Package net.shibboleth.idp.authn.spnego.impl

Class GSSContextAcceptor

java.lang.Object
net.shibboleth.idp.authn.spnego.impl.GSSContextAcceptor
public class GSSContextAcceptor
extends Object
Helper class that manages context establishment for the SPNEGO GSS-API mechanism.
See Also:
RFC 2853 - Generic Security Service API Version 2 : Java Bindings, RFC 4178 - The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism

  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • spnegoOid

      @Nonnull private final Oid spnegoOid
      The OID representing the SPNEGO pseudo-mechanism.

    • kerberosSettings

      @Nonnull private KerberosSettings kerberosSettings
      The Kerberos settings.

    • realmSettings

      @Nullable private KerberosRealmSettings realmSettings
      The realm in use.

    • krbLoginModule

      @Nullable private GSSAcceptorLoginModule krbLoginModule
      The Kerberos login module and server login state.

    • serverCreds

      @Nullable private GSSCredential serverCreds
      Server credentials used during context establishment.

    • context

      @Nullable private GSSContext context
      The GSSContext being established, or that was established.

  • Constructor Details

    • GSSContextAcceptor

      public GSSContextAcceptor​(@Nonnull KerberosSettings settings) throws GSSException
      Constructor.
      Parameters:
      settings - the KerberosSettings to use
      Throws:
      GSSException - if an error occurs establishing server credentials

  • Method Details

    • getContext

      @Nullable public GSSContext getContext()
      Return the GSS security context.
      Returns:
      the context

    • acceptSecContext

      @Nullable public byte[] acceptSecContext​(@Nonnull byte[] inToken, int offset, int len) throws Exception
      Process the inbound GSS token.

      During the first (and likely only) token step, we will also establish the server's credentials in the process. If additional round trips occur, this will be detected and the previous partial context will be used.

      Parameters:
      inToken - token generated by the peer
      offset - the offset within the inToken where the token begins
      len - the length of the token
      Returns:
      a byte[] containing the token to be sent to the peer, or null if no output token is needed
      Throws:
      Exception - if an error occurs
      See Also:
      RFC 4121: Kerberos for GSSAPI.

    • logout

      public void logout()
      Dispose of the context and the server's credentials, and do a logout of the Kerberos login module.

    • acceptFirstToken

      @Nullable private byte[] acceptFirstToken​(@Nonnull byte[] inToken, int offset, int len) throws Exception
      Process the first inbound GSS token.
      Parameters:
      inToken - token generated by the peer
      offset - the offset within the inToken where the token begins
      len - the length of the token
      Returns:
      a byte[] containing the token to be sent to the peer, or null if no output token is needed
      Throws:
      Exception - if an error occurs

    • createGSSContext

      private void createGSSContext​(@Nonnull KerberosRealmSettings realm) throws GSSException, LoginException, PrivilegedActionException
      Establish initial server credentials and create a GSS acceptor context based on then.
      Parameters:
      realm - realm settings to use
      Throws:
      GSSException - thrown if GSS context could not be created
      LoginException - thrown if login failed
      PrivilegedActionException - thrown if GSS credentials could not be created

    • getServerCredential

      @Nonnull private GSSCredential getServerCredential​(@Nonnull Subject subject) throws PrivilegedActionException
      Create the credential for the GSS-API.
      Parameters:
      subject - Kerberos subject to create the credentials from
      Returns:
      the created GSS credentials
      Throws:
      PrivilegedActionException - thrown if server credentials could not be created