private final class KerberosEndpoint.RequestHandleImpl extends Object implements OutboundRequestHandle

OutboundRequestHandle implementation

Modifier and Type | Field and Description |
---|---|
private Set | clientPrincipals - The set of Kerberos principals allowed by the constraint requirements and found in the principal set of the subject. |
private Subject | clientSubject - Subject from which private credentials will be extracted. |
private KerberosUtil.Config[] | configs - Set of configurations that can satisfy the given set of constraints using principals in the current subject. |
(package private) long | connectionAbsoluteTime - Absolute time by which the connection must be established. |
private InvocationConstraints | constraints - Constraints of this request handle. |
private String | detailedExceptionMsg - The message explaining the reason for the failure; later, an UnsupportedConstraintException will be instantiated using this message and conditionally thrown to the caller, depending on whether the caller has the "getSubject" AuthPermission. |
private int | errorCode - Error code of this request handle. |
private Set | subjectClientPrincipals - If the subject is not read-only, a snapshot of its Kerberos principals. |
private boolean | subjectReadOnly - True if the subject is read-only when this handle is instantiated. |
private InvocationConstraints | unfulfilledConstraints - Constraints that must be partially or fully implemented by higher layers for an outbound request using this handle. |

Constructor and Description |
---|
KerberosEndpoint.RequestHandleImpl(Subject clientSubject, InvocationConstraints constraints) - Construct a RequestHandleImpl. |

Modifier and Type | Method and Description |
---|---|
private long | computeConnectionTimeLimit(Set constraints) - Compute the connection time limit based on the specified set of constraints. |
private KerberosTicket | findTicket(KerberosTicket[] tickets, KerberosPrincipal p) |
private AuthenticationPermission | getAuthenticationPermission(KerberosPrincipal client, boolean deleg) |
private Set | getClientPrincipals(Subject subj) - Return the set of Kerberos principals contained in the given subject. |
(package private) List | getConfigs() - Get a list of satisfiable configurations. |
(package private) KerberosEndpoint | getEndpoint() - Get the enclosing endpoint instance. |
private KerberosTicket[] | getTickets() - Return all valid Ticket Granting Tickets (TGTs) in the clientSubject as an array. |
(package private) boolean | reusable(Subject subject) - Check whether this cached request handle can be used for the given subject. |
String | toString() - Returns a string representation of this request handle. |

private Subject clientSubject

private InvocationConstraints constraints

private boolean subjectReadOnly

private Set subjectClientPrincipals

private Set clientPrincipals

private int errorCode

private String detailedExceptionMsg
The message explaining the reason for the failure; later, an UnsupportedConstraintException will be instantiated using this message and conditionally thrown to the caller, depending on whether the caller has the "getSubject" AuthPermission.

private KerberosUtil.Config[] configs

private InvocationConstraints unfulfilledConstraints

long connectionAbsoluteTime

KerberosEndpoint.RequestHandleImpl(Subject clientSubject, InvocationConstraints constraints)
Construct a RequestHandleImpl.

For each outgoing request, the computation that determines the KerberosUtil.Config for the Connection carrying it is divided into two phases. The first phase comprises the steps that need no AuthenticationPermission checks; these are done once for each constraints and subject pair, in this constructor. The second phase contains the steps that require AuthenticationPermission checks, which are done for each request in getConfigs(). All problems, even those encountered in the first phase, are reported in the second phase, in getConfigs.

The computation steps taken in phase one are the following:
- Configs based on the set of client principal candidates, and whether encryption and delegation are mentioned/allowed by the constraints
- Config through the constraints and filter out those that conflict with requirements
- Config list by preferences

clientSubject - the client subject that contains client principals and TGTs, cannot be null
constraints - the security constraint set, cannot be null

public String toString()

boolean reusable(Subject subject)
== on both the security constraints and subject.

List getConfigs() throws UnsupportedConstraintException
UnsupportedConstraintException - if the caller has required unsupported constraints, or there are conflicting or unsatisfiable constraints in the requirements, or the JAAS login has not been done (Subject.getSubject(AccessController.getContext()) returns null), or no appropriate Kerberos principal and corresponding TGT allowed by the requirements can be found in the current subject. If the caller has not been granted javax.security.auth.AuthPermission("getSubject") and the cause is not that unsupported constraints were required, the exception message will be generic and enumerate all these possible causes. Otherwise, the message will spell out the reason that caused the exception.
SecurityException - if there is a security manager and the caller has javax.security.auth.AuthPermission("getSubject") but does not have any AuthenticationPermission whose local principal is a member of the client principal candidate set. The action of the AuthenticationPermission is either connect or delegate, determined by the requirements of the constraints.

KerberosEndpoint getEndpoint()

private Set getClientPrincipals(Subject subj)
subj - the subject whose principals will be extracted

private long computeConnectionTimeLimit(Set constraints)
constraints - the set of constraints based on which the connection time limit will be computed

private KerberosTicket[] getTickets()

private KerberosTicket findTicket(KerberosTicket[] tickets, KerberosPrincipal p)

private AuthenticationPermission getAuthenticationPermission(KerberosPrincipal client, boolean deleg)
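
An added example, not code from this project: it shows the pattern documented for the constructor and getConfigs(), where phase one only records a failure and phase two reports it, giving the detailed reason only to callers that hold AuthPermission("getSubject"). The class DeferredFailureDemo, its nested stand-in for UnsupportedConstraintException, the string principals and the message texts are assumptions; the unsupported-constraints case and the AuthenticationPermission check are left out.

```java
import java.util.Set;
import javax.security.auth.AuthPermission;

// Added illustration, not the project's source; every name below is hypothetical.
public class DeferredFailureDemo {
    // Stand-in for net.jini.io.UnsupportedConstraintException.
    static class UnsupportedConstraintException extends Exception {
        UnsupportedConstraintException(String msg) { super(msg); }
    }
    // Generic text: lists the possible causes without revealing anything about the subject.
    static final String GENERIC = "constraints conflict or cannot be satisfied, "
        + "no JAAS login was done, or the subject has no usable principal and TGT";
    private final String detailedExceptionMsg; // set in phase one; null means success
    // Phase one: no permission checks, never throws; it only records why it failed.
    DeferredFailureDemo(Set<String> subjectPrincipals, Set<String> allowed) {
        if (subjectPrincipals == null) {
            detailedExceptionMsg = "JAAS login has not been done";
        } else if (subjectPrincipals.stream().noneMatch(allowed::contains)) {
            detailedExceptionMsg = "subject holds " + subjectPrincipals + ", none of " + allowed;
        } else {
            detailedExceptionMsg = null;
        }
    }
    // Phase two: runs per request and reports the recorded failure to the caller.
    void getConfigs() throws UnsupportedConstraintException {
        if (detailedExceptionMsg == null) return;
        throw new UnsupportedConstraintException(
            callerMaySeeSubject() ? detailedExceptionMsg : GENERIC);
    }
    // True if the caller holds AuthPermission("getSubject") or no security manager is set.
    @SuppressWarnings({"removal", "deprecation"})
    static boolean callerMaySeeSubject() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;
        try {
            sm.checkPermission(new AuthPermission("getSubject"));
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        // Constructed sample: the subject's only principal is not allowed by the constraints.
        var h = new DeferredFailureDemo(Set.of("alice@EXAMPLE.COM"), Set.of("bob@EXAMPLE.COM"));
        try {
            h.getConfigs();
        } catch (UnsupportedConstraintException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Without a security manager the detailed message is printed; under a policy that withholds AuthPermission("getSubject"), the same call yields only the generic text, so an unprivileged caller cannot use the error message to learn which principals the subject holds.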
Copyright 2007-2013, multiple authors.
Licensed under the Apache License, Version 2.0, see the NOTICE file for attributions.