|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object | +--org.ietf.jgss.GSSManager | +--com.dstc.security.kerberos.gssapi.GSSManager
This class subclasses the org.ietf.jgss.GSSManager abstract class for the Kerberos mechanism. Its main purpose is to provide factory methods to obtain GSSName, GSSCredential and GSSContext objects in order to perform GSS API context establishment and message level protection.
An instance of this class can be obtained in two ways. The first is through the mechanism-independent getInstance() defined in the GSS API. The second is through a JCSI-specific constructor which takes a Kerberos instance as parameter.
Obtaining a valid GSSManager object using getInstance() is only valid for GSSAPI context initiators with a FileCredentialStore and context acceptors with a FileKeyTab (the standard MIT Kerberos V scenario). Applications with different needs should instead call the JCSI-specific constructor after suitably initializing a Kerberos instance.
Five system properties are consulted when calling getInstance():
jcsi.kerberos.principal
property for the principal
jcsi.kerberos.realm
property for the realm
jcsi.kerberos.KDChost
property for the KDC host
jcsi.kerberos.ccache
property for the location of
the FileCredentialStore
jcsi.kerberos.keytab
property for the location of
the FileKeyTab
If jcsi.kerberos.principal
is not set, the standard property
java.user
will be used in its place. If either
jcsi.kerberos.realm
or jcsi.kerberos.kdcHost
is null, a
RuntimeException will be thrown
indicating a configuration error. Likewise if both the fourth and
fifth properties are null.
Kerberos
Field Summary | |
static Oid |
KRB5
Kerberos mechanism OID |
static int |
KRB5_CONF_QOP_DES
Confidentiality with DES |
static int |
KRB5_INTEG_QOP_DES_MAC
Integrity using DES MAC of plaintext |
static int |
KRB5_INTEG_QOP_DES_MD5
Integrity using DES MAC of MD5 of plaintext |
static int |
KRB5_INTEG_QOP_MD5
Integrity using partial MD5 ("MD2.5") of plaintext |
static Oid |
KRB5_NT_PRINCIPAL_NAME
Kerberos-specific name type |
Constructor Summary | |
GSSManager()
Default constructor |
|
GSSManager(Kerberos kerberos)
Create a GSSManager using given Kerberos instance. |
Method Summary | |
void |
addProviderAtEnd(Provider p,
Oid mech)
This method is used to indicate to the GSSManager that the application would like a particular provider to be used if no other provider can be found that supports the given mechanism. |
void |
addProviderAtFront(Provider p,
Oid mech)
This method is used to indicate to the GSSManager that the application would like a particular provider to be used ahead of all others when support is desired for the given mechanism. |
GSSContext |
createContext(byte[] interProcessToken)
Factory method for creating a previously exported context. |
GSSContext |
createContext(GSSCredential myCred)
Factory method for creating a context on the acceptor's side. |
GSSContext |
createContext(GSSName peer,
Oid mech,
GSSCredential myCred,
int lifetime)
Factory method for creating a context on the initiator's side. |
GSSCredential |
createCredential(GSSName aName,
int lifetime,
Oid[] mechs,
int usage)
Factory method for acquiring credentials over a set of mechanisms. |
GSSCredential |
createCredential(GSSName aName,
int lifetime,
Oid mech,
int usage)
Factory method for acquiring a single mechanism credential. |
GSSCredential |
createCredential(int usage)
Factory method for acquiring default credentials. |
GSSName |
createName(byte[] name,
Oid nameType)
Factory method to convert a byte array containing a name from the specified namespace to an GSSName object. |
GSSName |
createName(byte[] name,
Oid nameType,
Oid mech)
Factory method to convert a byte array containing a name from the specified namespace to a GSSName object and canonicalize it at the same time for a mechanism. |
GSSName |
createName(String nameStr,
Oid nameType)
Factory method to convert a string name from the specified namespace to an GSSName object. |
GSSName |
createName(String nameStr,
Oid nameType,
Oid mech)
Factory method to convert a string name from the specified namespace to a GSSName object and canonicalize it at the same time for a mechanism. |
Oid[] |
getMechs()
Returns a list of mechanisms that are available to GSS-API callers through this GSSManager. |
Oid[] |
getMechsForName(Oid nameType)
Returns a list of mechanisms that support the indicated name type. |
Oid[] |
getNamesForMech(Oid mech)
Returns the name types supported by the indicated mechanism. |
Methods inherited from class org.ietf.jgss.GSSManager |
getInstance |
Methods inherited from class java.lang.Object |
clone,
equals,
finalize,
getClass,
hashCode,
notify,
notifyAll,
toString,
wait,
wait,
wait |
Field Detail |
public static final Oid KRB5
public static final Oid KRB5_NT_PRINCIPAL_NAME
public static final int KRB5_INTEG_QOP_MD5
public static final int KRB5_INTEG_QOP_DES_MD5
public static final int KRB5_INTEG_QOP_DES_MAC
public static final int KRB5_CONF_QOP_DES
Constructor Detail |
public GSSManager()
public GSSManager(Kerberos kerberos)
Method Detail |
public Oid[] getMechs()
public Oid[] getMechsForName(Oid nameType)
Returns a list of mechanisms that support the indicated name type.
The Kerberos v5 mechanism ("1.2.840.113554.1.2.2") will always be returned in this list when the indicated nametype is one of GSSName.NT_HOSTBASED_SERVICE, GSSName.NT_EXPORT_NAME, or "1.2.840.113554.1.2.2.1".
nameType
- the Oid of the name type to look for.public Oid[] getNamesForMech(Oid mech) throws GSSException
Returns the name types supported by the indicated mechanism.
The default GSSManager instance includes support for the Kerberos v5 mechanism. When this mechanism ("1.2.840.113554.1.2.2") is indicated, the returned list will contain at least the following nametypes: GSSName.NT_HOSTBASED_SERVICE, GSSName.NT_EXPORT_NAME, and the Kerberos v5 specific Oid "1.2.840.113554.1.2.2.1". The namespace for the Oid "1.2.840.113554.1.2.2.1" is defined in RFC 1964.
mech
- the Oid of the mechanism to query.public GSSName createName(String nameStr, Oid nameType) throws GSSException
nameStr
- the string representing a printable form of the name to
create.nameType
- The Oid specifying the namespace of the printable name
supplied. "null" can be used to specify that a mechanism specific
default printable syntax should be assumed by each mechanism that
examines nameStr.public GSSName createName(byte[] name, Oid nameType) throws GSSException
name
- the byte array containing the name to create.nameType
- the Oid specifying the namespace of the name supplied in
the byte array. "null" can be used to specify that a mechanism
specific default syntax should be assumed by each mechanism that
examines the byte array.public GSSName createName(String nameStr, Oid nameType, Oid mech) throws GSSException
nameStr
- the string representing a printable form of the name to
create.nameType
- the Oid specifying the namespace of the printable name
supplied. "null" can be used to specify that a mechanism specific
default printable syntax should be assumed by each mechanism that
examines nameStr. It is not advisable to use the nametype
NT_EXPORT_NAME with this method.mech
- Oid specifying the mechanism for which the name should be
canonicalized.public GSSName createName(byte[] name, Oid nameType, Oid mech) throws GSSException
name
- the byte array containing the name to create.nameType
- the Oid specifying the namespace of the name supplied in
the byte array. "null" can be used to specify that a mechanism
specific default syntax should be assumed by each mechanism that
examines the byte array.mech
- Oid specifying the mechanism for which the name should be
canonicalized.public GSSCredential createCredential(int usage) throws GSSException
Factory method for acquiring default credentials. This will cause the GSS-API to use system specific defaults for the set of mechanisms, name, and lifetime.
GSS-API implementations must impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. The kinds of permissions needed by different mechanism providers will be documented on a per-mechanism basis. A failed permission check might cause a SecurityException to be thrown from this method.
usage
- the intended usage for this credential object. The value of
this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLYpublic GSSCredential createCredential(GSSName aName, int lifetime, Oid mech, int usage) throws GSSException
Factory method for acquiring a single mechanism credential.
GSS-API implementations must impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. The kinds of permissions needed by different mechanism providers will be documented on a per-mechanism basis. A failed permission check might cause a SecurityException to be thrown from this method.
name
- the name of the principal for whom this credential is to be
acquired. Use "null" to specify the default principal.lifetime
- the number of seconds that credentials should remain
valid. Use GSSCredential.INDEFINITE_LIFETIME to request that the
credentials have the maximum permitted lifetime. Use
GSSCredential.DEFAULT_LIFETIME to request default credential
lifetime.mech
- the oid of the desired mechanism. Use "(Oid) null" to
request the default mechanism.usage
- the intended usage for this credential object. The value of
this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLYpublic GSSCredential createCredential(GSSName aName, int lifetime, Oid[] mechs, int usage) throws GSSException
Factory method for acquiring credentials over a set of mechanisms. This method attempts to acquire credentials for each of the mechanisms specified in the array called mechs. To determine the list of mechanisms for which the acquisition of credentials succeeded, the caller should use the GSSCredential.getMechs method.
GSS-API implementations must impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. The kinds of permissions needed by different mechanism providers will be documented on a per-mechanism basis. A failed permission check might cause a SecurityException to be thrown from this method.
name
- the name of the principal for whom this credential is to be
acquired. Use "null" to specify the default principal.lifetime
- the number of seconds that credentials should remain
valid. Use GSSCredential.INDEFINITE_LIFETIME to request that the
credentials have the maximum permitted lifetime. Use
GSSCredential.DEFAULT_LIFETIME to request default credential
lifetime.mechs
- an array of Oid's indicating the mechanisms over which the
credential is to be acquired. Use (Oid[]) null for requesting a
system specific default set of mechanisms.usage
- the intended usage for this credential object. The value of
this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLYpublic GSSContext createContext(GSSName peer, Oid mech, GSSCredential myCred, int lifetime) throws GSSException
peer
- name of the target peer.mech
- the Oid of the desired mechanism. Use "null" to request
default mechanism.myCred
- the credentials of the initiator. Use "null" to act as the
default initiator principal.lifetime
- the lifetime, in seconds, requested for the context. Use
GSSContext.INDEFINITE_LIFETIME to request that the context have
the maximum permitted lifetime. Use GSSContext.DEFAULT_LIFETIME
to request a default lifetime for the context.public GSSContext createContext(GSSCredential myCred) throws GSSException
myCred
- the credentials for the acceptor. Use "null" to act as a
default acceptor principal.public GSSContext createContext(byte[] interProcessToken) throws GSSException
Factory method for creating a previously exported context. The context properties will be determined from the input token and cannot be modified through the set methods.
Implementations are not required to support the inter-process transfer of security contexts. Before exporting a context, calling the GSSContext.isTransferable will indicate if the context is transferable. Calling this method in an implementation that does not support it will result in a GSSException with the error code GSSException.UNAVAILABLE. Some mechanism providers might require that the caller be granted permission to initiate or accept a security context. A failed permission check might cause a SecurityException to be thrown from this method.
interProcessToken
- the token previously emitted from the export
method.public void addProviderAtFront(Provider p, Oid mech) throws GSSException
This method is used to indicate to the GSSManager that the application would like a particular provider to be used ahead of all others when support is desired for the given mechanism. When a value of null is used instead of an Oid for the mechanism, the GSSManager must use the indicated provider ahead of all others no matter what the mechanism is. Only when the indicated provider does not support the needed mechanism should the GSSManager move on to a different provider.
Calling this method repeatedly preserves the older settings but lowers them in preference thus forming an ordered list of provider and Oid pairs that grows at the top.
Calling addProviderAtFront with a null Oid will remove all previous preferences that were set for this provider in the GSSManager instance. Calling addProviderAtFront with a non-null Oid will remove any previous preference that was set using this mechanism and this provider together.
If the GSSManager implementation does not support an SPI with a pluggable provider architecture it should throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.
Suppose an application desired that the provider A always be checked first when any mechanism is needed, it would call:
GSSManager mgr = GSSManager.getInstance(); // mgr may at this point have its own pre-configured list // of provider preferences. The following will prepend to // any such list: mgr.addProviderAtFront(A, null);
Now if it also desired that the mechanism of Oid m1 always be obtained from the provider B before the previously set A was checked, it would call:
mgr.addProviderAtFront(B, m1);
The GSSManager would then first check with B if m1 was needed. In case B did not provide support for m1, the GSSManager would continue on to check with A. If any mechanism m2 is needed where m2 is different from m1 then the GSSManager would skip B and check with A directly.
Suppose at a later time the following call is made to the same GSSManager instance:
mgr.addProviderAtFront(B, null)
then the previous setting with the pair (B, m1) is subsumed by this and should be removed. Effectively the list of preferences now becomes {(B, null), (A, null), ... //followed by the pre-configured list.
Please note, however, that the following call:
mgr.addProviderAtFront(A, m3)
does not subsume the previous setting of (A, null) and the list will effectively become {(A, m3), (B, null), (A, null), ...}
p
- the provider instance that should be used whenever support is
needed for mech.mech
- the mechanism for which the provider is being set.public void addProviderAtEnd(Provider p, Oid mech) throws GSSException
This method is used to indicate to the GSSManager that the application would like a particular provider to be used if no other provider can be found that supports the given mechanism. When a value of null is used instead of an Oid for the mechanism, the GSSManager must use the indicated provider for any mechanism.
Calling this method repeatedly preserves the older settings but raises them above newer ones in preference thus forming an ordered list of providers and Oid pairs that grows at the bottom. Thus the older provider settings will be utilized first before this one is.
If there are any previously existing preferences that conflict with the preference being set here, then the GSSManager should ignore this request.
If the GSSManager implementation does not support an SPI with a pluggable provider architecture it should throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.
Suppose an application desired that when a mechanism of Oid m1 is needed the system default providers always be checked first, and only when they do not support m1 should a provider A be checked. It would then make the call:
GSSManager mgr = GSSManager.getInstance(); mgr.addProviderAtEnd(A, m1);
Now, if it also desired that for all mechanisms the provider B be checked after all configured providers have been checked, it would then call:
mgr.addProviderAtEnd(B, null);
Effectively the list of preferences now becomes {..., (A, m1), (B, null)}.
Suppose at a later time the following call is made to the same GSSManager instance:
mgr.addProviderAtEnd(B, m2)
then the previous setting with the pair (B, null) subsumes this and therefore this request should be ignored. The same would happen if a request is made for the already existing pairs of (A, m1) or (B, null).
Please note, however, that the following call:
mgr.addProviderAtEnd(A, null)
is not subsumed by the previous setting of (A, m1) and the list will effectively become {..., (A, m1), (B, null), (A, null)}
p
- the provider instance that should be used whenever support is
needed for mech.mech
- the mechanism for which the provider is being set.
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: INNER | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |