--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/NegotiatorImpl.java Sat Dec 01 00:00:00 2007 +0000
@@ -0,0 +1,161 @@
+/*
+ * Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.net.www.protocol.http;
+
+import java.io.IOException;
+
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+
+import sun.security.jgss.GSSManagerImpl;
+import sun.security.jgss.GSSUtil;
+
+/**
+ * This class encapsulates all JAAS and JGSS API calls in a seperate class
+ * outside NegotiateAuthentication.java so that J2SE build can go smoothly
+ * without the presence of it.
+ *
+ * @author weijun.wang@sun.com
+ * @since 1.6
+ */
+public class NegotiatorImpl extends Negotiator {
+
+ private static final boolean DEBUG =
+ java.security.AccessController.doPrivileged(
+ new sun.security.action.GetBooleanAction("sun.security.krb5.debug"));
+
+ private GSSContext context;
+ private byte[] oneToken;
+
+ /**
+ * Initialize the object, which includes:<ul>
+ * <li>Find out what GSS mechanism to use from <code>http.negotiate.mechanism.oid</code>,
+ * defaults SPNEGO
+ * <li>Creating the GSSName for the target host, "HTTP/"+hostname
+ * <li>Creating GSSContext
+ * <li>A first call to initSecContext</ul>
+ * @param hostname name of peer server
+ * @param scheme auth scheme requested, Negotiate ot Kerberos
+ * @throws GSSException if any JGSS-API call fails
+ */
+ private void init(final String hostname, String scheme) throws GSSException {
+ // "1.2.840.113554.1.2.2" Kerberos
+ // "1.3.6.1.5.5.2" SPNEGO
+ final Oid oid;
+
+ if (scheme.equalsIgnoreCase("Kerberos")) {
+ // we can only use Kerberos mech when the scheme is kerberos
+ oid = GSSUtil.GSS_KRB5_MECH_OID;
+ } else {
+ String pref = java.security.AccessController.doPrivileged(
+ new java.security.PrivilegedAction<String>() {
+ public String run() {
+ return System.getProperty(
+ "http.auth.preference",
+ "spnego");
+ }
+ });
+ if (pref.equalsIgnoreCase("kerberos")) {
+ oid = GSSUtil.GSS_KRB5_MECH_OID;
+ } else {
+ // currently there is no 3rd mech we can use
+ oid = GSSUtil.GSS_SPNEGO_MECH_OID;
+ }
+ }
+
+ GSSManagerImpl manager = new GSSManagerImpl(
+ GSSUtil.CALLER_HTTP_NEGOTIATE);
+
+ String peerName = "HTTP/" + hostname;
+
+ GSSName serverName = manager.createName(peerName, null);
+ context = manager.createContext(serverName,
+ oid,
+ null,
+ GSSContext.DEFAULT_LIFETIME);
+
+ // In order to support credential delegation in HTTP/SPNEGO,
+ // we always request it before initSecContext. The current
+ // implementation will check the OK-AS-DELEGATE flag inside
+ // the service ticket of the web server, and only enable
+ // delegation when this flag is set. This check is only
+ // performed when the GSS caller is CALLER_HTTP_NEGOTIATE,
+ // so all other normal GSS-API calls are not affected.
+
+ context.requestCredDeleg(true);
+ oneToken = context.initSecContext(new byte[0], 0, 0);
+ }
+
+ /**
+ * Constructor
+ * @param hostname name of peer server
+ * @param scheme auth scheme requested, Negotiate ot Kerberos
+ * @throws java.io.IOException If negotiator cannot be constructed
+ */
+ public NegotiatorImpl(String hostname, String scheme) throws IOException {
+ try {
+ init(hostname, scheme);
+ } catch (GSSException e) {
+ if (DEBUG) {
+ System.out.println("Negotiate support not initiated, will fallback to other scheme if allowed. Reason:");
+ e.printStackTrace();
+ }
+ IOException ioe = new IOException("Negotiate support not initiated");
+ ioe.initCause(e);
+ throw ioe;
+ }
+ }
+
+ /**
+ * Return the first token of GSS, in SPNEGO, it's called NegTokenInit
+ * @return the first token
+ */
+ public byte[] firstToken() {
+ return oneToken;
+ }
+
+ /**
+ * Return the rest tokens of GSS, in SPNEGO, it's called NegTokenTarg
+ * @param token the token received from server
+ * @return the next token
+ * @throws java.io.IOException if the token cannot be created successfully
+ */
+ public byte[] nextToken(byte[] token) throws IOException {
+ try {
+ return context.initSecContext(token, 0, token.length);
+ } catch (GSSException e) {
+ if (DEBUG) {
+ System.out.println("Negotiate support cannot continue. Reason:");
+ e.printStackTrace();
+ }
+ IOException ioe = new IOException("Negotiate support cannot continue");
+ ioe.initCause(e);
+ throw ioe;
+ }
+ }
+}