in kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcHandler.java [68:165]
public ByteBuffer handleMessage(ByteBuffer receivedMessage, boolean isTcp,
InetAddress remoteAddress) throws KrbException {
KrbMessage krbRequest;
KdcRequest kdcRequest = null;
KrbMessage krbResponse;
ByteBuffer message = receivedMessage.duplicate();
try {
krbRequest = KrbCodec.decodeMessage(receivedMessage);
} catch (IOException e) {
LOG.error("Krb decoding message failed", e);
KrbError error = createValidationError(KrbErrorCode.KRB_AP_ERR_MSG_TYPE,
e.getMessage(),
null, kdcContext.getKdcRealm(),
null, null);
return encodeKrbMessage(error, isTcp);
}
KrbMessageType messageType = krbRequest.getMsgType();
if (messageType == KrbMessageType.TGS_REQ || messageType
== KrbMessageType.AS_REQ) {
KdcReq kdcReq = (KdcReq) krbRequest;
String realm = getRequestRealm(kdcReq);
if (realm == null || !kdcContext.getKdcRealm().equals(realm)) {
LOG.error("Invalid realm from kdc request: " + realm);
KrbError error = createValidationError(KrbErrorCode.WRONG_REALM,
"Invalid realm from kdc request: " + realm,
realm, kdcContext.getKdcRealm(),
kdcReq.getReqBody().getCname(), kdcReq.getReqBody().getSname());
return encodeKrbMessage(error, isTcp);
}
if (messageType == KrbMessageType.TGS_REQ) {
kdcRequest = new TgsRequest((TgsReq) kdcReq, kdcContext);
} else {
kdcRequest = new AsRequest((AsReq) kdcReq, kdcContext);
}
} else {
LOG.error("Invalid message type: " + messageType);
KrbError error = createValidationError(KrbErrorCode.KRB_AP_ERR_MSG_TYPE,
"Invalid message type: " + messageType,
null, kdcContext.getKdcRealm(),
null, null);
return encodeKrbMessage(error, isTcp);
}
// For checksum
if (kdcRequest == null) {
throw new KrbException("Kdc request is null.");
}
kdcRequest.setReqPackage(message);
if (remoteAddress == null) {
throw new KrbException("Remote address is null, not available.");
}
kdcRequest.setClientAddress(remoteAddress);
kdcRequest.isTcp(isTcp);
try {
kdcRequest.process();
krbResponse = kdcRequest.getReply();
} catch (Throwable e) {
if (e instanceof KdcRecoverableException) {
krbResponse = handleRecoverableException(
(KdcRecoverableException) e, kdcRequest);
} else {
KrbError krbError = new KrbError();
krbError.setStime(KerberosTime.now());
krbError.setSusec(100);
KrbErrorCode errorCode = KrbErrorCode.UNKNOWN_ERR;
if (e instanceof KrbException && ((KrbException) e).getKrbErrorCode() != null) {
errorCode = ((KrbException) e).getKrbErrorCode();
}
krbError.setErrorCode(errorCode);
krbError.setCrealm(kdcContext.getKdcRealm());
if (kdcRequest.getClientPrincipal() != null) {
krbError.setCname(kdcRequest.getClientPrincipal());
}
krbError.setRealm(kdcContext.getKdcRealm());
if (kdcRequest.getServerPrincipal() != null) {
krbError.setSname(kdcRequest.getServerPrincipal());
} else {
PrincipalName serverPrincipal = kdcRequest.getKdcReq().getReqBody().getSname();
serverPrincipal.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
krbError.setSname(serverPrincipal);
}
if (KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY.equals(errorCode)) {
krbError.setEtext("PREAUTH_FAILED");
} else {
krbError.setEtext(e.getMessage());
}
krbResponse = krbError;
}
}
return encodeKrbMessage(krbResponse, isTcp);
}