Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/sun/security/jgss/krb5/Krb5AcceptCredential.java
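/*
 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.jgss.krb5;

import java.io.IOException;
import org.ietf.jgss.*;
import sun.security.jgss.GSSCaller;
import sun.security.jgss.spi.*;
import sun.security.krb5.*;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.AccessController;
import java.security.AccessControlContext;
import javax.security.auth.DestroyFailedException;

/**
 * Implements the krb5 acceptor credential element.
 *
 * An instance pairs the acceptor's name with the {@link ServiceCreds} that
 * were resolved for it. Instances are only created through
 * {@link #getInstance(GSSCaller, Krb5NameElement)}.
 *
 * @author Mayank Upadhyay
 * @since 1.4
 */
public class Krb5AcceptCredential
    implements Krb5CredElement {

    // May be null: getInstance leaves it unset when no name was requested
    // and the resolved credentials report no name either.
    private final Krb5NameElement name;

    // Source of the encryption keys handed out by getKrb5EncryptionKeys.
    private final ServiceCreds screds;

    private Krb5AcceptCredential(Krb5NameElement name, ServiceCreds creds) {
        /*
         * Only references are stored; neither the name nor the service
         * credentials are copied here.
         */
        this.name = name;
        this.screds = creds;
    }

    /**
     * Looks up the service credentials for the given name and wraps them in
     * an acceptor credential element.
     *
     * The lookup runs inside {@code doPrivileged}. The access control context
     * of the calling code is captured beforehand and passed to
     * {@code Krb5Util.getServiceCreds}, so the privileged block does not
     * discard it (how it is used there is not visible in this file).
     *
     * @param caller the GSS caller; {@code GSSCaller.CALLER_UNKNOWN} is
     *        replaced by {@code GSSCaller.CALLER_ACCEPT} for the lookup
     * @param name the requested acceptor name, or null to accept whatever
     *        name the resolved credentials report
     * @return a new acceptor credential element
     * @exception GSSException with major code {@code NO_CRED} if the lookup
     *            fails or yields no credentials
     */
    static Krb5AcceptCredential getInstance(final GSSCaller caller, Krb5NameElement name)
        throws GSSException {

        final String serverPrinc = (name == null ? null :
            name.getKrb5PrincipalName().getName());
        // Captured outside doPrivileged so that it reflects the calling code.
        final AccessControlContext acc = AccessController.getContext();

        ServiceCreds creds = null;
        try {
            creds = AccessController.doPrivileged(
                        new PrivilegedExceptionAction<ServiceCreds>() {
                public ServiceCreds run() throws Exception {
                    return Krb5Util.getServiceCreds(
                        caller == GSSCaller.CALLER_UNKNOWN ? GSSCaller.CALLER_ACCEPT : caller,
                        serverPrinc, acc);
                }});
        } catch (PrivilegedActionException e) {
            GSSException ge =
                new GSSException(GSSException.NO_CRED, -1,
                    "Attempt to obtain new ACCEPT credentials failed!");
            // Keep the underlying failure reachable for diagnosis.
            ge.initCause(e.getException());
            throw ge;
        }

        if (creds == null) {
            throw new GSSException(GSSException.NO_CRED, -1,
                                   "Failed to find any Kerberos credentails");
        }

        if (name == null) {
            // No name was requested: adopt the one the credentials carry,
            // if any. The name stays null when they carry none.
            String fullName = creds.getName();
            if (fullName != null) {
                name = Krb5NameElement.getInstance(fullName,
                                       Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL);
            }
        }

        return new Krb5AcceptCredential(name, creds);
    }

    /**
     * Returns the principal name for this credential. The name
     * is in mechanism specific format.
     *
     * @return GSSNameSpi representing principal name of this credential;
     *         null when no name was requested and the credentials carried none
     * @exception GSSException may be thrown
     */
    public final GSSNameSpi getName() throws GSSException {
        return name;
    }

    /**
     * Returns the init lifetime remaining.
     *
     * @return always 0 for this acceptor credential element
     * @exception GSSException may be thrown
     */
    public int getInitLifetime() throws GSSException {
        return 0;
    }

    /**
     * Returns the accept lifetime remaining.
     *
     * @return always {@code GSSCredential.INDEFINITE_LIFETIME}
     * @exception GSSException may be thrown
     */
    public int getAcceptLifetime() throws GSSException {
        return GSSCredential.INDEFINITE_LIFETIME;
    }

    /**
     * Reports whether this element can initiate contexts.
     *
     * @return always false
     * @exception GSSException may be thrown
     */
    public boolean isInitiatorCredential() throws GSSException {
        return false;
    }

    /**
     * Reports whether this element can accept contexts.
     *
     * @return always true
     * @exception GSSException may be thrown
     */
    public boolean isAcceptorCredential() throws GSSException {
        return true;
    }

    /**
     * Returns the oid representing the underlying credential
     * mechanism oid.
     *
     * @return the Oid for this credential mechanism
     */
    public final Oid getMechanism() {
        return Krb5MechFactory.GSS_KRB5_MECH_OID;
    }

    /**
     * Returns the provider of the krb5 mechanism.
     *
     * @return {@code Krb5MechFactory.PROVIDER}
     */
    public final java.security.Provider getProvider() {
        return Krb5MechFactory.PROVIDER;
    }

    /**
     * Returns the encryption keys the service credentials hold for the
     * given principal, as reported by {@code ServiceCreds.getEKeys}.
     *
     * The result is key material: callers should keep it out of logs and
     * exception messages.
     *
     * @param princ the principal whose keys are requested
     * @return the keys returned by the underlying service credentials
     */
    public EncryptionKey[] getKrb5EncryptionKeys(PrincipalName princ) {
        return screds.getEKeys(princ);
    }

    /**
     * Called to invalidate this credential element.
     *
     * @exception GSSException with major code {@code FAILURE} if the
     *            underlying credentials could not be destroyed
     */
    public void dispose() throws GSSException {
        try {
            destroy();
        } catch (DestroyFailedException e) {
            GSSException gssException =
                new GSSException(GSSException.FAILURE, -1,
                 "Could not destroy credentials - " + e.getMessage());
            gssException.initCause(e);
            // The exception used to be built and then dropped, so a failed
            // destroy looked like a successful dispose. Report it: a caller
            // must not assume the keys are gone when they are not.
            throw gssException;
        }
    }

    /**
     * Destroys the underlying service credentials by delegating to
     * {@code ServiceCreds.destroy()}.
     *
     * @exception DestroyFailedException if the service credentials could
     *            not be destroyed
     */
    public void destroy() throws DestroyFailedException {
        screds.destroy();
    }

    /**
     * Impersonation is only available on the initiator side. The
     * service must start as an initiator to get an initial TGT to complete
     * the S4U2self protocol.
     *
     * @param name the name to impersonate
     * @return the credential produced by the initiator credential's own
     *         {@code impersonate}
     * @exception GSSException with major code {@code FAILURE} if the service
     *            credentials hold no initiator credential
     */
    @Override
    public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
        Credentials cred = screds.getInitCred();
        if (cred == null) {
            // Without an initiator credential there is nothing to delegate to.
            throw new GSSException(GSSException.FAILURE, -1,
                "Only an initiate credentials can impersonate");
        }
        return Krb5InitCredential.getInstance(this.name, cred)
                .impersonate(name);
    }
}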