| Interface Summary | |
| AuthorizationDataElement | An interface to a Kerberos authorization data component. |
| EncryptionKey | An interface to a Kerberos encryption key, which includes a key type, and a key value. |
| PaData | An interface to pre-authentication data passed to an Authentication or Ticket Granting service in a ticket request or returned from the service in a response. |
| Ticket | An interface to a Kerberos v5 Ticket, special cases of which are Ticket Granting Tickets (TGTs) and service Tickets. |
| TicketFlags | An interface to a Kerberos Ticket's ticket flags, indicating which ticket options were used or requested when the ticket was issued. |
| Class Summary | |
| APOptions | A class to represent options which can be set with an application request to affect the way it is processed by the recipient. |
| Checksum | A class representing a Kerberos checksum. |
| FileCredentialStore | An implementation of CredentialStore for MIT v5 credential caches. |
| FileKeyTab | A KeyTab implementing the MIT v5 keytab. |
| KDCOptions | A class to represent options for flags to be set in a ticket to be requested from an Authentication Service or a Ticket Granting Service. |
| Kerberos | This is the main class and point of entry to the kerberos package, providing Kerberos-level services to both Kerberos clients and servers. |
| KerberosContext | A class for storing contextual information required by a Kerberos instance. |
| KerberosKey | An implementation of EncryptionKey for use in initial authentication. |
| LastReqElement | A class to represent a component of a LastReq sent by an Authentication Service or a Ticket Granting Service in response to a ticket request. |
| PaEncTimestamp | A concrete PaData implementation class for encrypted timestamp pre-authentication. |
| PrincipalName | A class representing a Kerberos principal's name. |
| Exception Summary | |
| CryptoException | An Exception for general crypto exceptions in Kerberos. |
| DecryptionException | An exception indicating decryption failures. |
| KerberosError | An Exception for an abnormal condition indicated by the receipt of a KrbError message from the KDC or a Kerberized application. |
| KerberosException | An exception representing an exceptional condition in using the Kerberos service. |
| NotYetDecryptedException | An exception thrown when access is made to a field belonging to the encrypted part of a message before a successful decryption is performed. |
This package defines the main Kerberos 5 interfaces and classes.
Kerberos 5 is defined in IETF RFC 1510 "The Kerberos Network Authentication Service (V5)".
The main classes in this package are Kerberos, which supplies ticket requesting methods and a point of entry into the GSS-API implementation; KerberosContext, which is a store of contextual information needed by Kerberos; and FileCredentialStore and com.dstc.security.kerberos.FileKeyTable, which are implementations of MIT Kerberos-compatible file-based credential caches and keytabs.
A prime example of a Kerberos application requiring the ticket requesting methods in the Kerberos class is the standard Kerberos kinit utility. A sample implementation of kinit is distributed as a JCSI example. In many cases, especially where single sign-on (SSO) is in operation, a native kinit (or kinit-like utility) is used to obtain the tickets (particularly the TGT), which are stored in a credential cache. As long as the TGTs from the native credential cache are available as instances of Credential, the current package can be used for secure application-level messaging. Support is built in for systems which use an MIT Kerberos-compatible file credential cache, via the FileCredentialStore class. For systems using other credential caches, the CredentialStore interface can be implemented and used instead.
The current release supports application-level messaging only through the GSS-API. It implements RFC 1964 "The Kerberos Version 5 GSS-API Mechanism" at the mechanism level, and RFC 2853 "Generic Security Services API Version 2: Java Bindings". Only DES encryption is supported in this release.
As a source of Credential, only CredentialStore is currently supported for GSS-API context initiators, whereas on the context acceptor side only KeyTab is currently supported. Support for MIT Kerberos-style file-based keytabs is built in, via the FileKeyTab class.