net.jini.jeri.kerberos
Class KerberosUtil

java.lang.Object
  extended by net.jini.jeri.kerberos.KerberosUtil

class KerberosUtil
extends Object

Utility class for the Kerberos provider.

Since:
2.0
Author:
Sun Microsystems, Inc.

Nested Class Summary
(package private) static class KerberosUtil.Config
          An instance of this class records one configuration that may be satisfiable by this provider.
(package private) static class KerberosUtil.ConfigIter
          An iterator that returns all possible configs.
(package private) static class KerberosUtil.Connection
          Connection class serves as the parent of connection classes defined in both client and server end point classes.
(package private) static class KerberosUtil.ConnectionInputStream
          Input stream returned by getInputStream() of client or server connection
(package private) static class KerberosUtil.ConnectionOutputStream
          Output stream returned by getOutputStream() of client or server connection
(package private) static class KerberosUtil.SoftCache
          A synchronized hash map that only maintains soft reference to its value objects.
 
Field Summary
private static boolean[] BOOL_TABLE
          Field used by ConfigIter to generate configs
private static Map depends
          Map constraints to other constraints they depend on
(package private) static InvocationConstraints INTEGRITY_PREFERRED_CONSTRAINTS
           
(package private) static InvocationConstraints INTEGRITY_REQUIRED_CONSTRAINTS
           
(package private) static Oid krb5MechOid
          Oid used to represent the Kerberos v5 GSS-API mechanism, defined as in RFC 1964.
(package private) static Oid krb5NameType
          Oid used to represent the name syntax in Kerberos v5 GSS-API mechanism.
 
Constructor Summary
private KerberosUtil()
          Make the no-argument constructor private, so that this class cannot be instantiated.
 
Method Summary
(package private) static boolean canGetSubject()
          Test whether the caller has AuthPermission("getSubject").
(package private) static void checkAuthPermission(AuthenticationPermission perm)
          Check whether the caller has the specified AuthenticationPermission.
(package private) static void checkAuthPermission(KerberosPrincipal local, KerberosPrincipal peer, String action)
          Check whether the caller has the AuthenticationPermission with the specified principals and action.
(package private) static boolean collectCpCandidates(InvocationConstraint c, Set cpCandidates)
          Collect all client principal candidates from the given constraint.
(package private) static boolean containsConstraint(Set constraints, InvocationConstraint candidate)
          Check whether the given set of constraints contains the candidate constraint.
(package private) static GSSCredential getGSSCredential(Subject subj, KerberosPrincipal principal, GSSManager manager, int usage)
          Get the GSSCredential corresponding to the given principal from the given Subject, whose usage type is governed by the usage parameter.
(package private) static boolean isSatisfiable(KerberosUtil.Config config, InvocationConstraint c)
          Test whether the specified configuration is satisfiable by the given constraint.
(package private) static boolean isSupportableConstraint(InvocationConstraint c)
          Test whether the specified constraint can possibly be supported by this provider.
(package private) static boolean isSupportedConstraintType(InvocationConstraint c)
          Check whether the type of the specified constraint is supported by this provider.
(package private) static void logThrow(Logger logger, Level level, Class sourceClass, String sourceMethod, String msg, Object[] params, Throwable e)
          Logs a throw.
(package private) static void secureThrow(Exception detailedException, UnsupportedConstraintException genericException)
          Only throw non-generic exception if caller has getSubject permission.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

krb5MechOid

static final Oid krb5MechOid
Oid used to represent the Kerberos v5 GSS-API mechanism, defined as in RFC 1964.


krb5NameType

static final Oid krb5NameType
Oid used to represent the name syntax in Kerberos v5 GSS-API mechanism. Examples: "joe@KERBEROSREALM" or "ftp/myhost.foo.com@KERBEROSREALM".


INTEGRITY_REQUIRED_CONSTRAINTS

static final InvocationConstraints INTEGRITY_REQUIRED_CONSTRAINTS

INTEGRITY_PREFERRED_CONSTRAINTS

static final InvocationConstraints INTEGRITY_PREFERRED_CONSTRAINTS

BOOL_TABLE

private static final boolean[] BOOL_TABLE
Field used by ConfigIter to generate configs


depends

private static final Map depends
Map constraints to other constraints they depend on

Constructor Detail

KerberosUtil

private KerberosUtil()
Make the no-argument constructor private, so that this class cannot be instantiated.

Method Detail

canGetSubject

static boolean canGetSubject()
Test whether the caller has AuthPermission("getSubject").

Returns:
true if the caller has AuthPermission("getSubject"), false otherwise.

isSupportedConstraintType

static boolean isSupportedConstraintType(InvocationConstraint c)
Check whether the type of the specified constraint is supported by this provider.

Parameters:
c - the constraint to be tested
Returns:
true if the specified constraint has a known type, false otherwise.

isSupportableConstraint

static boolean isSupportableConstraint(InvocationConstraint c)
Test whether the specified constraint can possibly be supported by this provider.

Parameters:
c - the constraint to be tested
Returns:
true if the specified constraint can possibly be supported, false otherwise.

isSatisfiable

static boolean isSatisfiable(KerberosUtil.Config config,
                             InvocationConstraint c)
Test whether the specified configuration is satisfiable by the given constraint.

Parameters:
config - configuration to be tested
c - the constraint to be tested
Returns:
true if the specified configuration is allowed by the given constraint, false otherwise.

collectCpCandidates

static boolean collectCpCandidates(InvocationConstraint c,
                                   Set cpCandidates)
Collect all client principal candidates from the given constraint. This method assumes homogeneous alternatives.

Parameters:
c - the given constraint
cpCandidates - the set of candidates satisfiable by the constraints previously checked, which new principals should be added to. This set contains no principals if no client principal constraint has been checked yet.
Returns:
false if the passed-in constraint is a ClientMinPrincipal or ClientMaxPrincipal, or a ConstraintAlternatives whose elements are of those types, and it is not satisfiable with respect to the given set of candidates; true otherwise.

checkAuthPermission

static void checkAuthPermission(KerberosPrincipal local,
                                KerberosPrincipal peer,
                                String action)
Check whether the caller has the AuthenticationPermission with the specified principals and action.

Parameters:
local - local principal of the AuthenticationPermission, cannot be null.
peer - peer principal of the AuthenticationPermission.
action - action of the AuthenticationPermission; valid values include "connect", "delegate", "listen", and "accept".
Throws:
SecurityException - if the caller does not have the checked permission

checkAuthPermission

static void checkAuthPermission(AuthenticationPermission perm)
Check whether the caller has the specified AuthenticationPermission.

Parameters:
perm - the AuthenticationPermission to be checked
Throws:
SecurityException - if the caller does not have the checked permission

containsConstraint

static boolean containsConstraint(Set constraints,
                                  InvocationConstraint candidate)
Check whether the given set of constraints contains the candidate constraint.

Parameters:
constraints - the constraints to be checked
candidate - candidate constraint
Returns:
true if the candidate constraint is found in the given set of constraints, false otherwise.

getGSSCredential

static GSSCredential getGSSCredential(Subject subj,
                                      KerberosPrincipal principal,
                                      GSSManager manager,
                                      int usage)
                               throws GSSException
Get the GSSCredential corresponding to the given principal from the given Subject, whose usage type is governed by the usage parameter.

Parameters:
subj - the Subject from which the TGT or KerberosKey will be extracted to construct the GSSCredential, cannot be null
principal - the principal whose name will be used to construct the GSSCredential. If null, then a null name will be passed to the manager to allow it to choose a default.
manager - the GSSManager instance that will be used to construct the GSSCredential, cannot be null
usage - intended usage for the GSSCredential. The value of this parameter must be one of GSSCredential.INITIATE_AND_ACCEPT, GSSCredential.ACCEPT_ONLY, or GSSCredential.INITIATE_ONLY.
Returns:
the requested GSSCredential
Throws:
UnsupportedConstraintException - if the requested GSSCredential could not be obtained
GSSException
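The following is an added illustration of the contract described above, written for this page and not taken from the River/Jini source: it checks that the Subject actually carries a credential of the kind the requested usage needs (a current TGT for initiating, a KerberosKey for accepting) before asking the GSSManager for a GSSCredential inside Subject.doAs. The two OID values are the Kerberos v5 mechanism and principal-name-type OIDs from RFC 1964; the class and method names, the krbtgt/ prefix test, and the exception messages are this example's own choices. It needs the River platform jar for net.jini.core.constraint.UnsupportedConstraintException and a JAAS-populated Subject to do anything useful.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import net.jini.core.constraint.UnsupportedConstraintException;

/** Example helper (hypothetical name, not River's KerberosUtil). */
public final class Krb5CredentialExample {

    // OIDs defined in RFC 1964: Kerberos v5 GSS-API mechanism and Kerberos principal name type.
    static final Oid KRB5_MECH_OID;
    static final Oid KRB5_NAME_TYPE;
    static {
        try {
            KRB5_MECH_OID = new Oid("1.2.840.113554.1.2.2");
            KRB5_NAME_TYPE = new Oid("1.2.840.113554.1.2.2.1");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    private Krb5CredentialExample() {}

    /**
     * True if the Subject holds what the requested usage needs: a current TGT for
     * INITIATE, a KerberosKey for ACCEPT, both for INITIATE_AND_ACCEPT. When a principal
     * is given, only credentials belonging to that principal count.
     * (Reading private credentials needs PrivateCredentialPermission under a security manager.)
     */
    static boolean hasUsableCredential(Subject subj, KerberosPrincipal principal, int usage) {
        boolean needsInit = usage == GSSCredential.INITIATE_ONLY
                || usage == GSSCredential.INITIATE_AND_ACCEPT;
        boolean needsAccept = usage == GSSCredential.ACCEPT_ONLY
                || usage == GSSCredential.INITIATE_AND_ACCEPT;
        boolean haveTgt = false;
        for (KerberosTicket t : subj.getPrivateCredentials(KerberosTicket.class)) {
            // A TGT is a ticket for the krbtgt/REALM service; it must not be expired.
            if (t.getServer().getName().startsWith("krbtgt/")
                    && t.isCurrent()
                    && (principal == null || principal.equals(t.getClient()))) {
                haveTgt = true;
            }
        }
        boolean haveKey = false;
        for (KerberosKey k : subj.getPrivateCredentials(KerberosKey.class)) {
            if (principal == null || principal.equals(k.getPrincipal())) {
                haveKey = true;
            }
        }
        return (!needsInit || haveTgt) && (!needsAccept || haveKey);
    }

    /** Obtain the GSSCredential for principal from subj, with the given usage. */
    static GSSCredential getGSSCredential(final Subject subj, final KerberosPrincipal principal,
                                          final GSSManager manager, final int usage)
            throws GSSException, UnsupportedConstraintException {
        if (subj == null || manager == null) {
            throw new NullPointerException("subj and manager cannot be null");
        }
        if (!hasUsableCredential(subj, principal, usage)) {
            // Fail before touching the GSS provider: nothing in the Subject can back this usage.
            throw new UnsupportedConstraintException(
                    "Subject holds no Kerberos credential usable for the requested usage");
        }
        try {
            // The GSS provider looks up tickets/keys in the Subject of the current access
            // control context, so the credential must be created inside Subject.doAs.
            return Subject.doAs(subj, new PrivilegedExceptionAction<GSSCredential>() {
                public GSSCredential run() throws GSSException {
                    GSSName name = (principal == null) ? null
                            : manager.createName(principal.getName(), KRB5_NAME_TYPE, KRB5_MECH_OID);
                    return manager.createCredential(
                            name, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH_OID, usage);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (GSSException) e.getException(); // run() can only throw GSSException
        }
    }
}
```

Passing null for the principal lets the provider pick a default, as the page's parameter description states; the pre-check above then accepts any TGT or key in the Subject. Callers would typically obtain the Subject from a JAAS LoginContext (Krb5LoginModule) and the manager from GSSManager.getInstance().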

secureThrow

static void secureThrow(Exception detailedException,
                        UnsupportedConstraintException genericException)
                 throws UnsupportedConstraintException
Only throw non-generic exception if caller has getSubject permission.

Parameters:
detailedException - the real UnsupportedConstraintException or SecurityException to be thrown if caller has the "getSubject" AuthPermission.
genericException - the generic UnsupportedConstraintException to be thrown if caller does not have the "getSubject" AuthPermission.
Throws:
UnsupportedConstraintException
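Added example, not River's own code: the permission-gated exception pattern described for canGetSubject, checkAuthPermission and secureThrow. The point of secureThrow is an information-flow control: a caller that lacks AuthPermission("getSubject") must not learn, through exception text, which principals or credentials the current Subject does or does not hold, so it receives only the generic UnsupportedConstraintException. The class name, the fallback of treating "no security manager installed" as "permission granted", and the sample messages are this example's assumptions; it relies on the legacy SecurityManager model (System.getSecurityManager) that the page's AuthPermission checks presuppose, and on the River platform jar for the net.jini classes.

```java
import java.security.Permission;

import javax.security.auth.AuthPermission;

import net.jini.core.constraint.UnsupportedConstraintException;
import net.jini.security.AuthenticationPermission;

/** Example helper (hypothetical name, not River's KerberosUtil). */
public final class SecureThrowExample {

    private static final Permission GET_SUBJECT = new AuthPermission("getSubject");

    private SecureThrowExample() {}

    /** True if the caller holds AuthPermission("getSubject"). */
    static boolean canGetSubject() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return true; // assumption: no security manager means no access control is in effect
        }
        try {
            sm.checkPermission(GET_SUBJECT);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    /** Throws SecurityException if the caller lacks the given AuthenticationPermission. */
    static void checkAuthPermission(AuthenticationPermission perm) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(perm);
        }
    }

    /**
     * Throws the detailed exception only to callers allowed to see Subject contents;
     * everyone else gets the generic one, so failure text cannot be used to probe
     * which credentials the Subject holds.
     */
    static void secureThrow(Exception detailedException,
                            UnsupportedConstraintException genericException)
            throws UnsupportedConstraintException {
        if (!canGetSubject()) {
            throw genericException;
        }
        if (detailedException instanceof UnsupportedConstraintException) {
            throw (UnsupportedConstraintException) detailedException;
        }
        if (detailedException instanceof SecurityException) {
            throw (SecurityException) detailedException;
        }
        throw new IllegalArgumentException(
                "detailedException must be an UnsupportedConstraintException or SecurityException",
                detailedException);
    }

    /** Demo with constructed messages; which one prints depends on the caller's permissions. */
    public static void main(String[] args) {
        UnsupportedConstraintException detailed = new UnsupportedConstraintException(
                "no TGT for client principal in current Subject"); // constructed sample text
        UnsupportedConstraintException generic = new UnsupportedConstraintException(
                "constraints not satisfiable by this provider");   // constructed sample text
        try {
            secureThrow(detailed, generic);
        } catch (UnsupportedConstraintException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Run without a security manager the demo prints the detailed message; run under a policy that does not grant javax.security.auth.AuthPermission "getSubject" to the caller, it prints the generic one. The detailed exception is still logged by the provider (see logThrow below), so operators keep the diagnostic while untrusted callers do not.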

logThrow

static void logThrow(Logger logger,
                     Level level,
                     Class sourceClass,
                     String sourceMethod,
                     String msg,
                     Object[] params,
                     Throwable e)
Logs a throw. Use this method to log a throw when the log message needs parameters.

Parameters:
logger - logger to log to
level - the log level
sourceClass - class where throw occurred
sourceMethod - name of the method where throw occurred
msg - log message
params - log message parameters
e - exception thrown


Copyright 2007-2010, multiple authors.
Licensed under the Apache License, Version 2.0, see the NOTICE file for attributions.