net.jini.jeri.ssl
Class ClientAuthManager

java.lang.Object
  extended by net.jini.jeri.ssl.Utilities
      extended by net.jini.jeri.ssl.FilterX509TrustManager
          extended by net.jini.jeri.ssl.AuthManager
              extended by net.jini.jeri.ssl.ClientAuthManager
All Implemented Interfaces:
KeyManager, TrustManager, X509KeyManager, X509TrustManager

 class ClientAuthManager
extends AuthManager

An AuthManager for clients. Uses the fact that client connections only share SSLContexts after a single client and server principal have been chosen.

Author:
Sun Microsystems, Inc.

Nested Class Summary
 
Nested classes/interfaces inherited from class net.jini.jeri.ssl.Utilities
Utilities.SSLContextInfo
 
Field Summary
private  AuthenticationPermission authenticationPermission
          The permission to check for the last cached credential.
private  X500PrivateCredential clientCredential
          The private credential supplied by chooseClientAlias in the last handshake or null if none was supplied.
private  Exception clientCredentialException
          The exception that occurred within the last call to chooseClientAlias if no credential could be supplied.
private  X500Principal clientPrincipal
          The client principal chosen by the first handshake.
private  long credentialsValidUntil
          The latest time for which all client and server credentials remain valid.
private static Logger logger
          Client logger.
private  X509Certificate serverCredential
          The server certificate chosen by the first handshake.
private  X500Principal serverPrincipal
          The server principal chosen by the first handshake.
 
Fields inherited from class net.jini.jeri.ssl.AuthManager
subjectIsReadOnly
 
Fields inherited from class net.jini.jeri.ssl.Utilities
ANY_KEY_ALGORITHM, clientLogger, DSA_KEY_ALGORITHM, getSubjectPermission, initLogger, INTEGRITY_PREFERRED, INTEGRITY_REQUIRED, RSA_KEY_ALGORITHM, serverLogger, UNKNOWN_PRINCIPAL
 
Constructor Summary
ClientAuthManager(Subject subject, Set permittedLocalPrincipals, Set permittedRemotePrincipals)
          Creates an AuthManager that retrieves principals and credentials for authentication from the specified subject.
 
Method Summary
(package private)  void checkAuthentication()
          Checks if the subject still contains the proper credentials, and the current access control context has the proper AuthenticationPermission, to use the current session.
 void checkServerTrusted(X509Certificate[] chain, String authType)
          Overrides this X509TrustManager method in order to cache the server principal and to continue to choose the same one.
 String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket)
           
 String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
           
private  AuthenticationPermission getAuthenticationPermission(X509Certificate cert)
          Returns the permission needed to connect to the last server principal with the specified client certificate.
 String[] getClientAliases(String keyType, Principal[] issuers)
           
(package private)  boolean getClientAuthenticated()
          Returns true if the last handshake authenticated the client, else false.
(package private)  Exception getClientCredentialException()
          Returns the last SecurityException or GeneralSecurityException that occurred when attempting to choose client credentials, or null if no exception occurred.
(package private)  X500Principal getClientPrincipal()
          Returns the client principal chosen.
(package private)  Logger getLogger()
          Returns the client logger.
(package private)  X500PrivateCredential getPrivateCredential(X509Certificate cert)
          Gets the private credential for the specified X.509 certificate, checking for AuthenticationPermission to connect with the last server principal.
private  X500PrivateCredential getPrivateCredential(X509Certificate cert, AuthenticationPermission ap)
          Gets the private credential for the specified X.509 certificate, checking for the specified AuthenticationPermission.
 String[] getServerAliases(String keyType, Principal[] issuers)
           
(package private)  X500Principal getServerPrincipal()
          Returns the server principal chosen.
 
Methods inherited from class net.jini.jeri.ssl.AuthManager
certificatesValidUntil, certificatesValidUntil, chooseCredential, equalPrivateCredentials, getAliases, getCertificateChain, getPrivateKey, getSubject
 
Methods inherited from class net.jini.jeri.ssl.FilterX509TrustManager
checkClientTrusted, getAcceptedIssuers, setPermittedRemotePrincipals
 
Methods inherited from class net.jini.jeri.ssl.Utilities
checkValidity, contains, doesEncryption, doesServerAuthentication, equals, firstX509Cert, getCertFactory, getCipherAlgorithm, getClassName, getClientPrincipals, getClientPrincipals, getClientSSLContextInfo, getKeyAlgorithm, getKeyExchangeAlgorithm, getPermittedKeyAlgorithms, getServerPrincipals, getServerSSLContextInfo, getSupportedCipherSuites, hasStrongCipherAlgorithm, logThrow, maintainsIntegrity, permittedKeyAlgorithm, position, releaseClientSSLContextInfo, safeEquals, subjectString, toString
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

private static final Logger logger
Client logger.


serverCredential

private X509Certificate serverCredential
The server certificate chosen by the first handshake.


serverPrincipal

private X500Principal serverPrincipal
The server principal chosen by the first handshake.


clientCredential

private X500PrivateCredential clientCredential
The private credential supplied by chooseClientAlias in the last handshake or null if none was supplied.


clientPrincipal

private X500Principal clientPrincipal
The client principal chosen by the first handshake.


clientCredentialException

private Exception clientCredentialException
The exception that occurred within the last call to chooseClientAlias if no credential could be supplied.


credentialsValidUntil

private long credentialsValidUntil
The latest time for which all client and server credentials remain valid.


authenticationPermission

private AuthenticationPermission authenticationPermission
The permission to check for the last cached credential.

Constructor Detail

ClientAuthManager

ClientAuthManager(Subject subject,
                  Set permittedLocalPrincipals,
                  Set permittedRemotePrincipals)
            throws NoSuchAlgorithmException
Creates an AuthManager that retrieves principals and credentials for authentication from the specified subject. If permittedLocalPrincipals is non-null, then the principals used for authentication are restricted to the elements of that set. If permittedRemotePrincipals is non-null, then the server principals accepted are restricted to the elements of that set.

Parameters:
subject - the subject for retrieving principals and credentials
permittedLocalPrincipals - if non-null, then only principals in this set may be used for authentication
permittedRemotePrincipals - if non-null, then only principals in this set will be trusted when authenticating the peer
Throws:
NoSuchAlgorithmException - if the trust manager factory algorithm is not found
Method Detail

getClientAuthenticated

boolean getClientAuthenticated()
Returns true if the last handshake authenticated the client, else false.


getClientCredentialException

Exception getClientCredentialException()
Returns the last SecurityException or GeneralSecurityException that occurred when attempting to choose client credentials, or null if no exception occurred.


checkAuthentication

void checkAuthentication()
                   throws UnsupportedConstraintException
Checks if the subject still contains the proper credentials, and the current access control context has the proper AuthenticationPermission, to use the current session. Callers should only call this method if client authentication is being used.

Throws:
SecurityException - if the access control context does not have the proper AuthenticationPermission
UnsupportedConstraintException - if the subject does not contain the proper credentials

getPrivateCredential

X500PrivateCredential getPrivateCredential(X509Certificate cert)
Gets the private credential for the specified X.509 certificate, checking for AuthenticationPermission to connect with the last server principal.

Specified by:
getPrivateCredential in class AuthManager
Parameters:
cert - the certificate for the local principal
Returns:
the associated private credential or null if not found
Throws:
SecurityException - if the access control context does not have the proper AuthenticationPermission

getPrivateCredential

private X500PrivateCredential getPrivateCredential(X509Certificate cert,
                                                   AuthenticationPermission ap)
Gets the private credential for the specified X.509 certificate, checking for the specified AuthenticationPermission.

Parameters:
cert - the certificate for the local principal
ap - the permission needed to connect to the peer
Returns:
the associated private credential or null if not found
Throws:
SecurityException - if the access control context does not have the proper AuthenticationPermission

getLogger

Logger getLogger()
Returns the client logger.

Specified by:
getLogger in class AuthManager

getAuthenticationPermission

private AuthenticationPermission getAuthenticationPermission(X509Certificate cert)
Returns the permission needed to connect to the last server principal with the specified client certificate.


getServerPrincipal

X500Principal getServerPrincipal()
Returns the server principal chosen.


getClientPrincipal

X500Principal getClientPrincipal()
Returns the client principal chosen.


checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException
Overrides this X509TrustManager method in order to cache the server principal and to continue to choose the same one.

Specified by:
checkServerTrusted in interface X509TrustManager
Overrides:
checkServerTrusted in class FilterX509TrustManager
Throws:
CertificateException
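
The caching behaviour described for checkServerTrusted, shown as an added example that is not the net.jini.jeri.ssl source. It assumes that "continue to choose the same one" means a later handshake presenting a different subject is rejected; the class PinnedServerTrustManager and its field names are hypothetical.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/** Hypothetical sketch; not the net.jini.jeri.ssl implementation. */
final class PinnedServerTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;          // performs the real path validation
    private final Set<X500Principal> permittedRemote; // null means no restriction
    private X500Principal serverPrincipal;            // set by the first handshake

    PinnedServerTrustManager(X509TrustManager delegate, Set<X500Principal> permittedRemote) {
        this.delegate = delegate;
        this.permittedRemote = permittedRemote;
    }

    @Override
    public synchronized void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Validate the chain first: a principal is cached only once the chain is trusted.
        delegate.checkServerTrusted(chain, authType);
        X500Principal subject = chain[0].getSubjectX500Principal();
        if (permittedRemote != null && !permittedRemote.contains(subject)) {
            throw new CertificateException("Server principal not permitted: " + subject);
        }
        if (serverPrincipal == null) {
            serverPrincipal = subject;                 // first handshake: remember it
        } else if (!serverPrincipal.equals(subject)) {
            // Later handshake on the same context: the peer identity must not change.
            throw new CertificateException("Server principal changed from "
                    + serverPrincipal + " to " + subject);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    synchronized X500Principal getServerPrincipal() {
        return serverPrincipal;                        // null until a handshake succeeds
    }
}
```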

getClientAliases

public String[] getClientAliases(String keyType,
                                 Principal[] issuers)

getServerAliases

public String[] getServerAliases(String keyType,
                                 Principal[] issuers)

chooseClientAlias

public String chooseClientAlias(String[] keyTypes,
                                Principal[] issuers,
                                Socket socket)

chooseServerAlias

public String chooseServerAlias(String keyType,
                                Principal[] issuers,
                                Socket socket)


Copyright 2007-2010, multiple authors.
Licensed under the Apache License, Version 2.0, see the NOTICE file for attributions.