View Javadoc

1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.kerberos.kdc;
21  
22  
23  import java.io.IOException;
24  import java.net.InetSocketAddress;
25  import java.util.HashSet;
26  import java.util.Set;
27  
28  import javax.security.auth.kerberos.KerberosPrincipal;
29  
30  import org.apache.directory.server.constants.ServerDNConstants;
31  import org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler;
32  import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
33  import org.apache.directory.server.kerberos.shared.store.DirectoryPrincipalStore;
34  import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
35  import org.apache.directory.server.protocol.shared.DirectoryBackedService;
36  import org.apache.mina.transport.socket.nio.DatagramAcceptorConfig;
37  import org.apache.mina.transport.socket.nio.SocketAcceptorConfig;
38  
39  
40  /**
41   * Contains the configuration parameters for the Kerberos protocol provider.
42   *
43   * @org.apache.xbean.XBean
44   *
45   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
46   * @version $Rev: 682235 $, $Date: 2008-08-04 02:43:52 +0200 (Mo, 04 Aug 2008) $
47   */
48  public class KdcServer extends DirectoryBackedService
49  {
50      private static final long serialVersionUID = 522567370475574165L;
51  
52      /** The default kdc port */
53      private static final int DEFAULT_IP_PORT = 88;
54  
55      /** The default kdc service pid */
56      private static final String DEFAULT_PID = "org.apache.directory.server.kerberos";
57  
58      /** The default kdc service name */
59      private static final String DEFAULT_NAME = "ApacheDS Kerberos Service";
60  
61      /** The default kdc service principal */
62      private static final String DEFAULT_PRINCIPAL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
63  
64      /** The default kdc realm */
65      private static final String DEFAULT_REALM = "EXAMPLE.COM";
66  
67      /** The default allowable clockskew */
68      private static final long DEFAULT_ALLOWABLE_CLOCKSKEW = 5 * 60000;
69  
70      /** The default encryption types */
71      private static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
72          { "des-cbc-md5" };
73  
74      /** The default for allowing empty addresses */
75      private static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true;
76  
77      /** The default for requiring encrypted timestamps */
78      private static final boolean DEFAULT_PA_ENC_TIMESTAMP_REQUIRED = true;
79  
80      /** The default for the maximum ticket lifetime */
81      private static final int DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME = 60000 * 1440;
82  
83      /** The default for the maximum renewable lifetime */
84      private static final int DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME = 60000 * 10080;
85  
86      /** The default for allowing forwardable tickets */
87      private static final boolean DEFAULT_TGS_FORWARDABLE_ALLOWED = true;
88  
89      /** The default for allowing proxiable tickets */
90      private static final boolean DEFAULT_TGS_PROXIABLE_ALLOWED = true;
91  
92      /** The default for allowing postdated tickets */
93      private static final boolean DEFAULT_TGS_POSTDATED_ALLOWED = true;
94  
95      /** The default for allowing renewable tickets */
96      private static final boolean DEFAULT_TGS_RENEWABLE_ALLOWED = true;
97  
98      /** The default for verifying the body checksum */
99      private static final boolean DEFAULT_VERIFY_BODY_CHECKSUM = true;
100 
101     /** The encryption types. */
102     private Set<EncryptionType> encryptionTypes;
103 
104     /** The primary realm */
105     private String primaryRealm = DEFAULT_REALM;
106 
107     /** The service principal name. */
108     private String servicePrincipal = DEFAULT_PRINCIPAL;
109 
110     /** The allowable clock skew. */
111     private long allowableClockSkew = DEFAULT_ALLOWABLE_CLOCKSKEW;
112 
113     /** Whether pre-authentication by encrypted timestamp is required. */
114     private boolean isPaEncTimestampRequired = DEFAULT_PA_ENC_TIMESTAMP_REQUIRED;
115 
116     /** The maximum ticket lifetime. */
117     private long maximumTicketLifetime = DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME;
118 
119     /** The maximum renewable lifetime. */
120     private long maximumRenewableLifetime = DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME;
121 
122     /** Whether empty addresses are allowed. */
123     private boolean isEmptyAddressesAllowed = DEFAULT_EMPTY_ADDRESSES_ALLOWED;
124 
125     /** Whether forwardable addresses are allowed. */
126     private boolean isForwardableAllowed = DEFAULT_TGS_FORWARDABLE_ALLOWED;
127 
128     /** Whether proxiable addresses are allowed. */
129     private boolean isProxiableAllowed = DEFAULT_TGS_PROXIABLE_ALLOWED;
130 
131     /** Whether postdated tickets are allowed. */
132     private boolean isPostdatedAllowed = DEFAULT_TGS_POSTDATED_ALLOWED;
133 
134     /** Whether renewable tickets are allowed. */
135     private boolean isRenewableAllowed = DEFAULT_TGS_RENEWABLE_ALLOWED;
136 
137     /** Whether to verify the body checksum. */
138     private boolean isBodyChecksumVerified = DEFAULT_VERIFY_BODY_CHECKSUM;
139 
140 
141     /**
142      * Creates a new instance of KdcConfiguration.
143      */
144     public KdcServer()
145     {
146         super.setServiceName( DEFAULT_NAME );
147         super.setIpPort( DEFAULT_IP_PORT );
148         super.setServiceId( DEFAULT_PID );
149         super.setSearchBaseDn( ServerDNConstants.USER_EXAMPLE_COM_DN );
150 
151         prepareEncryptionTypes();
152     }
153 
154 
155     /**
156      * Returns the allowable clock skew.
157      *
158      * @return The allowable clock skew.
159      */
160     public long getAllowableClockSkew()
161     {
162         return allowableClockSkew;
163     }
164 
165 
166     /**
167      * @return the isEmptyAddressesAllowed
168      */
169     public boolean isEmptyAddressesAllowed()
170     {
171         return isEmptyAddressesAllowed;
172     }
173 
174 
175     /**
176      * @return the isForwardableAllowed
177      */
178     public boolean isForwardableAllowed()
179     {
180         return isForwardableAllowed;
181     }
182 
183 
184     /**
185      * @return the isPostdatedAllowed
186      */
187     public boolean isPostdatedAllowed()
188     {
189         return isPostdatedAllowed;
190     }
191 
192 
193     /**
194      * @return the isProxiableAllowed
195      */
196     public boolean isProxiableAllowed()
197     {
198         return isProxiableAllowed;
199     }
200 
201 
202     /**
203      * @return the isRenewableAllowed
204      */
205     public boolean isRenewableAllowed()
206     {
207         return isRenewableAllowed;
208     }
209 
210 
211     /**
212      * @return the maximumRenewableLifetime
213      */
214     public long getMaximumRenewableLifetime()
215     {
216         return maximumRenewableLifetime;
217     }
218 
219 
220     /**
221      * @return the maximumTicketLifetime
222      */
223     public long getMaximumTicketLifetime()
224     {
225         return maximumTicketLifetime;
226     }
227 
228 
229     /**
230      * @param allowableClockSkew the allowableClockSkew to set
231      */
232     public void setAllowableClockSkew( long allowableClockSkew )
233     {
234         this.allowableClockSkew = allowableClockSkew;
235     }
236 
237 
238     /**
239      * Initialize the encryptionTypes set
240      * 
241      * @param encryptionTypes the encryptionTypes to set
242      */
243     public void setEncryptionTypes( EncryptionType[] encryptionTypes )
244     {
245         if ( encryptionTypes != null )
246         {
247             this.encryptionTypes.clear();
248             
249             for ( EncryptionType encryptionType:encryptionTypes )
250             {
251                 this.encryptionTypes.add( encryptionType );
252             }
253         }
254     }
255 
256 
257     /**
258      * Initialize the encryptionTypes set
259      * 
260      * @param encryptionTypes the encryptionTypes to set
261      */
262     public void setEncryptionTypes( Set<EncryptionType> encryptionTypes )
263     {
264         this.encryptionTypes = encryptionTypes;
265     }
266 
267 
268     /**
269      * @param isEmptyAddressesAllowed the isEmptyAddressesAllowed to set
270      */
271     public void setEmptyAddressesAllowed( boolean isEmptyAddressesAllowed )
272     {
273         this.isEmptyAddressesAllowed = isEmptyAddressesAllowed;
274     }
275 
276 
277     /**
278      * @param isForwardableAllowed the isForwardableAllowed to set
279      */
280     public void setForwardableAllowed( boolean isForwardableAllowed )
281     {
282         this.isForwardableAllowed = isForwardableAllowed;
283     }
284 
285 
286     /**
287      * @param isPaEncTimestampRequired the isPaEncTimestampRequired to set
288      */
289     public void setPaEncTimestampRequired( boolean isPaEncTimestampRequired )
290     {
291         this.isPaEncTimestampRequired = isPaEncTimestampRequired;
292     }
293 
294 
295     /**
296      * @param isPostdatedAllowed the isPostdatedAllowed to set
297      */
298     public void setPostdatedAllowed( boolean isPostdatedAllowed )
299     {
300         this.isPostdatedAllowed = isPostdatedAllowed;
301     }
302 
303 
304     /**
305      * @param isProxiableAllowed the isProxiableAllowed to set
306      */
307     public void setProxiableAllowed( boolean isProxiableAllowed )
308     {
309         this.isProxiableAllowed = isProxiableAllowed;
310     }
311 
312 
313     /**
314      * @param isRenewableAllowed the isRenewableAllowed to set
315      */
316     public void setRenewableAllowed( boolean isRenewableAllowed )
317     {
318         this.isRenewableAllowed = isRenewableAllowed;
319     }
320 
321 
322     /**
323      * @param kdcPrincipal the kdcPrincipal to set
324      */
325     public void setKdcPrincipal( String kdcPrincipal )
326     {
327         this.servicePrincipal = kdcPrincipal;
328     }
329 
330 
331     /**
332      * @param maximumRenewableLifetime the maximumRenewableLifetime to set
333      */
334     public void setMaximumRenewableLifetime( long maximumRenewableLifetime )
335     {
336         this.maximumRenewableLifetime = maximumRenewableLifetime;
337     }
338 
339 
340     /**
341      * @param maximumTicketLifetime the maximumTicketLifetime to set
342      */
343     public void setMaximumTicketLifetime( long maximumTicketLifetime )
344     {
345         this.maximumTicketLifetime = maximumTicketLifetime;
346     }
347 
348 
349     /**
350      * @param primaryRealm the primaryRealm to set
351      */
352     public void setPrimaryRealm( String primaryRealm )
353     {
354         this.primaryRealm = primaryRealm;
355     }
356 
357 
358     /**
359      * Returns the primary realm.
360      *
361      * @return The primary realm.
362      */
363     public String getPrimaryRealm()
364     {
365         return primaryRealm;
366     }
367 
368 
369     /**
370      * Returns the service principal for this KDC service.
371      *
372      * @return The service principal for this KDC service.
373      */
374     public KerberosPrincipal getServicePrincipal()
375     {
376         return new KerberosPrincipal( servicePrincipal );
377     }
378 
379 
380     /**
381      * Returns the encryption types.
382      *
383      * @return The encryption types.
384      */
385     public Set<EncryptionType> getEncryptionTypes()
386     {
387         return encryptionTypes;
388     }
389 
390 
391     /**
392      * Returns whether pre-authentication by encrypted timestamp is required.
393      *
394      * @return Whether pre-authentication by encrypted timestamp is required.
395      */
396     public boolean isPaEncTimestampRequired()
397     {
398         return isPaEncTimestampRequired;
399     }
400 
401 
402     /**
403      * @return the isBodyChecksumVerified
404      */
405     public boolean isBodyChecksumVerified()
406     {
407         return isBodyChecksumVerified;
408     }
409 
410 
411     /**
412      * @param isBodyChecksumVerified the isBodyChecksumVerified to set
413      */
414     public void setBodyChecksumVerified( boolean isBodyChecksumVerified )
415     {
416         this.isBodyChecksumVerified = isBodyChecksumVerified;
417     }
418 
419 
420     /**
421      * @throws IOException if we cannot bind to the sockets
422      */
423     public void start() throws IOException
424     {
425         PrincipalStore store;
426 
427         // TODO - for now ignoring this catelog crap
428         
429         store = new DirectoryPrincipalStore( getDirectoryService() );
430 
431         
432 //        if ( isCatelogBased() )
433 //        {
434 //            store = new JndiPrincipalStoreImpl( getSearchBaseDn(), null, getDirectoryService() );
435 //        }
436 //        else
437 //        {
438 //            store = new JndiPrincipalStoreImpl( null, getSearchBaseDn(), getDirectoryService() );
439 //        }
440         
441         
442 
443         if ( getDatagramAcceptor() != null )
444         {
445             DatagramAcceptorConfig udpConfig = new DatagramAcceptorConfig();
446             getDatagramAcceptor().bind( new InetSocketAddress( getIpPort() ), new KerberosProtocolHandler( this, store ), udpConfig );
447         }
448 
449         if ( getSocketAcceptor() != null )
450         {
451             SocketAcceptorConfig tcpConfig = new SocketAcceptorConfig();
452             tcpConfig.setDisconnectOnUnbind( false );
453             tcpConfig.setReuseAddress( true );
454             getSocketAcceptor().bind( new InetSocketAddress( getIpPort() ), new KerberosProtocolHandler( this, store ), tcpConfig );
455         }
456     }
457 
458     
459     public void stop()
460     {
461         if ( getDatagramAcceptor() != null )
462         {
463             getDatagramAcceptor().unbind( new InetSocketAddress( getIpPort() ));
464         }
465         if ( getSocketAcceptor() != null )
466         {
467             getSocketAcceptor().unbind( new InetSocketAddress( getIpPort() ));
468         }
469     }
470 
471 
472     /**
473      * Construct an HashSet containing the default encryption types
474      */
475     private void prepareEncryptionTypes()
476     {
477         String[] encryptionTypeStrings = DEFAULT_ENCRYPTION_TYPES;
478 
479         encryptionTypes = new HashSet<EncryptionType>();
480 
481         for ( String enc : encryptionTypeStrings )
482         {
483             for ( EncryptionType type : EncryptionType.getEncryptionTypes() )
484             {
485                 if ( type.getName().equalsIgnoreCase( enc ) )
486                 {
487                     encryptionTypes.add( type );
488                 }
489             }
490         }
491     }
492 }