Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/org/ietf/jgss/GSSManager.java
38829 views
/*1* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package org.ietf.jgss;2627import java.security.Provider;2829/**30* This class serves as a factory for other important31* GSS-API classes and also provides information about the mechanisms that32* are supported. It can create instances of classes33* implementing the following three GSS-API interfaces: {@link34* GSSName GSSName}, {@link GSSCredential GSSCredential}, and {@link35* GSSContext GSSContext}. It also has methods to query for the list36* of available mechanisms and the nametypes that each mechanism37* supports.<p>38*39* An instance of the default <code>GSSManager</code> subclass40* may be obtained through the static method {@link #getInstance()41* getInstance}, but applications are free to instantiate other subclasses42* of <code>GSSManager</code>. The default <code>GSSManager</code> instance43* will support the Kerberos v5 GSS-API mechanism in addition to any44* others. This mechanism is identified by the Oid "1.2.840.113554.1.2.2"45* and is defined in RFC 1964.<p>46*47* A subclass extending the <code>GSSManager</code> abstract class may be48* implemented as a modular provider based layer that utilizes some well49* known service provider specification. The <code>GSSManager</code> API50* allows the application to set provider preferences on51* such an implementation. These methods also allow the implementation to52* throw a well-defined exception in case provider based configuration is53* not supported. Applications that expect to be portable should be aware54* of this and recover cleanly by catching the exception.<p>55*56* It is envisioned that there will be three most common ways in which57* providers will be used:<p>58* <ol>59* <li> The application does not care about what provider is used (the60* default case).61* <li> The application wants a particular provider to be used62* preferentially, either for a particular mechanism or all the63* time, irrespective of mechanism.64* <li> The application wants to use the locally configured providers65* as far as possible but if support is missing for one or more66* mechanisms then it wants to fall back on its own provider.67*</ol><p>68*69* The <code>GSSManager</code> class has two methods that enable these modes of70* usage: {@link #addProviderAtFront(Provider, Oid) addProviderAtFront} and71* {@link #addProviderAtEnd(Provider, Oid) addProviderAtEnd}. These methods72* have the effect of creating an ordered list of <i><provider,73* oid></i> pairs where each pair indicates a preference of provider74* for a given oid.<p>75*76* It is important to note that there are certain interactions77* between the different GSS-API objects that are created by a78* GSSManager, where the provider that is used for a particular mechanism79* might need to be consistent across all objects. For instance, if a80* GSSCredential contains elements from a provider <i>p</i> for a mechanism81* <i>m</i>, it should generally be passed in to a GSSContext that will use82* provider <i>p</i> for the mechanism <i>m</i>. A simple rule of thumb83* that will maximize portability is that objects created from different84* GSSManager's should not be mixed, and if possible, a different85* GSSManager instance should be created if the application wants to invoke86* the <code>addProviderAtFront</code> method on a GSSManager that has87* already created an object.<p>88*89* Here is some sample code showing how the GSSManager might be used: <p>90* <pre>91* GSSManager manager = GSSManager.getInstance();92*93* Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");94* Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");95*96* // Identify who the client wishes to be97* GSSName userName = manager.createName("duke", GSSName.NT_USER_NAME);98*99* // Identify the name of the server. This uses a Kerberos specific100* // name format.101* GSSName serverName = manager.createName("nfs/foo.sun.com",102* krb5PrincipalNameType);103*104* // Acquire credentials for the user105* GSSCredential userCreds = manager.createCredential(userName,106* GSSCredential.DEFAULT_LIFETIME,107* krb5Mechanism,108* GSSCredential.INITIATE_ONLY);109*110* // Instantiate and initialize a security context that will be111* // established with the server112* GSSContext context = manager.createContext(serverName,113* krb5Mechanism,114* userCreds,115* GSSContext.DEFAULT_LIFETIME);116* </pre><p>117*118* The server side might use the following variation of this source:<p>119*120* <pre>121* // Acquire credentials for the server122* GSSCredential serverCreds = manager.createCredential(serverName,123* GSSCredential.DEFAULT_LIFETIME,124* krb5Mechanism,125* GSSCredential.ACCEPT_ONLY);126*127* // Instantiate and initialize a security context that will128* // wait for an establishment request token from the client129* GSSContext context = manager.createContext(serverCreds);130* </pre>131*132* @author Mayank Upadhyay133* @see GSSName134* @see GSSCredential135* @see GSSContext136* @since 1.4137*/138public abstract class GSSManager {139140/**141* Returns the default GSSManager implementation.142*143* @return a GSSManager implementation144*/145public static GSSManager getInstance() {146return new sun.security.jgss.GSSManagerImpl();147}148149/**150* Returns a list of mechanisms that are available to GSS-API callers151* through this GSSManager. The default GSSManager obtained from the152* {@link #getInstance() getInstance()} method includes the Oid153* "1.2.840.113554.1.2.2" in its list. This Oid identifies the Kerberos154* v5 GSS-API mechanism that is defined in RFC 1964.155*156* @return an array of Oid objects corresponding to the mechanisms that157* are available. A <code>null</code> value is returned when no158* mechanism are available (an example of this would be when mechanism159* are dynamically configured, and currently no mechanisms are160* installed).161*/162public abstract Oid[] getMechs();163164/**165* Returns then name types supported by the indicated mechanism.<p>166*167* The default GSSManager instance includes support for the Kerberos v5168* mechanism. When this mechanism ("1.2.840.113554.1.2.2") is indicated,169* the returned list will contain at least the following nametypes:170* {@link GSSName#NT_HOSTBASED_SERVICE GSSName.NT_HOSTBASED_SERVICE},171* {@link GSSName#NT_EXPORT_NAME GSSName.NT_EXPORT_NAME}, and the172* Kerberos v5 specific Oid "1.2.840.113554.1.2.2.1". The namespace for173* the Oid "1.2.840.113554.1.2.2.1" is defined in RFC 1964.174*175* @return an array of Oid objects corresponding to the name types that176* the mechanism supports.177* @param mech the Oid of the mechanism to query178*179* @see #getMechsForName(Oid)180*181* @throws GSSException containing the following182* major error codes:183* {@link GSSException#BAD_MECH GSSException.BAD_MECH}184* {@link GSSException#FAILURE GSSException.FAILURE}185*/186public abstract Oid[] getNamesForMech(Oid mech)187throws GSSException;188189/**190* Returns a list of mechanisms that support the indicated name type.<p>191*192* The Kerberos v5 mechanism ("1.2.840.113554.1.2.2") will always be193* returned in this list when the indicated nametype is one of194* {@link GSSName#NT_HOSTBASED_SERVICE GSSName.NT_HOSTBASED_SERVICE},195* {@link GSSName#NT_EXPORT_NAME GSSName.NT_EXPORT_NAME}, or196* "1.2.840.113554.1.2.2.1".197*198* @return an array of Oid objects corresponding to the mechanisms that199* support the specified name type. <code>null</code> is returned when no200* mechanisms are found to support the specified name type.201* @param nameType the Oid of the name type to look for202*203* @see #getNamesForMech(Oid)204*/205public abstract Oid[] getMechsForName(Oid nameType);206207/**208* Factory method to convert a string name from the209* specified namespace to a GSSName object. In general, the210* <code>GSSName</code> object created will contain multiple211* representations of the name, one for each mechanism that is212* supported; two examples that are exceptions to this are when213* the namespace type parameter indicates NT_EXPORT_NAME or when the214* GSS-API implementation is not multi-mechanism. It is215* not recommended to use this method with a NT_EXPORT_NAME type because216* representing a previously exported name consisting of arbitrary bytes217* as a String might cause problems with character encoding schemes. In218* such cases it is recommended that the bytes be passed in directly to219* the overloaded form of this method {@link #createName(byte[],220* Oid) createName}.221*222* @param nameStr the string representing a printable form of the name to223* create.224* @param nameType the Oid specifying the namespace of the printable name225* supplied. <code>null</code> can be used to specify226* that a mechanism specific default printable syntax should227* be assumed by each mechanism that examines nameStr.228* It is not advisable to use the nametype NT_EXPORT_NAME with this229* method.230* @return a GSSName representing the indicated principal231*232* @see GSSName233* @see GSSName#NT_EXPORT_NAME234*235* @throws GSSException containing the following236* major error codes:237* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},238* {@link GSSException#BAD_NAME GSSException.BAD_NAME},239* {@link GSSException#BAD_MECH GSSException.BAD_MECH},240* {@link GSSException#FAILURE GSSException.FAILURE}241*/242public abstract GSSName createName(String nameStr, Oid nameType)243throws GSSException;244245/**246* Factory method to convert a byte array containing a247* name from the specified namespace to a GSSName object. In general,248* the <code>GSSName</code> object created will contain multiple249* representations of the name, one for each mechanism that is250* supported; two examples that are exceptions to this are when the251* namespace type parameter indicates NT_EXPORT_NAME or when the252* GSS-API implementation is not multi-mechanism. The bytes that are253* passed in are interpreted by each underlying mechanism according to254* some encoding scheme of its choice for the given nametype.255*256* @param name the byte array containing the name to create257* @param nameType the Oid specifying the namespace of the name supplied258* in the byte array. <code>null</code> can be used to specify that a259* mechanism specific default syntax should be assumed by each mechanism260* that examines the byte array.261* @return a GSSName representing the indicated principal262*263* @see GSSName264* @see GSSName#NT_EXPORT_NAME265*266* @throws GSSException containing the following267* major error codes:268* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},269* {@link GSSException#BAD_NAME GSSException.BAD_NAME},270* {@link GSSException#BAD_MECH GSSException.BAD_MECH},271* {@link GSSException#FAILURE GSSException.FAILURE}272*/273public abstract GSSName createName(byte name[], Oid nameType)274throws GSSException;275276/**277* Factory method to convert a string name from the278* specified namespace to a GSSName object and canonicalize it at the279* same time for a mechanism. In other words, this method is280* a utility that does the equivalent of two steps: the {@link281* #createName(String, Oid) createName} and then also the {@link282* GSSName#canonicalize(Oid) GSSName.canonicalize}.283*284* @param nameStr the string representing a printable form of the name to285* create.286* @param nameType the Oid specifying the namespace of the printable name287* supplied. <code>null</code> can be used to specify288* that a mechanism specific default printable syntax should289* be assumed by each mechanism that examines nameStr.290* It is not advisable to use the nametype NT_EXPORT_NAME with this291* method.292* @param mech Oid specifying the mechanism for which the name should be293* canonicalized294* @return a GSSName representing the indicated principal295*296* @see GSSName#canonicalize(Oid)297* @see GSSName#NT_EXPORT_NAME298*299* @throws GSSException containing the following300* major error codes:301* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},302* {@link GSSException#BAD_NAME GSSException.BAD_NAME},303* {@link GSSException#BAD_MECH GSSException.BAD_MECH},304* {@link GSSException#FAILURE GSSException.FAILURE}305*/306public abstract GSSName createName(String nameStr, Oid nameType,307Oid mech) throws GSSException;308309/**310* Factory method to convert a byte array containing a311* name from the specified namespace to a GSSName object and canonicalize312* it at the same time for a mechanism. In other words, this method is a313* utility that does the equivalent of two steps: the {@link314* #createName(byte[], Oid) createName} and then also {@link315* GSSName#canonicalize(Oid) GSSName.canonicalize}.316*317* @param name the byte array containing the name to create318* @param nameType the Oid specifying the namespace of the name supplied319* in the byte array. <code>null</code> can be used to specify that a320* mechanism specific default syntax should be assumed by each mechanism321* that examines the byte array.322* @param mech Oid specifying the mechanism for which the name should be323* canonicalized324* @return a GSSName representing the indicated principal325*326* @see GSSName#canonicalize(Oid)327* @see GSSName#NT_EXPORT_NAME328*329* @throws GSSException containing the following330* major error codes:331* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},332* {@link GSSException#BAD_NAME GSSException.BAD_NAME},333* {@link GSSException#BAD_MECH GSSException.BAD_MECH},334* {@link GSSException#FAILURE GSSException.FAILURE}335*/336public abstract GSSName createName(byte name[], Oid nameType, Oid mech)337throws GSSException;338339/**340* Factory method for acquiring default credentials. This will cause341* the GSS-API to use system specific defaults for the set of mechanisms,342* name, and lifetime.<p>343*344* GSS-API mechanism providers must impose a local access-control345* policy on callers to prevent unauthorized callers from acquiring346* credentials to which they are not entitled. The kinds of permissions347* needed by different mechanism providers will be documented on a348* per-mechanism basis. A failed permission check might cause a {@link349* java.lang.SecurityException SecurityException} to be thrown from350* this method.351*352* @param usage The intended usage for this credential object. The value353* of this parameter must be one of:354* {@link GSSCredential#INITIATE_AND_ACCEPT355* GSSCredential.INITIATE_AND_ACCEPT},356* {@link GSSCredential#ACCEPT_ONLY GSSCredential.ACCEPT_ONLY}, and357* {@link GSSCredential#INITIATE_ONLY GSSCredential.INITIATE_ONLY}.358* @return a GSSCredential of the requested type.359*360* @see GSSCredential361*362* @throws GSSException containing the following363* major error codes:364* {@link GSSException#BAD_MECH GSSException.BAD_MECH},365* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},366* {@link GSSException#BAD_NAME GSSException.BAD_NAME},367* {@link GSSException#CREDENTIALS_EXPIRED368* GSSException.CREDENTIALS_EXPIRED},369* {@link GSSException#NO_CRED GSSException.NO_CRED},370* {@link GSSException#FAILURE GSSException.FAILURE}371*/372public abstract GSSCredential createCredential (int usage)373throws GSSException;374375/**376* Factory method for acquiring a single mechanism credential.<p>377*378* GSS-API mechanism providers must impose a local access-control379* policy on callers to prevent unauthorized callers from acquiring380* credentials to which they are not entitled. The kinds of permissions381* needed by different mechanism providers will be documented on a382* per-mechanism basis. A failed permission check might cause a {@link383* java.lang.SecurityException SecurityException} to be thrown from384* this method. <p>385*386* Non-default values for lifetime cannot always be honored by the387* underlying mechanisms, thus applications should be prepared to call388* {@link GSSCredential#getRemainingLifetime() getRemainingLifetime}389* on the returned credential.<p>390*391* @param name the name of the principal for whom this credential is to be392* acquired. Use <code>null</code> to specify the default principal.393* @param lifetime The number of seconds that credentials should remain394* valid. Use {@link GSSCredential#INDEFINITE_LIFETIME395* GSSCredential.INDEFINITE_LIFETIME} to request that the credentials396* have the maximum permitted lifetime. Use {@link397* GSSCredential#DEFAULT_LIFETIME GSSCredential.DEFAULT_LIFETIME} to398* request default credential lifetime.399* @param mech the Oid of the desired mechanism. Use <code>(Oid) null400* </code> to request the default mechanism.401* @param usage The intended usage for this credential object. The value402* of this parameter must be one of:403* {@link GSSCredential#INITIATE_AND_ACCEPT404* GSSCredential.INITIATE_AND_ACCEPT},405* {@link GSSCredential#ACCEPT_ONLY GSSCredential.ACCEPT_ONLY}, and406* {@link GSSCredential#INITIATE_ONLY GSSCredential.INITIATE_ONLY}.407* @return a GSSCredential of the requested type.408*409* @see GSSCredential410*411* @throws GSSException containing the following412* major error codes:413* {@link GSSException#BAD_MECH GSSException.BAD_MECH},414* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},415* {@link GSSException#BAD_NAME GSSException.BAD_NAME},416* {@link GSSException#CREDENTIALS_EXPIRED417* GSSException.CREDENTIALS_EXPIRED},418* {@link GSSException#NO_CRED GSSException.NO_CRED},419* {@link GSSException#FAILURE GSSException.FAILURE}420*/421public abstract GSSCredential createCredential (GSSName name,422int lifetime, Oid mech, int usage)423throws GSSException;424425/**426* Factory method for acquiring credentials over a set of427* mechanisms. This method attempts to acquire credentials for428* each of the mechanisms specified in the array called mechs. To429* determine the list of mechanisms for which the acquisition of430* credentials succeeded, the caller should use the {@link431* GSSCredential#getMechs() GSSCredential.getMechs} method.<p>432*433* GSS-API mechanism providers must impose a local access-control434* policy on callers to prevent unauthorized callers from acquiring435* credentials to which they are not entitled. The kinds of permissions436* needed by different mechanism providers will be documented on a437* per-mechanism basis. A failed permission check might cause a {@link438* java.lang.SecurityException SecurityException} to be thrown from439* this method.<p>440*441* Non-default values for lifetime cannot always be honored by the442* underlying mechanisms, thus applications should be prepared to call443* {@link GSSCredential#getRemainingLifetime() getRemainingLifetime}444* on the returned credential.<p>445*446* @param name the name of the principal for whom this credential is to447* be acquired. Use <code>null</code> to specify the default448* principal.449* @param lifetime The number of seconds that credentials should remain450* valid. Use {@link GSSCredential#INDEFINITE_LIFETIME451* GSSCredential.INDEFINITE_LIFETIME} to request that the credentials452* have the maximum permitted lifetime. Use {@link453* GSSCredential#DEFAULT_LIFETIME GSSCredential.DEFAULT_LIFETIME} to454* request default credential lifetime.455* @param mechs an array of Oid's indicating the mechanisms over which456* the credential is to be acquired. Use <code>(Oid[]) null</code> for457* requesting a system specific default set of mechanisms.458* @param usage The intended usage for this credential object. The value459* of this parameter must be one of:460* {@link GSSCredential#INITIATE_AND_ACCEPT461* GSSCredential.INITIATE_AND_ACCEPT},462* {@link GSSCredential#ACCEPT_ONLY GSSCredential.ACCEPT_ONLY}, and463* {@link GSSCredential#INITIATE_ONLY GSSCredential.INITIATE_ONLY}.464* @return a GSSCredential of the requested type.465*466* @see GSSCredential467*468* @throws GSSException containing the following469* major error codes:470* {@link GSSException#BAD_MECH GSSException.BAD_MECH},471* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},472* {@link GSSException#BAD_NAME GSSException.BAD_NAME},473* {@link GSSException#CREDENTIALS_EXPIRED474* GSSException.CREDENTIALS_EXPIRED},475* {@link GSSException#NO_CRED GSSException.NO_CRED},476* {@link GSSException#FAILURE GSSException.FAILURE}477*/478public abstract GSSCredential createCredential(GSSName name,479int lifetime, Oid mechs[], int usage)480throws GSSException;481482/**483* Factory method for creating a context on the initiator's484* side.485*486* Some mechanism providers might require that the caller be granted487* permission to initiate a security context. A failed permission check488* might cause a {@link java.lang.SecurityException SecurityException}489* to be thrown from this method.<p>490*491* Non-default values for lifetime cannot always be honored by the492* underlying mechanism, thus applications should be prepared to call493* {@link GSSContext#getLifetime() getLifetime} on the returned494* context.<p>495*496* @param peer the name of the target peer.497* @param mech the Oid of the desired mechanism. Use <code>null</code>498* to request the default mechanism.499* @param myCred the credentials of the initiator. Use500* <code>null</code> to act as the default initiator principal.501* @param lifetime the lifetime, in seconds, requested for the502* context. Use {@link GSSContext#INDEFINITE_LIFETIME503* GSSContext.INDEFINITE_LIFETIME} to request that the context have the504* maximum permitted lifetime. Use {@link GSSContext#DEFAULT_LIFETIME505* GSSContext.DEFAULT_LIFETIME} to request a default lifetime for the506* context.507* @return an unestablished GSSContext508*509* @see GSSContext510*511* @throws GSSException containing the following512* major error codes:513* {@link GSSException#NO_CRED GSSException.NO_CRED}514* {@link GSSException#CREDENTIALS_EXPIRED515* GSSException.CREDENTIALS_EXPIRED}516* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE}517* {@link GSSException#BAD_MECH GSSException.BAD_MECH}518* {@link GSSException#FAILURE GSSException.FAILURE}519*/520public abstract GSSContext createContext(GSSName peer, Oid mech,521GSSCredential myCred, int lifetime)522throws GSSException;523524/**525* Factory method for creating a context on the acceptor' side. The526* context's properties will be determined from the input token supplied527* to the accept method.528*529* Some mechanism providers might require that the caller be granted530* permission to accept a security context. A failed permission check531* might cause a {@link java.lang.SecurityException SecurityException}532* to be thrown from this method.533*534* @param myCred the credentials for the acceptor. Use535* <code>null</code> to act as a default acceptor principal.536* @return an unestablished GSSContext537*538* @see GSSContext539*540* @throws GSSException containing the following541* major error codes:542* {@link GSSException#NO_CRED GSSException.NO_CRED}543* {@link GSSException#CREDENTIALS_EXPIRED544* GSSException.CREDENTIALS_EXPIRED}545* {@link GSSException#BAD_MECH GSSException.BAD_MECH}546* {@link GSSException#FAILURE GSSException.FAILURE}547*/548public abstract GSSContext createContext(GSSCredential myCred)549throws GSSException;550551/**552* Factory method for creating a previously exported context. The553* context properties will be determined from the input token and554* cannot be modified through the set methods.<p>555*556* Implementations are not required to support the inter-process557* transfer of security contexts. Before exporting a context, calling558* the {@link GSSContext#isTransferable() GSSContext.isTransferable}559* will indicate if the context is transferable. Calling this method in560* an implementation that does not support it will result in a561* <code>GSSException</code> with the error562* code {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE}.563*564* Some mechanism providers might require that the caller be granted565* permission to initiate or accept a security context. A failed566* permission check might cause a {@link java.lang.SecurityException567* SecurityException} to be thrown from this method.568*569* @param interProcessToken the token previously emitted from the570* export method.571* @return the previously established GSSContext572*573* @see GSSContext574*575* @throws GSSException containing the following576* major error codes:577* {@link GSSException#NO_CONTEXT GSSException.NO_CONTEXT},578* {@link GSSException#DEFECTIVE_TOKEN GSSException.DEFECTIVE_TOKEN},579* {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE},580* {@link GSSException#UNAUTHORIZED GSSException.UNAUTHORIZED},581* {@link GSSException#FAILURE GSSException.FAILURE}582*/583public abstract GSSContext createContext(byte [] interProcessToken)584throws GSSException;585586/**587* This method is used to indicate to the GSSManager that the588* application would like a particular provider to be used ahead of all589* others when support is desired for the given mechanism. When a value590* of null is used instead of an <code>Oid</code> for the mechanism,591* the GSSManager must use the indicated provider ahead of all others592* no matter what the mechanism is. Only when the indicated provider593* does not support the needed mechanism should the GSSManager move on594* to a different provider.<p>595*596* Calling this method repeatedly preserves the older settings but597* lowers them in preference thus forming an ordered list of provider598* and <code>Oid</code> pairs that grows at the top.<p>599*600* Calling addProviderAtFront with a null <code>Oid</code> will remove601* all previous preferences that were set for this provider in the602* GSSManager instance. Calling addProviderAtFront with a non-null603* <code>Oid</code> will remove any previous preference that was set604* using this mechanism and this provider together.<p>605*606* If the GSSManager implementation does not support an SPI with a607* pluggable provider architecture it should throw a GSSException with608* the status code GSSException.UNAVAILABLE to indicate that the609* operation is unavailable.<p>610*611* Suppose an application desired that the provider A always be checked612* first when any mechanism is needed, it would call:<p>613* <pre>614* GSSManager mgr = GSSManager.getInstance();615* // mgr may at this point have its own pre-configured list616* // of provider preferences. The following will prepend to617* // any such list:618*619* mgr.addProviderAtFront(A, null);620* </pre>621* Now if it also desired that the mechanism of Oid m1 always be622* obtained from the provider B before the previously set A was checked,623* it would call:<p>624* <pre>625* mgr.addProviderAtFront(B, m1);626* </pre>627* The GSSManager would then first check with B if m1 was needed. In628* case B did not provide support for m1, the GSSManager would continue629* on to check with A. If any mechanism m2 is needed where m2 is630* different from m1 then the GSSManager would skip B and check with A631* directly.<p>632*633* Suppose at a later time the following call is made to the same634* GSSManager instance:<p>635* <pre>636* mgr.addProviderAtFront(B, null)637* </pre>638* then the previous setting with the pair (B, m1) is subsumed by this639* and should be removed. Effectively the list of preferences now640* becomes {(B, null), (A, null),641* ... //followed by the pre-configured list.<p>642*643* Please note, however, that the following call:644* <pre>645* mgr.addProviderAtFront(A, m3)646* </pre>647* does not subsume the previous setting of (A, null) and the list will648* effectively become {(A, m3), (B, null), (A, null), ...}649*650* @param p the provider instance that should be used whenever support651* is needed for mech.652* @param mech the mechanism for which the provider is being set653*654* @throws GSSException containing the following655* major error codes:656* {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE},657* {@link GSSException#FAILURE GSSException.FAILURE}658*/659public abstract void addProviderAtFront(Provider p, Oid mech)660throws GSSException;661662/**663* This method is used to indicate to the GSSManager that the664* application would like a particular provider to be used if no other665* provider can be found that supports the given mechanism. When a value666* of null is used instead of an Oid for the mechanism, the GSSManager667* must use the indicated provider for any mechanism.<p>668*669* Calling this method repeatedly preserves the older settings but670* raises them above newer ones in preference thus forming an ordered671* list of providers and Oid pairs that grows at the bottom. Thus the672* older provider settings will be utilized first before this one is.<p>673*674* If there are any previously existing preferences that conflict with675* the preference being set here, then the GSSManager should ignore this676* request.<p>677*678* If the GSSManager implementation does not support an SPI with a679* pluggable provider architecture it should throw a GSSException with680* the status code GSSException.UNAVAILABLE to indicate that the681* operation is unavailable.<p>682*683* Suppose an application desired that when a mechanism of Oid m1 is684* needed the system default providers always be checked first, and only685* when they do not support m1 should a provider A be checked. It would686* then make the call:<p>687* <pre>688* GSSManager mgr = GSSManager.getInstance();689* mgr.addProviderAtEnd(A, m1);690* </pre>691* Now, if it also desired that for all mechanisms the provider B be692* checked after all configured providers have been checked, it would693* then call:<p>694* <pre>695* mgr.addProviderAtEnd(B, null);696* </pre>697* Effectively the list of preferences now becomes {..., (A, m1), (B,698* null)}.<p>699*700* Suppose at a later time the following call is made to the same701* GSSManager instance:<p>702* <pre>703* mgr.addProviderAtEnd(B, m2)704* </pre>705* then the previous setting with the pair (B, null) subsumes this and706* therefore this request should be ignored. The same would happen if a707* request is made for the already existing pairs of (A, m1) or (B,708* null).<p>709*710* Please note, however, that the following call:<p>711* <pre>712* mgr.addProviderAtEnd(A, null)713* </pre>714* is not subsumed by the previous setting of (A, m1) and the list will715* effectively become {..., (A, m1), (B, null), (A, null)}716*717* @param p the provider instance that should be used whenever support718* is needed for mech.719* @param mech the mechanism for which the provider is being set720*721* @throws GSSException containing the following722* major error codes:723* {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE},724* {@link GSSException#FAILURE GSSException.FAILURE}725*/726public abstract void addProviderAtEnd(Provider p, Oid mech)727throws GSSException;728}729730731