Class GSSContextAcceptor

    • Field Detail

      • log

        @Nonnull
        private final org.slf4j.Logger log
        Class logger.
      • spnegoOid

        @Nonnull
        private final Oid spnegoOid
        The OID representing the SPNEGO pseudo-mechanism.
      • kerberosSettings

        @Nonnull
        private KerberosSettings kerberosSettings
        The Kerberos settings.
      • krbLoginModule

        @Nullable
        private GSSAcceptorLoginModule krbLoginModule
        The Kerberos login module and server login state.
      • serverCreds

        @Nullable
        private GSSCredential serverCreds
        Server credentials used during context establishment.
      • context

        @Nullable
        private GSSContext context
        The GSSContext being established, or that was established.
    • Constructor Detail

      • GSSContextAcceptor

        public GSSContextAcceptor(@Nonnull
                                  KerberosSettings settings)
                           throws GSSException
        Constructor.
        Parameters:
        settings - the KerberosSettings to use
        Throws:
        GSSException - if an error occurs establishing server credentials
    • Method Detail

      • getContext

        @Nullable
        public GSSContext getContext()
        Return the GSS security context.
        Returns:
        the context
      • acceptSecContext

        @Nullable
        public byte[] acceptSecContext(@Nonnull
                                       byte[] inToken,
                                       int offset,
                                       int len)
                                throws Exception
        Process the inbound GSS token.

        During the first (and likely only) token step, we will also establish the server's credentials in the process. If additional round trips occur, this will be detected and the previous partial context will be used.

        Parameters:
        inToken - token generated by the peer
        offset - the offset within the inToken where the token begins
        len - the length of the token
        Returns:
        a byte[] containing the token to be sent to the peer, or null if no output token is needed
        Throws:
        Exception - if an error occurs
        See Also:
        RFC 4121: Kerberos for GSSAPI.
      • logout

        public void logout()
        Dispose of the context and the server's credentials, and do a logout of the Kerberos login module.
      • acceptFirstToken

        @Nullable
        private byte[] acceptFirstToken(@Nonnull
                                        byte[] inToken,
                                        int offset,
                                        int len)
                                 throws Exception
        Process the first inbound GSS token.
        Parameters:
        inToken - token generated by the peer
        offset - the offset within the inToken where the token begins
        len - the length of the token
        Returns:
        a byte[] containing the token to be sent to the peer, or null if no output token is needed
        Throws:
        Exception - if an error occurs
      • getServerCredential

        @Nonnull
        private GSSCredential getServerCredential(@Nonnull
                                                  Subject subject)
                                           throws PrivilegedActionException
        Create the credential for the GSS-API.
        Parameters:
        subject - Kerberos subject to create the credentials from
        Returns:
        the created GSS credentials
        Throws:
        PrivilegedActionException - thrown if server credentials could not be created
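
The token handling described for acceptSecContext and getServerCredential, sketched with the standard org.ietf.jgss API. This is an added example, not the project's GSSContextAcceptor source; the class name AcceptorSketch, its method names, the ACCEPT_ONLY usage, the buffer range check and the rejection of tokens after establishment are assumptions.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.ietf.jgss.*;

/** Hypothetical sketch, not the project's GSSContextAcceptor. */
public final class AcceptorSketch {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2"; // SPNEGO pseudo-mechanism
    private final GSSCredential serverCreds;
    private GSSContext context; // null until the first token arrives

    /** serverSubject is assumed to come from an already completed JAAS Kerberos login. */
    public AcceptorSketch(Subject serverSubject) throws PrivilegedActionException {
        // Credential creation must run as the Subject holding the service's Kerberos keys.
        serverCreds = Subject.doAs(serverSubject, (PrivilegedExceptionAction<GSSCredential>) () ->
            GSSManager.getInstance().createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY));
    }

    /** Returns the reply token for the peer, or null when none is needed. */
    public byte[] accept(byte[] inToken, int offset, int len) throws GSSException {
        // Reject ranges outside the buffer before handing it to the mechanism.
        if (inToken == null || offset < 0 || len <= 0 || len > inToken.length - offset) {
            throw new IllegalArgumentException("token range outside buffer");
        }
        if (context == null) {
            context = GSSManager.getInstance().createContext(serverCreds); // first token
        } else if (context.isEstablished()) {
            throw new IllegalStateException("context already established");
        }
        // On later round trips the same partial context consumes the next token.
        return context.acceptSecContext(inToken, offset, len);
    }

    /** The peer's name is only meaningful once establishment has completed. */
    public GSSName authenticatedPeer() throws GSSException {
        if (context == null || !context.isEstablished()) {
            throw new IllegalStateException("context not established");
        }
        return context.getSrcName();
    }

    /** Release the context and the server credentials. */
    public void dispose() throws GSSException {
        if (context != null) { context.dispose(); context = null; }
        serverCreds.dispose();
    }
}
```

A caller keeps passing peer tokens to accept() and returning any non-null reply until the context reports established, and reads the peer's name only through authenticatedPeer().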