com.ibm.security.jgss.mech.spnego

Class SPNEGOContext

java.lang.Object
  extended by com.ibm.security.jgss.mech.spnego.SPNEGOContext
All implemented interfaces:
GSSContextSpi

public class SPNEGOContext
extends java.lang.Object
implements GSSContextSpi
Implements SPNEGO mechanism specific instance of a GSS security context.

A GSSContextSpi object can be thought of as having three states:
1. before initialization
2. during initialization with its peer
3. after it is established

The context options can only be requested in state 1. In state 3, the per-message operations are available to the callers. The get methods for the context options return the requested options while in states 1 and 2, and the established values in state 3. Some mechanisms may allow access to the per-message operations and the context flags before the context is fully established; the isProtReady method indicates whether these services are already available.

Version:
1.0
Author:
Yanni Zhang

Constructor Summary

Constructor and Description
SPNEGOContext(byte[] interProcessToken)
SPNEGOContext(GSSCredentialSpi acceptCred)
    Constructs a security context to be used on the context acceptor side.
SPNEGOContext(GSSCredentialSpi acceptCred, GSSContext ctx)
SPNEGOContext(GSSNameSpi peer, GSSCredentialSpi initCred, int lifetime)
    Constructor.

Method Summary

Modifier and Type, Method and Description

byte[] acceptSecContext(java.io.InputStream is, int mechTokenSize)
    Acceptor's context establishment call.
void dispose()
    Releases context resources and terminates the context between the two peers. This will invalidate the context.
byte[] export()
    Produces a token representing this context.
boolean getAnonymityState()
boolean getConfState()
boolean getCredDelegState()
GSSCredentialSpi getDelegCred()
boolean getIntegState()
int getLifetime()
Oid getMech()
byte[] getMIC(byte[] inMsg, int offset, int len, MessageProp msgProp)
void getMIC(java.io.InputStream is, java.io.OutputStream os, MessageProp msgProp)
    Applies per-message integrity services.
boolean getMutualAuthState()
java.security.Provider getProvider()
    Returns the provider that facilitated the creation of this mechanism context.
boolean getReplayDetState()
boolean getSequenceDetState()
GSSNameSpi getSrcName()
GSSNameSpi getTargName()
int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
    Queries the context for the largest data size that accommodates the specified protection while keeping the token smaller than maxTokSize.
byte[] initSecContext(java.io.InputStream is, int mechTokenSize)
    Initiator context establishment call.
boolean isEstablished()
    Used during context establishment to determine the state of the context.
boolean isProtReady()
boolean isTransferable()
void requestAnonymity(boolean state)
void requestConf(boolean state)
void requestCredDeleg(boolean state)
void requestInteg(boolean state)
void requestLifetime(int lifetime)
void requestMutualAuth(boolean state)
void requestReplayDet(boolean state)
void requestSequenceDet(boolean state)
void setCaller(int caller)
void setChannelBinding(ChannelBinding cb)
void setNegMechs(Oid[] mechTypes, GSSCredential credential)
    Sets the list of security mechanism Oids available for negotiation.
int unwrap(byte[] inBuf, int inOffset, int len, byte[] outBuf, int outOffset, MessageProp msgProp)
    For apps that care about buffer copies but either cannot use streams or want to avoid them for whatever reason.
byte[] unwrap(byte[] inBuf, int offset, int len, MessageProp msgProp)
    For apps that want simplicity and don't care about buffer copies.
int unwrap(java.io.InputStream is, byte[] outBuf, int outOffset, MessageProp msgProp)
    For apps that care about buffer copies and want to read straight from the network, but also want the output in a specific application-provided buffer, say to reduce buffer allocation or a subsequent copy.
void unwrap(java.io.InputStream is, java.io.OutputStream os, MessageProp msgProp)
    Retrieves the message token previously encapsulated in the wrap call.
void verifyMIC(byte[] inTok, int tokOffset, int tokLen, byte[] inMsg, int msgOffset, int msgLen, MessageProp msgProp)
void verifyMIC(java.io.InputStream is, java.io.InputStream msgStr, MessageProp mProp)
    Checks the integrity of the supplied tokens.
int wrap(byte[] inBuf, int inOffset, int len, byte[] outBuf, int outOffset, MessageProp msgProp)
    For apps that care about buffer copies but either cannot use streams or want to avoid them for whatever reason.
byte[] wrap(byte[] inBuf, int offset, int len, MessageProp msgProp)
    For apps that want simplicity and don't care about buffer copies.
void wrap(byte[] inBuf, int offset, int len, java.io.OutputStream os, MessageProp msgProp)
    For apps that want to read from a specific application-provided buffer but want to write directly to the network stream.
void wrap(java.io.InputStream is, java.io.OutputStream os, MessageProp msgProp)
    Provides per-message token encapsulation.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SPNEGOContext

public SPNEGOContext(GSSCredentialSpi acceptCred)
                     throws GSSException
Constructs a security context to be used on the context acceptor side.
Throws:
GSSException

SPNEGOContext

public SPNEGOContext(GSSCredentialSpi acceptCred,
                     GSSContext ctx)
                     throws GSSException
Throws:
GSSException

SPNEGOContext

public SPNEGOContext(GSSNameSpi peer,
                     GSSCredentialSpi initCred,
                     int lifetime)
                     throws GSSException
Constructor.
Parameters:
peer - Name of the target peer.
initCred - Credentials of the initiator.
lifetime - The requested lifetime, in seconds, for the credential.
Throws:
GSSException

SPNEGOContext

public SPNEGOContext(byte[] interProcessToken)
                     throws GSSException
Throws:
GSSException

Method Detail

setCaller

public void setCaller(int caller)

getProvider

public java.security.Provider getProvider()
Returns the provider that facilitated the creation of this mechanism context. A mechanism context is created via a factory specified by a provider.
Specified by:
getProvider in interface GSSContextSpi

requestMutualAuth

public void requestMutualAuth(boolean state)
                       throws GSSException
Specified by:
requestMutualAuth in interface GSSContextSpi
Throws:
GSSException

requestReplayDet

public void requestReplayDet(boolean state)
                      throws GSSException
Specified by:
requestReplayDet in interface GSSContextSpi
Throws:
GSSException

requestSequenceDet

public void requestSequenceDet(boolean state)
                        throws GSSException
Specified by:
requestSequenceDet in interface GSSContextSpi
Throws:
GSSException

requestCredDeleg

public void requestCredDeleg(boolean state)
                      throws GSSException
Specified by:
requestCredDeleg in interface GSSContextSpi
Throws:
GSSException

requestAnonymity

public void requestAnonymity(boolean state)
                      throws GSSException
Specified by:
requestAnonymity in interface GSSContextSpi
Throws:
GSSException

requestConf

public void requestConf(boolean state)
                 throws GSSException
Specified by:
requestConf in interface GSSContextSpi
Throws:
GSSException

requestInteg

public void requestInteg(boolean state)
                  throws GSSException
Specified by:
requestInteg in interface GSSContextSpi
Throws:
GSSException

requestLifetime

public void requestLifetime(int lifetime)
                     throws GSSException
Specified by:
requestLifetime in interface GSSContextSpi
Throws:
GSSException

setChannelBinding

public void setChannelBinding(ChannelBinding cb)
                       throws GSSException
Specified by:
setChannelBinding in interface GSSContextSpi
Throws:
GSSException

setNegMechs

public void setNegMechs(Oid[] mechTypes,
                        GSSCredential credential)
                 throws GSSException
Sets the list of security mechanism Oids available for negotiation.

If more than one mechanism is specified in mechTypes, the order in which those mechanisms are specified implies a relative mechanism preference for the target.

Specified by:
setNegMechs in interface GSSContextSpi
Parameters:
mechTypes - The array list of Oids representing a set or subset of available security mechanisms based on the credential. Must contain at least one element.
credential - The GSSCredential. Use null to request the default credential.
Throws:
GSSException - containing the following major error codes: GSSException.FAILURE, GSSException.BAD_MECH

getCredDelegState

public boolean getCredDelegState()
Specified by:
getCredDelegState in interface GSSContextSpi

getMutualAuthState

public boolean getMutualAuthState()
Specified by:
getMutualAuthState in interface GSSContextSpi

getReplayDetState

public boolean getReplayDetState()
Specified by:
getReplayDetState in interface GSSContextSpi

getSequenceDetState

public boolean getSequenceDetState()
Specified by:
getSequenceDetState in interface GSSContextSpi

getAnonymityState

public boolean getAnonymityState()
Specified by:
getAnonymityState in interface GSSContextSpi

isTransferable

public boolean isTransferable()
                       throws GSSException
Specified by:
isTransferable in interface GSSContextSpi
Throws:
GSSException

isProtReady

public boolean isProtReady()
Specified by:
isProtReady in interface GSSContextSpi

getConfState

public boolean getConfState()
Specified by:
getConfState in interface GSSContextSpi

getIntegState

public boolean getIntegState()
Specified by:
getIntegState in interface GSSContextSpi

getLifetime

public int getLifetime()
Specified by:
getLifetime in interface GSSContextSpi

isEstablished

public boolean isEstablished()
Used during context establishment to determine the state of the context.
Specified by:
isEstablished in interface GSSContextSpi
Returns:
true if this is a fully established context on the caller's side and no more tokens are needed from the peer.

getSrcName

public GSSNameSpi getSrcName()
                      throws GSSException
Specified by:
getSrcName in interface GSSContextSpi
Throws:
GSSException

getTargName

public GSSNameSpi getTargName()
                       throws GSSException
Specified by:
getTargName in interface GSSContextSpi
Throws:
GSSException

getMech

public Oid getMech()
            throws GSSException
Specified by:
getMech in interface GSSContextSpi
Throws:
GSSException

getDelegCred

public GSSCredentialSpi getDelegCred()
                             throws GSSException
Specified by:
getDelegCred in interface GSSContextSpi
Throws:
GSSException

initSecContext

public byte[] initSecContext(java.io.InputStream is,
                             int mechTokenSize)
                      throws GSSException
Initiator context establishment call. This method may need to be called several times. A CONTINUE_NEEDED status indicates that more calls are needed after the next token is received from the peer.

This method is called by the GSS-Framework when the application calls the initSecContext method on the GSSContext implementation that it has a reference to.

All overloaded forms of GSSContext.initSecContext() can be handled with this mechanism-level initSecContext. Since the output token from this method is a fixed size, not exceedingly large, and produced once, an overloaded form that takes an OutputStream has not been defined. The GSS-Framework can write the returned byte[] to any application-provided OutputStream. Similarly, any application input in the form of byte arrays will be wrapped in an input stream by the GSS-Framework and then passed here.

The GSS-Framework will strip off the leading mechanism independent GSS-API header. In other words, only the mechanism specific inner-context token of RFC 2743 section 3.1 will be available on the InputStream.

Specified by:
initSecContext in interface GSSContextSpi
Parameters:
is - contains the inner context token portion of the GSS token received from the peer. On the first call to initSecContext, there will be no token hence it will be ignored.
mechTokenSize - the size of the inner context token as read by the GSS-Framework from the mechanism independent GSS-API level header.
Returns:
any inner-context token required to be sent to the peer as part of a GSS token. The mechanism should not add the mechanism independent part of the token. The GSS-Framework will add that on the way out.
Throws:
GSSException - may be thrown

acceptSecContext

public byte[] acceptSecContext(java.io.InputStream is,
                               int mechTokenSize)
                        throws GSSException
Acceptor's context establishment call. This method may need to be called several times. A CONTINUE_NEEDED status indicates that more calls are needed after the next token is received from the peer.

This method is called by the GSS-Framework when the application calls the acceptSecContext method on the GSSContext implementation that it has a reference to.

All overloaded forms of GSSContext.acceptSecContext() can be handled with this mechanism-level acceptSecContext. Since the output token from this method is a fixed size, not exceedingly large, and produced once, an overloaded form that takes an OutputStream has not been defined. The GSS-Framework can write the returned byte[] to any application-provided OutputStream. Similarly, any application input in the form of byte arrays will be wrapped in an input stream by the GSS-Framework and then passed here.

The GSS-Framework will strip off the leading mechanism independent GSS-API header. In other words, only the mechanism specific inner-context token of RFC 2743 section 3.1 will be available on the InputStream.

Specified by:
acceptSecContext in interface GSSContextSpi
Parameters:
is - contains the inner context token portion of the GSS token received from the peer.
mechTokenSize - the size of the inner context token as read by the GSS-Framework from the mechanism independent GSS-API level header.
Returns:
any inner-context token required to be sent to the peer as part of a GSS token. The mechanism should not add the mechanism independent part of the token. The GSS-Framework will add that on the way out.
Throws:
GSSException - may be thrown
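The state model described at the top of this page and the initSecContext/acceptSecContext token loop, driven end to end as an added example (not code from IBM's SPI or from this page): it uses the public org.ietf.jgss API, which the GSS framework routes to the mechanism SPI on each side, and assumes a Kerberos environment with a usable ticket plus a constructed service name HTTP@server.example.com; the class name, round guard and size limit are the example's own choices.

```java
import org.ietf.jgss.*;
import java.nio.charset.StandardCharsets;

// Added example, not IBM's code: walks an initiator and an acceptor through the three
// context states via the public org.ietf.jgss API (the framework maps each call onto an
// SPNEGOContext). Assumes a Kerberos environment and a constructed service name.
public class SpnegoStates {
    static final Oid SPNEGO = new Oid("1.3.6.1.5.5.2");

    public static void main(String[] args) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName("HTTP@server.example.com", GSSName.NT_HOSTBASED_SERVICE);
        GSSContext init = mgr.createContext(target, SPNEGO, null, GSSContext.DEFAULT_LIFETIME);
        GSSCredential svc = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                                                 SPNEGO, GSSCredential.ACCEPT_ONLY);
        GSSContext acc = mgr.createContext(svc);

        // State 1: options are only requests here and must be set before the first token.
        init.requestMutualAuth(true);
        init.requestInteg(true);
        init.requestConf(true);
        init.requestCredDeleg(false); // delegation would hand the peer our credential

        // State 2: exchange inner-context tokens until both sides report established.
        byte[] tok = new byte[0];
        for (int round = 0; !(init.isEstablished() && acc.isEstablished()); round++) {
            if (round > 8) throw new GSSException(GSSException.DEFECTIVE_TOKEN); // runaway guard
            if (!init.isEstablished()) tok = init.initSecContext(tok, 0, tok.length);
            if (tok == null || tok.length == 0 || acc.isEstablished()) { tok = new byte[0]; continue; }
            tok = acc.acceptSecContext(tok, 0, tok.length);
            if (tok == null) tok = new byte[0];
        }

        // State 3: the get methods now report what was established, not what was requested.
        if (!(init.getMutualAuthState() && init.getIntegState() && init.getConfState()))
            throw new SecurityException("negotiated protection is weaker than requested");

        // Per-message services: keep the plaintext under the limit for the token size we carry.
        byte[] msg = "constructed payload".getBytes(StandardCharsets.UTF_8);
        int limit = init.getWrapSizeLimit(0, true, 64 * 1024);
        if (msg.length > limit) throw new IllegalArgumentException("payload exceeds " + limit);
        MessageProp out = new MessageProp(0, true); // default QOP, confidentiality requested
        byte[] token = init.wrap(msg, 0, msg.length, out);
        if (!out.getPrivacy()) throw new SecurityException("wrap() did not apply confidentiality");
        MessageProp in = new MessageProp(0, false);
        byte[] plain = acc.unwrap(token, 0, token.length, in); // throws on a bad MIC or decrypt
        if (in.isDuplicateToken() || in.isOldToken() || in.isUnseqToken() || in.isGapToken())
            throw new SecurityException("replay/sequence anomaly: " + in.getMinorString());
        // MIC-only path: the message travels beside the token, not inside it.
        byte[] mic = init.getMIC(plain, 0, plain.length, new MessageProp(0, false));
        acc.verifyMIC(mic, 0, mic.length, plain, 0, plain.length, new MessageProp(0, false));

        init.dispose(); acc.dispose(); // invalidates both contexts; per-message calls fail afterwards
    }
}
```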

getWrapSizeLimit

public int getWrapSizeLimit(int qop,
                            boolean confReq,
                            int maxTokSize)
                     throws GSSException
Queries the context for the largest data size that accommodates the specified protection while keeping the token smaller than maxTokSize.
Specified by:
getWrapSizeLimit in interface GSSContextSpi
Parameters:
qop - the quality of protection that the context will be asked to provide.
confReq - a flag indicating whether confidentiality will be requested or not
maxTokSize - the maximum size of the token that wrap() may produce
Returns:
the maximum size for the input message that can be provided to the wrap() method in order to guarantee that these requirements are met.
Throws:
GSSException - may be thrown

wrap

public void wrap(java.io.InputStream is,
                 java.io.OutputStream os,
                 MessageProp msgProp)
          throws GSSException
Provides per-message token encapsulation.
Specified by:
wrap in interface GSSContextSpi
Parameters:
is - the user-provided message to be protected
os - the token to be sent to the peer. It includes the message from is with the requested protection.
msgProp - on input it contains the requested qop and confidentiality state, on output, the applied values
Throws:
GSSException - may be thrown

wrap

public byte[] wrap(byte[] inBuf,
                   int offset,
                   int len,
                   MessageProp msgProp)
            throws GSSException
For apps that want simplicity and don't care about buffer copies.
Specified by:
wrap in interface GSSContextSpi
Throws:
GSSException

wrap

public int wrap(byte[] inBuf,
                int inOffset,
                int len,
                byte[] outBuf,
                int outOffset,
                MessageProp msgProp)
         throws GSSException
For apps that care about buffer copies but either cannot use streams or want to avoid them for whatever reason. (Say, they are using block ciphers.)
Specified by:
wrap in interface GSSContextSpi
Throws:
GSSException

wrap

public void wrap(byte[] inBuf,
                 int offset,
                 int len,
                 java.io.OutputStream os,
                 MessageProp msgProp)
          throws GSSException
For apps that want to read from a specific application-provided buffer but want to write directly to the network stream.
Specified by:
wrap in interface GSSContextSpi
Throws:
GSSException

unwrap

public void unwrap(java.io.InputStream is,
                   java.io.OutputStream os,
                   MessageProp msgProp)
            throws GSSException
Retrieves the message token previously encapsulated in the wrap call.
Specified by:
unwrap in interface GSSContextSpi
Parameters:
is - the token from the peer
os - unprotected message data
msgProp - will contain the applied qop and confidentiality of the input token and any informatory status values
Throws:
GSSException - may be thrown

unwrap

public byte[] unwrap(byte[] inBuf,
                     int offset,
                     int len,
                     MessageProp msgProp)
              throws GSSException
For apps that want simplicity and don't care about buffer copies.
Specified by:
unwrap in interface GSSContextSpi
Throws:
GSSException

unwrap

public int unwrap(byte[] inBuf,
                  int inOffset,
                  int len,
                  byte[] outBuf,
                  int outOffset,
                  MessageProp msgProp)
           throws GSSException
For apps that care about buffer copies but either cannot use streams or want to avoid them for whatever reason. (Say, they are using block ciphers.)
Specified by:
unwrap in interface GSSContextSpi
Throws:
GSSException

unwrap

public int unwrap(java.io.InputStream is,
                  byte[] outBuf,
                  int outOffset,
                  MessageProp msgProp)
           throws GSSException
For apps that care about buffer copies and want to read straight from the network, but also want the output in a specific application-provided buffer, say to reduce buffer allocation or a subsequent copy.
Specified by:
unwrap in interface GSSContextSpi
Throws:
GSSException

getMIC

public void getMIC(java.io.InputStream is,
                   java.io.OutputStream os,
                   MessageProp msgProp)
            throws GSSException
Applies per-message integrity services.
Specified by:
getMIC in interface GSSContextSpi
Parameters:
is - the user-provided message
os - the token to be sent to the peer along with the message token. The message token is not encapsulated.
msgProp - on input the desired QOP, on output the applied QOP
Throws:
GSSException

getMIC

public byte[] getMIC(byte[] inMsg,
                     int offset,
                     int len,
                     MessageProp msgProp)
              throws GSSException
Specified by:
getMIC in interface GSSContextSpi
Throws:
GSSException

verifyMIC

public void verifyMIC(java.io.InputStream is,
                      java.io.InputStream msgStr,
                      MessageProp mProp)
               throws GSSException
Checks the integrity of the supplied token, which was previously generated by getMIC.
Specified by:
verifyMIC in interface GSSContextSpi
Parameters:
is - token generated by getMIC
msgStr - the message to check integrity for
Throws:
GSSException - may be thrown

verifyMIC

public void verifyMIC(byte[] inTok,
                      int tokOffset,
                      int tokLen,
                      byte[] inMsg,
                      int msgOffset,
                      int msgLen,
                      MessageProp msgProp)
               throws GSSException
Specified by:
verifyMIC in interface GSSContextSpi
Throws:
GSSException

export

public byte[] export()
              throws GSSException
Produces a token representing this context. After this call the context will no longer be usable until an import is performed on the returned token.
Specified by:
export in interface GSSContextSpi
Returns:
exported context token
Throws:
GSSException - may be thrown

dispose

public void dispose()
             throws GSSException
Releases context resources and terminates the context between the two peers. This will invalidate the context.
Specified by:
dispose in interface GSSContextSpi
Throws:
GSSException - may be thrown

© Portions Copyright 2003, 2011 IBM Corporation. All rights reserved.
© Portions Copyright 2003, 2011, Oracle and/or its affiliates. All rights reserved.