author: weijun
date: Thu, 04 Jul 2019 07:25:47 +0800
changeset: 55599 e6c430d4d217
parent: 55255 d49b72808414
permissions: -rw-r--r--
Changesets contributing lines to this file (annotate view):
52997 85ade44f351a  8214568: Use {@systemProperty} for definitions of system properties  (weijun, parents: 47216)
55255 d49b72808414  8225304: Tiny HTML error (bad heading) in org.ietf.jgss package-info.java  (weijun, parents: 52997)

/*
 * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/**
 * This package presents a framework that allows application developers to
 * make use of security services like authentication, data integrity and
 * data confidentiality from a variety of underlying security mechanisms
 * like Kerberos, using a unified API. The security mechanisms that an
 * application can
 * choose to use are identified with unique object identifiers. One example
 * of such a mechanism is the Kerberos v5 GSS-API mechanism (object
 * identifier 1.2.840.113554.1.2.2). This mechanism is available through
 * the default instance of the GSSManager class.<p>
 *
 * The GSS-API is defined in a language independent way in
 * <a href=http://www.ietf.org/rfc/rfc2743.txt>RFC 2743</a>. The Java
 * language bindings are defined in
 * <a href=http://www.ietf.org/rfc/rfc2853.txt>RFC 2853</a><p>
 *
 * An application starts out by instantiating a {@code GSSManager}
 * which then serves as a factory for a security context. An application
 * can use specific principal names and credentials that are also created
 * using the GSSManager; or it can instantiate a
 * context with system defaults. It then goes through a context
 * establishment loop. Once a context is established with the
 * peer, authentication is complete. Data protection such as integrity
 * and confidentiality can then be obtained from this context.<p>
 *
 * The GSS-API does not perform any communication with the peer. It merely
 * produces tokens that the application must somehow transport to the
 * other end.
 *
 * <h2 id="useSubjectCredsOnly">Credential Acquisition</h2>
 * The GSS-API itself does not dictate how an underlying mechanism
 * obtains the credentials that are needed for authentication. It is
 * assumed that prior to calling the GSS-API, these credentials are
 * obtained and stored in a location that the mechanism provider is
 * aware of. However, the default model in the Java platform will be
 * that mechanism providers must obtain credentials only from the private
 * or public credential sets associated with the
 * {@link javax.security.auth.Subject Subject} in the
 * current access control context. The Kerberos v5
 * mechanism will search for the required INITIATE and ACCEPT credentials
 * ({@link javax.security.auth.kerberos.KerberosTicket KerberosTicket} and
 * {@link javax.security.auth.kerberos.KerberosKey KerberosKey}) in
 * the private credential set whereas some other mechanism might look
 * in the public set or in both. If the desired credential is not
 * present in the appropriate sets of the current Subject, the GSS-API
 * call must fail.<p>
 *
 * This model has the advantage that credential management
 * is simple and predictable from the application's point of view. An
 * application, given the right permissions, can purge the credentials in
 * the Subject or renew them using standard Java APIs. If it purged
 * the credentials, it would be sure that the JGSS mechanism would fail,
 * or if it renewed a time based credential it would be sure that a JGSS
 * mechanism would succeed.<p>
 *
 * This model does require that a {@link
 * javax.security.auth.login JAAS login} be performed in order to
 * authenticate and populate a Subject that the JGSS mechanism can later
 * utilize. However, applications have the ability to relax this
 * restriction by means of a system property:
 * {@systemProperty javax.security.auth.useSubjectCredsOnly}. By default
 * this system property will be assumed to be {@code true} (even when
 * it is unset) indicating that providers must only use the credentials
 * that are present in the current Subject. However, if this property is
 * explicitly set to false by the application, then it indicates that
 * the provider is free to use any credentials cache of its choice. Such
 * a credential cache might be a disk cache, an in-memory cache, or even
 * just the current Subject itself.
 *
 * <h2>Related Documentation</h2>
 * For an online tutorial on using Java GSS-API, please see
 * {@extLink security_guide_jgss_tutorial
 * Introduction to JAAS and Java GSS-API}.
 *
 * @since 1.4
 */
package org.ietf.jgss;
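The context establishment loop and application-side token transport that the package documentation describes, as an added example written for this page (it is not JDK code): the initiator side, assuming the peer is named as a host-based service of the form "svc@host" and that tokens travel as length-prefixed blobs over streams the caller supplies. Run it as the JAAS-authenticated Subject; with the default `javax.security.auth.useSubjectCredsOnly=true` the Kerberos mechanism takes the initiator's ticket only from that Subject's private credentials.

```java
import org.ietf.jgss.*;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public final class JgssInitiator {
    private static final int MAX_TOKEN = 64 * 1024; // cap what a peer can make us allocate

    // Establishes a mutually authenticated context with the host-based service
    // "svc@host" (e.g. "host@server.example.com", a constructed name). The loop
    // itself never touches the network: every token is handed to the caller's
    // streams, exactly as the package documentation says the application must do.
    public static GSSContext establish(String service, DataInputStream in,
            DataOutputStream out) throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 mechanism OID from the doc
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE, krb5);
        // null credential: the mechanism locates the caller's own credential itself
        GSSContext ctx = manager.createContext(peer, krb5, null,
                                               GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // also authenticate the peer to us
        ctx.requestInteg(true);
        ctx.requestConf(true);

        byte[] inToken = new byte[0];
        while (!ctx.isEstablished()) {
            byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
            if (outToken != null) {       // the application, not GSS-API, ships it
                out.writeInt(outToken.length);
                out.write(outToken);
                out.flush();
            }
            if (!ctx.isEstablished()) {   // still need the peer's reply token
                inToken = readToken(in);
            }
        }
        // Requests are only negotiated; verify what the peer actually granted.
        if (!ctx.getMutualAuthState() || !ctx.getIntegState() || !ctx.getConfState()) {
            ctx.dispose();
            throw new GSSException(GSSException.FAILURE);
        }
        return ctx;
    }

    private static byte[] readToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_TOKEN) {
            throw new IOException("implausible token length " + len);
        }
        byte[] token = new byte[len];
        in.readFully(token);
        return token;
    }
}
```

Once `establish` returns, `ctx.wrap` and `ctx.unwrap` with a `MessageProp` give the integrity and confidentiality protection the documentation mentions; the acceptor side runs the same loop with `acceptSecContext` in place of `initSecContext`.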