net.shibboleth.idp.authn.spnego.impl

Class GSSContextAcceptor

java.lang.Object

net.shibboleth.idp.authn.spnego.impl.GSSContextAcceptor

public class GSSContextAcceptor
extends Object

Helper class that manages context establishment for the SPNEGO GSS-API mechanism.

See Also:

RFC 2853 - Generic Security Service API Version 2 : Java Bindings, RFC 4178 - The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism

Field Summary

Fields

Modifier and Type	Field and Description
private GSSContext	context The GSSContext being established, or that was established.
private KerberosSettings	kerberosSettings The Kerberos settings.
private GSSAcceptorLoginModule	krbLoginModule The Kerberos login module and server login state.
private org.slf4j.Logger	log Class logger.
private KerberosRealmSettings	realmSettings The realm in use.
private GSSCredential	serverCreds Server credentials used during context establishment.
private Oid	spnegoOid The OID representing the SPNEGO pseudo-mechanism.

Constructor Summary

Constructors

Constructor and Description
GSSContextAcceptor(KerberosSettings settings) Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
private byte[]	acceptFirstToken(byte[] inToken, int offset, int len) Process the first inbound GSS token.
byte[]	acceptSecContext(byte[] inToken, int offset, int len) Process the inbound GSS token.
private void	createGSSContext(KerberosRealmSettings realm) Establish initial server credentials and create a GSS acceptor context based on then.
GSSContext	getContext() Return the GSS security context.
private GSSCredential	getServerCredential(Subject subject) Create the credential for the GSS-API.
void	logout() Dispose of the context and the server's credentials, and do a logout of the Kerberos login module.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

spnegoOid

@Nonnull
private final Oid spnegoOid

The OID representing the SPNEGO pseudo-mechanism.

kerberosSettings

@Nonnull
private KerberosSettings kerberosSettings

The Kerberos settings.

realmSettings

@Nullable
private KerberosRealmSettings realmSettings

The realm in use.

krbLoginModule

@Nullable
private GSSAcceptorLoginModule krbLoginModule

The Kerberos login module and server login state.

serverCreds

@Nullable
private GSSCredential serverCreds

Server credentials used during context establishment.

context

@Nullable
private GSSContext context

The GSSContext being established, or that was established.

Constructor Detail

GSSContextAcceptor

public GSSContextAcceptor(@Nonnull
                  KerberosSettings settings)
                   throws GSSException

Constructor.

Parameters:

settings - the KerberosSettings to use

Throws:

GSSException - if an error occurs establishing server credentials

Method Detail

getContext

@Nullable
public GSSContext getContext()

Return the GSS security context.

Returns:

the context

acceptSecContext

@Nullable
public byte[] acceptSecContext(@Nonnull
                               byte[] inToken,
                               int offset,
                               int len)
                        throws Exception

Process the inbound GSS token.

During the first (and likely only) token step, we will also establish the server's credentials in the process. If additional round trips occur, this will be detected and the previous partial context will be used.

Parameters:

inToken - token generated by the peer

offset - the offset within the inToken where the token begins

len - the length of the token

Returns:

a byte[] containing the token to be sent to the peer, or null if no output token is needed

Throws:

Exception - if an error occurs

See Also:

RFC 4121: Kerberos for GSSAPI.

logout

public void logout()

Dispose of the context and the server's credentials, and do a logout of the Kerberos login module.

acceptFirstToken

@Nullable
private byte[] acceptFirstToken(@Nonnull
                               byte[] inToken,
                               int offset,
                               int len)
                         throws Exception

Process the first inbound GSS token.

Parameters:

inToken - token generated by the peer

offset - the offset within the inToken where the token begins

len - the length of the token

Returns:

a byte[] containing the token to be sent to the peer, or null if no output token is needed

Throws:

Exception - if an error occurs

createGSSContext

private void createGSSContext(@Nonnull
                    KerberosRealmSettings realm)
                       throws GSSException,
                              LoginException,
                              PrivilegedActionException

Establish initial server credentials and create a GSS acceptor context based on then.

Parameters:

realm - realm settings to use

Throws:

GSSException - thrown if GSS context could not be created

LoginException - thrown if login failed

PrivilegedActionException - thrown if GSS credentials could not be created

getServerCredential

@Nonnull
private GSSCredential getServerCredential(@Nonnull
                                        Subject subject)
                                   throws PrivilegedActionException

Create the credential for the GSS-API.

Parameters:

subject - Kerberos subject to create the credentials from

Returns:

the created GSS credentials

Throws:

PrivilegedActionException - thrown if server credentials could not be created