diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandle.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandle.java
index acbaccb91..9a76cbc31 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandle.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandle.java
@@ -42,8 +42,8 @@ public void provideEdata(KdcRequest kdcRequest, PaData outPaData) throws KrbExce
 preauth.provideEdata(kdcRequest, requestContext, outPaData);
 }

- public void verify(KdcRequest kdcRequest, PaDataEntry paData) throws KrbException {
- preauth.verify(kdcRequest, requestContext, paData);
+ public boolean verify(KdcRequest kdcRequest, PaDataEntry paData) throws KrbException {
+ return preauth.verify(kdcRequest, requestContext, paData);
 }

 public void providePaData(KdcRequest kdcRequest, PaData paData) {
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
index b9482d5da..4284dcb94 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/PreauthHandler.java
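Review bot: The boolean returned by `PreauthHandle.verify` is whatever the plugin's `preauth.verify(...)` returns, and with this commit that value decides whether the KDC treats the request as pre-authenticated, so the contract should be written down on this method. A Javadoc such as `@return true only if this PA-DATA entry was verified as proof of the client's identity; false if the entry is informational or was not checked` would make it clear that a plugin must not return `true` by default. The plugin interface and its implementations are outside this hunk, so each implementation's return value is worth checking against that rule.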
@@ -94,13 +94,14 @@ public void provideEdata(KdcRequest kdcRequest, PaData outPaData) throws KrbExce
 }
 }

- public void verify(KdcRequest kdcRequest, PaData paData) throws KrbException {
+ public boolean verify(KdcRequest kdcRequest, PaData paData) throws KrbException {
 for (PaDataEntry paEntry : paData.getElements()) {
 PreauthHandle handle = findHandle(kdcRequest, paEntry.getPaDataType());
- if (handle != null) {
- handle.verify(kdcRequest, paEntry);
+ if (handle != null && handle.verify(kdcRequest, paEntry)) {
+ return true;
 }
 }
+ return false;
 }

 public void providePaData(KdcRequest kdcRequest, PaData paData) {
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 9fe331a70..b9d873ea6 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
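Review bot: The loop in `PreauthHandler.verify` now returns on the first entry whose handle reports success, so the remaining PA-DATA entries are never passed to their handlers, whereas the removed loop visited every entry. If a handler records state on the request while verifying, or throws on a malformed entry (neither is visible in this hunk), entries placed after the first success would silently skip that processing. Accumulating the result keeps the old traversal: `boolean verified = false;` before the loop, `verified |= handle.verify(kdcRequest, paEntry);` inside the `handle != null` check, and `return verified;` at the end. If the early return is intended, a short comment saying that one verified entry is sufficient and later entries are deliberately ignored would record that decision.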
@@ -678,18 +678,16 @@ protected void preauth() throws KrbException {
 }
 PaData preAuthData = request.getPaData();
- if (preAuthData == null || preAuthData.isEmpty()) {
- if (isPreauthRequired()) {
- LOG.info("The preauth data is empty.");
- KrbError krbError = makePreAuthenticationError(kdcContext, request,
- KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
- throw new KdcRecoverableException(krbError);
- }
- } else {
- getPreauthHandler().verify(this, preAuthData);
+ if (preAuthData != null && !preAuthData.isEmpty()) {
+ boolean preAuthenticated = getPreauthHandler().verify(this, preAuthData);
+ setPreAuthenticated(preAuthenticated);
+ }
+ if (isPreauthRequired() && !isPreAuthenticated()) {
+ LOG.info("The preauth verification failed.");
+ KrbError krbError = makePreAuthenticationError(kdcContext, request,
+ KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
+ throw new KdcRecoverableException(krbError);
 }
-
- setPreAuthenticated(true);
 }

 /**
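Review bot: The final check in `preauth()` reads `isPreAuthenticated()` even when no PA-DATA was supplied, so on that path the result depends on the flag's initial value and on nothing earlier in the request having set it, neither of which the hunk shows. If no earlier step is meant to set the flag, computing the result locally and always storing it makes the fail-closed path explicit: `boolean preAuthenticated = preAuthData != null && !preAuthData.isEmpty() && getPreauthHandler().verify(this, preAuthData);` then `setPreAuthenticated(preAuthenticated);` and a test on the local. The single log line "The preauth verification failed." now also covers a client that sent no PA-DATA at all; logging the two cases with different messages would let operators tell an ordinary first AS-REQ from supplied data that did not verify. The start of `preauth()` lies above the hunk.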