Package com.dstc.security.kerberos

This package defines the main Kerberos 5 interfaces and classes.

Interface Summary
AuthorizationDataElement An interface to a Kerberos authorization data component.
EncryptionKey An interface to a Kerberos encryption key, which includes a key type, and a key value.
PaData An interface to pre-authentication data passed to an Authentication or Ticket Granting service in a ticket request or returned from the service in a response.
Ticket An interface to a Kerberos v5 Ticket, special cases of which are Ticket Granting Tickets (TGTs) and service Tickets.
TicketFlags An interface to a Kerberos Ticket's ticket flags, indicating which ticket options were used or requested when the ticket was issued.

Class Summary
APOptions A class to represent options which can be set with an application request to affect the way it is processed by the recipient.
Checksum A class representing a Kerberos checksum.
FileCredentialStore An implementation of CredentialStore for MIT v5 credential caches.
FileKeyTab A KeyTab implementing the MIT v5 keytab.
KDCOptions A class to represent options for flags to be set in a ticket to be requested from an Authentication Service or a Ticket Granting Service.
Kerberos This is the main class and point of entry to the kerberos package, providing Kerberos-level services to both Kerberos clients and servers.
KerberosContext A class for storing contextual information required by a Kerberos instance.
KerberosKey An implementation of EncryptionKey for use in initial authentication.
LastReqElement A class to represent a component of a LastReq sent by an Authentication Service or a Ticket Granting Service in response to a ticket request.
PaEncTimestamp A concrete PaData implementation class for encrypted timestamp pre-authentication.
PrincipalName A class representing a Kerberos principal's name.

Exception Summary
CryptoException An exception for general cryptographic failures in Kerberos.
DecryptionException An exception indicating a decryption failure.
KerberosError An Exception for an abnormal condition indicated by the receipt of a KrbError message from the KDC or a Kerberized application.
KerberosException An exception representing an exceptional condition in using the Kerberos service.
NotYetDecryptedException An exception thrown when access is made to a field belonging to the encrypted part of a message before a successful decryption is performed.

Package com.dstc.security.kerberos Description

Kerberos 5 is defined in IETF RFC 1510 "The Kerberos Network Authentication Service (V5)".

The main classes in this package are Kerberos, which supplies ticket-requesting methods and a point of entry into the GSS-API implementation; KerberosContext, which stores the contextual information Kerberos needs; and FileCredentialStore and FileKeyTab, which implement MIT Kerberos-compatible file-based credential caches and keytabs respectively.

A prime example of a Kerberos application that needs the ticket-requesting methods of the Kerberos class is the standard Kerberos kinit utility; a sample implementation of kinit is distributed as a JCSI example. In many cases, especially where single sign-on (SSO) is in operation, a native kinit (or kinit-like utility) is used to obtain the tickets, in particular the TGT, which are then stored in a credential cache. As long as the TGTs in the native credential cache are available as instances of Credential, this package can be used for secure application-level messaging. Support for systems that use an MIT Kerberos-compatible file credential cache is built in, via the FileCredentialStore class. For systems using other credential caches, the CredentialStore interface can be implemented and used instead.

The current release supports application-level messaging only through the GSS-API. It implements RFC 1964 "The Kerberos Version 5 GSS-API Mechanism" at the mechanism level, and RFC 2853 "Generic Security Services API Version 2: Java Bindings". Only DES encryption is supported in this release.

As a source of Credential, GSS-API context initiators currently support only CredentialStore, and context acceptors only KeyTab. Support for MIT Kerberos-style file-based keytabs is built in, via the FileKeyTab class.
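The two paragraphs above describe the only messaging path this release offers: an initiator holding a TGT (via CredentialStore) and an acceptor holding a keytab (via KeyTab), talking through the RFC 2853 GSS-API Java bindings over the RFC 1964 Kerberos V5 mechanism. The following is an added example, not code from JCSI or its documentation, written purely against the standard org.ietf.jgss interfaces that RFC 2853 defines. It assumes an RFC 2853 implementation is installed for the Kerberos V5 mechanism, that the initiator's TGT can be found by passing a null credential (how the mechanism locates it, such as a file credential cache, is implementation-specific), and that the acceptor has a keytab entry for the hypothetical service principal host@app.example.com. It runs both sides in one process so the token flow is visible; in a deployment each token would cross the network.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;
import java.nio.charset.StandardCharsets;

// Added example (not JCSI's own code): RFC 2853 GSS-API context establishment
// and a wrapped application message over the Kerberos V5 mechanism.
public class KerberosGssExchange {
    // Kerberos V5 mechanism OID from RFC 1964, section 1.
    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";
    // Hypothetical host-based service name; assumed to exist in the realm and keytab.
    static final String SERVICE = "host@app.example.com";
    // Upper bound on token round trips; Kerberos needs at most two.
    static final int MAX_ROUNDS = 4;

    public static void main(String[] args) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH_OID);

        // Initiator side. A null credential asks the mechanism for the caller's
        // default credential, i.e. the TGT from whatever credential store it uses.
        GSSName peer = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE, krb5);
        GSSContext client = mgr.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
        client.requestMutualAuth(true);  // the service must prove itself too (AP-REP)
        client.requestConf(true);        // request confidentiality for wrap()
        client.requestInteg(true);       // request integrity for wrap()
        client.requestReplayDet(true);   // request replay detection on wrapped messages

        // Acceptor side: an accept-only credential for the service, backed by its keytab.
        GSSName self = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE, krb5);
        GSSCredential serverCred = mgr.createCredential(
                self, GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
        GSSContext server = mgr.createContext(serverCred);

        if (!establish(client, server)) {
            throw new IllegalStateException("context not established within " + MAX_ROUNDS + " rounds");
        }
        // request*() calls are only requests; verify what was actually negotiated.
        if (!client.getMutualAuthState() || !client.getConfState() || !client.getIntegState()) {
            throw new IllegalStateException("negotiated context lacks a required property");
        }

        // Application message: wrap with privacy on the client, unwrap on the server.
        byte[] plain = "example request".getBytes(StandardCharsets.UTF_8);
        MessageProp sendProp = new MessageProp(0, true);      // default QOP, privacy on
        byte[] sealed = client.wrap(plain, 0, plain.length, sendProp);

        MessageProp recvProp = new MessageProp(0, false);
        byte[] unwrapped = server.unwrap(sealed, 0, sealed.length, recvProp);
        // unwrap() reports whether the token was actually encrypted; check it rather
        // than trusting the request made at context creation.
        if (!recvProp.getPrivacy()) {
            throw new IllegalStateException("received message was integrity-only, not encrypted");
        }
        System.out.println(server.getSrcName() + " -> " + server.getTargName() + ": "
                + new String(unwrapped, StandardCharsets.UTF_8));

        client.dispose();
        server.dispose();
        serverCred.dispose();
    }

    // Runs the initSecContext/acceptSecContext token loop until both sides report
    // an established context. Returns false if the bound on rounds is exceeded.
    static boolean establish(GSSContext client, GSSContext server) throws GSSException {
        byte[] token = new byte[0];
        for (int round = 0; round < MAX_ROUNDS; round++) {
            if (client.isEstablished() && server.isEstablished()) {
                return true;
            }
            if (!client.isEstablished()) {
                // First call sends the AP-REQ; a later call consumes the AP-REP.
                token = client.initSecContext(token, 0, token.length);
                if (token == null) token = new byte[0];
            }
            if (token.length > 0 && !server.isEstablished()) {
                // Consumes the AP-REQ and, with mutual auth, produces the AP-REP.
                token = server.acceptSecContext(token, 0, token.length);
                if (token == null) token = new byte[0];
            }
        }
        return client.isEstablished() && server.isEstablished();
    }
}
```

Two points follow from the page's own description. First, the text says only DES is supported in this release; DES has since been deprecated for Kerberos (RFC 6649) and current implementations reject it unless weak cryptography is explicitly enabled, so an exchange like the one above would fail against a modern KDC without that change. Second, the confidentiality and integrity flags are negotiated, not guaranteed, which is why the example checks getConfState(), getIntegState() and the MessageProp returned by unwrap() before acting on the message.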