net.jini.jeri.kerberos
Class KerberosEndpoint.RequestHandleImpl

java.lang.Object
  extended by net.jini.jeri.kerberos.KerberosEndpoint.RequestHandleImpl
All Implemented Interfaces:
OutboundRequestHandle
Enclosing class:
KerberosEndpoint

private final class KerberosEndpoint.RequestHandleImpl
extends Object
implements OutboundRequestHandle

OutboundRequestHandle implementation


Field Summary
private  Set clientPrincipals
          The set of Kerberos principals allowed by the constraint requirements and found in the principal set of the subject.
private  Subject clientSubject
          Subject from which private credentials will be extracted
private  KerberosUtil.Config[] configs
          Set of configurations that can satisfy the given set of constraints using principals in the current subject.
(package private)  long connectionAbsoluteTime
          Absolute time by which the connection must be established
private  InvocationConstraints constraints
          Constraints of this request handle
private  String detailedExceptionMsg
          Message explaining the reason for the failure. An UnsupportedConstraintException is later instantiated with this message and conditionally thrown to the caller, depending on whether the caller has the "getSubject" AuthPermission.
private  int errorCode
          Error code of this request handle.
private  Set subjectClientPrincipals
          If the subject is not read-only, a snapshot of its Kerberos principals
private  boolean subjectReadOnly
          True if the subject is read-only when this handle is instantiated
private  InvocationConstraints unfulfilledConstraints
          Constraints that must be partially or fully implemented by higher layers for an outbound request using this handle.
 
Constructor Summary
KerberosEndpoint.RequestHandleImpl(Subject clientSubject, InvocationConstraints constraints)
          Construct a RequestHandleImpl.
 
Method Summary
private  long computeConnectionTimeLimit(Set constraints)
          Compute the connection time limit based on the specified set of constraints.
private  KerberosTicket findTicket(KerberosTicket[] tickets, KerberosPrincipal p)
           
private  AuthenticationPermission getAuthenticationPermission(KerberosPrincipal client, boolean deleg)
           
private  Set getClientPrincipals(Subject subj)
          Return the set of Kerberos principals contained in the given subject.
(package private)  List getConfigs()
          Get a list of satisfiable configurations.
(package private)  KerberosEndpoint getEndpoint()
          Get the enclosing endpoint instance
private  KerberosTicket[] getTickets()
          Return all valid Ticket Granting Tickets (TGTs) in the clientSubject as an array.
(package private)  boolean reusable(Subject subject)
          Check whether this cached request handle can be used for the given subject.
 String toString()
          Returns a string representation of this request handle.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

clientSubject

private Subject clientSubject
Subject from which private credentials will be extracted


constraints

private InvocationConstraints constraints
Constraints of this request handle


subjectReadOnly

private boolean subjectReadOnly
True if the subject is read-only when this handle is instantiated


subjectClientPrincipals

private Set subjectClientPrincipals
If the subject is not read-only, a snapshot of its Kerberos principals


clientPrincipals

private Set clientPrincipals
The set of Kerberos principals allowed by the constraint requirements and found in the principal set of the subject.


errorCode

private int errorCode
Error code of this request handle. A request will not succeed if its handle's errorCode != NO_ERROR.


detailedExceptionMsg

private String detailedExceptionMsg
Message explaining the reason for the failure. An UnsupportedConstraintException is later instantiated with this message and conditionally thrown to the caller, depending on whether the caller has the "getSubject" AuthPermission.


configs

private KerberosUtil.Config[] configs
Set of configurations that can satisfy the given set of constraints using principals in the current subject. The set is composed without checking the private credentials of the subject and AuthenticationPermissions of the caller.


unfulfilledConstraints

private InvocationConstraints unfulfilledConstraints
Constraints that must be partially or fully implemented by higher layers for an outbound request using this handle.


connectionAbsoluteTime

long connectionAbsoluteTime
Absolute time by which the connection must be established

Constructor Detail

KerberosEndpoint.RequestHandleImpl

KerberosEndpoint.RequestHandleImpl(Subject clientSubject,
                                   InvocationConstraints constraints)
Construct a RequestHandleImpl.

For each outgoing request, the computation that determines the KerberosUtil.Config for the Connection carrying it is divided into two phases. The first phase consists of the steps that need no AuthenticationPermission checks; these are done once for each constraints and subject pair, in this constructor. The second phase consists of the steps that require AuthenticationPermission checks; these are done for each request, in getConfigs(). All problems, even those encountered in the first phase, are reported in the second phase, in getConfigs().

The computation steps taken in phase one are listed as the following:

Parameters:
clientSubject - the client subject that contains client principals and TGTs, cannot be null
constraints - the security constraint set, cannot be null
Method Detail

toString

public String toString()
Returns a string representation of this request handle.

Overrides:
toString in class Object

reusable

boolean reusable(Subject subject)
Check whether this cached request handle can be used for the given subject. It is assumed that the caller has already checked == on both the security constraints and subject.


getConfigs

List getConfigs()
          throws UnsupportedConstraintException
Get a list of satisfiable configurations. The elements of the list come from the configs array of this handle, with those that failed their corresponding AuthenticationPermission and private credential (TGT) checks filtered out. The returned list is ordered by decreasing preference.

Returns:
a list of satisfiable configurations in decreasing preference order.
Throws:
UnsupportedConstraintException - if the caller has required unsupported constraints, or there are conflicting or unsatisfiable constraints in the requirements, or the JAAS login has not been done (Subject.getSubject(AccessController.getContext()) returns null), or no appropriate Kerberos principal and corresponding TGT allowed by the requirements can be found in the current subject. If the caller has not been granted javax.security.auth.AuthPermission("getSubject") and the cause is not that unsupported constraints were required, the exception message will be generic and enumerate all these possible causes. Otherwise, the message will spell out the reason that caused the exception.
SecurityException - if there is a security manager and the caller has javax.security.auth.AuthPermission("getSubject") but not any AuthenticationPermission whose local principal is a member of the client principal candidate set. The action of the AuthenticationPermission is either connect or delegate, determined by the requirements of the constraints.
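
The two-phase split described for the constructor, together with the message gating described above, can be sketched as follows. This is an added example, not code from the Jini source: DeferredHandle and all of its members are hypothetical names, UnsupportedOperationException stands in for UnsupportedConstraintException so the sketch compiles without the Jini jar, and the principals are constructed sample values.

```java
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.AuthPermission;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

/** Added illustration; DeferredHandle and its members are hypothetical, not Jini API. */
public class DeferredHandle {
    static final String GENERIC = "unsupported or conflicting constraints, no JAAS login,"
            + " or no usable Kerberos principal and TGT in the current subject";
    private final Set<KerberosPrincipal> candidates;
    private String detailedMsg;       // recorded in phase one, never thrown there
    private boolean revealsSubject;   // true when the detail describes subject contents

    // Phase one: no permission checks, so the result can be cached per subject/constraints pair.
    DeferredHandle(Subject subject, Set<KerberosPrincipal> allowed, boolean constraintsSupported) {
        candidates = new HashSet<>(subject.getPrincipals(KerberosPrincipal.class));
        candidates.retainAll(allowed);
        if (!constraintsSupported) {
            detailedMsg = "a required constraint is not supported";
        } else if (candidates.isEmpty()) {
            detailedMsg = "subject holds none of the principals the constraints allow";
            revealsSubject = true;
        }
    }

    // Phase two: runs per request on the calling thread; the only place a failure is reported.
    Set<KerberosPrincipal> getCandidates() {
        if (detailedMsg == null) return candidates;
        boolean detail = !revealsSubject || callerHasGetSubject();
        // Stand-in exception type (assumption): the page's method throws UnsupportedConstraintException.
        throw new UnsupportedOperationException(detail ? detailedMsg : GENERIC);
    }

    static boolean callerHasGetSubject() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;  // no security manager installed: nothing is withheld
        try { sm.checkPermission(new AuthPermission("getSubject")); return true; }
        catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        Subject s = new Subject();
        s.getPrincipals().add(new KerberosPrincipal("alice@EXAMPLE.COM"));  // constructed sample
        Set<KerberosPrincipal> allowed = Set.of(new KerberosPrincipal("bob@EXAMPLE.COM"));
        try { new DeferredHandle(s, allowed, true).getCandidates(); }
        catch (UnsupportedOperationException e) { System.out.println(e.getMessage()); }
    }
}
```

Because the failure is only recorded in phase one, a cached handle cannot be used by a caller without the "getSubject" permission to learn which principals the subject holds.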

getEndpoint

KerberosEndpoint getEndpoint()
Get the enclosing endpoint instance


getClientPrincipals

private Set getClientPrincipals(Subject subj)
Return the set of Kerberos principals contained in the given subject.

Parameters:
subj - the subject whose principals will be extracted
Returns:
the set of Kerberos principals

computeConnectionTimeLimit

private long computeConnectionTimeLimit(Set constraints)
Compute the connection time limit based on the specified set of constraints.

Parameters:
constraints - the set of constraints based on which the connection time limit will be computed
Returns:
the resulting connection time limit

getTickets

private KerberosTicket[] getTickets()
Return all valid Ticket Granting Tickets (TGTs) in the clientSubject as an array. The server name of a TGT starts with "krbtgt/".

Returns:
an array of valid TGTs
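
A filter of the kind getTickets() describes, written against the standard JAAS Kerberos classes. This is an added example, not the Jini implementation: TgtFilter, validTgts and sample are hypothetical names, "valid" is assumed to mean not destroyed and within its lifetime, and the tickets are constructed samples with dummy encodings and keys.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

/** Added illustration; TgtFilter and its methods are hypothetical names. */
public class TgtFilter {
    /** Tickets that are not destroyed, are within their lifetime, and name a krbtgt/ server. */
    static List<KerberosTicket> validTgts(Subject subject) {
        List<KerberosTicket> out = new ArrayList<>();
        // Under a security manager this read requires PrivateCredentialPermission.
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.isDestroyed() || !t.isCurrent()) continue;   // wiped or expired
            if (t.getServer().getName().startsWith("krbtgt/")) out.add(t);
        }
        return out;
    }

    /** Constructed sample ticket: dummy encoding and session key, end time relative to now. */
    static KerberosTicket sample(String client, String server, long endOffsetMs) {
        long now = System.currentTimeMillis();
        Date start = new Date(now - 7_200_000L);
        return new KerberosTicket(new byte[] {0}, new KerberosPrincipal(client),
                new KerberosPrincipal(server), new byte[16], 17, null,
                start, start, new Date(now + endOffsetMs), null, null);
    }

    public static void main(String[] args) {
        String tgs = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
        Subject s = new Subject();
        s.getPrivateCredentials().add(sample("alice@EXAMPLE.COM", tgs, 3_600_000L));  // current TGT
        s.getPrivateCredentials().add(sample("alice@EXAMPLE.COM", tgs, -1_000L));     // expired TGT
        s.getPrivateCredentials().add(
                sample("alice@EXAMPLE.COM", "host/db.example.com@EXAMPLE.COM", 3_600_000L)); // service ticket
        for (KerberosTicket t : validTgts(s)) {
            System.out.println(t.getClient() + " -> " + t.getServer());
        }
    }
}
```

Only the first of the three sample tickets passes the filter; the expired TGT and the service ticket are skipped.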

findTicket

private KerberosTicket findTicket(KerberosTicket[] tickets,
                                  KerberosPrincipal p)

getAuthenticationPermission

private AuthenticationPermission getAuthenticationPermission(KerberosPrincipal client,
                                                             boolean deleg)


Copyright 2007-2010, multiple authors.
Licensed under the Apache License, Version 2.0, see the NOTICE file for attributions.