net.jini.jeri.kerberos

Class KerberosUtil

java.lang.Object

net.jini.jeri.kerberos.KerberosUtil

class KerberosUtil
extends Object

Utility class for the Kerberos provider.

Since:

2.0

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
(package private) static class	KerberosUtil.Config An instances of this class records one configuration possibly satisfiable by this provider.
(package private) static class	KerberosUtil.ConfigIter An iterator returns all possible configs
(package private) static class	KerberosUtil.Connection Connection class serves as the parent of connection classes defined in both client and server end point classes.
(package private) static class	KerberosUtil.ConnectionInputStream Input stream returned by getInputStream() of client or server connection
(package private) static class	KerberosUtil.ConnectionOutputStream Output stream returned by getOutputStream() of client or server connection
(package private) static class	KerberosUtil.SoftCache A synchronized hash map that only maintains soft reference to its value objects.

Field Summary

Fields

Modifier and Type	Field and Description
private static boolean[]	BOOL_TABLE Field used by ConfigIter to generate configs
private static Map	depends Map constraints to other constraints they depend on
(package private) static InvocationConstraints	INTEGRITY_PREFERRED_CONSTRAINTS
(package private) static InvocationConstraints	INTEGRITY_REQUIRED_CONSTRAINTS
(package private) static Oid	krb5MechOid Oid used to represent the Kerberos v5 GSS-API mechanism, defined as in RFC 1964.
(package private) static Oid	krb5NameType Oid used to represent the name syntax in Kerberos v5 GSS-API mechanism.

Constructor Summary

Constructors

Modifier	Constructor and Description
private	KerberosUtil() make the null constructor private, so this class is non-instantiable

Method Summary

Modifier and Type	Method and Description
(package private) static boolean	canGetSubject() Test whether the caller has AuthPermission("getSubject").
(package private) static void	checkAuthPermission(AuthenticationPermission perm) Check whether the caller has the specified AuthenticationPermission.
(package private) static void	checkAuthPermission(KerberosPrincipal local, KerberosPrincipal peer, String action) Check whether the caller has the AuthenticationPermission with the specified principals and action.
(package private) static boolean	collectCpCandidates(InvocationConstraint c, Set cpCandidates) Collect all client principal candidates from the given constraint.
(package private) static boolean	containsConstraint(Set constraints, InvocationConstraint candidate) Check whether the given set of constraints contains the candidate constraint.
(package private) static GSSCredential	getGSSCredential(Subject subj, KerberosPrincipal principal, GSSManager manager, int usage) Get the GSSCredential corresponding to the given principal from the given Subject, whose usage type is governed by the usage parameter.
(package private) static boolean	isSatisfiable(KerberosUtil.Config config, InvocationConstraint c) Test whether the specified configuration is satisfiable by the given constraint.
(package private) static boolean	isSupportableConstraint(InvocationConstraint c) Test whether the specified constraint can possibly be supported by this provider.
(package private) static boolean	isSupportedConstraintType(InvocationConstraint c) Check whether the type of the specified constraint is supported by this provider.
(package private) static void	logThrow(Logger logger, Level level, Class sourceClass, String sourceMethod, String msg, Object[] params, Throwable e) Logs a throw.
(package private) static void	secureThrow(Exception detailedException, UnsupportedConstraintException genericException) Only throw non-generic exception if caller has getSubject permission.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

krb5MechOid

static final Oid krb5MechOid

Oid used to represent the Kerberos v5 GSS-API mechanism, defined as in RFC 1964.

krb5NameType

static final Oid krb5NameType

Oid used to represent the name syntax in Kerberos v5 GSS-API mechanism. Examples: "joe@KERBEROSREALM" or "ftp/myhost.foo.com@KERBEROSREALM".

INTEGRITY_REQUIRED_CONSTRAINTS

static final InvocationConstraints INTEGRITY_REQUIRED_CONSTRAINTS

INTEGRITY_PREFERRED_CONSTRAINTS

static final InvocationConstraints INTEGRITY_PREFERRED_CONSTRAINTS

BOOL_TABLE

private static final boolean[] BOOL_TABLE

Field used by ConfigIter to generate configs

depends

private static final Map depends

Map constraints to other constraints they depend on

Constructor Detail

KerberosUtil

private KerberosUtil()

make the null constructor private, so this class is non-instantiable

Method Detail

canGetSubject

static boolean canGetSubject()

Test whether the caller has AuthPermission("getSubject").

Returns:

true if the caller has AuthPermission("getSubject"), false otherwise.

isSupportedConstraintType

static boolean isSupportedConstraintType(InvocationConstraint c)

Check whether the type of the specified constraint is supported by this provider.

Parameters:

c - the constraint to be tested

Returns:

true if the specified constraints has a known type, false otherwise.

isSupportableConstraint

static boolean isSupportableConstraint(InvocationConstraint c)

Test whether the specified constraint can possibly be supported by this provider.

Parameters:

c - the constraint to be tested

Returns:

true if the specified constraints can possibly be supported, false otherwise.

isSatisfiable

static boolean isSatisfiable(KerberosUtil.Config config,
                             InvocationConstraint c)

Test whether the specified configuration is satisfiable by the given constraint.

Parameters:

config - configuration to be tested

c - the constraint to be tested

Returns:

true if the specified configuration is allowed by the given constraint, false otherwise.

collectCpCandidates

static boolean collectCpCandidates(InvocationConstraint c,
                                   Set cpCandidates)

Collect all client principal candidates from the given constraint. This method assumes homogeneous alternatives.

Parameters:

c - the given constraint

cpCandidates - the set of candidates satisfiable by the constraints previously checked, which new principals should be added to. This set contains no principals if no client principal constraint has been checked yet.

Returns:

false if the passed in constraint is ClientMinPrincipal or ClientMaxPrincipal, or ConstraintAlternatives whose elements are of those types, and is not satisfiable regarding to the given set of candidates, true other wise.

checkAuthPermission

static void checkAuthPermission(KerberosPrincipal local,
                                KerberosPrincipal peer,
                                String action)

Check whether the caller has the AuthenticationPermission with the specified principals and action.

Parameters:

local - local principal of the AuthenticationPermission, cannot be * null.

peer - peer principal of the AuthenticationPermission.

action - action of the AuthenticationPermission, valid values include: * "connect", "delegate", "listen", and "accept".

Throws:

SecurityException - if the caller does not have the checked permission

checkAuthPermission

static void checkAuthPermission(AuthenticationPermission perm)

Check whether the caller has the specified AuthenticationPermission.

Parameters:

perm - the AuthenticationPermission to be checked

Throws:

SecurityException - if the caller does not have the checked permission

containsConstraint

static boolean containsConstraint(Set constraints,
                                  InvocationConstraint candidate)

Check whether the given set of constraints contains the candidate constraint.

Parameters:

constraints - the constraints to be checked

candidate - candidate constraint

Returns:

true if the candidate constraint is found in the give set of constraints, false otherwise.

getGSSCredential

static GSSCredential getGSSCredential(Subject subj,
                                      KerberosPrincipal principal,
                                      GSSManager manager,
                                      int usage)
                               throws GSSException

Get the GSSCredential corresponding to the given principal from the given Subject, whose usage type is governed by the usage parameter.

Parameters:

subj - the subject from which the TGT or KerberosKey will be extracted to construct the GSSCredential, can not be null

principal - the principal whose name will be used to construct the GSSCredential. If null, then a null name will be passed to the manager to allow it to choose a default.

manager - the GSSManager instance that will be used to construct the GSSCredential, can not be null

usage - intended usage for the GSScredential. The value of this parameter must be one of: GSSCredential.INITIATE_AND_ACCEPT, GSSCredential.ACCEPT_ONLY, and GSSCredential.INITIATE_ONLY.

Returns:

the requested GSSCredential

Throws:

UnsupportedConstraintException - if failed to get the requested GSSCredential

GSSException

secureThrow

static void secureThrow(Exception detailedException,
                        UnsupportedConstraintException genericException)
                 throws UnsupportedConstraintException

Only throw non-generic exception if caller has getSubject permission.

Parameters:

detailedException - the real UnsupportedConstraintException or SecurityException to be thrown if caller has the "getSubject" AuthPermission.

genericException - the generic UnsupportedConstraintException to be thrown if caller does not have the "getSubject" AuthPermission.

Throws:

UnsupportedConstraintException

logThrow

static void logThrow(Logger logger,
                     Level level,
                     Class sourceClass,
                     String sourceMethod,
                     String msg,
                     Object[] params,
                     Throwable e)

Logs a throw. Use this method to log a throw when the log message needs parameters.

Parameters:

logger - logger to log to

level - the log level

sourceClass - class where throw occurred

sourceMethod - name of the method where throw occurred

msg - log message

params - log message parameters

e - exception thrown