Interface ExtendedGSSContext

All Superinterfaces:

GSSContext

public interface ExtendedGSSContext
extends GSSContext

The extended GSSContext interface for supporting additional functionalities not defined by org.ietf.jgss.GSSContext, such as querying context-specific attributes.

Since:

1.7

Field Summary

Fields declared in interface GSSContext

DEFAULT_LIFETIME, INDEFINITE_LIFETIME

Modifier and Type	Field	Description
static final int	DEFAULT_LIFETIME	A lifetime constant representing the default context lifetime.
static final int	INDEFINITE_LIFETIME	A lifetime constant representing indefinite context lifetime.

Method Summary

Modifier and Type	Method	Description
boolean	getDelegPolicyState()	Returns the delegation policy response.
Object	inquireSecContext(InquireType type)	Return the mechanism-specific attribute associated with type.
void	requestDelegPolicy(boolean state)	Requests that the delegation policy be respected.

Methods declared in interface GSSContext

acceptSecContext, acceptSecContext, dispose, export, getAnonymityState, getConfState, getCredDelegState, getDelegCred, getIntegState, getLifetime, getMech, getMIC, getMIC, getMutualAuthState, getReplayDetState, getSequenceDetState, getSrcName, getTargName, getWrapSizeLimit, initSecContext, initSecContext, isEstablished, isInitiator, isProtReady, isTransferable, requestAnonymity, requestConf, requestCredDeleg, requestInteg, requestLifetime, requestMutualAuth, requestReplayDet, requestSequenceDet, setChannelBinding, unwrap, unwrap, verifyMIC, verifyMIC, wrap, wrap

Modifier and Type	Method	Description
byte[]	acceptSecContext(byte[] inToken, int offset, int len)	Called by the context acceptor upon receiving a token from the peer.
void	acceptSecContext(InputStream inStream, OutputStream outStream)	Deprecated. The stream-based methods have been removed from RFC 8353.
void	dispose()	Releases any system resources and cryptographic information stored in the context object and invalidates the context.
byte[]	export()	Exports this context so that another process may import it.
boolean	getAnonymityState()	Determines if the context initiator is anonymously authenticated to the context acceptor.
boolean	getConfState()	Determines if data confidentiality is available over the context.
boolean	getCredDelegState()	Determines if credential delegation is enabled on this context.
GSSCredential	getDelegCred()	Obtains the credentials delegated by the context initiator to the context acceptor.
boolean	getIntegState()	Determines if data integrity is available over the context.
int	getLifetime()	Determines what the remaining lifetime for this context is.
Oid	getMech()	Determines what mechanism is being used for this context.
byte[]	getMIC(byte[] inMsg, int offset, int len, MessageProp msgProp)	Returns a token containing a cryptographic Message Integrity Code (MIC) for the supplied message, for transfer to the peer application.
void	getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp)	Deprecated. The stream-based methods have been removed from RFC 8353.
boolean	getMutualAuthState()	Determines if mutual authentication is enabled on this context.
boolean	getReplayDetState()	Determines if replay detection is enabled for the per-message security services from this context.
boolean	getSequenceDetState()	Determines if sequence checking is enabled for the per-message security services from this context.
GSSName	getSrcName()	Returns the name of the context initiator.
GSSName	getTargName()	Returns the name of the context acceptor.
int	getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize)	Used to determine limits on the size of the message that can be passed to wrap.
byte[]	initSecContext(byte[] inputBuf, int offset, int len)	Called by the context initiator to start the context creation phase and process any tokens generated by the peer's acceptSecContext method.
int	initSecContext(InputStream inStream, OutputStream outStream)	Deprecated. The stream-based methods have been removed from RFC 8353.
boolean	isEstablished()	Used during context establishment to determine the state of the context.
boolean	isInitiator()	Determines if this is the context initiator.
boolean	isProtReady()	Determines if the context is ready for per message operations to be used over it.
boolean	isTransferable()	Determines if the context is transferable to other processes through the use of the export method.
void	requestAnonymity(boolean state)	Requests that the initiator's identity not be disclosed to the acceptor.
void	requestConf(boolean state)	Requests that data confidentiality be enabled for the wrap method.
void	requestCredDeleg(boolean state)	Requests that the initiator's credentials be delegated to the acceptor during context establishment.
void	requestInteg(boolean state)	Requests that data integrity be enabled for the wrap and getMICmethods.
void	requestLifetime(int lifetime)	Requests a lifetime in seconds for the context.
void	requestMutualAuth(boolean state)	Requests that mutual authentication be done during context establishment.
void	requestReplayDet(boolean state)	Requests that replay detection be enabled for the per-message security services after context establishment.
void	requestSequenceDet(boolean state)	Requests that sequence checking be enabled for the per-message security services after context establishment.
void	setChannelBinding(ChannelBinding cb)	Sets the channel bindings to be used during context establishment.
byte[]	unwrap(byte[] inBuf, int offset, int len, MessageProp msgProp)	Used to process tokens generated by the wrap method on the other side of the context.
void	unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)	Deprecated. The stream-based methods have been removed from RFC 8353.
void	verifyMIC(byte[] inToken, int tokOffset, int tokLen, byte[] inMsg, int msgOffset, int msgLen, MessageProp msgProp)	Verifies the cryptographic MIC, contained in the token parameter, over the supplied message.
void	verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp)	Deprecated. The stream-based methods have been removed from RFC 8353.
byte[]	wrap(byte[] inBuf, int offset, int len, MessageProp msgProp)	Applies per-message security services over the established security context.
void	wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp)	Deprecated. The stream-based methods have been removed from RFC 8353.

Method Details

inquireSecContext

Object inquireSecContext(InquireType type)
                  throws GSSException

Return the mechanism-specific attribute associated with type.

Example:

     GSSContext ctxt = m.createContext(...)
     // Establishing the context
     if (ctxt instanceof ExtendedGSSContext) {
         ExtendedGSSContext ex = (ExtendedGSSContext)ctxt;
         try {
             Key key = (key)ex.inquireSecContext(
                     InquireType.KRB5_GET_SESSION_KEY);
             // read key info
         } catch (GSSException gsse) {
             // deal with exception
         }
     }

Parameters:

type - the type of the attribute requested

Returns:

the attribute, see the method documentation for details.

Throws:

GSSException - containing the following major error codes: GSSException.BAD_MECH if the mechanism does not support this method, GSSException.UNAVAILABLE if the type specified is not supported, GSSException.NO_CONTEXT if the security context is invalid, GSSException.FAILURE for other unspecified failures.

See Also:

• InquireType

requestDelegPolicy

void requestDelegPolicy(boolean state)
                 throws GSSException

Requests that the delegation policy be respected. When a true value is requested, the underlying context would use the delegation policy defined by the environment as a hint to determine whether credentials delegation should be performed. This request can only be made on the context initiator's side and it has to be done prior to the first call to initSecContext.

When this flag is false, delegation will only be tried when the credentials delegation flag is true.

When this flag is true but the credentials delegation flag is false, delegation will be only tried if the delegation policy permits delegation.

When both this flag and the credentials delegation flag are true, delegation will be always tried. However, if the delegation policy does not permit delegation, the value of getDelegPolicyState() will be false, even if delegation is performed successfully.

In any case, if the delegation is not successful, the value returned by GSSContext.getCredDelegState() is false, and the value returned by getDelegPolicyState() is also false.

Not all mechanisms support delegation policy. Therefore, the application should check to see if the request was honored with the getDelegPolicyState method. When delegation policy is not supported, requestDelegPolicy should return silently without throwing an exception.

Note: for the Kerberos 5 mechanism, the delegation policy is expressed through the OK-AS-DELEGATE flag in the service ticket. When it's true, the KDC permits delegation to the target server. In a cross-realm environment, in order for delegation be permitted, all cross-realm TGTs on the authentication path must also have the OK-AS-DELAGATE flags set.

Parameters:

state - true if the policy should be respected

Throws:

GSSException - containing the following major error codes: GSSException.FAILURE

getDelegPolicyState

boolean getDelegPolicyState()

Returns the delegation policy response. Called after a security context is established. This method can be only called on the initiator's side. See requestDelegPolicy(boolean).

Returns:

the delegation policy response