrorMessage ) session.getMessage();
226 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
227 }
228
229
230
231
232
233
234
235
236 public void testProxiableTicket() throws Exception
237 {
238
239 config.setProxiableAllowed( false );
240
241
242 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
243 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
244
245
246 encTicketPartModifier.setFlag( TicketFlag.PROXIABLE );
247
248
249 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
250 String passPhrase = "randomKey";
251 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
252 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
253
254 RequestBodyModifier modifier = new RequestBodyModifier();
255 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
256 modifier.setRealm( "EXAMPLE.COM" );
257 modifier.setEType( config.getEncryptionTypes() );
258 modifier.setNonce( random.nextInt() );
259
260 KdcOptions kdcOptions = new KdcOptions();
261 kdcOptions.set( KdcOptions.PROXIABLE );
262 modifier.setKdcOptions( kdcOptions );
263
264 long now = System.currentTimeMillis();
265
266 KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
267 modifier.setTill( requestedEndTime );
268
269 RequestBody requestBody = modifier.getRequestBody();
270 KdcRequest message = getKdcRequest( tgt, requestBody );
271
272 handler.messageReceived( session, message );
273
274 ErrorMessage error = ( ErrorMessage ) session.getMessage();
275 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
276 }
277
278
279
280
281
282
283
284
285 public void testProxyTicket() throws Exception
286 {
287
288 config.setProxiableAllowed( false );
289
290
291 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
292 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
293
294
295 encTicketPartModifier.setFlag( TicketFlag.PROXIABLE );
296
297
298 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
299 String passPhrase = "randomKey";
300 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
301 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
302
303 RequestBodyModifier modifier = new RequestBodyModifier();
304 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
305 modifier.setRealm( "EXAMPLE.COM" );
306 modifier.setEType( config.getEncryptionTypes() );
307 modifier.setNonce( random.nextInt() );
308
309 KdcOptions kdcOptions = new KdcOptions();
310 kdcOptions.set( KdcOptions.PROXY );
311 modifier.setKdcOptions( kdcOptions );
312
313 long now = System.currentTimeMillis();
314
315 KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
316 modifier.setTill( requestedEndTime );
317
318 HostAddress[] address =
319 {new HostAddress( InetAddress.getLocalHost() )};
320 HostAddresses addresses = new HostAddresses( address );
321 modifier.setAddresses( addresses );
322
323 RequestBody requestBody = modifier.getRequestBody();
324 KdcRequest message = getKdcRequest( tgt, requestBody );
325
326 handler.messageReceived( session, message );
327
328 ErrorMessage error = ( ErrorMessage ) session.getMessage();
329 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
330 }
331
332
333
334
335
336
337
338
339 public void testProxyNoAddressesTicket() throws Exception
340 {
341
342 config.setEmptyAddressesAllowed( false );
343
344
345 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
346 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
347
348
349 encTicketPartModifier.setFlag( TicketFlag.PROXIABLE );
350
351 HostAddress[] address =
352 {new HostAddress( InetAddress.getByAddress( new byte[4] ) )};
353 HostAddresses addresses = new HostAddresses( address );
354 encTicketPartModifier.setClientAddresses( addresses );
355
356
357 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
358 String passPhrase = "randomKey";
359 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
360 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
361
362 RequestBodyModifier modifier = new RequestBodyModifier();
363 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
364 modifier.setRealm( "EXAMPLE.COM" );
365 modifier.setEType( config.getEncryptionTypes() );
366 modifier.setNonce( random.nextInt() );
367
368 KdcOptions kdcOptions = new KdcOptions();
369 kdcOptions.set( KdcOptions.PROXY );
370 modifier.setKdcOptions( kdcOptions );
371
372 long now = System.currentTimeMillis();
373
374 KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
375 modifier.setTill( requestedEndTime );
376
377 RequestBody requestBody = modifier.getRequestBody();
378 KdcRequest message = getKdcRequest( tgt, requestBody );
379
380 handler.messageReceived( session, message );
381
382 ErrorMessage error = ( ErrorMessage ) session.getMessage();
383 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
384 }
385
386
387
388
389
390
391
392
393 public void testAllowPostdate() throws Exception
394 {
395
396 config.setPostdatedAllowed( false );
397
398
399 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
400 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
401
402
403 encTicketPartModifier.setFlag( TicketFlag.MAY_POSTDATE );
404
405
406 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
407 String passPhrase = "randomKey";
408 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
409 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
410
411 RequestBodyModifier modifier = new RequestBodyModifier();
412 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
413 modifier.setRealm( "EXAMPLE.COM" );
414 modifier.setEType( config.getEncryptionTypes() );
415 modifier.setNonce( random.nextInt() );
416
417 KdcOptions kdcOptions = new KdcOptions();
418 kdcOptions.set( KdcOptions.ALLOW_POSTDATE );
419 modifier.setKdcOptions( kdcOptions );
420
421 long now = System.currentTimeMillis();
422
423 KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
424 modifier.setTill( requestedEndTime );
425
426 RequestBody requestBody = modifier.getRequestBody();
427 KdcRequest message = getKdcRequest( tgt, requestBody );
428
429 handler.messageReceived( session, message );
430
431 ErrorMessage error = ( ErrorMessage ) session.getMessage();
432 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
433 }
434
435
436
437
438
439
440
441
442 public void testPostdated() throws Exception
443 {
444
445 config.setPostdatedAllowed( false );
446
447
448 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
449 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
450
451
452 encTicketPartModifier.setFlag( TicketFlag.MAY_POSTDATE );
453
454
455 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
456 String passPhrase = "randomKey";
457 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
458 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
459
460 RequestBodyModifier modifier = new RequestBodyModifier();
461 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
462 modifier.setRealm( "EXAMPLE.COM" );
463 modifier.setEType( config.getEncryptionTypes() );
464 modifier.setNonce( random.nextInt() );
465
466 KdcOptions kdcOptions = new KdcOptions();
467 kdcOptions.set( KdcOptions.POSTDATED );
468 modifier.setKdcOptions( kdcOptions );
469
470 long now = System.currentTimeMillis();
471
472 KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
473 modifier.setTill( requestedEndTime );
474
475 RequestBody requestBody = modifier.getRequestBody();
476 KdcRequest message = getKdcRequest( tgt, requestBody );
477
478 handler.messageReceived( session, message );
479
480 ErrorMessage error = ( ErrorMessage ) session.getMessage();
481 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
482 }
483
484
485
486
487
488
489
490
491 public void testValidateInvalidTicket() throws Exception
492 {
493
494 config.setPostdatedAllowed( false );
495
496
497 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
498 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
499
500
501 encTicketPartModifier.setFlag( TicketFlag.INVALID );
502
503
504 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
505 String passPhrase = "randomKey";
506 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
507 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
508
509 RequestBodyModifier modifier = new RequestBodyModifier();
510 modifier.setServerName( getPrincipalName( "hnelson" ) );
511 modifier.setRealm( "EXAMPLE.COM" );
512 modifier.setEType( config.getEncryptionTypes() );
513 modifier.setNonce( random.nextInt() );
514
515 KdcOptions kdcOptions = new KdcOptions();
516 kdcOptions.set( KdcOptions.VALIDATE );
517 modifier.setKdcOptions( kdcOptions );
518
519 long currentTime = System.currentTimeMillis();
520
521 KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
522 modifier.setTill( requestedEndTime );
523
524 RequestBody requestBody = modifier.getRequestBody();
525
526 KdcRequest message = getKdcRequest( tgt, requestBody );
527
528 handler.messageReceived( session, message );
529
530 ErrorMessage error = ( ErrorMessage ) session.getMessage();
531 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
532 }
533
534
535
536
537
538
539
540
541 public void testRenewTicket() throws Exception
542 {
543
544 config.setRenewableAllowed( false );
545
546 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
547 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
548 String serverPassword = "randomKey";
549
550 Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
551
552 RequestBodyModifier modifier = new RequestBodyModifier();
553 modifier.setServerName( getPrincipalName( "hnelson" ) );
554 modifier.setRealm( "EXAMPLE.COM" );
555 modifier.setEType( config.getEncryptionTypes() );
556 modifier.setNonce( random.nextInt() );
557
558 KdcOptions kdcOptions = new KdcOptions();
559 kdcOptions.set( KdcOptions.RENEW );
560 modifier.setKdcOptions( kdcOptions );
561
562 long currentTime = System.currentTimeMillis();
563
564 KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
565 modifier.setTill( requestedEndTime );
566
567 RequestBody requestBody = modifier.getRequestBody();
568
569 KdcRequest message = getKdcRequest( tgt, requestBody );
570
571 handler.messageReceived( session, message );
572
573 ErrorMessage error = ( ErrorMessage ) session.getMessage();
574 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
575 }
576
577
578
579
580
581
582
583
584 public void testRenewableOk() throws Exception
585 {
586
587 config.setRenewableAllowed( false );
588
589
590 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
591 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
592
593
594 encTicketPartModifier.setFlag( TicketFlag.RENEWABLE );
595
596
597 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
598 String passPhrase = "randomKey";
599 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
600 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
601
602 RequestBodyModifier modifier = new RequestBodyModifier();
603 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
604 modifier.setRealm( "EXAMPLE.COM" );
605 modifier.setEType( config.getEncryptionTypes() );
606 modifier.setNonce( random.nextInt() );
607
608 KdcOptions kdcOptions = new KdcOptions();
609 kdcOptions.set( KdcOptions.RENEWABLE_OK );
610 modifier.setKdcOptions( kdcOptions );
611
612 long now = System.currentTimeMillis();
613
614 KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.WEEK );
615 modifier.setTill( requestedEndTime );
616
617 RequestBody requestBody = modifier.getRequestBody();
618 KdcRequest message = getKdcRequest( tgt, requestBody );
619
620 handler.messageReceived( session, message );
621
622 ErrorMessage error = ( ErrorMessage ) session.getMessage();
623 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
624 }
625
626
627
628
629
630
631
632
633 public void testRenewableTicket() throws Exception
634 {
635
636 config.setRenewableAllowed( false );
637
638
639 KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
640 EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
641
642
643 encTicketPartModifier.setFlag( TicketFlag.RENEWABLE );
644
645
646 KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
647 String passPhrase = "randomKey";
648 EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
649 Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
650
651 RequestBodyModifier modifier = new RequestBodyModifier();
652 modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
653 modifier.setRealm( "EXAMPLE.COM" );
654 modifier.setEType( config.getEncryptionTypes() );
655 modifier.setNonce( random.nextInt() );
656
657 KdcOptions kdcOptions = new KdcOptions();
658 kdcOptions.set( KdcOptions.RENEWABLE );
659 modifier.setKdcOptions( kdcOptions );
660
661 long now = System.currentTimeMillis();
662
663 KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
664 modifier.setTill( requestedEndTime );
665
666 KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );
667 modifier.setRtime( requestedRenewTillTime );
668
669 RequestBody requestBody = modifier.getRequestBody();
670 KdcRequest message = getKdcRequest( tgt, requestBody );
671
672 handler.messageReceived( session, message );
673
674 ErrorMessage error = ( ErrorMessage ) session.getMessage();
675 assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
676 }
677 }