/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 */

/**
 * Implements the CRAM-MD5 SASL server-side mechanism.
 * CRAM-MD5 has no initial response.
 *
 *   client <---- M={random, timestamp, server-fqdn} ------- server
 *   client ----- {username HMAC_MD5(pw, M)} --------------> server
 *
 * CallbackHandler must be able to handle the following callbacks:
 * - NameCallback: default name is name of user for whom to get password
 * - PasswordCallback: must fill in password; if empty, no pw
 * - AuthorizeCallback: must setAuthorized() and canonicalized authorization id
 *   - auth id == authzid, but needed to get canonicalized authzid
 *
 * @author Rosanna Lee
 */

    /**
     * Creates the server-side CRAM-MD5 mechanism. The fully qualified server
     * name must be supplied because it is embedded in the challenge; the
     * user's password and the authorization decision come from the
     * CallbackHandler described above, not from credentials passed here.
     */
                "CRAM-MD5: fully qualified server name must be specified");
    /**
     * Generates challenge based on response sent by client.
     * CRAM-MD5 has no initial response.
     * First call generates challenge.
     * Second call verifies client response. If authentication fails, throws
     *
     * @param responseData A non-null byte array containing the response
     * data from the client.
     * @return A non-null byte array containing the challenge to be sent to
     * the client for the first call; null when 2nd call is successful.
     * @throws SaslException If authentication fails.
     */
        // See if we've been here before
                "CRAM-MD5 authentication already completed");
                "CRAM-MD5 authentication previously aborted due to error");
                "CRAM-MD5 does not expect any initial response");

            // Generate challenge {random, timestamp, fqdn}

            // Examine response to see if it carries the correct keyed digest
            // (HMAC-MD5) of challengeData; this is a MAC check, not decryption
                "CRAMSRV02:Received response: {0}",

            // Extract username from response (everything before the first space)
                "CRAM-MD5: Invalid response; space missing");

            // Get user's password via NameCallback + PasswordCallback
            // user has no password; OK to disclose to server

            // Generate a keyed-MD5 digest from the user's password and
            // original challenge.
            // clear pw when we no longer need it

            // Check whether digest is as expected

            // All checks out, use AuthorizeCallback to canonicalize name
                "CRAM-MD5 authentication not completed");
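The two-step exchange above, reimplemented end to end as an added example. This is not the JDK's code: it is a stand-alone Python model of the same state machine (challenge on the first call, verification on the second, "already completed" and "previously aborted" guards afterwards) with the client side included so the whole exchange runs offline. Assumptions not taken from this file: the challenge is formatted `<random.timestamp@fqdn>` as in RFC 2195, the three callbacks are replaced by two plain functions (`lookup_password`, `authorize`), the user store `USERS` is constructed sample data, and the `fixed_challenge` parameter exists only so the RFC 2195 known-answer vector can be checked. Two practitioner details the comments above leave implicit are made explicit: the digest comparison is constant-time (`hmac.compare_digest`), and an unknown user fails with the same message as a wrong digest, so a protocol front end that relays the error cannot be used to enumerate usernames. Note also what CRAM-MD5 requires of the server: it must be able to recover the plaintext password (or an equivalent MD5 key state) for the HMAC, which is the main reason the mechanism is considered legacy.

```python
import hashlib
import hmac
import secrets
import time


class SaslException(Exception):
    """Exchange failure; plays the role of javax.security.sasl.SaslException."""


def cram_md5_digest(password: str, challenge: bytes) -> str:
    """HMAC-MD5 keyed with the password over the whole challenge, lowercase hex."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side of the exchange: 'username SP hexdigest'."""
    return f"{username} {cram_md5_digest(password, challenge)}".encode("utf-8")


class CramMd5Server:
    """Server side: first call returns the challenge, second call verifies."""

    def __init__(self, server_fqdn, password_lookup, authorize, fixed_challenge=None):
        if not server_fqdn:
            raise SaslException("CRAM-MD5: fully qualified server name must be specified")
        self.fqdn = server_fqdn
        self.password_lookup = password_lookup  # stand-in for NameCallback + PasswordCallback
        self.authorize = authorize              # stand-in for AuthorizeCallback
        self.fixed_challenge = fixed_challenge  # known-answer tests only, never in production
        self.challenge = None
        self.completed = False
        self.aborted = False
        self.authorization_id = None

    def evaluate_response(self, response_data: bytes):
        # See if we've been here before
        if self.completed:
            raise SaslException("CRAM-MD5 authentication already completed")
        if self.aborted:
            raise SaslException("CRAM-MD5 authentication previously aborted due to error")
        try:
            if self.challenge is None:
                return self._first_call(response_data)
            return self._second_call(response_data)
        except SaslException:
            self.aborted = True  # any failure poisons the session for good
            raise

    def _first_call(self, response_data: bytes) -> bytes:
        if response_data:
            raise SaslException("CRAM-MD5 does not expect any initial response")
        if self.fixed_challenge is not None:
            self.challenge = self.fixed_challenge
        else:
            # {random, timestamp, fqdn} in the RFC 2195 layout (assumed format)
            self.challenge = f"<{secrets.randbits(31)}.{int(time.time())}@{self.fqdn}>".encode("ascii")
        return self.challenge

    def _second_call(self, response_data: bytes):
        # Extract username: everything before the first space
        username, sep, client_digest = response_data.decode("utf-8").partition(" ")
        if not sep or not username:
            raise SaslException("CRAM-MD5: Invalid response; space missing")
        password = self.password_lookup(username)
        # Unknown user and bad digest fail with the same message: no username oracle
        if not password:
            raise SaslException("CRAM-MD5: authentication failed")
        expected = cram_md5_digest(password, self.challenge)
        del password  # drop our reference to the secret as soon as it is used
        if not hmac.compare_digest(expected.encode("ascii"), client_digest.encode("utf-8")):
            raise SaslException("CRAM-MD5: authentication failed")
        # auth id == authzid for CRAM-MD5; the callback still canonicalizes it
        authz_id = self.authorize(username, username)
        if authz_id is None:
            raise SaslException("CRAM-MD5: user not authorized")
        self.authorization_id = authz_id
        self.completed = True
        return None  # null response: exchange finished


USERS = {"alice": "correct horse", "tim": "tanstaaftanstaaf"}  # constructed sample store


def lookup_password(username):
    return USERS.get(username)


def authorize(auth_id, authz_id):
    return authz_id.lower() if auth_id == authz_id else None


def run_exchange(username, password, fqdn="mail.example.test", fixed_challenge=None):
    """Drive both sides; return (server, canonical authorization id)."""
    server = CramMd5Server(fqdn, lookup_password, authorize, fixed_challenge)
    challenge = server.evaluate_response(b"")  # no initial response
    server.evaluate_response(client_response(username, password, challenge))
    return server, server.authorization_id


def failure_message(fn, *args):
    """Run fn; return the SaslException text, or None if it succeeded."""
    try:
        fn(*args)
        return None
    except SaslException as exc:
        return str(exc)


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse")[1])
```

The known-answer vector from RFC 2195 (user `tim`, secret `tanstaaftanstaaf`, challenge `<1896.697170952@postoffice.reston.mci.net>`) reproduces the digest `b913a602c7eda7a495b4e6e7334d3890`, which is a quick way to confirm that any CRAM-MD5 implementation keys the HMAC with the password and digests the challenge including its angle brackets.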