org.ietf.jgss
Interface GSSCredential
- Cloneable
This interface encapsulates the GSS-API credentials for an entity.
A credential contains all the necessary cryptographic information to
enable the creation of a context on behalf of the entity that it
represents. It may contain multiple, distinct, mechanism specific
credential elements, each containing information for a specific
security mechanism, but all referring to the same entity.
A credential may be used to perform context initiation, acceptance,
or both.
GSS-API implementations must impose a local access-control policy on
callers to prevent unauthorized callers from acquiring credentials to
which they are not entitled. GSS-API credential creation is not
intended to provide a "login to the network" function, as such a
function would involve the creation of new credentials rather than
merely acquiring a handle to existing credentials. Such functions,
if required, should be defined in implementation-specific extensions
to the API.
If credential acquisition is time-consuming for a mechanism, the
mechanism may choose to delay the actual acquisition until the
credential is required (e.g. by
GSSContext). Such mechanism-
specific implementation decisions should be invisible to the calling
application; thus the query methods immediately following the
creation of a credential object must return valid credential data,
and may therefore incur the overhead of a deferred credential
acquisition.
Applications will create a credential object passing the desired
parameters. The application can then use the query methods to obtain
specific information about the instantiated credential object
(equivalent to the gss_inquire routines). When the credential is no
longer needed, the application should call the dispose (equivalent to
gss_release_cred) method to release any resources held by the
credential object and to destroy any cryptographically sensitive
information.
Classes implementing this interface also implement the
Cloneable
interface. This indicates the the class will support the
Cloneable.clone() method that will allow the creation of duplicate
credentials. This is useful when called just before the
add(GSSName,int,int,Oid,int) call to retain
a copy of the original credential.
Example Code
GSSManager mgr = GSSManager.getInstance();
// start by creating a name object for the entity
GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);
// now acquire credentials for the entity
GSSCredential cred = mgr.createCredential(name,
GSSCredential.ACCEPT_ONLY);
// display credential information - name, remaining lifetime,
// and the mechanisms it has been acquired over
print(cred.getName().toString());
print(cred.getRemainingLifetime());
Oid [] mechs = cred.getMechs();
if (mechs != null)
{
for (int i = 0; i <32mechs.length; i++)
print(mechs[i].toString());
}
// release system resources held by the credential
cred.dispose();
static int | ACCEPT_ONLY- Credential usage flag requesting that it be able to be used for
context acceptance only.
|
static int | DEFAULT_LIFETIME- A lifetime constant representing the default credential lifetime.
|
static int | INDEFINITE_LIFETIME- A lifetime constant representing indefinite credential lifetime.
|
static int | INITIATE_AND_ACCEPT- Credential usage flag requesting that it be able to be used for both
context initiation and acceptance.
|
static int | INITIATE_ONLY- Credential usage flag requesting that it be able to be used for
context initiation only.
|
void | add(GSSName aName, int initLifetime, int acceptLifetime, Oid mech, int usage)- Adds a mechanism specific credential-element to an existing
credential.
|
void | dispose()- Releases any sensitive information that the GSSCredential object may
be containing.
|
boolean | equals(Object another)- Tests if this GSSCredential refers to the same entity as the supplied
object.
|
Oid[] | getMechs()- Returns an array of mechanisms supported by this credential.
|
GSSName | getName()- Retrieves the name of the entity that the credential asserts.
|
GSSName | getName(Oid mechOID)- Retrieves a mechanism name of the entity that the credential asserts.
|
int | getRemainingAcceptLifetime(Oid mech)- Returns the remaining lifetime is seconds for the credential to
remain capable of accepting security contexts under the specified
mechanism.
|
int | getRemainingInitLifetime(Oid mech)- Returns the remaining lifetime is seconds for the credential to
remain capable of initiating security contexts under the specified
mechanism.
|
int | getRemainingLifetime()- Returns the remaining lifetime in seconds for a credential.
|
int | getUsage()- Returns the credential usage flag.
|
int | getUsage(Oid mechOID)- Returns the credential usage flag for the specified credential
mechanism.
|
int | hashCode()- Return the hash code of this credential.
|
ACCEPT_ONLY
public static final int ACCEPT_ONLY
Credential usage flag requesting that it be able to be used for
context acceptance only.
DEFAULT_LIFETIME
public static final int DEFAULT_LIFETIME
A lifetime constant representing the default credential lifetime.
INDEFINITE_LIFETIME
public static final int INDEFINITE_LIFETIME
A lifetime constant representing indefinite credential lifetime.
INITIATE_AND_ACCEPT
public static final int INITIATE_AND_ACCEPT
Credential usage flag requesting that it be able to be used for both
context initiation and acceptance.
INITIATE_ONLY
public static final int INITIATE_ONLY
Credential usage flag requesting that it be able to be used for
context initiation only.
add
public void add(GSSName aName,
int initLifetime,
int acceptLifetime,
Oid mech,
int usage)
throws GSSException Adds a mechanism specific credential-element to an existing
credential. This method allows the construction of credentials one
mechanism at a time.
This routine is envisioned to be used mainly by context acceptors
during the creation of acceptance credentials which are to be used
with a variety of clients using different security mechanisms.
This routine adds the new credential element "in-place". To add the
element in a new credential, first call
Cloneable.clone() to
obtain a copy of this credential, then call its
add()
method.
aName - Name of the principal for whom this credential
is to be acquired. Use null to
specify the default principal.initLifetime - The number of seconds that credentials should
remain valid for initiating of security contexts.
Use INDEFINITE_LIFETIME to request that
the credentials have the maximum permitted lifetime.
Use DEFAULT_LIFETIME to
request the default credential lifetime.acceptLifetime - The number of seconds that credentials should
remain valid for accepting of security contexts.
Use INDEFINITE_LIFETIME to
request that the credentials have the maximum
permitted lifetime. Use DEFAULT_LIFETIME to request
the default credential lifetime.mech - The mechanisms over which the credential is to be
acquired.usage - The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential,
ACCEPT_ONLY,
INITIATE_ONLY.
dispose
public void dispose()
throws GSSException Releases any sensitive information that the GSSCredential object may
be containing. Applications should call this method as soon as the
credential is no longer needed to minimize the time any sensitive
information is maintained.
equals
public boolean equals(Object another)
Tests if this GSSCredential refers to the same entity as the supplied
object. The two credentials must be acquired over the same
mechanisms and must refer to the same principal. Returns
true
if the two GSSCredentials refer to the same entity;
false
otherwise. (Note that the Java language specification requires that two
objects that are equal according to the
Object.equals(Object) method must return the same integer
result when the
Object.hashCode() method is called on them.)
- equals in interface Object
another - Another GSSCredential object for comparison.
- True if this object equals the other.
getRemainingAcceptLifetime
public int getRemainingAcceptLifetime(Oid mech)
throws GSSException Returns the remaining lifetime is seconds for the credential to
remain capable of accepting security contexts under the specified
mechanism. A return value of
INDEFINITE_LIFETIME
indicates that the credential does not expire for context acceptance.
A return value of 0 indicates that the credential is already expired.
mech - The mechanism for which information should be returned.
getRemainingInitLifetime
public int getRemainingInitLifetime(Oid mech)
throws GSSException Returns the remaining lifetime is seconds for the credential to
remain capable of initiating security contexts under the specified
mechanism. A return value of
INDEFINITE_LIFETIME
indicates that the credential does not expire for context initiation.
A return value of 0 indicates that the credential is already expired.
mech - The mechanism for which information should be returned.
getRemainingLifetime
public int getRemainingLifetime()
throws GSSException Returns the remaining lifetime in seconds for a credential. The
remaining lifetime is the minimum lifetime for any of the underlying
credential mechanisms. A return value of
INDEFINITE_LIFETIME indicates that the credential does
not expire. A return value of 0 indicates that the credential is
already expired.
getUsage
public int getUsage(Oid mechOID)
throws GSSExceptionmechOID - The mechanism for which information should be returned.
- The credential usage flag.
hashCode
public int hashCode()
Return the hash code of this credential. When overriding
equals(Object),
it is necessary to override hashCode() as well.
- hashCode in interface Object
- the hash code that must be the same for two credentials if
equals(Object) returns true.
GSSCredential.java -- GSS credential interface.
Copyright (C) 2004 Free Software Foundation, Inc.
This file is part of GNU Classpath.
GNU Classpath is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
GNU Classpath is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with GNU Classpath; see the file COPYING. If not, write to the
Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.
Linking this library statically or dynamically with other modules is
making a combined work based on this library. Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.
As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module. An independent module is a module which is not derived from
or based on this library. If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so. If you do not wish to do so, delete this
exception statement from your version.
The documentation comments of this class are derived from the text
of RFC 2853: Generic Security Service API Version 2: Java Bindings.
That document is covered under the following license notice:
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights defined
in the Internet Standards process must be followed, or as required to
translate it into languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.