/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* This class represents the JGSS security context and its associated
* operations. JGSS security contexts are established between
* peers using locally established credentials. Multiple contexts
* may exist simultaneously between a pair of peers, using the same
* or different set of credentials. The JGSS is independent of
* the underlying transport protocols and depends on its callers to
* transport the tokens between peers.
* <p>
* The context object can be thought of as having 3 implicit states:
* before it is established, during its context establishment, and
* after a fully established context exists.
* <p>
* Before the context establishment phase is initiated, the context
* initiator may request specific characteristics desired of the
* established context. These can be set using the set methods. After the
* context is established, the caller can check the actual characteristic
* and services offered by the context using the query methods.
* <p>
* The context establishment phase begins with the first call to the
* initSecContext method by the context initiator. During this phase the
* initSecContext and acceptSecContext methods will produce GSS-API
* authentication tokens which the calling application needs to send to its
* peer. The initSecContext and acceptSecContext methods may
* return a CONTINUE_NEEDED code which indicates that a token is needed
* from its peer in order to continue the context establishment phase. A
* return code of COMPLETE signals that the local end of the context is
* established. This may still require that a token be sent to the peer,
* depending if one is produced by GSS-API. The isEstablished method can
* also be used to determine if the local end of the context has been
* fully established. During the context establishment phase, the
* isProtReady method may be called to determine if the context can be
* used for the per-message operations. This allows implementation to
* use per-message operations on contexts which aren't fully established.
* <p>
* After the context has been established or the isProtReady method
* returns "true", the query routines can be invoked to determine the actual
* characteristics and services of the established context. The
* application can also start using the per-message methods of wrap and
* getMIC to obtain cryptographic operations on application supplied data.
* <p>
* When the context is no longer needed, the application should call
* dispose to release any system resources the context may be using.
* <DL><DT><B>RFC 2078</b>
* <DD>This class corresponds to the context level calls together with
* the per message calls of RFC 2078. The gss_init_sec_context and
* gss_accept_sec_context calls have been made simpler by only taking
* required parameters. The context can have its properties set before
* the first call to initSecContext. The supplementary status codes for the
* per-message operations are returned in an instance of the MessageProp
* class, which is used as an argument in these calls.</dl>
*/
private final boolean initiator;
// private flags for the context state
// instance variables
private boolean reqConfState = true;
private boolean reqIntegState = true;
private boolean reqMutualAuthState = true;
private boolean reqReplayDetState = true;
private boolean reqSequenceDetState = true;
private boolean reqCredDelegState = false;
private boolean reqAnonState = false;
private boolean reqDelegPolicyState = false;
/**
* Creates a GSSContextImp on the context initiator's side.
*/
throws GSSException {
}
this.gssManager = gssManager;
initiator = true;
}
/**
* Creates a GSSContextImpl on the context acceptor's side.
*/
throws GSSException {
this.gssManager = gssManager;
initiator = false;
}
/**
* Creates a GSSContextImpl out of a previously exported
* GSSContext.
*
* @see #isTransferable
*/
throws GSSException {
this.gssManager = gssManager;
}
throws GSSException {
/*
* Size of ByteArrayOutputStream will double each time that extra
* bytes are to be written. Usually, without delegation, a GSS
* initial token containing the Kerberos AP-REQ is between 400 and
* 600 bytes.
*/
}
"Illegal call to initSecContext");
}
int inTokenLen = -1;
boolean firstToken = false;
try {
try {
} catch (GSSException ge) {
} else {
throw ge;
}
}
}
mechOid);
firstToken = true;
} else {
// do not parse GSS header for native provider or SPNEGO
// mech
} else {
// parse GSS header
throw new GSSExceptionImpl
"Mechanism not equal to " +
" in initSecContext token");
}
}
int retVal = 0;
// do not add GSS header for native provider or SPNEGO
// except for the first SPNEGO token
} else {
// add GSS header
}
}
if (mechCtxt.isEstablished())
return retVal;
} catch (IOException e) {
e.getMessage());
}
}
throws GSSException {
/*
* Usually initial GSS token containing a Kerberos AP-REP is less
* than 100 bytes.
*/
bos);
}
"Illegal call to acceptSecContext");
}
int inTokenLen = -1;
try {
// mechOid will be null for an acceptor's context
/*
* Convert ObjectIdentifier to Oid
*/
// System.out.println("Entered GSSContextImpl.acceptSecContext"
// + " with mechanism = " + mechOid);
}
mechOid);
} else {
// do not parse GSS header for native provider and SPNEGO
} else {
// parse GSS Header
throw new GSSExceptionImpl
"Mechanism not equal to " +
" in acceptSecContext token");
}
}
// do not add GSS header for native provider and SPNEGO
} else {
// add GSS header
}
}
if (mechCtxt.isEstablished()) {
}
} catch (IOException e) {
e.getMessage());
}
}
public boolean isEstablished() {
return false;
else
return (currentState == READY);
}
int maxTokenSize) throws GSSException {
else
"No mechanism context yet!");
}
else
"No mechanism context yet!");
}
else
"No mechanism context yet!");
}
else
"No mechanism context yet!");
}
else
"No mechanism context yet!");
}
else
"No mechanism context yet!");
}
else
"No mechanism context yet!");
}
else
"No mechanism context yet!");
}
else
"No mechanism context yet!");
}
// Defaults to null to match old behavior
// Only allow context export from native provider since JGSS
// still has not defined its own interprocess token format
if (mechCtxt.isTransferable() &&
}
return result;
}
}
}
}
}
}
}
}
}
throws GSSException {
this.channelBindings = channelBindings;
}
public boolean getCredDelegState() {
return mechCtxt.getCredDelegState();
else
return reqCredDelegState;
}
public boolean getMutualAuthState() {
return mechCtxt.getMutualAuthState();
else
return reqMutualAuthState;
}
public boolean getReplayDetState() {
return mechCtxt.getReplayDetState();
else
return reqReplayDetState;
}
public boolean getSequenceDetState() {
return mechCtxt.getSequenceDetState();
else
return reqSequenceDetState;
}
public boolean getAnonymityState() {
return mechCtxt.getAnonymityState();
else
return reqAnonState;
}
return mechCtxt.isTransferable();
else
return false;
}
public boolean isProtReady() {
return mechCtxt.isProtReady();
else
return false;
}
public boolean getConfState() {
return mechCtxt.getConfState();
else
return reqConfState;
}
public boolean getIntegState() {
return mechCtxt.getIntegState();
else
return reqIntegState;
}
public int getLifetime() {
return mechCtxt.getLifetime();
else
return reqLifetime;
}
}
return srcName;
}
}
return targName;
}
}
return mechOid;
}
"No mechanism context yet!");
return (delCredElement == null ?
}
return initiator;
}
}
}
// ExtendedGSSContext methods:
}
}
}
}
public boolean getDelegPolicyState() {
return mechCtxt.getDelegPolicyState();
else
return reqDelegPolicyState;
}
}