com.dstc.security.kerberos.gssapi
Class GSSManager

java.lang.Object
  |
  +--org.ietf.jgss.GSSManager
        |
        +--com.dstc.security.kerberos.gssapi.GSSManager

public final class GSSManager
extends GSSManager

This class subclasses the org.ietf.jgss.GSSManager abstract class for the Kerberos mechanism. Its main purpose is to provide factory methods to obtain GSSName, GSSCredential and GSSContext objects in order to perform GSS API context establishment and message level protection.

An instance of this class can be obtained in two ways. The first is through the mechanism-independent getInstance() defined in the GSS API. The second is through a JCSI-specific constructor which takes a Kerberos instance as parameter.

Obtaining a valid GSSManager object using getInstance() is only valid for GSSAPI context initiators with a FileCredentialStore and context acceptors with a FileKeyTab (the standard MIT Kerberos V scenario). Applications with different needs should instead call the JCSI-specific constructor after suitably initializing a Kerberos instance.

Five system properties are consulted when calling getInstance():

  1. A jcsi.kerberos.principal property for the principal
  2. A jcsi.kerberos.realm property for the realm
  3. A jcsi.kerberos.KDChost property for the KDC host
  4. A jcsi.kerberos.ccache property for the location of the FileCredentialStore
  5. A jcsi.kerberos.keytab property for the location of the FileKeyTab

If jcsi.kerberos.principal is not set, the standard property java.user will be used in its place. If either jcsi.kerberos.realm or jcsi.kerberos.kdcHost is null, a RuntimeException will be thrown indicating a configuration error. Likewise if both the fourth and fifth properties are null.

See Also:
Kerberos

Field Summary
static Oid KRB5
          Kerberos mechanism OID
static int KRB5_CONF_QOP_DES
          Confidentiality with DES
static int KRB5_INTEG_QOP_DES_MAC
          Integrity using DES MAC of plaintext
static int KRB5_INTEG_QOP_DES_MD5
          Integrity using DES MAC of MD5 of plaintext
static int KRB5_INTEG_QOP_MD5
          Integrity using partial MD5 ("MD2.5") of plaintext
static Oid KRB5_NT_PRINCIPAL_NAME
          Kerberos-specific name type
 
Constructor Summary
GSSManager()
          Default constructor
GSSManager(Kerberos kerberos)
          Create a GSSManager using given Kerberos instance.
 
Method Summary
 void addProviderAtEnd(Provider p, Oid mech)
          This method is used to indicate to the GSSManager that the application would like a particular provider to be used if no other provider can be found that supports the given mechanism.
 void addProviderAtFront(Provider p, Oid mech)
          This method is used to indicate to the GSSManager that the application would like a particular provider to be used ahead of all others when support is desired for the given mechanism.
 GSSContext createContext(byte[] interProcessToken)
          Factory method for creating a previously exported context.
 GSSContext createContext(GSSCredential myCred)
          Factory method for creating a context on the acceptor's side.
 GSSContext createContext(GSSName peer, Oid mech, GSSCredential myCred, int lifetime)
          Factory method for creating a context on the initiator's side.
 GSSCredential createCredential(GSSName aName, int lifetime, Oid[] mechs, int usage)
          Factory method for acquiring credentials over a set of mechanisms.
 GSSCredential createCredential(GSSName aName, int lifetime, Oid mech, int usage)
          Factory method for acquiring a single mechanism credential.
 GSSCredential createCredential(int usage)
          Factory method for acquiring default credentials.
 GSSName createName(byte[] name, Oid nameType)
          Factory method to convert a byte array containing a name from the specified namespace to an GSSName object.
 GSSName createName(byte[] name, Oid nameType, Oid mech)
          Factory method to convert a byte array containing a name from the specified namespace to a GSSName object and canonicalize it at the same time for a mechanism.
 GSSName createName(String nameStr, Oid nameType)
          Factory method to convert a string name from the specified namespace to an GSSName object.
 GSSName createName(String nameStr, Oid nameType, Oid mech)
          Factory method to convert a string name from the specified namespace to a GSSName object and canonicalize it at the same time for a mechanism.
 Oid[] getMechs()
          Returns a list of mechanisms that are available to GSS-API callers through this GSSManager.
 Oid[] getMechsForName(Oid nameType)
          Returns a list of mechanisms that support the indicated name type.
 Oid[] getNamesForMech(Oid mech)
          Returns the name types supported by the indicated mechanism.
 
Methods inherited from class org.ietf.jgss.GSSManager
createOid, getInstance
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

KRB5

public static final Oid KRB5
Kerberos mechanism OID

KRB5_NT_PRINCIPAL_NAME

public static final Oid KRB5_NT_PRINCIPAL_NAME
Kerberos-specific name type

KRB5_INTEG_QOP_MD5

public static final int KRB5_INTEG_QOP_MD5
Integrity using partial MD5 ("MD2.5") of plaintext

KRB5_INTEG_QOP_DES_MD5

public static final int KRB5_INTEG_QOP_DES_MD5
Integrity using DES MAC of MD5 of plaintext

KRB5_INTEG_QOP_DES_MAC

public static final int KRB5_INTEG_QOP_DES_MAC
Integrity using DES MAC of plaintext

KRB5_CONF_QOP_DES

public static final int KRB5_CONF_QOP_DES
Confidentiality with DES
Constructor Detail

GSSManager

public GSSManager()
Default constructor

GSSManager

public GSSManager(Kerberos kerberos)
Create a GSSManager using given Kerberos instance.
Method Detail

getMechs

public Oid[] getMechs()
Description copied from class: GSSManager
Returns a list of mechanisms that are available to GSS-API callers through this GSSManager. The default GSSManager obtained from the getInstance() method includes the Oid "1.2.840.113554.1.2.2" in its list. This Oid identifies the Kerberos v5 GSS-API mechanism that is defined in RFC 1964.
Overrides:
getMechs in class GSSManager
Tags copied from class: GSSManager
Returns:
an array of Oid objects corresponding to the mechanisms that are available. A "null" value is returned when no mechanism are available (an example of this would be when mechanism are dynamically configured, and currently no mechanisms are installed).

getMechsForName

public Oid[] getMechsForName(Oid nameType)
Description copied from class: GSSManager

Returns a list of mechanisms that support the indicated name type.

The Kerberos v5 mechanism ("1.2.840.113554.1.2.2") will always be returned in this list when the indicated nametype is one of GSSName.NT_HOSTBASED_SERVICE, GSSName.NT_EXPORT_NAME, or "1.2.840.113554.1.2.2.1".

Overrides:
getMechsForName in class GSSManager
Tags copied from class: GSSManager
Parameters:
nameType - the Oid of the name type to look for.
Returns:
an array of Oid objects corresponding to the mechanisms that support the specified name type. null is returned when no mechanisms are found to support the specified name type.

getNamesForMech

public Oid[] getNamesForMech(Oid mech)
                      throws GSSException
Description copied from class: GSSManager

Returns the name types supported by the indicated mechanism.

The default GSSManager instance includes support for the Kerberos v5 mechanism. When this mechanism ("1.2.840.113554.1.2.2") is indicated, the returned list will contain at least the following nametypes: GSSName.NT_HOSTBASED_SERVICE, GSSName.NT_EXPORT_NAME, and the Kerberos v5 specific Oid "1.2.840.113554.1.2.2.1". The namespace for the Oid "1.2.840.113554.1.2.2.1" is defined in RFC 1964.

Overrides:
getNamesForMech in class GSSManager
Tags copied from class: GSSManager
Parameters:
mech - the Oid of the mechanism to query.
Returns:
an array of Oid objects corresponding to the nametypes that the mechanism supports.
Throws:
GSSException - containing the following major error codes: GSSException.BAD_MECH GSSException.FAILURE

createName

public GSSName createName(String nameStr,
                          Oid nameType)
                   throws GSSException
Description copied from class: GSSManager
Factory method to convert a string name from the specified namespace to an GSSName object. In general, the GSSName object created will contain multiple representations of the name, one for each mechanism that is supported; two examples that are exceptions to this are when the namespace type parameter indicates NT_EXPORT_NAME or when the GSS-API implementation is not multi-mechanism. It is not recommended to use this method with a NT_EXPORT_NAME type because representing a previously exported name consisting of arbitrary bytes as a String might cause problems with character encoding schemes. In such cases it is recommended that the bytes be passed in directly to the overloaded form of this method createName.
Overrides:
createName in class GSSManager
Tags copied from class: GSSManager
Parameters:
nameStr - the string representing a printable form of the name to create.
nameType - The Oid specifying the namespace of the printable name supplied. "null" can be used to specify that a mechanism specific default printable syntax should be assumed by each mechanism that examines nameStr.
Returns:
a GSSName representing the indicated principal
Throws:
GSSException - containing the following major error codes: GSSException.BAD_NAMETYPE, GSSException.BAD_NAME, GSSException.BAD_MECH, GSSException.FAILURE

createName

public GSSName createName(byte[] name,
                          Oid nameType)
                   throws GSSException
Description copied from class: GSSManager
Factory method to convert a byte array containing a name from the specified namespace to an GSSName object. In general, the GSSName object created will contain multiple representations of the name, one for each mechanism that is supported; two examples that are exceptions to this are when the namespace type parameter indicates NT_EXPORT_NAME or when the GSS-API implementation is not multi- mechanism. The bytes that are passed in are interpreted by each underlying mechanism according to some encoding scheme of its choice for the given nametype.
Overrides:
createName in class GSSManager
Tags copied from class: GSSManager
Parameters:
name - the byte array containing the name to create.
nameType - the Oid specifying the namespace of the name supplied in the byte array. "null" can be used to specify that a mechanism specific default syntax should be assumed by each mechanism that examines the byte array.
Returns:
a GSSName representing the indicated principal
Throws:
GSSException - containing the following major error codes: GSSException.BAD_NAMETYPE, GSSException.BAD_NAME, GSSException.BAD_MECH, GSSException.FAILURE

createName

public GSSName createName(String nameStr,
                          Oid nameType,
                          Oid mech)
                   throws GSSException
Description copied from class: GSSManager
Factory method to convert a string name from the specified namespace to a GSSName object and canonicalize it at the same time for a mechanism. In other words, this method is a utility that does the equivalent of two steps: the createName and then also the GSSName.canonicalize.
Overrides:
createName in class GSSManager
Tags copied from class: GSSManager
Parameters:
nameStr - the string representing a printable form of the name to create.
nameType - the Oid specifying the namespace of the printable name supplied. "null" can be used to specify that a mechanism specific default printable syntax should be assumed by each mechanism that examines nameStr. It is not advisable to use the nametype NT_EXPORT_NAME with this method.
mech - Oid specifying the mechanism for which the name should be canonicalized.
Returns:
a GSSName representing the indicated principal
Throws:
GSSException - containing the following major error codes: GSSException.BAD_NAMETYPE, GSSException.BAD_NAME, GSSException.BAD_MECH, GSSException.FAILURE

createName

public GSSName createName(byte[] name,
                          Oid nameType,
                          Oid mech)
                   throws GSSException
Description copied from class: GSSManager
Factory method to convert a byte array containing a name from the specified namespace to a GSSName object and canonicalize it at the same time for a mechanism. In other words, this method is a utility that does the equivalent of two steps: the createName and then also GSSName.canonicalize.
Overrides:
createName in class GSSManager
Tags copied from class: GSSManager
Parameters:
name - the byte array containing the name to create.
nameType - the Oid specifying the namespace of the name supplied in the byte array. "null" can be used to specify that a mechanism specific default syntax should be assumed by each mechanism that examines the byte array.
mech - Oid specifying the mechanism for which the name should be canonicalized.
Returns:
a GSSName representing the indicated principal
Throws:
GSSException - containing the following major error codes: GSSException.BAD_NAMETYPE, GSSException.BAD_NAME, GSSException.BAD_MECH, GSSException.FAILURE

createCredential

public GSSCredential createCredential(int usage)
                               throws GSSException
Description copied from class: GSSManager

Factory method for acquiring default credentials. This will cause the GSS-API to use system specific defaults for the set of mechanisms, name, and lifetime.

GSS-API implementations must impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. The kinds of permissions needed by different mechanism providers will be documented on a per-mechanism basis. A failed permission check might cause a SecurityException to be thrown from this method.

Overrides:
createCredential in class GSSManager
Tags copied from class: GSSManager
Parameters:
usage - the intended usage for this credential object. The value of this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE, GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
Returns:
a GSSCredential of the requested type.
Throws:
GSSException - containing the following major error codes: GSSException.BAD_MECH, GSSException.BAD_NAMETYPE, GSSException.BAD_NAME, GSSException.CREDENTIALS_EXPIRED, GSSException.NO_CRED, GSSException.FAILURE

createCredential

public GSSCredential createCredential(GSSName aName,
                                      int lifetime,
                                      Oid mech,
                                      int usage)
                               throws GSSException
Description copied from class: GSSManager

Factory method for acquiring a single mechanism credential.

GSS-API implementations must impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. The kinds of permissions needed by different mechanism providers will be documented on a per-mechanism basis. A failed permission check might cause a SecurityException to be thrown from this method.

Overrides:
createCredential in class GSSManager
Tags copied from class: GSSManager
Parameters:
name - the name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal.
lifetime - the number of seconds that credentials should remain valid. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
mech - the oid of the desired mechanism. Use "(Oid) null" to request the default mechanism.
usage - the intended usage for this credential object. The value of this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE, GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
Returns:
a GSSCredential of the requested type.
Throws:
GSSException - containing the following major error codes: GSSException.BAD_MECH, GSSException.BAD_NAMETYPE, GSSException.BAD_NAME, GSSException.CREDENTIALS_EXPIRED, GSSException.NO_CRED, GSSException.FAILURE

createCredential

public GSSCredential createCredential(GSSName aName,
                                      int lifetime,
                                      Oid[] mechs,
                                      int usage)
                               throws GSSException
Description copied from class: GSSManager

Factory method for acquiring credentials over a set of mechanisms. This method attempts to acquire credentials for each of the mechanisms specified in the array called mechs. To determine the list of mechanisms for which the acquisition of credentials succeeded, the caller should use the GSSCredential.getMechs method.

GSS-API implementations must impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. The kinds of permissions needed by different mechanism providers will be documented on a per-mechanism basis. A failed permission check might cause a SecurityException to be thrown from this method.

Overrides:
createCredential in class GSSManager
Tags copied from class: GSSManager
Parameters:
name - the name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal.
lifetime - the number of seconds that credentials should remain valid. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
mechs - an array of Oid's indicating the mechanisms over which the credential is to be acquired. Use (Oid[]) null for requesting a system specific default set of mechanisms.
usage - the intended usage for this credential object. The value of this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE, GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
Returns:
a GSSCredential of the requested type.
Throws:
GSSException - containing the following major error codes: GSSException.BAD_MECH, GSSException.BAD_NAMETYPE, GSSException.BAD_NAME, GSSException.CREDENTIALS_EXPIRED, GSSException.NO_CRED, GSSException.FAILURE

createContext

public GSSContext createContext(GSSName peer,
                                Oid mech,
                                GSSCredential myCred,
                                int lifetime)
                         throws GSSException
Description copied from class: GSSManager
Factory method for creating a context on the initiator's side. Some mechanism providers might require that the caller be granted permission to initiate a security context. A failed permission check might cause a SecurityException to be thrown from this method.
Overrides:
createContext in class GSSManager
Tags copied from class: GSSManager
Parameters:
peer - name of the target peer.
mech - the Oid of the desired mechanism. Use "null" to request default mechanism.
myCred - the credentials of the initiator. Use "null" to act as the default initiator principal.
lifetime - the lifetime, in seconds, requested for the context. Use GSSContext.INDEFINITE_LIFETIME to request that the context have the maximum permitted lifetime. Use GSSContext.DEFAULT_LIFETIME to request a default lifetime for the context.
Returns:
an unestablished GSSContext
Throws:
GSSException - containing the following major error codes: GSSException.NO_CRED GSSException.CREDENTIALS_EXPIRED GSSException.BAD_NAMETYPE GSSException.BAD_MECH GSSException.FAILURE

createContext

public GSSContext createContext(GSSCredential myCred)
                         throws GSSException
Description copied from class: GSSManager
Factory method for creating a context on the acceptor's side. The context's properties will be determined from the input token supplied to the accept method. Some mechanism providers might require that the caller be granted permission to accept a security context. A failed permission check might cause a SecurityException to be thrown from this method.
Overrides:
createContext in class GSSManager
Tags copied from class: GSSManager
Parameters:
myCred - the credentials for the acceptor. Use "null" to act as a default acceptor principal.
Returns:
an unestablished GSSContext.
Throws:
GSSException - containing the following major error codes: GSSException.NO_CRED GSSException.CREDENTIALS_EXPIRED GSSException.BAD_MECH GSSException.FAILURE

createContext

public GSSContext createContext(byte[] interProcessToken)
                         throws GSSException
Description copied from class: GSSManager

Factory method for creating a previously exported context. The context properties will be determined from the input token and cannot be modified through the set methods.

Implementations are not required to support the inter-process transfer of security contexts. Before exporting a context, calling the GSSContext.isTransferable will indicate if the context is transferable. Calling this method in an implementation that does not support it will result in a GSSException with the error code GSSException.UNAVAILABLE. Some mechanism providers might require that the caller be granted permission to initiate or accept a security context. A failed permission check might cause a SecurityException to be thrown from this method.

Overrides:
createContext in class GSSManager
Tags copied from class: GSSManager
Parameters:
interProcessToken - the token previously emitted from the export method.
Returns:
the previously established GSSContext.
Throws:
containing - the following major error codes: GSSException.NO_CONTEXT, GSSException.DEFECTIVE_TOKEN, GSSException.UNAVAILABLE, GSSException.UNAUTHORIZED, GSSException.FAILURE

addProviderAtFront

public void addProviderAtFront(Provider p,
                               Oid mech)
                        throws GSSException
Description copied from class: GSSManager

This method is used to indicate to the GSSManager that the application would like a particular provider to be used ahead of all others when support is desired for the given mechanism. When a value of null is used instead of an Oid for the mechanism, the GSSManager must use the indicated provider ahead of all others no matter what the mechanism is. Only when the indicated provider does not support the needed mechanism should the GSSManager move on to a different provider.

Calling this method repeatedly preserves the older settings but lowers them in preference thus forming an ordered list of provider and Oid pairs that grows at the top.

Calling addProviderAtFront with a null Oid will remove all previous preferences that were set for this provider in the GSSManager instance. Calling addProviderAtFront with a non-null Oid will remove any previous preference that was set using this mechanism and this provider together.

If the GSSManager implementation does not support an SPI with a pluggable provider architecture it should throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.

Suppose an application desired that the provider A always be checked first when any mechanism is needed, it would call:

   GSSManager mgr = GSSManager.getInstance();
   // mgr may at this point have its own pre-configured list
   // of provider preferences. The following will prepend to
   // any such list:

   mgr.addProviderAtFront(A, null);
 

Now if it also desired that the mechanism of Oid m1 always be obtained from the provider B before the previously set A was checked, it would call:

   mgr.addProviderAtFront(B, m1);
 

The GSSManager would then first check with B if m1 was needed. In case B did not provide support for m1, the GSSManager would continue on to check with A. If any mechanism m2 is needed where m2 is different from m1 then the GSSManager would skip B and check with A directly.

Suppose at a later time the following call is made to the same GSSManager instance:

   mgr.addProviderAtFront(B, null)
 

then the previous setting with the pair (B, m1) is subsumed by this and should be removed. Effectively the list of preferences now becomes {(B, null), (A, null), ... //followed by the pre-configured list.

Please note, however, that the following call:

   mgr.addProviderAtFront(A, m3)
 

does not subsume the previous setting of (A, null) and the list will effectively become {(A, m3), (B, null), (A, null), ...}

Overrides:
addProviderAtFront in class GSSManager
Tags copied from class: GSSManager
Parameters:
p - the provider instance that should be used whenever support is needed for mech.
mech - the mechanism for which the provider is being set.
Throws:
GSSException - containing the following major error codes: GSSException.UNAVAILABLE, GSSException.FAILURE

addProviderAtEnd

public void addProviderAtEnd(Provider p,
                             Oid mech)
                      throws GSSException
Description copied from class: GSSManager

This method is used to indicate to the GSSManager that the application would like a particular provider to be used if no other provider can be found that supports the given mechanism. When a value of null is used instead of an Oid for the mechanism, the GSSManager must use the indicated provider for any mechanism.

Calling this method repeatedly preserves the older settings but raises them above newer ones in preference thus forming an ordered list of providers and Oid pairs that grows at the bottom. Thus the older provider settings will be utilized first before this one is.

If there are any previously existing preferences that conflict with the preference being set here, then the GSSManager should ignore this request.

If the GSSManager implementation does not support an SPI with a pluggable provider architecture it should throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.

Suppose an application desired that when a mechanism of Oid m1 is needed the system default providers always be checked first, and only when they do not support m1 should a provider A be checked. It would then make the call:

   GSSManager mgr = GSSManager.getInstance();
   mgr.addProviderAtEnd(A, m1);
 

Now, if it also desired that for all mechanisms the provider B be checked after all configured providers have been checked, it would then call:

   mgr.addProviderAtEnd(B, null);
 

Effectively the list of preferences now becomes {..., (A, m1), (B, null)}.

Suppose at a later time the following call is made to the same GSSManager instance:

   mgr.addProviderAtEnd(B, m2)
 

then the previous setting with the pair (B, null) subsumes this and therefore this request should be ignored. The same would happen if a request is made for the already existing pairs of (A, m1) or (B, null).

Please note, however, that the following call:

   mgr.addProviderAtEnd(A, null)
 

is not subsumed by the previous setting of (A, m1) and the list will effectively become {..., (A, m1), (B, null), (A, null)}

Overrides:
addProviderAtEnd in class GSSManager
Tags copied from class: GSSManager
Parameters:
p - the provider instance that should be used whenever support is needed for mech.
mech - the mechanism for which the provider is being set.
Throws:
GSSException - containing the following major error codes: GSSException.UNAVAILABLE, GSSException.FAILURE