/*
 * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.net.www.protocol.http.spnego;

import com.sun.security.jgss.ExtendedGSSContext;
import java.io.IOException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import sun.net.www.protocol.http.HttpCallerInfo;
import sun.net.www.protocol.http.Negotiator;
import sun.security.jgss.GSSManagerImpl;
import sun.security.jgss.GSSUtil;
import sun.security.jgss.HttpCaller;

This class encapsulates all JAAS and JGSS API calls in a separate class outside NegotiateAuthentication.java so that J2SE build can go smoothly without the presence of it.
Author:weijun.wang@sun.com
Since:1.6
/** * This class encapsulates all JAAS and JGSS API calls in a separate class * outside NegotiateAuthentication.java so that J2SE build can go smoothly * without the presence of it. * * @author weijun.wang@sun.com * @since 1.6 */
public class NegotiatorImpl extends Negotiator { private static final boolean DEBUG = java.security.AccessController.doPrivileged( new sun.security.action.GetBooleanAction("sun.security.krb5.debug")); private GSSContext context; private byte[] oneToken;
Initialize the object, which includes:
  • Find out what GSS mechanism to use from the system property http.negotiate.mechanism.oid, defaults SPNEGO
  • Creating the GSSName for the target host, "HTTP/"+hostname
  • Creating GSSContext
  • A first call to initSecContext
/** * Initialize the object, which includes:<ul> * <li>Find out what GSS mechanism to use from the system property * <code>http.negotiate.mechanism.oid</code>, defaults SPNEGO * <li>Creating the GSSName for the target host, "HTTP/"+hostname * <li>Creating GSSContext * <li>A first call to initSecContext</ul> */
private void init(HttpCallerInfo hci) throws GSSException { final Oid oid; if (hci.scheme.equalsIgnoreCase("Kerberos")) { // we can only use Kerberos mech when the scheme is kerberos oid = GSSUtil.GSS_KRB5_MECH_OID; } else { String pref = java.security.AccessController.doPrivileged( new java.security.PrivilegedAction<String>() { public String run() { return System.getProperty( "http.auth.preference", "spnego"); } }); if (pref.equalsIgnoreCase("kerberos")) { oid = GSSUtil.GSS_KRB5_MECH_OID; } else { // currently there is no 3rd mech we can use oid = GSSUtil.GSS_SPNEGO_MECH_OID; } } GSSManagerImpl manager = new GSSManagerImpl( new HttpCaller(hci)); // RFC 4559 4.1 uses uppercase service name "HTTP". // RFC 4120 6.2.1 demands the host be lowercase String peerName = "HTTP@" + hci.host.toLowerCase(); GSSName serverName = manager.createName(peerName, GSSName.NT_HOSTBASED_SERVICE); context = manager.createContext(serverName, oid, null, GSSContext.DEFAULT_LIFETIME); // Always respect delegation policy in HTTP/SPNEGO. if (context instanceof ExtendedGSSContext) { ((ExtendedGSSContext)context).requestDelegPolicy(true); } oneToken = context.initSecContext(new byte[0], 0, 0); }
Constructor
Throws:
  • IOException – If negotiator cannot be constructed
/** * Constructor * @throws java.io.IOException If negotiator cannot be constructed */
public NegotiatorImpl(HttpCallerInfo hci) throws IOException { try { init(hci); } catch (GSSException e) { if (DEBUG) { System.out.println("Negotiate support not initiated, will " + "fallback to other scheme if allowed. Reason:"); e.printStackTrace(); } IOException ioe = new IOException("Negotiate support not initiated"); ioe.initCause(e); throw ioe; } }
Return the first token of GSS, in SPNEGO, it's called NegTokenInit
Returns:the first token
/** * Return the first token of GSS, in SPNEGO, it's called NegTokenInit * @return the first token */
@Override public byte[] firstToken() { return oneToken; }
Return the rest tokens of GSS, in SPNEGO, it's called NegTokenTarg
Params:
  • token – the token received from server
Throws:
  • IOException – if the token cannot be created successfully
Returns:the next token
/** * Return the rest tokens of GSS, in SPNEGO, it's called NegTokenTarg * @param token the token received from server * @return the next token * @throws java.io.IOException if the token cannot be created successfully */
@Override public byte[] nextToken(byte[] token) throws IOException { try { return context.initSecContext(token, 0, token.length); } catch (GSSException e) { if (DEBUG) { System.out.println("Negotiate support cannot continue. Reason:"); e.printStackTrace(); } IOException ioe = new IOException("Negotiate support cannot continue"); ioe.initCause(e); throw ioe; } } }