net.jini.jeri.ssl

Class ClientAuthManager

java.lang.Object

net.jini.jeri.ssl.Utilities

net.jini.jeri.ssl.FilterX509TrustManager

net.jini.jeri.ssl.AuthManager

net.jini.jeri.ssl.ClientAuthManager

All Implemented Interfaces:

KeyManager, TrustManager, X509KeyManager, X509TrustManager

 class ClientAuthManager
extends AuthManager

An AuthManager for clients. Uses the fact that client connections only share SSLContexts after a single client and server principal have been chosen.

Author:

Sun Microsystems, Inc.

Nested Class Summary

Nested classes/interfaces inherited from class net.jini.jeri.ssl.Utilities

Utilities.SSLContextInfo

Field Summary

Fields

Modifier and Type	Field and Description
private AuthenticationPermission	authenticationPermission The permission to check for the last cached credential
private X500PrivateCredential	clientCredential The private credential supplied by chooseClientAlias in the last handshake or null if none was supplied.
private Exception	clientCredentialException The exception that occurred within the last call to chooseClientAlias if no credential could be supplied.
private X500Principal	clientPrincipal The client principal chosen by the first handshake.
private long	credentialsValidUntil The latest time for which all client and server credentials remain valid.
private static Logger	logger Client logger
private X509Certificate	serverCredential The server certificate chosen by the first handshake.
private X500Principal	serverPrincipal The server principal chosen by the first handshake.

Fields inherited from class net.jini.jeri.ssl.AuthManager

subjectIsReadOnly

Fields inherited from class net.jini.jeri.ssl.Utilities

ANY_KEY_ALGORITHM, clientLogger, DSA_KEY_ALGORITHM, getSubjectPermission, initLogger, INTEGRITY_PREFERRED, INTEGRITY_REQUIRED, RSA_KEY_ALGORITHM, serverLogger, UNKNOWN_PRINCIPAL

Constructor Summary

Constructors

Constructor and Description
ClientAuthManager(Subject subject, Set permittedLocalPrincipals, Set permittedRemotePrincipals) Creates an AuthManager that retrieves principals and credentials for authentication from the specified subject.

Method Summary

Methods

Modifier and Type	Method and Description
(package private) void	checkAuthentication() Checks if the subject still contains the proper credentials, and the current access control context has the proper AuthenticationPermission, to use the current session.
void	checkServerTrusted(X509Certificate[] chain, String authType) Override this X509TrustManager method in order to cache the server principal and to continue to choose the same one.
String	chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket)
String	chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
private AuthenticationPermission	getAuthenticationPermission(X509Certificate cert) Returns the permission needed to connect to the last server principal with the specified client certificate.
String[]	getClientAliases(String keyType, Principal[] issuers)
(package private) boolean	getClientAuthenticated() Returns true if the last handshake authenticated the client, else false.
(package private) Exception	getClientCredentialException() Returns the last SecurityException or GeneralSecurityException that occurred when attempting to choose client credentials, or null if no exception occurred.
(package private) X500Principal	getClientPrincipal() Returns the client principal chosen.
(package private) Logger	getLogger() Returns the client logger
(package private) X500PrivateCredential	getPrivateCredential(X509Certificate cert) Gets the private credential for the specified X.509 certificate, checking for AuthenticationPermission to connect with the last server principal.
private X500PrivateCredential	getPrivateCredential(X509Certificate cert, AuthenticationPermission ap) Gets the private credential for the specified X.509 certificate, checking for the specified AuthenticationPermission.
String[]	getServerAliases(String keyType, Principal[] issuers)
(package private) X500Principal	getServerPrincipal() Returns the server principal chosen.

Methods inherited from class net.jini.jeri.ssl.AuthManager

certificatesValidUntil, certificatesValidUntil, chooseCredential, equalPrivateCredentials, getAliases, getCertificateChain, getPrivateKey, getSubject

Methods inherited from class net.jini.jeri.ssl.FilterX509TrustManager

checkClientTrusted, getAcceptedIssuers, setPermittedRemotePrincipals

Methods inherited from class net.jini.jeri.ssl.Utilities

checkValidity, contains, doesEncryption, doesServerAuthentication, equals, firstX509Cert, getCertFactory, getCipherAlgorithm, getClassName, getClientPrincipals, getClientPrincipals, getClientSSLContextInfo, getKeyAlgorithm, getKeyExchangeAlgorithm, getPermittedKeyAlgorithms, getServerPrincipals, getServerSSLContextInfo, getSupportedCipherSuites, hasStrongCipherAlgorithm, logThrow, maintainsIntegrity, permittedKeyAlgorithm, position, releaseClientSSLContextInfo, safeEquals, subjectString, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final Logger logger

Client logger

serverCredential

private X509Certificate serverCredential

The server certificate chosen by the first handshake.

serverPrincipal

private X500Principal serverPrincipal

The server principal chosen by the first handshake.

clientCredential

private X500PrivateCredential clientCredential

The private credential supplied by chooseClientAlias in the last handshake or null if none was supplied.

clientPrincipal

private X500Principal clientPrincipal

The client principal chosen by the first handshake.

clientCredentialException

private Exception clientCredentialException

The exception that occurred within the last call to chooseClientAlias if no credential could be supplied.

credentialsValidUntil

private long credentialsValidUntil

The latest time for which all client and server credentials remain valid.

authenticationPermission

private AuthenticationPermission authenticationPermission

The permission to check for the last cached credential

Constructor Detail

ClientAuthManager

ClientAuthManager(Subject subject,
                 Set permittedLocalPrincipals,
                 Set permittedRemotePrincipals)
            throws NoSuchAlgorithmException

Creates an AuthManager that retrieves principals and credentials for authentication from the specified subject. If permittedLocalPrincipals is non-null, then the principals used for authentication are restricted to the elements of that set. If permittedRemotePrincipals is non-null, then the server principals accepted are restricted to the elements of that set.

Parameters:

subject - the subject for retrieving principals and credentials

permittedLocalPrincipals - if non-null, then only principals in this set may be used for authentication

permittedRemotePrincipals - if non-null, then only principals in this set will be trusted when authenticating the peer

Throws:

NoSuchAlgorithmException - if the trust manager factory algorithm is not found

Method Detail

getClientAuthenticated

boolean getClientAuthenticated()

Returns true if the last handshake authenticated the client, else false.

getClientCredentialException

Exception getClientCredentialException()

Returns the last SecurityException or GeneralSecurityException that occurred when attempting to choose client credentials, or null if no exception occurred.

checkAuthentication

void checkAuthentication()
                   throws UnsupportedConstraintException

Checks if the subject still contains the proper credentials, and the current access control context has the proper AuthenticationPermission, to use the current session. Callers should only call this method if client authentication is being used.

Throws:

SecurityException - if the access control context does not have the proper AuthenticationPermission

UnsupportedConstraintException - if the subject does not contain the proper credentials

getPrivateCredential

X500PrivateCredential getPrivateCredential(X509Certificate cert)

Gets the private credential for the specified X.509 certificate, checking for AuthenticationPermission to connect with the last server principal.

Specified by:

getPrivateCredential in class AuthManager

Parameters:

cert - the certificate for the local principal

Returns:

the associated private credential or null if not found

Throws:

SecurityException - if the access control context does not have the proper AuthenticationPermission

getPrivateCredential

private X500PrivateCredential getPrivateCredential(X509Certificate cert,
                                         AuthenticationPermission ap)

Gets the private credential for the specified X.509 certificate, checking for the specified AuthenticationPermission.

Parameters:

cert - the certificate for the local principal

ap - the permission needed to connect to the peer

Returns:

the associated private credential or null if not found

Throws:

SecurityException - if the access control context does not have the proper AuthenticationPermission

getLogger

Logger getLogger()

Returns the client logger

Specified by:

getLogger in class AuthManager

getAuthenticationPermission

private AuthenticationPermission getAuthenticationPermission(X509Certificate cert)

Returns the permission needed to connect to the last server principal with the specified client certificate.

getServerPrincipal

X500Principal getServerPrincipal()

Returns the server principal chosen.

getClientPrincipal

X500Principal getClientPrincipal()

Returns the client principal chosen.

checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                      String authType)
                        throws CertificateException

Override this X509TrustManager method in order to cache the server principal and to continue to choose the same one.

Specified by:

checkServerTrusted in interface X509TrustManager

Overrides:

checkServerTrusted in class FilterX509TrustManager

Throws:

CertificateException

getClientAliases

public String[] getClientAliases(String keyType,
                        Principal[] issuers)

getServerAliases

public String[] getServerAliases(String keyType,
                        Principal[] issuers)

chooseClientAlias

public String chooseClientAlias(String[] keyTypes,
                       Principal[] issuers,
                       Socket socket)

chooseServerAlias

public String chooseServerAlias(String keyType,
                       Principal[] issuers,
                       Socket socket)