GssApiCredential (ecmsdk-api 3.4.0 API)

java.lang.Object
- oracle.ifs.common.GssApiCredential

All Implemented Interfaces:

Serializable, Credential
```
public class GssApiCredential
extends Object
implements Credential
```
GssApiCredential class is used to support the GSS-API based authentication mechanism. The intended use of this class is to support any authentication mechanism that the JGSS api supports.
GSS-API is a language independent standard to support various authentication mechanisms. It is defined in RFC 2743. GSS-API has the goal of hiding all the mechanism specific details from the application developer. It defers all mechanism specific actions to a pluggable security service provider.
JGSS is the java bindings for the GSS-API. JGSS is detailed in RFC 2853. Starting with JDK 1.4.1, java supports GSS-API based authentication. In JDK 1.4.1, Kerberos V5 is the only supported authentication mechanism.
In a typical GSS based authentication, client sends an authentication token to the server. The server gets the token and feeds it to a method defined by the GSS-API. By doing so, it invokes the security provider. The security provider validates the input token, and if it finds the token to be valid, it establishes a GSS context. The output of the GSS api method is a reponse token. The server has to send this token back to the client. Sometimes, establishment of a context requires further token exchanges between the client and the server. The number of token exchanges is determined by the underlying authentication mechanism.
Kerberos V5 mechanism requires only one roundtrip exchange of tokens. The client sends the input token. The server feeds it to security provider and generates a response token. Based on the validity of the token the GSS context also gets established. Then the server sends the response token back to the client.
How do IFS protocol server or applications do Kerberos authentication ?
IFS protocol servers and applications that wish to do Kerberos authentication should first get the input token. Creation of input token may be done either by prompting the client for it or by obtaining interactively. Once the input token is available, the protocol server or application will use the LibraryService method getGssApiCredential to get a credential. The code to do so is as show below.
GssApiCredential cred = myService.getGssApiCredential(inputTicket, null);
At this point the service constructs the GssApiCredential, sets up the inputTicket member and calls the validate() method. Calling validate() causes the acceptSecContext() method on the GSSContext to be called. It results in validation of the authentication data and generation of a response token. If the input token was not valid, then the validate() method throws an exception. Protocols/Applications should handle this exception and indicate an authentication failure to the client. If the GssApiCredential object was successfully constructed, then it means that the authentication data has been already validated. This credential object can now be used to create a iFS session.

See Also:

Serialized Form

Field Summary

Fields
Modifier and Type	Field and Description
`protected byte[]`	`m_InputTicket` Input ticket provided by the protocol or application.
`protected byte[]`	`m_OutputTicket` Output ticket to be sent back to the protocol or application.
`protected String`	`m_UserName` Name of the user that is trying to authenticate.

Constructor Summary

Constructors
Constructor and Description

GssApiCredential()
Constructs a GssApiCredential.

GssApiCredential(byte[] inputTicket)
Constructs a GssApiCredential.

Constructors
Constructor and Description
`GssApiCredential()` Constructs a GssApiCredential.
`GssApiCredential(byte[] inputTicket)` Constructs a GssApiCredential.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`GSSContext`	`getContext()` Returns the GSS context if one exists.
`byte[]`	`getInputTicket()` Returns the input ticket.
`String`	`getName()` Returns the user name.
`byte[]`	`getOutputTicket()` Returns the output ticket.
`boolean`	`isValid()` Returns true if the input ticket has been validated.
`void`	`setInputTicket(byte[] inputTicket)` Sets up the input ticket.
`void`	`setName(String userName)` Sets the user name for this credential.
`void`	`setServerPrincipalName(String serverPrincipalName)` Sets the name of the principal that is acting as the acceptor of the credentials.
`void`	`validate()` Attempts to validate the inputTicket.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - m_InputTicket
```
protected byte[] m_InputTicket
```
    Input ticket provided by the protocol or application.
    
    (Unpublished)
  - m_OutputTicket
```
protected byte[] m_OutputTicket
```
    Output ticket to be sent back to the protocol or application. Value of this ticket cannot be set by users of this class. It has to be set using the validate() method.
    
    (Unpublished)
  - m_UserName
```
protected String m_UserName
```
    Name of the user that is trying to authenticate.
    
    (Unpublished)
- Constructor Detail
  - GssApiCredential
```
public GssApiCredential()
                 throws IfsException
```
    Constructs a GssApiCredential.
    
    Throws:
    
    IfsException - if the operation fails
    
    (Published)
  - GssApiCredential
```
public GssApiCredential(byte[] inputTicket)
                 throws IfsException
```
    Constructs a GssApiCredential.
    
    Parameters:
    
    inputTicket - byte array conatining authentication data
    
    Throws:
    
    IfsException - if the operation fails
    
    (Published)
- Method Detail
  - getInputTicket
```
public byte[] getInputTicket()
                      throws IfsException
```
    Returns the input ticket.
    
    Returns:
    
    byte array containing the input ticket.
    
    Throws:
    
    IfsException - if the operation fails
    
    (Published)
  - setInputTicket
```
public void setInputTicket(byte[] inputTicket)
                    throws IfsException
```
    Sets up the input ticket. This method can be used to setup the authentication data for GSS-API authentication.
    
    Parameters:
    
    inputTicket - byte array containing the authentication data
    
    Throws:
    
    IfsException - if the operation fails
  - getOutputTicket
```
public byte[] getOutputTicket()
                       throws IfsException
```
    Returns the output ticket. If validate() method has not been called prior to calling this, then this returns a null.
    
    Returns:
    
    byte array containing the output ticket.
    
    Throws:
    
    IfsException - if the operation fails
    
    (Published)
  - getName
```
public String getName()
               throws IfsException
```
    Returns the user name. If validate() method has not been called prior to calling this, then this returns a null.
    
    Specified by:
    
    getName in interface Credential
    
    Returns:
    
    String representation of the user name.
    
    Throws:
    
    IfsException - if the operation fails
    
    (Published)
  - setName
```
public void setName(String userName)
             throws IfsException
```
    Sets the user name for this credential. If the underlying mechanism has no such concept, this this method throws an exception.
    
    Specified by:
    
    setName in interface Credential
    
    Parameters:
    
    userName - the name of the user
    
    Throws:
    
    IfsException - name cannot be set
    
    (Published)
  - getContext
```
public GSSContext getContext()
                      throws IfsException
```
    Returns the GSS context if one exists. The returned GSSContext could be in any state. If validate() method has not been called prior to calling this, then this returns a null.
    
    Returns:
    
    String representation of the user name.
    
    Throws:
    
    IfsException - if the operation fails
    
    (Published)
  - setServerPrincipalName
```
public void setServerPrincipalName(String serverPrincipalName)
                            throws IfsException
```
    Sets the name of the principal that is acting as the acceptor of the credentials. This method is used by the credential manager before calling validate() for the first time on a GssApiCredential object.
    
    Parameters:
    
    serverPrincipalName - name of the accepting principal
    
    Throws:
    
    IfsException - if the operation fails
    
    (Published)
  - isValid
```
public boolean isValid()
                throws IfsException
```
    Returns true if the input ticket has been validated. To validate and inputTicket, at least one call to the validate() method is required.
    
    Returns:
    
    true if the GSS context has been established
    
    Throws:
    
    IfsException - if the operation fails
    
    (Published)
  - validate
```
public void validate()
              throws IfsException
```
    Attempts to validate the inputTicket. This method calls the GSS-API method acceptSecContext(). If that method returns a responseToken, then that is setup in the outputTicket field. Once the GSS context is established, it also sets up the username field in the credential. Parsing mechanism for a given name into username & domain name are yet to be determined.
    
    Throws:
    
    IfsException - if the operation fails
    
    (Published)

Class GssApiCredential

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

m_InputTicket

m_OutputTicket

m_UserName

Constructor Detail

GssApiCredential

GssApiCredential

Method Detail

getInputTicket

setInputTicket

getOutputTicket

getName

setName

getContext

setServerPrincipalName

isValid

validate