net.jini.jeri.ssl

Class AuthManager

java.lang.Object

net.jini.jeri.ssl.Utilities

net.jini.jeri.ssl.FilterX509TrustManager

net.jini.jeri.ssl.AuthManager

All Implemented Interfaces:

KeyManager, TrustManager, X509KeyManager, X509TrustManager

Direct Known Subclasses:

ClientAuthManager, ServerAuthManager

abstract class AuthManager
extends FilterX509TrustManager
implements X509KeyManager

Implements X509KeyManager by getting its key and credential information from a JAAS subject, and X509TrustManager by using FilterX509TrustManager. Combines both the key and trust managers to enable subclasses to use information for both when checking permissions.

Author:

Sun Microsystems, Inc.

Nested Class Summary

Nested classes/interfaces inherited from class net.jini.jeri.ssl.Utilities

Utilities.SSLContextInfo

Field Summary

Fields

Modifier and Type	Field and Description
private Set	permittedLocalPrincipals If non-null, then only principals in this set may be used to authenticate the local end of the connection.
(package private) boolean	subjectIsReadOnly Whether the subject was read-only when it was stored -- used to avoid checking for changes in the contents of the subject.
private WeakReference	subjectRef The Subject from which to retrieve principals and credentials.

Fields inherited from class net.jini.jeri.ssl.Utilities

ANY_KEY_ALGORITHM, clientLogger, DSA_KEY_ALGORITHM, getSubjectPermission, initLogger, INTEGRITY_PREFERRED, INTEGRITY_REQUIRED, RSA_KEY_ALGORITHM, serverLogger, UNKNOWN_PRINCIPAL

Constructor Summary

Constructors

Constructor and Description
AuthManager(Subject subject, Set permittedLocalPrincipals, Set permittedRemotePrincipals) Creates an AuthManager that retrieves principals and credentials for authentication from the specified subject.

Method Summary

Methods

Modifier and Type	Method and Description
(package private) static long	certificatesValidUntil(CertPath chain) Returns the latest time for which all of the X.509 certificates in the certificate chain are valid.
(package private) static long	certificatesValidUntil(X509Certificate[] chain) Returns the latest time for which all of the X.509 certificates in the certificate chain are valid.
private X500PrivateCredential	checkChain(CertPath chain, String keyType, Principal[] issuers) Checks if the specified certificate chain can be used for keys of the specified type and with the specified issuers.
(package private) X500PrivateCredential	chooseCredential(String keyType, Principal[] issuers) Returns a private credential that matches the specified key type and issuers for which checkChain returns a non-null value, or null if no matching credentials are found.
(package private) boolean	equalPrivateCredentials(X500PrivateCredential cred1, X500PrivateCredential cred2) Checks if the two private credentials refer to the same principal and have the equivalent private key.
(package private) String[]	getAliases(String keyType, Principal[] issuers) Returns all the aliases that match the specified key type and issuers for which checkChain succeeds.
X509Certificate[]	getCertificateChain(String alias)
(package private) abstract Logger	getLogger() Returns the logger to use for logging.
(package private) abstract X500PrivateCredential	getPrivateCredential(X509Certificate cert) Gets the private credential for the specified X.509 certificate.
PrivateKey	getPrivateKey(String alias)
(package private) Subject	getSubject() Returns the Subject, or null if the subject was null or if the weak reference has been cleared.

Methods inherited from class net.jini.jeri.ssl.FilterX509TrustManager

checkClientTrusted, checkServerTrusted, getAcceptedIssuers, setPermittedRemotePrincipals

Methods inherited from class net.jini.jeri.ssl.Utilities

checkValidity, contains, doesEncryption, doesServerAuthentication, equals, firstX509Cert, getCertFactory, getCipherAlgorithm, getClassName, getClientPrincipals, getClientPrincipals, getClientSSLContextInfo, getKeyAlgorithm, getKeyExchangeAlgorithm, getPermittedKeyAlgorithms, getServerPrincipals, getServerSSLContextInfo, getSupportedCipherSuites, hasStrongCipherAlgorithm, logThrow, maintainsIntegrity, permittedKeyAlgorithm, position, releaseClientSSLContextInfo, safeEquals, subjectString, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.net.ssl.X509KeyManager

chooseClientAlias, chooseServerAlias, getClientAliases, getServerAliases

Field Detail

subjectRef

private final WeakReference subjectRef

The Subject from which to retrieve principals and credentials. Use a weak reference to insure that the subject can be GC'ed if it is only being referenced by the SSLContextMap that maps subjects to AuthManagers. The weak key map won't be weak if the value contains a strong reference to the key.

subjectIsReadOnly

final boolean subjectIsReadOnly

Whether the subject was read-only when it was stored -- used to avoid checking for changes in the contents of the subject.

permittedLocalPrincipals

private final Set permittedLocalPrincipals

If non-null, then only principals in this set may be used to authenticate the local end of the connection.

Constructor Detail

AuthManager

AuthManager(Subject subject,
           Set permittedLocalPrincipals,
           Set permittedRemotePrincipals)
      throws NoSuchAlgorithmException

Creates an AuthManager that retrieves principals and credentials for authentication from the specified subject. If permittedLocalPrincipals or permittedRemotePrincipals are set, then only those principals may be used for authentication.

Parameters:

subject - the subject for retrieving principals and credentials

permittedLocalPrincipals - if non-null, then only principals in this set may be used to authenticate the local end of the connection

permittedRemotePrincipals - if non-null, then only principals in this set will be trusted to authenticate the peer

Throws:

NoSuchAlgorithmException - if the trust manager factory algorithm is not found

Method Detail

getPrivateCredential

abstract X500PrivateCredential getPrivateCredential(X509Certificate cert)

Gets the private credential for the specified X.509 certificate.

Parameters:

cert - the X.509 certificate

Returns:

the associated X500PrivateCredential or null if it is not found

Throws:

SecurityException - if the current access control context does not have the proper AuthenticationPermission

getLogger

abstract Logger getLogger()

Returns the logger to use for logging.

getSubject

Subject getSubject()

Returns the Subject, or null if the subject was null or if the weak reference has been cleared.

getAliases

String[] getAliases(String keyType,
                  Principal[] issuers)

Returns all the aliases that match the specified key type and issuers for which checkChain succeeds. Returns null if no matching aliases are found.

chooseCredential

X500PrivateCredential chooseCredential(String keyType,
                                     Principal[] issuers)
                                 throws GeneralSecurityException

Returns a private credential that matches the specified key type and issuers for which checkChain returns a non-null value, or null if no matching credentials are found. Throws a GeneralSecurityException or SecurityException if a problem occurs with all matching credentials.

Throws:

GeneralSecurityException

checkChain

private X500PrivateCredential checkChain(CertPath chain,
                               String keyType,
                               Principal[] issuers)
                                  throws GeneralSecurityException

Checks if the specified certificate chain can be used for keys of the specified type and with the specified issuers. Returns null if the chain has the wrong key type, throws an exception if the credentials or subject has problems, and otherwise returns the associated private credential.

Checks that:

• The key algorithm matches that of the certificate's public key
• The subject contains the principal for the certificate's issuer DN
• That principal is a permitted local principal
• The certificate chain terminates with one of the issuers, if issuers are specified
• The certificate chain is currently valid
• If the certificate specifies a KeyUsage extension, that the extension permits use in digital signatures
• The caller has the proper AuthenticationPermission

Because the following things should only occur because of a configuration problem, this method does not check for:

• Gaps in certificate chains
• CA extensions
• Incorrect private key

Throws:

GeneralSecurityException

certificatesValidUntil

static long certificatesValidUntil(CertPath chain)

Returns the latest time for which all of the X.509 certificates in the certificate chain are valid.

certificatesValidUntil

static long certificatesValidUntil(X509Certificate[] chain)

Returns the latest time for which all of the X.509 certificates in the certificate chain are valid.

equalPrivateCredentials

boolean equalPrivateCredentials(X500PrivateCredential cred1,
                              X500PrivateCredential cred2)

Checks if the two private credentials refer to the same principal and have the equivalent private key.

getCertificateChain

public X509Certificate[] getCertificateChain(String alias)

Specified by:

getCertificateChain in interface X509KeyManager

getPrivateKey

public PrivateKey getPrivateKey(String alias)

Specified by:

getPrivateKey in interface X509KeyManager