net.jini.jeri.ssl
Class AuthManager

java.lang.Object
  extended by net.jini.jeri.ssl.Utilities
      extended by net.jini.jeri.ssl.FilterX509TrustManager
          extended by net.jini.jeri.ssl.AuthManager
All Implemented Interfaces:
KeyManager, TrustManager, X509KeyManager, X509TrustManager
Direct Known Subclasses:
ClientAuthManager, ServerAuthManager

abstract class AuthManager
extends FilterX509TrustManager
implements X509KeyManager

Implements X509KeyManager by getting its key and credential information from a JAAS subject, and X509TrustManager by using FilterX509TrustManager. Combines both the key and trust managers to enable subclasses to use information for both when checking permissions.

Author:
Sun Microsystems, Inc.

Nested Class Summary
 
Nested classes/interfaces inherited from class net.jini.jeri.ssl.Utilities
Utilities.SSLContextInfo
 
Field Summary
private  Set permittedLocalPrincipals
          If non-null, then only principals in this set may be used to authenticate the local end of the connection.
(package private)  boolean subjectIsReadOnly
          Whether the subject was read-only when it was stored -- used to avoid checking for changes in the contents of the subject.
private  WeakReference subjectRef
          The Subject from which to retrieve principals and credentials.
 
Fields inherited from class net.jini.jeri.ssl.Utilities
ANY_KEY_ALGORITHM, clientLogger, DSA_KEY_ALGORITHM, getSubjectPermission, initLogger, INTEGRITY_PREFERRED, INTEGRITY_REQUIRED, RSA_KEY_ALGORITHM, serverLogger, UNKNOWN_PRINCIPAL
 
Constructor Summary
AuthManager(Subject subject, Set permittedLocalPrincipals, Set permittedRemotePrincipals)
          Creates an AuthManager that retrieves principals and credentials for authentication from the specified subject.
 
Method Summary
(package private) static long certificatesValidUntil(CertPath chain)
          Returns the latest time for which all of the X.509 certificates in the certificate chain are valid.
(package private) static long certificatesValidUntil(X509Certificate[] chain)
          Returns the latest time for which all of the X.509 certificates in the certificate chain are valid.
private  X500PrivateCredential checkChain(CertPath chain, String keyType, Principal[] issuers)
          Checks if the specified certificate chain can be used for keys of the specified type and with the specified issuers.
(package private)  X500PrivateCredential chooseCredential(String keyType, Principal[] issuers)
          Returns a private credential that matches the specified key type and issuers for which checkChain returns a non-null value, or null if no matching credentials are found.
(package private)  boolean equalPrivateCredentials(X500PrivateCredential cred1, X500PrivateCredential cred2)
          Checks if the two private credentials refer to the same principal and have the equivalent private key.
(package private)  String[] getAliases(String keyType, Principal[] issuers)
          Returns all the aliases that match the specified key type and issuers for which checkChain succeeds.
 X509Certificate[] getCertificateChain(String alias)
           
(package private) abstract  Logger getLogger()
          Returns the logger to use for logging.
(package private) abstract  X500PrivateCredential getPrivateCredential(X509Certificate cert)
          Gets the private credential for the specified X.509 certificate.
 PrivateKey getPrivateKey(String alias)
           
(package private)  Subject getSubject()
          Returns the Subject, or null if the subject was null or if the weak reference has been cleared.
 
Methods inherited from class net.jini.jeri.ssl.FilterX509TrustManager
checkClientTrusted, checkServerTrusted, getAcceptedIssuers, setPermittedRemotePrincipals
 
Methods inherited from class net.jini.jeri.ssl.Utilities
checkValidity, contains, doesEncryption, doesServerAuthentication, equals, firstX509Cert, getCertFactory, getCipherAlgorithm, getClassName, getClientPrincipals, getClientPrincipals, getClientSSLContextInfo, getKeyAlgorithm, getKeyExchangeAlgorithm, getPermittedKeyAlgorithms, getServerPrincipals, getServerSSLContextInfo, getSupportedCipherSuites, hasStrongCipherAlgorithm, logThrow, maintainsIntegrity, permittedKeyAlgorithm, position, releaseClientSSLContextInfo, safeEquals, subjectString, toString
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface javax.net.ssl.X509KeyManager
chooseClientAlias, chooseServerAlias, getClientAliases, getServerAliases
 

Field Detail

subjectRef

private final WeakReference subjectRef
The Subject from which to retrieve principals and credentials. Use a weak reference to ensure that the subject can be GC'ed if it is only being referenced by the SSLContextMap that maps subjects to AuthManagers. The weak key map won't be weak if the value contains a strong reference to the key.


subjectIsReadOnly

final boolean subjectIsReadOnly
Whether the subject was read-only when it was stored -- used to avoid checking for changes in the contents of the subject.


permittedLocalPrincipals

private final Set permittedLocalPrincipals
If non-null, then only principals in this set may be used to authenticate the local end of the connection.

Constructor Detail

AuthManager

AuthManager(Subject subject,
            Set permittedLocalPrincipals,
            Set permittedRemotePrincipals)
      throws NoSuchAlgorithmException
Creates an AuthManager that retrieves principals and credentials for authentication from the specified subject. If permittedLocalPrincipals or permittedRemotePrincipals are set, then only those principals may be used for authentication.

Parameters:
subject - the subject for retrieving principals and credentials
permittedLocalPrincipals - if non-null, then only principals in this set may be used to authenticate the local end of the connection
permittedRemotePrincipals - if non-null, then only principals in this set will be trusted to authenticate the peer
Throws:
NoSuchAlgorithmException - if the trust manager factory algorithm is not found
Method Detail

getPrivateCredential

abstract X500PrivateCredential getPrivateCredential(X509Certificate cert)
Gets the private credential for the specified X.509 certificate.

Parameters:
cert - the X.509 certificate
Returns:
the associated X500PrivateCredential or null if it is not found
Throws:
SecurityException - if the current access control context does not have the proper AuthenticationPermission

getLogger

abstract Logger getLogger()
Returns the logger to use for logging.


getSubject

Subject getSubject()
Returns the Subject, or null if the subject was null or if the weak reference has been cleared.


getAliases

String[] getAliases(String keyType,
                    Principal[] issuers)
Returns all the aliases that match the specified key type and issuers for which checkChain succeeds. Returns null if no matching aliases are found.


chooseCredential

X500PrivateCredential chooseCredential(String keyType,
                                       Principal[] issuers)
                                 throws GeneralSecurityException
Returns a private credential that matches the specified key type and issuers for which checkChain returns a non-null value, or null if no matching credentials are found. Throws a GeneralSecurityException or SecurityException if a problem occurs with all matching credentials.

Throws:
GeneralSecurityException

checkChain

private X500PrivateCredential checkChain(CertPath chain,
                                         String keyType,
                                         Principal[] issuers)
                                  throws GeneralSecurityException
Checks if the specified certificate chain can be used for keys of the specified type and with the specified issuers. Returns null if the chain has the wrong key type, throws an exception if the credentials or subject has problems, and otherwise returns the associated private credential.

Checks that:

Because the following things should only occur because of a configuration problem, this method does not check for:

Throws:
GeneralSecurityException

certificatesValidUntil

static long certificatesValidUntil(CertPath chain)
Returns the latest time for which all of the X.509 certificates in the certificate chain are valid.


certificatesValidUntil

static long certificatesValidUntil(X509Certificate[] chain)
Returns the latest time for which all of the X.509 certificates in the certificate chain are valid.
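As an added illustration of how chooseCredential, checkChain and certificatesValidUntil fit together (example code written for this page, not AuthManager's own source): a hypothetical SubjectCredentialChooser that takes X500PrivateCredentials from a JAAS Subject and filters them by key type, permitted local principal, issuer and validity. It assumes a non-null, read-only subject, X500Principal entries in permittedLocalPrincipals, and treats an expired certificate as the one "problem" that makes the check throw rather than return null.

```java
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;

/** Hypothetical, cut-down analogue of AuthManager's credential selection (not the project's code). */
public class SubjectCredentialChooser {
    private final Subject subject;                             // assumed non-null and read-only
    private final Set<X500Principal> permittedLocalPrincipals; // null: any principal in the subject
    public SubjectCredentialChooser(Subject subject, Set<X500Principal> permittedLocalPrincipals) {
        this.subject = subject;
        this.permittedLocalPrincipals = permittedLocalPrincipals;
    }

    /** Latest time at which every certificate in the chain is still valid: the earliest notAfter. */
    static long certificatesValidUntil(X509Certificate[] chain) {
        long until = Long.MAX_VALUE;
        for (X509Certificate cert : chain) until = Math.min(until, cert.getNotAfter().getTime());
        return until;
    }
    /** Like checkChain: null for a key-type, local-principal or issuer mismatch, an exception for a
     *  credential that cannot be used at all (here: expired), otherwise the credential itself. */
    private X500PrivateCredential checkCredential(X500PrivateCredential cred, String keyType,
                                                  Principal[] issuers) throws CertificateException {
        X509Certificate cert = cred.getCertificate();
        if (keyType != null && !keyType.equals(cert.getPublicKey().getAlgorithm())) return null;
        if (permittedLocalPrincipals != null
                && !permittedLocalPrincipals.contains(cert.getSubjectX500Principal())) return null;
        if (issuers != null && !Arrays.asList(issuers).contains(cert.getIssuerX500Principal())) return null;
        if (certificatesValidUntil(new X509Certificate[] { cert }) <= System.currentTimeMillis())
            throw new CertificateException("credential for " + cert.getSubjectX500Principal() + " has expired");
        return cred;
    }

    /** First credential checkCredential accepts, or null if none matched; if every matching credential
     *  failed, the last failure is rethrown, as chooseCredential on the page does. */
    public X500PrivateCredential chooseCredential(String keyType, Principal[] issuers) throws CertificateException {
        CertificateException lastFailure = null;
        for (X500PrivateCredential cred : subject.getPrivateCredentials(X500PrivateCredential.class)) {
            try { X500PrivateCredential ok = checkCredential(cred, keyType, issuers); if (ok != null) return ok; }
            catch (CertificateException e) { lastFailure = e; }  // remember the problem, keep looking
        }
        if (lastFailure != null) throw lastFailure;
        return null;
    }
}
```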


equalPrivateCredentials

boolean equalPrivateCredentials(X500PrivateCredential cred1,
                                X500PrivateCredential cred2)
Checks if the two private credentials refer to the same principal and have the equivalent private key.


getCertificateChain

public X509Certificate[] getCertificateChain(String alias)
Specified by:
getCertificateChain in interface X509KeyManager

getPrivateKey

public PrivateKey getPrivateKey(String alias)
Specified by:
getPrivateKey in interface X509KeyManager


Copyright 2007-2010, multiple authors.
Licensed under the Apache License, Version 2.0, see the NOTICE file for attributions.