org.ietf.jgss
Class GSSManager
- java.lang.Object
org.ietf.jgss.GSSManager
- public abstract class GSSManager
- extends java.lang.Object
All but one method in this class are declared abstract. This means that subclasses have to provide the complete implementation for those methods. The only exception to this is the static method getInstance() which will have platform specific code to return an instance of the default subclass.
Platform providers of GSS are required not to add any constructors to this class, private, public, or protected. This will ensure that all subclasses invoke only the default constructor provided to the base class by the compiler.
A subclass extending the GSSManager abstract class may be implemented as a modular provider based layer that utilizes some well known service provider specification. The GSSManager API provides the application with methods to set provider preferences on such an implementation. These methods also allow the implementation to throw a well-defined exception in case provider based configuration is not supported. Applications that expect to be portable should be aware of this and recover cleanly by catching the exception.
It is envisioned that there will be three most common ways in which providers will be used:
1) The application does not care about what provider is used (the default case).
2) The application wants a particular provider to be used preferentially, either for a particular mechanism or all the time, irrespective of mechanism.
3) The application wants to use the locally configured providers as far as possible but if support is missing for one or more mechanisms then it wants to fall back on its own provider.
The GSSManager class has two methods that enable these modes of
usage: addProviderAtFront() and addProviderAtEnd(). These methods
have the effect of creating an ordered list of
The use of these methods does not require any knowledge of whatever
service provider specification the GSSManager subclass follows. It is
hoped that these methods will serve the needs of most applications.
Additional methods may be added to an extended GSSManager that could
be part of a service provider specification that is standardized later.
Based on the IETF RFC-2853.
The only supported mechanism is Kerberos V5.
Calling this method repeatedly preserves the older settings but
lowers them in preference thus forming an ordered list of provider
and Oid pairs that grows at the top.
Calling addProviderAtFront with a null Oid will remove all previous
preferences that were set for this provider in the GSSManager
instance. Calling addProviderAtFront with a non-null Oid will remove
any previous preference that was set using this mechanism and this
provider together.
If the GSSManager implementation does not support an SPI with a
pluggable provider architecture it should throw a GSSException with
the status code GSSException.UNAVAILABLE to indicate that the
operation is unavailable.
Here are some examples:
Suppose an application desired that the provider A always be checked
first when any mechanism is needed, it would call:
Suppose at a later time the following call is made to the same
GSSManager instance:
Please note, however, that the following call:
Calling this method repeatedly preserves the older settings but
raises them above newer ones in preference thus forming an ordered
list of providers and Oid pairs that grows at the bottom. Thus the
older provider settings will be utilized first before this one is.
If there are any previously existing preferences that conflict with
the preference being set here, then the GSSManager should ignore this
request.
If the GSSManager implementation does not support an SPI with a
pluggable provider architecture it should throw a GSSException with
the status code GSSException.UNAVAILABLE to indicate that the
operation is unavailable.
Example Code
Suppose an application desired that when a mechanism of Oid m1 is
needed the system default providers always be checked first, and only
when they do not support m1 should a provider A be checked. It would
then make the call:
Suppose at a later time the following call is made to the same
GSSManager instance:
Please note, however, that the following call:
Constructor Summary
Constructor and Description
GSSManager()
Method Summary
Modifier and Type
Method and Description
addProviderAtEnd(java.security.Provider p,Oid mech)
addProviderAtFront(java.security.Provider p,Oid mech)
createContext(byte[] interProcessToken)
createContext(GSSCredential cred)
createContext(GSSName peer,Oid mech,GSSCredential cred,int lifetime)
createCredential(GSSName aName,int lifeTime,Oid[] mechs,int usage)
createCredential(GSSName aName,int lifeTime,Oid mech,int usage)
createCredential(int usage)
createName(byte[] name,Oid nameType)
createName(byte[] name,Oid nameType,Oid mechType)
createName(java.lang.String nameStr,Oid nameType)
createName(java.lang.String nameStr,Oid nameType,Oid mechType)
getInstance()
getMechs()
getMechsForName(Oid nameType)
getNamesForMech(Oid mech)
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail
GSSManager
Method Detail
getInstance
getMechs
getNamesForMech
mech
- The Oid object for the mechanism to query.
getMechsForName
nameType
- The Oid object for the name type.
createName
nameStr
- The string representing a printable form of the name to create. nameType
- The Oid specifying the namespace of the printable name
qualify the interpretation of the input nameStr, it
does not necessarily imply a type for the output
GSSName implementation. "null" value can be used to
specify that a mechanism specific default printable
syntax should be assumed by each mechanism that
examines nameStr.
createName
name
- The byte array containing the name to create. nameType
- The Oid specifying the namespace of the name supplied
in the byte array. Note that nameType serves to
describe and qualify the interpretation of the input
name byte array, it does not necessarily imply a type
for the output GSSName implementation. "null" value
can be used to specify that a mechanism specific
default syntax should be assumed by each mechanism
that examines the byte array.
createName
createName(String, Oid)
method and then also the
canonicalize
method.
nameStr
- The string representing a printable
form of the name to create. nameType
- The Oid specifying the namespace of the printable name
supplied. Note that nameType serves to describe and
qualify the interpretation of the input nameStr, it
does not necessarily imply a type for the output
GSSName implementation. "null" value can be used to
specify that a mechanism specific default printable
syntax should be assumed when the mechanism examines nameStr. mechType
- Oid specifying the mechanism for which this name
should be created.
createName
createName(byte[], Oid)
method followed by the
canonicalize
name
- The byte array representing the name to create. nameType
- The Oid specifying the namespace of the name supplied
in the byte array. Note that nameType serves to
describe and qualify the interpretation of the input
name byte array, it does not necessarily imply a type
for the output GSSName implementation. "null" value
can be used to specify that a mechanism specific
default syntax should be assumed by each mechanism
that examines the byte array. mechType
- Oid specifying the mechanism for which this name
should be created.
createCredential
usage
- The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
createCredential
aName
- Name of the principal for whom this credential is to be
acquired. Use "null" to specify the default principal. usage
- The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
createCredential
getMechs
method.
aName
- Name of the principal for whom this credential is to be
acquired. Use "null" to specify the default principal. usage
- The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential.ACCEPT_AND_INITIATE,
GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
createContext
peer
- Name of the target peer. lifetime
- The request lifetime, in seconds, for the credential.
createContext
createContext
interProcessToken
- The token previously emitted
from the export method.
addProviderAtFront
Now if it also desired that the mechanism of Oid m1 always be
obtained from the provider B before the previously set A was checked,
it would call:
GSSManager mgr = GSSManager.getInstance();
// mgr may at this point have its own pre-configured list
// of provider preferences. The following will prepend to
// any such list:
mgr.addProviderAtFront(A, null);
The GSSManager would then first check with B if m1 was needed. In
case B did not provide support for m1, the GSSManager would continue
on to check with A. If any mechanism m2 is needed where m2 is
different from m1 then the GSSManager would skip B and check with A
directly.
mgr.addProviderAtFront(B, m1);
then the previous setting with the pair (B, m1) is subsumed by this
and should be removed. Effectively the list of preferences now
becomes {(B, null), (A, null),
... //followed by the pre-configured list.
mgr.addProviderAtFront(B, null)
does not subsume the previous setting of (A, null) and the list will
effectively become {(A, m3), (B, null), (A, null), ...}
mgr.addProviderAtFront(A, m3)
p
- The provider instance that should be used whenever
support is needed for mech. mech
- The mechanism for which the provider is being set
addProviderAtEnd
Now, if it also desired that for all mechanisms the provider B be
checked after all configured providers have been checked, it would
then call:
GSSManager mgr = GSSManager.getInstance();
mgr.addProviderAtEnd(A, m1);
Effectively the list of preferences now becomes {..., (A, m1), (B,
null)}.
mgr.addProviderAtEnd(B, null);
then the previous setting with the pair (B, null) subsumes this and
therefore this request should be ignored. The same would happen if a
request is made for the already existing pairs of (A, m1) or (B,
null).
mgr.addProviderAtEnd(B, m2)
is not subsumed by the previous setting of (A, m1) and the list will
effectively become {..., (A, m1), (B, null), (A, null)}
mgr.addProviderAtEnd(A, null)
p
- The provider instance that should be used whenever
support is needed for mech. mech
- The mechanism for which the provider is being set
© Portions Copyright 2003, 2011, Oracle and/or its affiliates. All rights reserved.