com.dstc.security.kerberos
Interface Ticket


public interface Ticket
extends EncryptedPart

An interface to a Kerberos v5 Ticket, special cases of which are Ticket Granting Tickets (TGTs) and service Tickets.

Kerberos Tickets are presented to the Kerberos Ticket Granting Service (in the case of a TGT) or to Kerberized application services (in the case of service Tickets). A Ticket contains a non-encrypted part, which includes the realm and principal names of the target service, and an encrypted part, which includes the realm and principal names of the client and the session key shared by the client and the service. The encrypted part is encrypted in the long-term key of the target service; for a TGT the target service is the Ticket Granting Service itself, so a TGT is encrypted in the KDC's own krbtgt key and its contents are not readable by the client that holds it.

The Kerberos Ticket structure is defined in RFC 1510 (since superseded by RFC 4120, which keeps the same fields) as

    Ticket ::=   [APPLICATION 1] SEQUENCE {
                    tkt-vno[0]                   INTEGER,
                    realm[1]                     Realm,
                    sname[2]                     PrincipalName,
                    enc-part[3]                  EncryptedData
                 }

    -- Encrypted part of ticket
    EncTicketPart ::= [APPLICATION 3] SEQUENCE {
                      flags[0]             TicketFlags,
                      key[1]               EncryptionKey,
                      crealm[2]            Realm,
                      cname[3]             PrincipalName,
                      transited[4]         TransitedEncoding,
                      authtime[5]          KerberosTime,
                      starttime[6]         KerberosTime OPTIONAL,
                      endtime[7]           KerberosTime,
                      renew-till[8]        KerberosTime OPTIONAL,
                      caddr[9]             HostAddresses OPTIONAL,
                      authorization-data[10]   AuthorizationData OPTIONAL
                    }
 

This interface allows examination of all Ticket fields. However, if the Ticket has not yet been decrypted with the target service's long-term key, calling the getter for any field of the encrypted part will throw a NotYetDecryptedException; only getRealm(), getServerName() and getEncoded() can be used on an undecrypted Ticket. These methods are primarily for the use of Kerberized services, which hold the long-term key. A client of such a service never holds that key and should treat a Ticket as an opaque blob to be forwarded to the service unchanged.
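The structure above, parsed and checked in working code. This is an added example written for this page, not code from the JCSI library (com.dstc.security.kerberos); it is in Python rather than the library's Java so that it runs stand-alone with no dependencies, and all names in it (parse_ticket, parse_enc_ticket_part, service_accepts_ticket, renewable_until, the sample constants) are this example's own. The sample Ticket and EncTicketPart are constructed in the code, not captured from a KDC, and the enc-part cipher bytes are a placeholder: decryption with the service's long-term key is the step the library's initDecrypt/decrypt perform and is not reproduced here, so parse_enc_ticket_part is fed the plaintext directly and rejects the still-encrypted bytes, which is the situation NotYetDecryptedException signals. The acceptance check mirrors the semantics documented on this page (start time defaulting to the authentication time, empty caddr meaning valid from all locations, renew-till only meaningful when RENEWABLE is set) plus the rejection of tickets carrying the INVALID flag, which comes from RFC 4120 section 3.2.3 rather than from this page.

```python
# Added example, not JCSI library code: DER-parse a Kerberos v5 Ticket / EncTicketPart and apply the
# validity rules documented above. The sample is CONSTRUCTED here (not from a KDC); nothing here encrypts.
import datetime as dt
import ipaddress
UTC = dt.timezone.utc
FLAG_NAMES = ["reserved", "forwardable", "forwarded", "proxiable", "proxy", "may-postdate",
              "postdated", "invalid", "renewable", "initial", "pre-authent", "hw-authent"]

# Minimal DER encoder, used only to build the constructed sample.
def _length(n):
    k = (n.bit_length() + 7) // 8
    return bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
def tlv(tag, body): return bytes([tag]) + _length(len(body)) + body
def ctx(n, body): return tlv(0xA0 | n, body)         # [n] EXPLICIT (Kerberos tags are explicit)
def app(n, body): return tlv(0x60 | n, body)         # [APPLICATION n]
def seq(*items): return tlv(0x30, b"".join(items))
def integer(v): return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def gstring(s): return tlv(0x1B, s.encode("ascii"))  # GeneralString (Realm, name-string)
def octets(b): return tlv(0x04, b)
def ktime(t): return tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())  # KerberosTime
def principal(name_type, *parts): return seq(ctx(0, integer(name_type)), ctx(1, seq(*map(gstring, parts))))
def flags(*names):                                   # TicketFlags: 32-bit BIT STRING, bit 0 = MSB
    return tlv(0x03, b"\x00" + sum(1 << (31 - FLAG_NAMES.index(n)) for n in names).to_bytes(4, "big"))

AUTHTIME = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=UTC)
SAMPLE_ENC_PART = app(3, seq(                        # EncTicketPart ::= [APPLICATION 3] SEQUENCE
    ctx(0, flags("forwardable", "renewable", "initial", "pre-authent")),
    ctx(1, seq(ctx(0, integer(18)), ctx(1, octets(b"\x11" * 32)))),  # EncryptionKey, etype 18 (AES-256)
    ctx(2, gstring("EXAMPLE.COM")),                  # crealm
    ctx(3, principal(1, "alice")),                   # cname, NT-PRINCIPAL
    ctx(4, seq(ctx(0, integer(1)), ctx(1, octets(b"")))),  # transited, empty
    ctx(5, ktime(AUTHTIME)),                         # authtime; starttime [6] deliberately absent
    ctx(7, ktime(AUTHTIME + dt.timedelta(hours=10))),        # endtime
    ctx(8, ktime(AUTHTIME + dt.timedelta(days=7))),          # renew-till
    ctx(9, seq(seq(ctx(0, integer(2)), ctx(1, octets(bytes([192, 0, 2, 10]))))))))  # caddr: one IPv4
SAMPLE_TICKET = app(1, seq(                          # Ticket ::= [APPLICATION 1] SEQUENCE
    ctx(0, integer(5)),                              # tkt-vno
    ctx(1, gstring("EXAMPLE.COM")),                  # realm of the target service
    ctx(2, principal(2, "krbtgt", "EXAMPLE.COM")),   # sname, NT-SRV-INST: this one is a TGT
    ctx(3, seq(ctx(0, integer(18)), ctx(1, integer(3)), ctx(2, octets(b"\x00" * 16))))))  # EncryptedData

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]; reject lengths past the end."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long form: next k bytes hold the length
        k = ln & 0x7F; ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf): raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln

def members(body):
    """All TLVs packed in a SEQUENCE body, as (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos); out.append((tag, content))
    return out

def fields(body):
    """Map context tag number [n] -> content of the single TLV it explicitly wraps."""
    out = {}
    for tag, content in members(body):
        if tag & 0xE0 != 0xA0: raise ValueError("expected an explicitly tagged field, got 0x%02x" % tag)
        out[tag & 0x1F] = read_tlv(content)[1]
    return out

def as_int(b): return int.from_bytes(b, "big", signed=True)
def as_time(b): return dt.datetime.strptime(b.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)
def as_principal(body): f = fields(body); return as_int(f[0]), [c.decode() for _, c in members(f[1])]
def as_flags(b):                                     # b[0] = unused-bit count, then the bit bytes
    nbits = (len(b) - 1) * 8 - b[0]
    return {FLAG_NAMES[i] for i in range(min(nbits, len(FLAG_NAMES))) if b[1 + i // 8] >> (7 - i % 8) & 1}

def parse_ticket(der):
    """The cleartext part: anyone holding the blob can read the target service's realm and name."""
    tag, body, _ = read_tlv(der)
    if tag != 0x61: raise ValueError("not an [APPLICATION 1] Ticket")
    f = fields(read_tlv(body)[1]); enc = fields(f[3])
    return {"tkt_vno": as_int(f[0]), "realm": f[1].decode(), "sname": as_principal(f[2]),
            "etype": as_int(enc[0]), "kvno": as_int(enc[1]) if 1 in enc else None, "cipher": enc[2]}

def parse_enc_ticket_part(plain):
    """EncTicketPart AFTER decryption with the service's long-term key; the raw cipher is rejected."""
    tag, body, _ = read_tlv(plain)
    if tag != 0x63: raise ValueError("not an [APPLICATION 3] EncTicketPart (still encrypted?)")
    f = fields(read_tlv(body)[1]); key = fields(f[1])
    return {"flags": as_flags(f[0]), "key": (as_int(key[0]), key[1]), "crealm": f[2].decode(),
            "cname": as_principal(f[3]), "authtime": as_time(f[5]),
            "starttime": as_time(f[6]) if 6 in f else None, "endtime": as_time(f[7]),
            "renew_till": as_time(f[8]) if 8 in f else None,   # HostAddress.address: 4 or 16 raw octets
            "caddr": [ipaddress.ip_address(fields(h)[1]) for _, h in members(f[9])] if 9 in f else []}

def service_accepts_ticket(enc, now, client_addr):
    """Service-side check: live (start defaults to authtime if starttime absent, endtime is a hard stop),
    not flagged INVALID, and caddr either empty (valid from all locations) or listing the peer."""
    start = enc["starttime"] or enc["authtime"]
    if not (start <= now < enc["endtime"]) or "invalid" in enc["flags"]: return False
    return not enc["caddr"] or client_addr in enc["caddr"]

def renewable_until(enc):
    """renew-till only matters when RENEWABLE is set; otherwise the ticket is dead at endtime."""
    return enc["renew_till"] if "renewable" in enc["flags"] else None
```

parse_ticket works on the raw blob and recovers exactly what this page says is readable without the key: tkt-vno, the service realm and name, and the EncryptedData envelope (etype, kvno, cipher). Everything else needs the plaintext EncTicketPart, and handing the parser the cipher bytes instead raises, mirroring the NotYetDecryptedException contract of the getters below. Note that the check uses `start <= now < endtime`, so a ticket whose endtime equals the current second is already expired.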

See Also:
Kerberos

Method Summary
 AuthorizationDataElement[] getAuthData()
          Returns all the authorization data for this Ticket.
 Date getAuthTime()
          Returns the time of initial authentication for this Ticket
 InetAddress[] getClientAddresses()
          Returns all client addresses for which this Ticket is valid.
 PrincipalName getClientName()
          Returns the client's principal name for this Ticket
 String getClientRealm()
          Returns the client's realm for this Ticket
 byte[] getEncoded()
          Returns the ASN.1 DER encoding for this Ticket
 Date getEndTime()
          Returns the expiration time for this Ticket
 EncryptionKey getKey()
          Returns the session key in this Ticket
 String getRealm()
          Returns the service realm for this Ticket
 Date getRenewTill()
          Returns the absolute expiration time for this Ticket, including renewals, or null if absent.
 PrincipalName getServerName()
          Returns the service principal name for this Ticket
 Date getStartTime()
          Returns the time after which this Ticket is valid, or null if absent, in which case the initial authentication time is the effective start time.
 TicketFlags getTicketFlags()
          Returns the ticket flags for this Ticket
 String[] getTransited()
          Returns the names of the realms which took part in authenticating the user to whom this Ticket was issued.
 boolean isValid()
          Returns true if this Ticket is valid at the time this method call is made, i.e. the current time falls within the Ticket's validity period (see getStartTime and getEndTime).
 
Methods inherited from interface com.dstc.security.kerberos.msg.EncryptedPart
decrypt, encryptionType, initDecrypt
 

Method Detail

getRealm

public String getRealm()
Returns the service realm for this Ticket

getServerName

public PrincipalName getServerName()
Returns the service principal name for this Ticket

getTicketFlags

public TicketFlags getTicketFlags()
                           throws NotYetDecryptedException
Returns the ticket flags for this Ticket
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getKey

public EncryptionKey getKey()
                     throws NotYetDecryptedException
Returns the session key in this Ticket
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getClientRealm

public String getClientRealm()
                      throws NotYetDecryptedException
Returns the client's realm for this Ticket
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getClientName

public PrincipalName getClientName()
                            throws NotYetDecryptedException
Returns the client's principal name for this Ticket
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getTransited

public String[] getTransited()
                      throws NotYetDecryptedException
Returns the names of the realms which took part in authenticating the user to whom this Ticket was issued.
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getAuthTime

public Date getAuthTime()
                 throws NotYetDecryptedException
Returns the time of initial authentication for this Ticket
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getStartTime

public Date getStartTime()
                  throws NotYetDecryptedException
Returns the time after which this Ticket is valid, or null if absent, in which case the initial authentication time is the effective start time. A future start time is what a postdated Ticket carries: such a Ticket is not yet usable even though it has already been issued.
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getEndTime

public Date getEndTime()
                throws NotYetDecryptedException
Returns the expiration time for this Ticket
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

isValid

public boolean isValid()
                throws NotYetDecryptedException
Returns true if this Ticket is valid at the time this method call is made, i.e. the current time falls within the Ticket's validity period: on or after the start time (or the initial authentication time, if no start time is present) and before the expiration time returned by getEndTime(). Since this depends on the local clock, a service whose clock is skewed from the KDC may accept an expired Ticket or reject a live one.
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getRenewTill

public Date getRenewTill()
                  throws NotYetDecryptedException
Returns the absolute expiration time for this Ticket, including renewals, or null if absent. This is relevant only if this Ticket has been marked RENEWABLE in the TicketFlags; without that flag the Ticket cannot be renewed past the time returned by getEndTime(), whatever value renew-till holds.
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getClientAddresses

public InetAddress[] getClientAddresses()
                                 throws NotYetDecryptedException
Returns all client addresses for which this Ticket is valid. Only Internet addresses are supported in this release. If zero addresses are returned, this Ticket is valid from all locations.
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getAuthData

public AuthorizationDataElement[] getAuthData()
                                       throws NotYetDecryptedException
Returns all the authorization data for this Ticket.
Throws:
NotYetDecryptedException - if this Ticket has not been decrypted

getEncoded

public byte[] getEncoded()
                  throws KerberosException
Returns the ASN.1 DER encoding for this Ticket