/*
 * Copyright (c) 2000, 2008, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 */

/**
 * This class encapsulates a Kerberos ticket and associated
 * information as viewed from the client's point of view. It captures all
 * information that the Key Distribution Center (KDC) sends to the client
 * in the reply message KDC-REP defined in the Kerberos Protocol
 *
 * All Kerberos JAAS login modules that authenticate a user to a KDC should
 * use this class. Where available, the login module might even read this
 * information from a ticket cache in the operating system instead of
 * directly communicating with the KDC. During the commit phase of the JAAS
 * authentication process, the JAAS login module should instantiate this
 * class and store the instance in the private credential set of a
 * {@link javax.security.auth.Subject Subject}.<p>
 *
 * It might be necessary for the application to be granted a
 * {@link javax.security.auth.PrivateCredentialPermission
 * PrivateCredentialPermission} if it needs to access a KerberosTicket
 * instance from a Subject. This permission is not needed when the
 * application depends on the default JGSS Kerberos mechanism to access the
 * KerberosTicket. In that case, however, the application will need an
 * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}.
 *
 * Note that this class is applicable to both ticket granting tickets and
 * other regular service tickets. A ticket granting ticket is just a
 * special case of a more generalized service ticket.
 *
 * @see javax.security.auth.Subject
 * @see javax.security.auth.PrivateCredentialPermission
 * @see javax.security.auth.login.LoginContext
 * @see org.ietf.jgss.GSSCredential
 * @see org.ietf.jgss.GSSManager
 * @author Mayank Upadhyay
 */

    // XXX Make these flag indices public

    /**
     * ASN.1 DER Encoding of the Ticket as defined in the
     * Kerberos Protocol Specification RFC4120.
     */

    /**
     * <code>KeyImpl</code> is serialized by writing out the ASN1 Encoded bytes
     * of the encryption key. The ASN1 encoding is defined in RFC4120 and as
     * <pre>
     * EncryptionKey   ::= SEQUENCE {
     *         keytype    [0] Int32 -- actually encryption type --,
     *         keyvalue   [1] OCTET STRING
     * }
     * </pre>
     */

    /**
     * Ticket Flags as defined in the Kerberos Protocol Specification RFC4120.
     */

    /**
     * Time of initial authentication
     */

    /**
     * Time after which the ticket is valid.
     */

    /**
     * Time after which the ticket will not be honored (its expiration time).
     */

    /**
     * For renewable Tickets it indicates the maximum endtime that may be
     * included in a renewal. It can be thought of as the absolute expiration
     * time for the ticket, including all renewals. This field may be null
     * for tickets that are not renewable.
     */

    /**
     * Client that owns the service ticket
     */

    /**
     * The service for which the ticket was issued.
     */

    /**
     * The addresses from where the ticket may be used by the client.
     * This field may be null when the ticket is usable from any address.
     */

    /**
     * Constructs a KerberosTicket using credentials information that a
     * client either receives from a KDC or reads from a cache.
     *
     * @param asn1Encoding the ASN.1 encoding of the ticket as defined by
     * the Kerberos protocol specification.
     * @param client the client that owns this service
     * @param server the service that this ticket is for
     * @param sessionKey the raw bytes for the session key that must be
     * used to encrypt the authenticator that will be sent to the server
     * @param keyType the key type for the session key as defined by the
     * Kerberos protocol specification.
     * @param flags the ticket flags. Each element in this array indicates
     * the value for the corresponding bit in the ASN.1 BitString that
     * represents the ticket flags. If the number of elements in this array
     * is less than the number of flags used by the Kerberos protocol,
     * then the missing flags will be filled in with false.
     * @param authTime the time of initial authentication for the client
     * @param startTime the time after which the ticket will be valid. This
     * may be null in which case the value of authTime is treated as the
     * @param endTime the time after which the ticket will no longer be
     * @param renewTill an absolute expiration time for the ticket,
     * including all renewal that might be possible. This field may be null
     * for tickets that are not renewable.
     * @param clientAddresses the addresses from where the ticket may be
     * used by the client. This field may be null when the ticket is usable
     */

    // [constructor body not preserved in this view; the surviving fragments
    //  show null checks that reject an argument with a message ending
    //  " cannot be null", the comments "Caller needs to make sure
    //  `sessionKey` will not be null" and "Fill in whatever we have", and a
    //  renewable ticket without a renewTill value being rejected with
    //  "end time cannot be null for renewable tickets."]

    /**
     * Returns the client principal associated with this ticket.
     *
     * @return the client principal.
     */

    /**
     * Returns the service principal associated with this ticket.
     *
     * @return the service principal.
     */

    /**
     * Returns the session key associated with this ticket.
     *
     * @return the session key.
     */

    /**
     * Returns the key type of the session key associated with this
     * ticket as defined by the Kerberos Protocol Specification.
     *
     * @return the key type of the session key associated with this
     * @see #getSessionKey()
     */

    /**
     * Determines if this ticket is forwardable.
     *
     * @return true if this ticket is forwardable, false if not.
     */

    /**
     * Determines if this ticket had been forwarded or was issued based on
     * authentication involving a forwarded ticket-granting ticket.
     *
     * @return true if this ticket had been forwarded or was issued based on
     * authentication involving a forwarded ticket-granting ticket,
     */

    /**
     * Determines if this ticket is proxiable.
     *
     * @return true if this ticket is proxiable, false if not.
     */

    /**
     * Determines if this ticket is a proxy-ticket.
     *
     * @return true if this ticket is a proxy-ticket, false if not.
     */

    /**
     * Determines if this ticket is post-dated.
     *
     * @return true if this ticket is post-dated, false if not.
     */

    /**
     * Determines if this ticket is renewable. If so, the {@link #refresh()
     * refresh} method can be called, assuming the validity period for
     * renewing is not already over.
     *
     * @return true if this ticket is renewable, false if not.
     */

    /**
     * Determines if this ticket was issued using the Kerberos AS-Exchange
     * protocol, and not issued based on some ticket-granting ticket.
     *
     * @return true if this ticket was issued using the Kerberos AS-Exchange
     * protocol, false if not.
     */

    /**
     * Returns the flags associated with this ticket. Each element in the
     * returned array indicates the value for the corresponding bit in the
     * ASN.1 BitString that represents the ticket flags.
     *
     * @return the flags associated with this ticket.
     */

    /**
     * Returns the time that the client was authenticated.
     *
     * @return the time that the client was authenticated
     *         or null if not set.
     */

    /**
     * Returns the start time for this ticket's validity period.
     *
     * @return the start time for this ticket's validity period
     *         or null if not set.
     */

    /**
     * Returns the expiration time for this ticket's validity period.
     *
     * @return the expiration time for this ticket's validity period.
     */

    /**
     * Returns the latest expiration time for this ticket, including all
     * renewals. This will return a null value for non-renewable tickets.
     *
     * @return the latest expiration time for this ticket.
     */

    /**
     * Returns a list of addresses from where the ticket can be used.
     *
     * @return the list of addresses or null, if the field was not
     */

    /**
     * Returns an ASN.1 encoding of the entire ticket.
     *
     * @return an ASN.1 encoding of the entire ticket.
     */

    /** Determines if this ticket is still current. */

    /**
     * Extends the validity period of this ticket. The ticket will contain
     * a new session key if the refresh operation succeeds. The refresh
     * operation will fail if the ticket is not renewable or the latest
     * allowable renew time has passed. Any other error returned by the
     * KDC will also cause this method to fail.
     *
     * Note: This method is not synchronized with the accessor
     * methods of this object. Hence callers need to be aware of multiple
     * threads that might access this and try to renew it at the same
     *
     * @throws RefreshFailedException if the ticket is not renewable, or
     * the latest allowable renew time has passed, or the KDC returns some
     *
     * @see #isRenewable()
     * @see #getRenewTill()
     */

    // [refresh body not fully preserved in this view; the surviving
    //  fragments are two failure messages ending "cannot be renewed." and
    //  "its last renewal time.", followed by:]

        /*
         * In case multiple threads try to refresh it at the same time.
         */
        synchronized (this) {
            // Squelch it since we don't care about the old ticket.
        }

    /**
     * Destroys the ticket and destroys any sensitive information stored in
     */

    /**
     * Determines if this ticket has been destroyed.
     */

    // [toString body not preserved in this view; surviving fragments:
    //  return ("Ticket (hex) = " + ... "\n" + ... "Client Addresses " + ...]

    /**
     * Returns a hashcode for this KerberosTicket.
     *
     * @return a hashCode() for the <code>KerberosTicket</code>
     */
        // authTime may be null
        // startTime may be null
        // renewTill may be null
        // clientAddress may be null, the array's hashCode is 0

    /**
     * Compares the specified Object with this KerberosTicket for equality.
     * Returns true if the given object is also a
     * <code>KerberosTicket</code> and the two
     * <code>KerberosTicket</code> instances are equivalent.
     *
     * @param other the Object to compare to
     * @return true if the specified object is equal to this KerberosTicket,
     * false otherwise. NOTE: Returns false if either of the KerberosTicket
     * objects has been destroyed.
     */
        // authTime may be null
        // startTime may be null
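As an added example (not the JDK's own code), the lifecycle the comments above describe: a login module's commit phase builds a KerberosTicket and stores it in a Subject's private credential set, a helper applies the refresh() preconditions (not destroyed, renewable, renewTill not yet passed) before renewing, and destroy() wipes the sensitive fields. The ASN.1 bytes, session key bytes and principal names are constructed placeholders, not real KDC output.

```java
import java.net.InetAddress;
import java.util.Date;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TicketLifecycleDemo {
    // RFC 4120 TicketFlags bit positions used to fill the flags array.
    static final int FORWARDABLE = 1, RENEWABLE = 8, INITIAL = 9;

    /** Mimics a login module's commit phase with constructed placeholder
     *  values; a real module would use the KDC reply or a ticket cache. */
    static KerberosTicket commit(Subject subject) {
        byte[] asn1 = new byte[] {0x61, 0x00};      // placeholder, not a real Ticket encoding
        byte[] key  = new byte[32];                  // placeholder session key bytes
        boolean[] flags = new boolean[12];           // shorter than the protocol's bit count is allowed
        flags[FORWARDABLE] = true;
        flags[RENEWABLE]   = true;
        flags[INITIAL]     = true;                   // issued via AS-Exchange, not from a TGT
        long now = System.currentTimeMillis();
        KerberosTicket t = new KerberosTicket(asn1,
                new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                key, 18,                             // 18 = aes256-cts-hmac-sha1-96 etype
                flags, new Date(now), new Date(now),
                new Date(now + 10 * 3600_000L),      // endTime: 10 hours
                new Date(now + 7 * 86400_000L),      // renewTill: required because RENEWABLE is set
                (InetAddress[]) null);               // null = usable from any address
        subject.getPrivateCredentials().add(t);      // needs PrivateCredentialPermission to read back
        return t;
    }

    /** Renews only when the documented preconditions hold; refresh() itself
     *  talks to the KDC, so any other KDC error also surfaces as the exception. */
    static boolean renewIfAllowed(KerberosTicket t) {
        if (t.isDestroyed() || !t.isRenewable()) return false;
        if (t.getRenewTill().before(new Date())) return false;   // past the last renewal time
        try {
            t.refresh();                             // replaces the session key on success
            return true;
        } catch (RefreshFailedException e) {
            return false;
        }
    }

    public static void main(String[] args) throws DestroyFailedException {
        KerberosTicket t = commit(new Subject());
        System.out.println("current=" + t.isCurrent() + " renewable=" + t.isRenewable()
                + " initial=" + t.isInitial() + " forwardable=" + t.isForwardable());
        t.destroy();                                 // zeroes the key material; equals() is false afterwards
        System.out.println("destroyed=" + t.isDestroyed());
    }
}
```

renewIfAllowed is not called from main because refresh() requires a reachable KDC for the ticket's realm; with the placeholder values above it would only fail.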