[CalendarServer-changes] [1042] CalendarServer/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Mon Jan 15 11:15:37 PST 2007
Revision: 1042
http://trac.macosforge.org/projects/calendarserver/changeset/1042
Author: cdaboo at apple.com
Date: 2007-01-15 11:15:37 -0800 (Mon, 15 Jan 2007)
Log Message:
-----------
Must check the Kerberos realm as cross-realm authentication is possible with Kerberos but the calendar server can only
support a single realm right now.
Modified Paths:
--------------
CalendarServer/trunk/conf/caldavd-test.plist
CalendarServer/trunk/conf/caldavd.plist
CalendarServer/trunk/twistedcaldav/authkerb.py
CalendarServer/trunk/twistedcaldav/tap.py
Modified: CalendarServer/trunk/conf/caldavd-test.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd-test.plist 2007-01-12 20:58:30 UTC (rev 1041)
+++ CalendarServer/trunk/conf/caldavd-test.plist 2007-01-15 19:15:37 UTC (rev 1042)
@@ -184,6 +184,8 @@
<false/>
<key>ServicePrincipal</key>
<string></string>
+ <key>Realm</key>
+ <string></string>
</dict>
</dict>
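Review bot: The new `Realm` key ships empty and without a comment, while the authkerb.py change in this commit compares it exactly against the realm of the authenticated principal. An operator who enables Kerberos and leaves it blank will see realm-qualified logins rejected, with nothing in the config file to explain why. A comment above the key would help, for example `<!-- Realm: Kerberos realm that client principals must belong to; must be set when Kerberos is enabled (exact, case-sensitive match) -->`. The same applies to the identical hunk in conf/caldavd.plist.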
Modified: CalendarServer/trunk/conf/caldavd.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd.plist 2007-01-12 20:58:30 UTC (rev 1041)
+++ CalendarServer/trunk/conf/caldavd.plist 2007-01-15 19:15:37 UTC (rev 1042)
@@ -129,6 +129,8 @@
<false/>
<key>ServicePrincipal</key>
<string></string>
+ <key>Realm</key>
+ <string></string>
</dict>
</dict>
Modified: CalendarServer/trunk/twistedcaldav/authkerb.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/authkerb.py 2007-01-12 20:58:30 UTC (rev 1041)
+++ CalendarServer/trunk/twistedcaldav/authkerb.py 2007-01-15 19:15:37 UTC (rev 1042)
@@ -142,9 +142,10 @@
scheme = 'negotiate'
- def __init__(self, service):
+ def __init__(self, service, realm):
self.service = service
+ self.realm = realm
def getChallenge(self, peer):
return {}
@@ -172,11 +173,22 @@
response = kerberos.authGSSServerResponse(context)
username = kerberos.authGSSServerUserName(context)
+ realmname = ""
# Username may include realm suffix which we want to strip
if username.find("@") != -1:
- username = username.split("@", 1)[0]
+ splits = username.split("@", 1)
+ username = splits[0]
+ realmname = splits[1]
+
+ # We currently do not support cross-realm authentciation, so we
+ # must verify that the realm we got exactly matches the one we expect.
+ if realmname != self.realm:
+ logging.err("authGSSServer Realms do not match: %s vs %s" % (realmname, self.realm,), system="NegotiateCredentialFactory")
+ kerberos.authGSSServerClean(context)
+ raise error.UnauthorizedLogin('Bad credentials: mismatched realm')
+
# Close the context
try:
result = kerberos.authGSSServerClean(context);
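Review bot: The realm comparison passes when both sides are empty. A principal returned without an `@` leaves `realmname` as `""`, and the plists in this commit ship `Realm` as an empty string, so `realmname != self.realm` is false and the login proceeds with no realm verified. Failing closed on an unconfigured realm avoids that, e.g. `if not self.realm or realmname != self.realm:`. Separately, the mismatch branch calls `kerberos.authGSSServerClean(context)` unguarded while the normal path just below wraps the same call in `try`; if the call can raise there, the caller would presumably see that error instead of `UnauthorizedLogin`, so the cleanup should be guarded the same way. The enclosing method starts and ends outside the hunk.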
Modified: CalendarServer/trunk/twistedcaldav/tap.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/tap.py 2007-01-12 20:58:30 UTC (rev 1041)
+++ CalendarServer/trunk/twistedcaldav/tap.py 2007-01-15 19:15:37 UTC (rev 1042)
@@ -242,7 +242,8 @@
continue
credFactory = NegotiateCredentialFactory(
- schemeConfig['ServicePrincipal'])
+ schemeConfig['ServicePrincipal'],
+ schemeConfig['Realm'],)
elif scheme == 'digest':
credFactory = DigestCredentialFactory(
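Review bot: `schemeConfig['Realm']` is a bare subscript, so a plist written before this revision that lacks the new key would raise `KeyError` here unless defaults are merged somewhere outside the hunk. It also passes an empty string straight to `NegotiateCredentialFactory`, where the new check compares it against the client's realm. Consider reading it with `realm = schemeConfig.get('Realm')` and, when it is missing or empty, logging a configuration error and skipping the scheme, as the `continue` just above appears to do for another case. The surrounding `if`/`elif` chain begins and ends outside the hunk.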