/*
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package javax.security.auth.kerberos;
import java.io.*;
import sun.security.krb5.KrbException;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.Realm;
import sun.security.util.*;
This class encapsulates a Kerberos principal.
Author: Mayank Upadhyay Since: 1.4
/**
* This class encapsulates a Kerberos principal.
*
* @author Mayank Upadhyay
* @since 1.4
*/
public final class KerberosPrincipal
implements java.security.Principal, java.io.Serializable {
private static final long serialVersionUID = -7374788026156829911L;
//name types
unknown name type.
/**
* unknown name type.
*/
public static final int KRB_NT_UNKNOWN = 0;
user principal name type.
/**
* user principal name type.
*/
public static final int KRB_NT_PRINCIPAL = 1;
service and other unique instance (krbtgt) name type.
/**
* service and other unique instance (krbtgt) name type.
*/
public static final int KRB_NT_SRV_INST = 2;
service with host name as instance (telnet, rcommands) name type.
/**
* service with host name as instance (telnet, rcommands) name type.
*/
public static final int KRB_NT_SRV_HST = 3;
service with host as remaining components name type.
/**
* service with host as remaining components name type.
*/
public static final int KRB_NT_SRV_XHST = 4;
unique ID name type.
/**
* unique ID name type.
*/
public static final int KRB_NT_UID = 5;
Enterprise name (alias)
/**
* Enterprise name (alias)
*/
static final int KRB_NT_ENTERPRISE = 10;
private transient String fullName;
private transient String realm;
private transient int nameType;
Constructs a KerberosPrincipal
from the provided string input. The name type for this principal defaults to KRB_NT_PRINCIPAL
This string is assumed to contain a name in the format that is specified in Section 2.1.1. (Kerberos Principal Name Form) of RFC 1964
(for example, duke@FOO.COM, where duke
represents a principal, and FOO.COM represents a realm).
If the input name does not contain a realm, the default realm is used. The default realm can be specified either in a Kerberos configuration file or via the java.security.krb5.realm system property. For more information, see the {@extLink security_guide_jgss_tutorial Kerberos Requirements}. Additionally, if a security manager is installed, a ServicePermission
must be granted and the service principal of the permission must minimally be inside the KerberosPrincipal
's realm. For example, if the result of new KerberosPrincipal("user")
is user@EXAMPLE.COM
, then a ServicePermission
with service principal host/www.example.com@EXAMPLE.COM
(and any action) must be granted.
Params: - name – the principal name
Throws: - IllegalArgumentException – if name is improperly
formatted, if name is null, or if name does not contain
the realm to use and the default realm is not specified
in either a Kerberos configuration file or via the
java.security.krb5.realm system property.
- SecurityException – if a security manager is installed and
name
does not contain the realm to use, and a proper ServicePermission
as described above is not granted.
/**
* Constructs a {@code KerberosPrincipal} from the provided string input.
* The name type for this principal defaults to
* {@link #KRB_NT_PRINCIPAL KRB_NT_PRINCIPAL}
* This string is assumed to contain a name in the format
* that is specified in Section 2.1.1. (Kerberos Principal Name Form) of
* <a href=http://www.ietf.org/rfc/rfc1964.txt> RFC 1964 </a>
* (for example, <i>duke@FOO.COM</i>, where <i>duke</i>
* represents a principal, and <i>FOO.COM</i> represents a realm).
*
* <p>If the input name does not contain a realm, the default realm
* is used. The default realm can be specified either in a Kerberos
* configuration file or via the java.security.krb5.realm
* system property. For more information, see the
* {@extLink security_guide_jgss_tutorial Kerberos Requirements}.
* Additionally, if a security manager is
* installed, a {@link ServicePermission} must be granted and the service
* principal of the permission must minimally be inside the
* {@code KerberosPrincipal}'s realm. For example, if the result of
* {@code new KerberosPrincipal("user")} is {@code user@EXAMPLE.COM},
* then a {@code ServicePermission} with service principal
* {@code host/www.example.com@EXAMPLE.COM} (and any action)
* must be granted.
*
* @param name the principal name
* @throws IllegalArgumentException if name is improperly
* formatted, if name is null, or if name does not contain
* the realm to use and the default realm is not specified
* in either a Kerberos configuration file or via the
* java.security.krb5.realm system property.
* @throws SecurityException if a security manager is installed and
* {@code name} does not contain the realm to use, and a proper
* {@link ServicePermission} as described above is not granted.
*/
public KerberosPrincipal(String name) {
this(name, KRB_NT_PRINCIPAL);
}
Constructs a KerberosPrincipal
from the provided string and name type input. The string is assumed to contain a name in the format that is specified in Section 2.1 (Mandatory Name Forms) of RFC 1964.
Valid name types are specified in Section 6.2 (Principal Names) of
RFC 4120.
The input name must be consistent with the provided name type.
(for example, duke@FOO.COM, is a valid input string for the
name type, KRB_NT_PRINCIPAL where duke
represents a principal, and FOO.COM represents a realm).
If the input name does not contain a realm, the default realm is used. The default realm can be specified either in a Kerberos configuration file or via the java.security.krb5.realm system property. For more information, see the {@extLink security_guide_jgss_tutorial Kerberos Requirements}. Additionally, if a security manager is installed, a ServicePermission
must be granted and the service principal of the permission must minimally be inside the KerberosPrincipal
's realm. For example, if the result of new KerberosPrincipal("user")
is user@EXAMPLE.COM
, then a ServicePermission
with service principal host/www.example.com@EXAMPLE.COM
(and any action) must be granted.
Params: - name – the principal name
- nameType – the name type of the principal
Throws: - IllegalArgumentException – if name is improperly
formatted, if name is null, if the nameType is not supported,
or if name does not contain the realm to use and the default
realm is not specified in either a Kerberos configuration
file or via the java.security.krb5.realm system property.
- SecurityException – if a security manager is installed and
name
does not contain the realm to use, and a proper ServicePermission
as described above is not granted.
/**
* Constructs a {@code KerberosPrincipal} from the provided string and
* name type input. The string is assumed to contain a name in the
* format that is specified in Section 2.1 (Mandatory Name Forms) of
* <a href=http://www.ietf.org/rfc/rfc1964.txt>RFC 1964</a>.
* Valid name types are specified in Section 6.2 (Principal Names) of
* <a href=http://www.ietf.org/rfc/rfc4120.txt>RFC 4120</a>.
* The input name must be consistent with the provided name type.
* (for example, <i>duke@FOO.COM</i>, is a valid input string for the
* name type, KRB_NT_PRINCIPAL where <i>duke</i>
* represents a principal, and <i>FOO.COM</i> represents a realm).
*
* <p>If the input name does not contain a realm, the default realm
* is used. The default realm can be specified either in a Kerberos
* configuration file or via the java.security.krb5.realm
* system property. For more information, see the
* {@extLink security_guide_jgss_tutorial Kerberos Requirements}.
* Additionally, if a security manager is
* installed, a {@link ServicePermission} must be granted and the service
* principal of the permission must minimally be inside the
* {@code KerberosPrincipal}'s realm. For example, if the result of
* {@code new KerberosPrincipal("user")} is {@code user@EXAMPLE.COM},
* then a {@code ServicePermission} with service principal
* {@code host/www.example.com@EXAMPLE.COM} (and any action)
* must be granted.
*
* @param name the principal name
* @param nameType the name type of the principal
* @throws IllegalArgumentException if name is improperly
* formatted, if name is null, if the nameType is not supported,
* or if name does not contain the realm to use and the default
* realm is not specified in either a Kerberos configuration
* file or via the java.security.krb5.realm system property.
* @throws SecurityException if a security manager is installed and
* {@code name} does not contain the realm to use, and a proper
* {@link ServicePermission} as described above is not granted.
*/
public KerberosPrincipal(String name, int nameType) {
PrincipalName krb5Principal = null;
try {
// Appends the default realm if it is missing
krb5Principal = new PrincipalName(name,nameType);
} catch (KrbException e) {
throw new IllegalArgumentException(e.getMessage());
}
if (krb5Principal.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
try {
sm.checkPermission(new ServicePermission(
"@" + krb5Principal.getRealmAsString(), "-"));
} catch (SecurityException se) {
// Swallow the actual exception to hide info
throw new SecurityException("Cannot read realm info");
}
}
}
this.nameType = nameType;
fullName = krb5Principal.toString();
realm = krb5Principal.getRealmString();
}
Returns the realm component of this Kerberos principal.
Returns: the realm component of this Kerberos principal.
/**
* Returns the realm component of this Kerberos principal.
*
* @return the realm component of this Kerberos principal.
*/
public String getRealm() {
return realm;
}
Returns a hash code for this KerberosPrincipal
. The hash code is defined to be the result of the following calculation:
hashCode = getName().hashCode();
Returns: a hash code for this KerberosPrincipal
.
/**
* Returns a hash code for this {@code KerberosPrincipal}. The hash code
* is defined to be the result of the following calculation:
* <pre>{@code
* hashCode = getName().hashCode();
* }</pre>
*
* @return a hash code for this {@code KerberosPrincipal}.
*/
public int hashCode() {
return getName().hashCode();
}
Compares the specified object with this principal for equality. Returns true if the given object is also a KerberosPrincipal
and the two KerberosPrincipal
instances are equivalent. More formally two KerberosPrincipal
instances are equal if the values returned by getName()
are equal. Params: - other – the object to compare to
Returns: true if the object passed in represents the same principal
as this one, false otherwise.
/**
* Compares the specified object with this principal for equality.
* Returns true if the given object is also a
* {@code KerberosPrincipal} and the two
* {@code KerberosPrincipal} instances are equivalent.
* More formally two {@code KerberosPrincipal} instances are equal
* if the values returned by {@code getName()} are equal.
*
* @param other the object to compare to
* @return true if the object passed in represents the same principal
* as this one, false otherwise.
*/
public boolean equals(Object other) {
if (other == this)
return true;
if (! (other instanceof KerberosPrincipal)) {
return false;
}
String myFullName = getName();
String otherFullName = ((KerberosPrincipal) other).getName();
return myFullName.equals(otherFullName);
}
Save the KerberosPrincipal
object to a stream @serialData this KerberosPrincipal
is serialized by writing out the PrincipalName and the Realm in their DER-encoded form as specified in Section 5.2.2 of RFC4120.
/**
* Save the {@code KerberosPrincipal} object to a stream
*
* @serialData this {@code KerberosPrincipal} is serialized
* by writing out the PrincipalName and the
* Realm in their DER-encoded form as specified in Section 5.2.2 of
* <a href=http://www.ietf.org/rfc/rfc4120.txt> RFC4120</a>.
*/
private void writeObject(ObjectOutputStream oos)
throws IOException {
PrincipalName krb5Principal;
try {
krb5Principal = new PrincipalName(fullName, nameType);
oos.writeObject(krb5Principal.asn1Encode());
oos.writeObject(krb5Principal.getRealm().asn1Encode());
} catch (Exception e) {
throw new IOException(e);
}
}
Reads this object from a stream (i.e., deserializes it)
/**
* Reads this object from a stream (i.e., deserializes it)
*/
private void readObject(ObjectInputStream ois)
throws IOException, ClassNotFoundException {
byte[] asn1EncPrincipal = (byte [])ois.readObject();
byte[] encRealm = (byte [])ois.readObject();
try {
Realm realmObject = new Realm(new DerValue(encRealm));
PrincipalName krb5Principal = new PrincipalName(
new DerValue(asn1EncPrincipal), realmObject);
realm = realmObject.toString();
fullName = krb5Principal.toString();
nameType = krb5Principal.getNameType();
} catch (Exception e) {
throw new IOException(e);
}
}
The returned string corresponds to the single-string
representation of a Kerberos Principal name as specified in
Section 2.1 of RFC 1964.
Returns: the principal name.
/**
* The returned string corresponds to the single-string
* representation of a Kerberos Principal name as specified in
* Section 2.1 of <a href=http://www.ietf.org/rfc/rfc1964.txt>RFC 1964</a>.
*
* @return the principal name.
*/
public String getName() {
return fullName;
}
Returns the name type of the KerberosPrincipal
. Valid name types are specified in Section 6.2 of RFC4120.
Returns: the name type.
/**
* Returns the name type of the {@code KerberosPrincipal}. Valid name types
* are specified in Section 6.2 of
* <a href=http://www.ietf.org/rfc/rfc4120.txt> RFC4120</a>.
*
* @return the name type.
*/
public int getNameType() {
return nameType;
}
Returns an informative textual representation of this KerberosPrincipal
. Returns: an informative textual representation of this KerberosPrincipal
.
/**
* Returns an informative textual representation of this {@code KerberosPrincipal}.
*
* @return an informative textual representation of this {@code KerberosPrincipal}.
*/
public String toString() {
return getName();
}
}