97 * {@link InquireSecContextPermission} is not granted. |
97 * {@link InquireSecContextPermission} is not granted. |
98 * @see InquireSecContextPermission |
98 * @see InquireSecContextPermission |
99 */ |
99 */ |
100 public Object inquireSecContext(InquireType type) |
100 public Object inquireSecContext(InquireType type) |
101 throws GSSException; |
101 throws GSSException; |
|
102 |
|
103 /** |
|
104 * Requests that the delegation policy be respected. When a true value is |
|
105 * requested, the underlying context would use the delegation policy |
|
106 * defined by the environment as a hint to determine whether credentials |
|
107 * delegation should be performed. This request can only be made on the |
|
108 * context initiator's side and it has to be done prior to the first |
|
109 * call to <code>initSecContext</code>. |
|
110 * <p> |
|
111 * When this flag is false, delegation will only be tried when the |
|
112 * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag} |
|
113 * is true. |
|
114 * <p> |
|
115 * When this flag is true but the |
|
116 * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag} |
|
117 * is false, delegation will be only tried if the delegation policy permits |
|
118 * delegation. |
|
119 * <p> |
|
120 * When both this flag and the |
|
121 * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag} |
|
122 * are true, delegation will be always tried. However, if the delegation |
|
123 * policy does not permit delegation, the value of |
|
124 * {@link #getDelegPolicyState} will be false, even |
|
125 * if delegation is performed successfully. |
|
126 * <p> |
|
127 * In any case, if the delegation is not successful, the value returned |
|
128 * by {@link GSSContext#getCredDelegState()} is false, and the value |
|
129 * returned by {@link #getDelegPolicyState()} is also false. |
|
130 * <p> |
|
131 * Not all mechanisms support delegation policy. Therefore, the |
|
132 * application should check to see if the request was honored with the |
|
133 * {@link #getDelegPolicyState() getDelegPolicyState} method. When |
|
134 * delegation policy is not supported, <code>requestDelegPolicy</code> |
|
135 * should return silently without throwing an exception. |
|
136 * <p> |
|
137 * Note: for the Kerberos 5 mechanism, the delegation policy is expressed |
|
138 * through the OK-AS-DELEGATE flag in the service ticket. When it's true, |
|
139 * the KDC permits delegation to the target server. In a cross-realm |
|
140 * environment, in order for delegation be permitted, all cross-realm TGTs |
|
141 * on the authentication path must also have the OK-AS-DELAGATE flags set. |
|
142 * @param state true if the policy should be respected |
|
143 * @throws GSSException containing the following |
|
144 * major error codes: |
|
145 * {@link GSSException#FAILURE GSSException.FAILURE} |
|
146 */ |
|
147 public void requestDelegPolicy(boolean state) throws GSSException; |
|
148 |
|
149 /** |
|
150 * Returns the delegation policy response. Called after a security context |
|
151 * is established. This method can be only called on the initiator's side. |
|
152 * See {@link ExtendedGSSContext#requestDelegPolicy}. |
|
153 * @return the delegation policy response |
|
154 */ |
|
155 public boolean getDelegPolicyState(); |
102 } |
156 } |
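Review bot: The Kerberos note at new line 141 spells the flag `OK-AS-DELAGATE`, while line 138 has `OK-AS-DELEGATE`; please make the two match. On line 140, "in order for delegation be permitted" is missing "to". The contract is also underspecified in two places. `requestDelegPolicy` says the request can only be made on the initiator's side and "prior to the first call to initSecContext", but the Javadoc does not say whether an acceptor-side or late call throws `GSSException.FAILURE` or is silently ignored. `getDelegPolicyState()` "can be only called on the initiator's side" yet declares no exception, so its return value on an acceptor, or before the context is established, should be documented. Finally, lines 120-125 state that with both flags true delegation is always tried even when the policy does not permit it. Consider adding one sentence telling callers who want the policy to actually gate delegation to leave `requestCredDeleg` false and check `getDelegPolicyState()` afterwards, since that is the only combination described here in which the KDC's policy decides.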