Frames | No Frames |
1: /* GSSCredential.java -- GSS credential interface. 2: Copyright (C) 2004 Free Software Foundation, Inc. 3: 4: This file is part of GNU Classpath. 5: 6: GNU Classpath is free software; you can redistribute it and/or modify 7: it under the terms of the GNU General Public License as published by 8: the Free Software Foundation; either version 2, or (at your option) 9: any later version. 10: 11: GNU Classpath is distributed in the hope that it will be useful, but 12: WITHOUT ANY WARRANTY; without even the implied warranty of 13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14: General Public License for more details. 15: 16: You should have received a copy of the GNU General Public License 17: along with GNU Classpath; see the file COPYING. If not, write to the 18: Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 19: 02110-1301 USA. 20: 21: Linking this library statically or dynamically with other modules is 22: making a combined work based on this library. Thus, the terms and 23: conditions of the GNU General Public License cover the whole 24: combination. 25: 26: As a special exception, the copyright holders of this library give you 27: permission to link this library with independent modules to produce an 28: executable, regardless of the license terms of these independent 29: modules, and to copy and distribute the resulting executable under 30: terms of your choice, provided that you also meet, for each linked 31: independent module, the terms and conditions of the license of that 32: module. An independent module is a module which is not derived from 33: or based on this library. If you modify this library, you may extend 34: this exception to your version of the library, but you are not 35: obligated to do so. If you do not wish to do so, delete this 36: exception statement from your version. 37: 38: The documentation comments of this class are derived from the text 39: of RFC 2853: Generic Security Service API Version 2: Java Bindings. 40: That document is covered under the following license notice: 41: 42: Copyright (C) The Internet Society (2000). All Rights Reserved. 43: 44: This document and translations of it may be copied and furnished to 45: others, and derivative works that comment on or otherwise explain it 46: or assist in its implementation may be prepared, copied, published and 47: distributed, in whole or in part, without restriction of any kind, 48: provided that the above copyright notice and this paragraph are 49: included on all such copies and derivative works. However, this 50: document itself may not be modified in any way, such as by removing 51: the copyright notice or references to the Internet Society or other 52: Internet organizations, except as needed for the purpose of developing 53: Internet standards in which case the procedures for copyrights defined 54: in the Internet Standards process must be followed, or as required to 55: translate it into languages other than English. 56: 57: The limited permissions granted above are perpetual and will not be 58: revoked by the Internet Society or its successors or assigns. 59: 60: This document and the information contained herein is provided on an 61: "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 62: TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT 63: NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN 64: WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 65: MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. */ 66: 67: 68: package org.ietf.jgss; 69: 70: /** 71: * <p>This interface encapsulates the GSS-API credentials for an entity. 72: * A credential contains all the necessary cryptographic information to 73: * enable the creation of a context on behalf of the entity that it 74: * represents. It may contain multiple, distinct, mechanism specific 75: * credential elements, each containing information for a specific 76: * security mechanism, but all referring to the same entity.</p> 77: * 78: * <p>A credential may be used to perform context initiation, acceptance, 79: * or both.</p> 80: * 81: * <p>GSS-API implementations must impose a local access-control policy on 82: * callers to prevent unauthorized callers from acquiring credentials to 83: * which they are not entitled. GSS-API credential creation is not 84: * intended to provide a "login to the network" function, as such a 85: * function would involve the creation of new credentials rather than 86: * merely acquiring a handle to existing credentials. Such functions, 87: * if required, should be defined in implementation-specific extensions 88: * to the API.</p> 89: * 90: * <p>If credential acquisition is time-consuming for a mechanism, the 91: * mechanism may choose to delay the actual acquisition until the 92: * credential is required (e.g. by {@link GSSContext}). Such mechanism- 93: * specific implementation decisions should be invisible to the calling 94: * application; thus the query methods immediately following the 95: * creation of a credential object must return valid credential data, 96: * and may therefore incur the overhead of a deferred credential 97: * acquisition.</p> 98: * 99: * <p>Applications will create a credential object passing the desired 100: * parameters. The application can then use the query methods to obtain 101: * specific information about the instantiated credential object 102: * (equivalent to the gss_inquire routines). When the credential is no 103: * longer needed, the application should call the dispose (equivalent to 104: * gss_release_cred) method to release any resources held by the 105: * credential object and to destroy any cryptographically sensitive 106: * information.</p> 107: * 108: * <p>Classes implementing this interface also implement the {@link Cloneable} 109: * interface. This indicates the the class will support the {@link 110: * Cloneable#clone()} method that will allow the creation of duplicate 111: * credentials. This is useful when called just before the {@link 112: * #add(org.ietf.jgss.GSSName,int,int,org.ietf.jgss.Oid,int)} call to retain 113: * a copy of the original credential.</p> 114: * 115: * <h3>Example Code</h3> 116: * 117: * <pre> 118: GSSManager mgr = GSSManager.getInstance(); 119: 120: // start by creating a name object for the entity 121: GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME); 122: 123: // now acquire credentials for the entity 124: GSSCredential cred = mgr.createCredential(name, 125: GSSCredential.ACCEPT_ONLY); 126: 127: // display credential information - name, remaining lifetime, 128: // and the mechanisms it has been acquired over 129: print(cred.getName().toString()); 130: print(cred.getRemainingLifetime()); 131: 132: Oid [] mechs = cred.getMechs(); 133: if (mechs != null) 134: { 135: for (int i = 0; i < mechs.length; i++) 136: print(mechs[i].toString()); 137: } 138: 139: // release system resources held by the credential 140: cred.dispose(); 141: * </pre> 142: */ 143: public interface GSSCredential extends Cloneable 144: { 145: 146: // Constants. 147: // ------------------------------------------------------------------------- 148: 149: /** 150: * Credential usage flag requesting that it be able to be used for both 151: * context initiation and acceptance. 152: */ 153: int INITIATE_AND_ACCEPT = 0; 154: 155: /** 156: * Credential usage flag requesting that it be able to be used for 157: * context initiation only. 158: */ 159: int INITIATE_ONLY = 1; 160: 161: /** 162: * Credential usage flag requesting that it be able to be used for 163: * context acceptance only. 164: */ 165: int ACCEPT_ONLY = 2; 166: 167: /** 168: * A lifetime constant representing the default credential lifetime. 169: */ 170: int DEFAULT_LIFETIME = 0; 171: 172: /** 173: * A lifetime constant representing indefinite credential lifetime. 174: */ 175: int INDEFINITE_LIFETIME = Integer.MAX_VALUE; 176: 177: // Methods. 178: // ------------------------------------------------------------------------- 179: 180: /** 181: * Releases any sensitive information that the GSSCredential object may 182: * be containing. Applications should call this method as soon as the 183: * credential is no longer needed to minimize the time any sensitive 184: * information is maintained. 185: * 186: * @throws GSSException If this operation fails. 187: */ 188: void dispose() throws GSSException; 189: 190: /** 191: * Retrieves the name of the entity that the credential asserts. 192: * 193: * @return The name. 194: * @throws GSSException If this operation fails. 195: */ 196: GSSName getName() throws GSSException; 197: 198: /** 199: * Retrieves a mechanism name of the entity that the credential asserts. 200: * Equivalent to calling {@link GSSName#canonicalize(org.ietf.jgss.Oid)} 201: * on the name returned by {@link #getName()}. 202: * 203: * @param mechOID The mechanism for which information should be returned. 204: * @return The name. 205: * @throws GSSException If this operation fails. 206: */ 207: GSSName getName(Oid mechOID) throws GSSException; 208: 209: /** 210: * Returns the remaining lifetime in seconds for a credential. The 211: * remaining lifetime is the minimum lifetime for any of the underlying 212: * credential mechanisms. A return value of {@link 213: * GSSCredential#INDEFINITE_LIFETIME} indicates that the credential does 214: * not expire. A return value of 0 indicates that the credential is 215: * already expired. 216: * 217: * @return The remaining lifetime. 218: * @throws GSSException If this operation fails. 219: */ 220: int getRemainingLifetime() throws GSSException; 221: 222: /** 223: * Returns the remaining lifetime is seconds for the credential to 224: * remain capable of initiating security contexts under the specified 225: * mechanism. A return value of {@link GSSCredential#INDEFINITE_LIFETIME} 226: * indicates that the credential does not expire for context initiation. 227: * A return value of 0 indicates that the credential is already expired. 228: * 229: * @param mech The mechanism for which information should be returned. 230: * @return The remaining lifetime. 231: * @throws GSSException If this operation fails. 232: */ 233: int getRemainingInitLifetime(Oid mech) throws GSSException; 234: 235: /** 236: * Returns the remaining lifetime is seconds for the credential to 237: * remain capable of accepting security contexts under the specified 238: * mechanism. A return value of {@link GSSCredential#INDEFINITE_LIFETIME} 239: * indicates that the credential does not expire for context acceptance. 240: * A return value of 0 indicates that the credential is already expired. 241: * 242: * @param mech The mechanism for which information should be returned. 243: * @return The remaining lifetime. 244: * @throws GSSException If this operation fails. 245: */ 246: int getRemainingAcceptLifetime(Oid mech) throws GSSException; 247: 248: /** 249: * Returns the credential usage flag. The return value will be one of 250: * {@link GSSCredential#INITIATE_ONLY}, {@link GSSCredential#ACCEPT_ONLY}, 251: * or {@link GSSCredential#INITIATE_AND_ACCEPT}. 252: * 253: * @return The credential usage flag. 254: * @throws GSSException If this operation fails. 255: */ 256: int getUsage() throws GSSException; 257: 258: /** 259: * Returns the credential usage flag for the specified credential 260: * mechanism. The return value will be one of 261: * {@link GSSCredential#INITIATE_ONLY}, {@link GSSCredential#ACCEPT_ONLY}, 262: * or {@link GSSCredential#INITIATE_AND_ACCEPT}. 263: * 264: * @param mechOID The mechanism for which information should be returned. 265: * @return The credential usage flag. 266: * @throws GSSException If this operation fails. 267: */ 268: int getUsage(Oid mechOID) throws GSSException; 269: 270: /** 271: * Returns an array of mechanisms supported by this credential. 272: * 273: * @return The supported mechanism. 274: * @throws GSSException If this operation fails. 275: */ 276: Oid[] getMechs() throws GSSException; 277: 278: /** 279: * <p>Adds a mechanism specific credential-element to an existing 280: * credential. This method allows the construction of credentials one 281: * mechanism at a time.</p> 282: * 283: * <p>This routine is envisioned to be used mainly by context acceptors 284: * during the creation of acceptance credentials which are to be used 285: * with a variety of clients using different security mechanisms.</p> 286: * 287: * <p>This routine adds the new credential element "in-place". To add the 288: * element in a new credential, first call {@link Cloneable#clone()} to 289: * obtain a copy of this credential, then call its <code>add()</code> 290: * method.</p> 291: * 292: * @param aName Name of the principal for whom this credential 293: * is to be acquired. Use <code>null</code> to 294: * specify the default principal. 295: * @param initLifetime The number of seconds that credentials should 296: * remain valid for initiating of security contexts. 297: * Use {@link #INDEFINITE_LIFETIME} to request that 298: * the credentials have the maximum permitted lifetime. 299: * Use {@link GSSCredential#DEFAULT_LIFETIME} to 300: * request the default credential lifetime. 301: * @param acceptLifetime The number of seconds that credentials should 302: * remain valid for accepting of security contexts. 303: * Use {@link GSSCredential#INDEFINITE_LIFETIME} to 304: * request that the credentials have the maximum 305: * permitted lifetime. Use {@link 306: * GSSCredential#DEFAULT_LIFETIME} to request 307: * the default credential lifetime. 308: * @param mech The mechanisms over which the credential is to be 309: * acquired. 310: * @param usage The intended usage for this credential object. The 311: * value of this parameter must be one of: 312: * {@link GSSCredential#ACCEPT_AND_INITIATE}, 313: * {@link GSSCredential#ACCEPT_ONLY}, 314: * {@link GSSCredential#INITIATE_ONLY}. 315: * @throws GSSException If this operation fails. 316: */ 317: void add(GSSName aName, int initLifetime, int acceptLifetime, 318: Oid mech, int usage) throws GSSException; 319: 320: /** 321: * Tests if this GSSCredential refers to the same entity as the supplied 322: * object. The two credentials must be acquired over the same 323: * mechanisms and must refer to the same principal. Returns <code>true</code> 324: * if the two GSSCredentials refer to the same entity; <code>false</code> 325: * otherwise. (Note that the Java language specification requires that two 326: * objects that are equal according to the {@link 327: * Object#equals(java.lang.Object)} method must return the same integer 328: * result when the {@link Object#hashCode()} method is called on them.) 329: * 330: * @param another Another GSSCredential object for comparison. 331: * @return True if this object equals the other. 332: */ 333: boolean equals(Object another); 334: 335: /** 336: * Return the hash code of this credential. When overriding {@link #equals}, 337: * it is necessary to override hashCode() as well. 338: * 339: * @return the hash code that must be the same for two credentials if 340: * {@link #equals} returns true. 341: */ 342: int hashCode(); 343: 344: }