View Javadoc

1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.kerberos.protocol;
21  
22  
23  import java.net.InetAddress;
24  import java.net.InetSocketAddress;
25  
26  import javax.security.auth.kerberos.KerberosPrincipal;
27  
28  import org.apache.directory.server.kerberos.kdc.KdcServer;
29  import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
30  import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService;
31  import org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingContext;
32  import org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService;
33  import org.apache.directory.server.kerberos.shared.KerberosMessageType;
34  import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
35  import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
36  import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
37  import org.apache.directory.server.kerberos.shared.messages.ErrorMessageModifier;
38  import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
39  import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
40  import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
41  import org.apache.mina.common.IdleStatus;
42  import org.apache.mina.common.IoHandler;
43  import org.apache.mina.common.IoSession;
44  import org.apache.mina.common.TransportType;
45  import org.apache.mina.filter.codec.ProtocolCodecFilter;
46  import org.slf4j.Logger;
47  import org.slf4j.LoggerFactory;
48  
49  
50  /**
51   * The Kerberos protocol handler for MINA which handles requests for the authentication
52   * service and the ticket granting service of the KDC.
53   *
54   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
55   * @version $Rev: 686874 $, $Date: 2008-08-18 23:49:10 +0200 (Mo, 18 Aug 2008) $
56   */
57  public class KerberosProtocolHandler implements IoHandler
58  {
59      private static final Logger log = LoggerFactory.getLogger( KerberosProtocolHandler.class );
60  
61      private KdcServer config;
62      private PrincipalStore store;
63      private static final String CONTEXT_KEY = "context";
64      
65  
66  
67      /**
68       * Creates a new instance of KerberosProtocolHandler.
69       *
70       * @param config
71       * @param store
72       */
73      public KerberosProtocolHandler( KdcServer config, PrincipalStore store )
74      {
75          this.config = config;
76          this.store = store;
77      }
78  
79  
80      public void sessionCreated( IoSession session ) throws Exception
81      {
82          if ( log.isDebugEnabled() )
83          {
84              log.debug( "{} CREATED:  {}", session.getRemoteAddress(), session.getTransportType() );
85          }
86  
87          if ( session.getTransportType() == TransportType.DATAGRAM )
88          {
89              session.getFilterChain().addFirst( "codec",
90                  new ProtocolCodecFilter( KerberosUdpProtocolCodecFactory.getInstance() ) );
91          }
92          else
93          {
94              session.getFilterChain().addFirst( "codec",
95                  new ProtocolCodecFilter( KerberosTcpProtocolCodecFactory.getInstance() ) );
96          }
97      }
98  
99  
100     public void sessionOpened( IoSession session )
101     {
102         if ( log.isDebugEnabled() )
103         {
104             log.debug( "{} OPENED", session.getRemoteAddress() );
105         }
106     }
107 
108 
109     public void sessionClosed( IoSession session )
110     {
111         if ( log.isDebugEnabled() )
112         {
113             log.debug( "{} CLOSED", session.getRemoteAddress() );
114         }
115     }
116 
117 
118     public void sessionIdle( IoSession session, IdleStatus status )
119     {
120         if ( log.isDebugEnabled() )
121         {
122             log.debug( "{} IDLE ({})", session.getRemoteAddress(), status );
123         }
124     }
125 
126 
127     public void exceptionCaught( IoSession session, Throwable cause )
128     {
129         log.error( session.getRemoteAddress() + " EXCEPTION", cause );
130         session.close();
131     }
132 
133 
134     public void messageReceived( IoSession session, Object message )
135     {
136         if ( log.isDebugEnabled() )
137         {
138             log.debug( "{} RCVD:  {}", session.getRemoteAddress(), message );
139         }
140 
141         InetAddress clientAddress = ( ( InetSocketAddress ) session.getRemoteAddress() ).getAddress();
142         KdcRequest request = ( KdcRequest ) message;
143 
144         KerberosMessageType messageType = request.getMessageType();
145 
146         try
147         {
148             switch ( messageType )
149             {
150                 case AS_REQ :
151                     AuthenticationContext authContext = new AuthenticationContext();
152                     authContext.setConfig( config );
153                     authContext.setStore( store );
154                     authContext.setClientAddress( clientAddress );
155                     authContext.setRequest( request );
156                     session.setAttribute( CONTEXT_KEY, authContext );
157 
158                     AuthenticationService.execute( authContext );
159 
160                     session.write( authContext.getReply() );
161                     break;
162 
163                 case TGS_REQ:
164                     TicketGrantingContext tgsContext = new TicketGrantingContext();
165                     tgsContext.setConfig( config );
166                     tgsContext.setStore( store );
167                     tgsContext.setClientAddress( clientAddress );
168                     tgsContext.setRequest( request );
169                     session.setAttribute( CONTEXT_KEY, tgsContext );
170 
171                     TicketGrantingService.execute( tgsContext );
172 
173                     session.write( tgsContext.getReply() );
174                     break;
175 
176                 case AS_REP:
177                 case TGS_REP:
178                     throw new KerberosException( ErrorType.KRB_AP_ERR_BADDIRECTION );
179 
180                 default:
181                     throw new KerberosException( ErrorType.KRB_AP_ERR_MSG_TYPE );
182             }
183         }
184         catch ( KerberosException ke )
185         {
186             String messageText = ke.getMessage() + " (" + ke.getErrorCode() + ")";
187 
188             if ( log.isDebugEnabled() )
189             {
190                 log.warn( messageText, ke );
191             }
192             else
193             {
194                 log.warn( messageText );
195             }
196 
197             ErrorMessage error = getErrorMessage( config.getServicePrincipal(), ke );
198 
199             if ( log.isDebugEnabled() )
200             {
201                 logErrorMessage( error );
202             }
203 
204             session.write( error );
205         }
206         catch ( Exception e )
207         {
208             log.error( "Unexpected exception:  " + e.getMessage(), e );
209 
210             session.write( getErrorMessage( config.getServicePrincipal(), new KerberosException(
211                 ErrorType.KDC_ERR_SVC_UNAVAILABLE ) ) );
212         }
213     }
214 
215 
216     public void messageSent( IoSession session, Object message )
217     {
218         if ( log.isDebugEnabled() )
219         {
220             log.debug( "{} SENT:  {}", session.getRemoteAddress(), message );
221         }
222     }
223 
224 
225     protected ErrorMessage getErrorMessage( KerberosPrincipal principal, KerberosException exception )
226     {
227         ErrorMessageModifier modifier = new ErrorMessageModifier();
228 
229         KerberosTime now = new KerberosTime();
230 
231         modifier.setErrorCode( exception.getErrorCode() );
232         modifier.setExplanatoryText( exception.getMessage() );
233         modifier.setServerPrincipal( principal );
234         modifier.setServerTime( now );
235         modifier.setServerMicroSecond( 0 );
236         modifier.setExplanatoryData( exception.getExplanatoryData() );
237 
238         return modifier.getErrorMessage();
239     }
240 
241 
242     protected void logErrorMessage( ErrorMessage error )
243     {
244         try
245         {
246             StringBuffer sb = new StringBuffer();
247 
248             sb.append( "Responding to request with error:" );
249             sb.append( "\n\t" + "explanatory text:      " + error.getExplanatoryText() );
250             sb.append( "\n\t" + "error code:            " + error.getErrorCode() );
251             sb.append( "\n\t" + "clientPrincipal:       " + error.getClientPrincipal() );
252             sb.append( "\n\t" + "client time:           " + error.getClientTime() );
253             sb.append( "\n\t" + "serverPrincipal:       " + error.getServerPrincipal() );
254             sb.append( "\n\t" + "server time:           " + error.getServerTime() );
255 
256             log.debug( sb.toString() );
257         }
258         catch ( Exception e )
259         {
260             // This is a monitor.  No exceptions should bubble up.
261             log.error( "Error in reply monitor", e );
262         }
263     }
264 }