compact3

com.sun.security.jgss

Interface ExtendedGSSContext

All Superinterfaces:

GSSContext

@Exported
public interface ExtendedGSSContext
extends GSSContext

The extended GSSContext interface for supporting additional functionalities not defined by org.ietf.jgss.GSSContext, such as querying context-specific attributes.

Field Summary

Fields inherited from interface org.ietf.jgss.GSSContext

DEFAULT_LIFETIME, INDEFINITE_LIFETIME

Method Summary

Modifier and Type	Method and Description
boolean	getDelegPolicyState() Returns the delegation policy response.
Object	inquireSecContext(InquireType type) Return the mechanism-specific attribute associated with type.
void	requestDelegPolicy(boolean state) Requests that the delegation policy be respected.

Methods inherited from interface org.ietf.jgss.GSSContext

acceptSecContext, acceptSecContext, dispose, export, getAnonymityState, getConfState, getCredDelegState, getDelegCred, getIntegState, getLifetime, getMech, getMIC, getMIC, getMutualAuthState, getReplayDetState, getSequenceDetState, getSrcName, getTargName, getWrapSizeLimit, initSecContext, initSecContext, isEstablished, isInitiator, isProtReady, isTransferable, requestAnonymity, requestConf, requestCredDeleg, requestInteg, requestLifetime, requestMutualAuth, requestReplayDet, requestSequenceDet, setChannelBinding, unwrap, unwrap, verifyMIC, verifyMIC, wrap, wrap

Method Detail

inquireSecContext

Object inquireSecContext(InquireType type)
                  throws GSSException

Return the mechanism-specific attribute associated with type.

For each supported attribute type, the type for the output are defined below.

1. KRB5_GET_TKT_FLAGS: the returned object is a boolean array for the service ticket flags, which is long enough to contain all true bits. This means if the user wants to get the n'th bit but the length of the returned array is less than n, it is regarded as false.
2. KRB5_GET_SESSION_KEY: the returned object is an instance of Key, which has the following properties:
   • Algorithm: enctype as a string, where enctype is defined in RFC 3961, section 8.
   • Format: "RAW"
   • Encoded form: the raw key bytes, not in any ASN.1 encoding
3. KRB5_GET_AUTHZ_DATA: the returned object is an array of AuthorizationDataEntry, or null if the optional field is missing in the service ticket.
4. KRB5_GET_AUTHTIME: the returned object is a String object in the standard KerberosTime format defined in RFC 4120 5.2.3

If there is a security manager, an InquireSecContextPermission with the name type.mech must be granted. Otherwise, this could result in a SecurityException.

Example:

      GSSContext ctxt = m.createContext(...)
      // Establishing the context
      if (ctxt instanceof ExtendedGSSContext) {
          ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
          try {
              Key key = (key)ex.inquireSecContext(
                      InquireType.KRB5_GET_SESSION_KEY);
              // read key info
          } catch (GSSException gsse) {
              // deal with exception
          }
      }
 

Parameters:

type - the type of the attribute requested

Returns:

the attribute, see the method documentation for details.

Throws:

GSSException - containing the following major error codes: GSSException.BAD_MECH if the mechanism does not support this method, GSSException.UNAVAILABLE if the type specified is not supported, GSSException.NO_CONTEXT if the security context is invalid, GSSException.FAILURE for other unspecified failures.

SecurityException - if a security manager exists and a proper InquireSecContextPermission is not granted.

See Also:

InquireSecContextPermission

requestDelegPolicy

void requestDelegPolicy(boolean state)
                 throws GSSException

Requests that the delegation policy be respected. When a true value is requested, the underlying context would use the delegation policy defined by the environment as a hint to determine whether credentials delegation should be performed. This request can only be made on the context initiator's side and it has to be done prior to the first call to initSecContext.

When this flag is false, delegation will only be tried when the credentials delegation flag is true.

When this flag is true but the credentials delegation flag is false, delegation will be only tried if the delegation policy permits delegation.

When both this flag and the credentials delegation flag are true, delegation will be always tried. However, if the delegation policy does not permit delegation, the value of getDelegPolicyState() will be false, even if delegation is performed successfully.

In any case, if the delegation is not successful, the value returned by GSSContext.getCredDelegState() is false, and the value returned by getDelegPolicyState() is also false.

Not all mechanisms support delegation policy. Therefore, the application should check to see if the request was honored with the getDelegPolicyState method. When delegation policy is not supported, requestDelegPolicy should return silently without throwing an exception.

Note: for the Kerberos 5 mechanism, the delegation policy is expressed through the OK-AS-DELEGATE flag in the service ticket. When it's true, the KDC permits delegation to the target server. In a cross-realm environment, in order for delegation be permitted, all cross-realm TGTs on the authentication path must also have the OK-AS-DELAGATE flags set.

Parameters:

state - true if the policy should be respected

Throws:

GSSException - containing the following major error codes: GSSException.FAILURE

getDelegPolicyState

boolean getDelegPolicyState()

Returns the delegation policy response. Called after a security context is established. This method can be only called on the initiator's side. See requestDelegPolicy(boolean).

Returns:

the delegation policy response