/*
 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.jgss.krb5;

import java.io.IOException;
import org.ietf.jgss.*;
import sun.security.jgss.GSSCaller;
import sun.security.jgss.spi.*;
import sun.security.krb5.*;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.AccessController;
import java.security.AccessControlContext;
import javax.security.auth.DestroyFailedException;

Implements the krb5 acceptor credential element.
Author:Mayank Upadhyay
Since:1.4
/** * Implements the krb5 acceptor credential element. * * @author Mayank Upadhyay * @since 1.4 */
public class Krb5AcceptCredential implements Krb5CredElement { private final Krb5NameElement name; private final ServiceCreds screds; private Krb5AcceptCredential(Krb5NameElement name, ServiceCreds creds) { /* * Initialize this instance with the data from the acquired * KerberosKey. This class needs to be a KerberosKey too * hence we can't just store a reference. */ this.name = name; this.screds = creds; } static Krb5AcceptCredential getInstance(final GSSCaller caller, Krb5NameElement name) throws GSSException { final String serverPrinc = (name == null? null: name.getKrb5PrincipalName().getName()); final AccessControlContext acc = AccessController.getContext(); ServiceCreds creds = null; try { creds = AccessController.doPrivileged( new PrivilegedExceptionAction<ServiceCreds>() { public ServiceCreds run() throws Exception { return Krb5Util.getServiceCreds( caller == GSSCaller.CALLER_UNKNOWN ? GSSCaller.CALLER_ACCEPT: caller, serverPrinc, acc); }}); } catch (PrivilegedActionException e) { GSSException ge = new GSSException(GSSException.NO_CRED, -1, "Attempt to obtain new ACCEPT credentials failed!"); ge.initCause(e.getException()); throw ge; } if (creds == null) throw new GSSException(GSSException.NO_CRED, -1, "Failed to find any Kerberos credentails"); if (name == null) { String fullName = creds.getName(); if (fullName != null) { name = Krb5NameElement.getInstance(fullName, Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL); } } return new Krb5AcceptCredential(name, creds); }
Returns the principal name for this credential. The name is in mechanism specific format.
Throws:
Returns:GSSNameSpi representing principal name of this credential
/** * Returns the principal name for this credential. The name * is in mechanism specific format. * * @return GSSNameSpi representing principal name of this credential * @exception GSSException may be thrown */
public final GSSNameSpi getName() throws GSSException { return name; }
Returns the init lifetime remaining.
Throws:
Returns:the init lifetime remaining in seconds
/** * Returns the init lifetime remaining. * * @return the init lifetime remaining in seconds * @exception GSSException may be thrown */
public int getInitLifetime() throws GSSException { return 0; }
Returns the accept lifetime remaining.
Throws:
Returns:the accept lifetime remaining in seconds
/** * Returns the accept lifetime remaining. * * @return the accept lifetime remaining in seconds * @exception GSSException may be thrown */
public int getAcceptLifetime() throws GSSException { return GSSCredential.INDEFINITE_LIFETIME; } public boolean isInitiatorCredential() throws GSSException { return false; } public boolean isAcceptorCredential() throws GSSException { return true; }
Returns the oid representing the underlying credential mechanism oid.
Throws:
Returns:the Oid for this credential mechanism
/** * Returns the oid representing the underlying credential * mechanism oid. * * @return the Oid for this credential mechanism * @exception GSSException may be thrown */
public final Oid getMechanism() { return Krb5MechFactory.GSS_KRB5_MECH_OID; } public final java.security.Provider getProvider() { return Krb5MechFactory.PROVIDER; } public EncryptionKey[] getKrb5EncryptionKeys(PrincipalName princ) { return screds.getEKeys(princ); }
Called to invalidate this credential element.
/** * Called to invalidate this credential element. */
public void dispose() throws GSSException { try { destroy(); } catch (DestroyFailedException e) { GSSException gssException = new GSSException(GSSException.FAILURE, -1, "Could not destroy credentials - " + e.getMessage()); gssException.initCause(e); } }
Destroys the locally cached EncryptionKey value and then calls destroy in the base class.
/** * Destroys the locally cached EncryptionKey value and then calls * destroy in the base class. */
public void destroy() throws DestroyFailedException { screds.destroy(); }
Impersonation is only available on the initiator side. The service must starts as an initiator to get an initial TGT to complete the S4U2self protocol.
/** * Impersonation is only available on the initiator side. The * service must starts as an initiator to get an initial TGT to complete * the S4U2self protocol. */
@Override public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException { Credentials cred = screds.getInitCred(); if (cred != null) { return Krb5InitCredential.getInstance(this.name, cred) .impersonate(name); } else { throw new GSSException(GSSException.FAILURE, -1, "Only an initiate credentials can impersonate"); } } }