org.ietf.jgss
Interface GSSCredential

All Superinterfaces:
java.lang.Cloneable

public interface GSSCredential
extends java.lang.Cloneable

This interface encapsulates the GSS-API credentials for an entity. A credential contains all the necessary cryptographic information to enable the creation of a context on behalf of the entity that it represents. It may contain multiple, distinct, mechanism specific credential elements, each containing information for a specific security mechanism, but all referring to the same entity.

A credential may be used to perform context initiation, acceptance, or both.

GSS-API implementations must impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. GSS-API credential creation is not intended to provide a "login to the network" function, as such a function would involve the creation of new credentials rather than merely acquiring a handle to existing credentials. Such functions, if required, should be defined in implementation-specific extensions to the API.

If credential acquisition is time-consuming for a mechanism, the mechanism may choose to delay the actual acquisition until the credential is required (e.g. by GSSContext). Such mechanism- specific implementation decisions should be invisible to the calling application; thus the query methods immediately following the creation of a credential object must return valid credential data, and may therefore incur the overhead of a deferred credential acquisition.

Applications will create a credential object passing the desired parameters. The application can then use the query methods to obtain specific information about the instantiated credential object (equivalent* to the gss_inquire routines). When the credential is no longer needed, the application should call the dispose (equivalent to gss_release_cred) method to release any resources held by the credential object and to destroy any cryptographically sensitive information.

Classes implementing this interface also implement the Cloneable interface. This indicates the the class will support the clone() method that will allow the creation of duplicate credentials. This is useful when called just before the add() call to retain a copy of the original credential.

Based on the IETF RFC-2853.

Version:
%I% %G%
Author:
Thomas Owusu

Field Summary
static int ACCEPT_ONLY
          Credential usage flag requesting that it be able to be used for context acceptance only.
static int DEFAULT_LIFETIME
          A lifetime constant representing the default credential lifetime.
static int INDEFINITE_LIFETIME
          A lifetime constant representing indefinite credential lifetime.
static int INITIATE_AND_ACCEPT
          Credential usage flag requesting that it be able to be used for both context initiation and acceptance.
static int INITIATE_ONLY
          Credential usage flag requesting that it be able to be used for context initiation only.
 
Method Summary
 void add(GSSName aName, int initLifetime, int acceptLifetime, Oid mech, int usage)
          Adds a mechanism specific credential-element to an existing credential.
 void dispose()
          Releases any sensitive information that the GSSCredential object may be containing.
 boolean equals(java.lang.Object other)
          Tests if this GSSCredential refers to the same entity as the supplied object.
 Oid[] getMechs()
          Returns an array of mechanisms supported by this credential.
 GSSName getName()
          Retrieves the name of the entity that the credential asserts.
 GSSName getName(Oid mech)
          Retrieves a mechanism name of the entity that the credential asserts.
 int getRemainingAcceptLifetime(Oid mech)
          Returns the remaining lifetime is seconds for the credential to remain capable of accepting security contexts under the specified mechanism.
 int getRemainingInitLifetime(Oid mech)
          Returns the remaining lifetime is seconds for the credential to remain capable of initiating security contexts under the specified mechanism.
 int getRemainingLifetime()
          Returns the remaining lifetime in seconds for a credential.
 int getUsage()
          Returns the credential usage flag.
 int getUsage(Oid mech)
          Returns the credential usage flag for the specified credential mechanism.
 int hashCode()
          Returns a hashcode value for this GSSCredential.
 

Field Detail

INITIATE_AND_ACCEPT

public static final int INITIATE_AND_ACCEPT
Credential usage flag requesting that it be able to be used for both context initiation and acceptance.

INITIATE_ONLY

public static final int INITIATE_ONLY
Credential usage flag requesting that it be able to be used for context initiation only.

ACCEPT_ONLY

public static final int ACCEPT_ONLY
Credential usage flag requesting that it be able to be used for context acceptance only.

DEFAULT_LIFETIME

public static final int DEFAULT_LIFETIME
A lifetime constant representing the default credential lifetime.

INDEFINITE_LIFETIME

public static final int INDEFINITE_LIFETIME
A lifetime constant representing indefinite credential lifetime. Its value is Integer.MAX_VALUE.
Method Detail

dispose

public void dispose()
             throws GSSException
Releases any sensitive information that the GSSCredential object may be containing. Applications should call this method as soon as the credential is no longer needed to minimize the time any sensitive information is maintained.
Throws:
GSSException -  

getName

public GSSName getName()
                throws GSSException
Retrieves the name of the entity that the credential asserts.
Returns:
The name of the principal that owns this credential.
Throws:
GSSException -  

getName

public GSSName getName(Oid mech)
                throws GSSException
Retrieves a mechanism name of the entity that the credential asserts. Equivalent to calling canonicalize() on the name returned by 7.3.3.
Parameters:
mech - The mechanism for which information should be returned.
Returns:
The name of the principal that owns this credential.
Throws:
GSSException -  

getRemainingLifetime

public int getRemainingLifetime()
                         throws GSSException
Returns the remaining lifetime in seconds for a credential. The remaining lifetime is the minimum lifetime for any of the underlying credential mechanisms. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire. A return value of 0 indicates that the credential is already expired.
Throws:
GSSException -  

getRemainingInitLifetime

public int getRemainingInitLifetime(Oid mech)
                             throws GSSException
Returns the remaining lifetime is seconds for the credential to remain capable of initiating security contexts under the specified mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire for context initiation. A return value of 0 indicates that the credential is already expired.
Parameters:
mechOID - The mechanism for which information should be returned.
Returns:
The time for which this credential remains valid for context initiation.
Throws:
GSSException -  

getRemainingAcceptLifetime

public int getRemainingAcceptLifetime(Oid mech)
                               throws GSSException
Returns the remaining lifetime is seconds for the credential to remain capable of accepting security contexts under the specified mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire for context acceptance. A return value of 0 indicates that the credential is already expired.
Parameters:
mech - The mechanism for which information should be returned.
Returns:
The time for which this credential remains valid for context acceptance.
Throws:
GSSException -  

getUsage

public int getUsage()
             throws GSSException
Returns the credential usage flag. The return value will be one of GSSCredential.INITIATE_ONLY, GSSCredential.ACCEPT_ONLY, or GSSCredential.INITIATE_AND_ACCEPT.
Returns:
How this credential is to be used: INITIATE_ONLY, ACCEPT_ONLY or INITIATE_AND_ACCEPT.
Throws:
GSSException -  

getUsage

public int getUsage(Oid mech)
             throws GSSException
Returns the credential usage flag for the specified credential mechanism. The return value will be one of GSSCredential.INITIATE_ONLY, GSSCredential.ACCEPT_ONLY, or GSSCredential.INITIATE_AND_ACCEPT.
Parameters:
mech - The mechanism for which information should be returned.
Returns:
How this credential is to be used for the given mechanism: INITIATE_ONLY, ACCEPT_ONLY or INITIATE_AND_ACCEPT.
Throws:
GSSException -  

getMechs

public Oid[] getMechs()
               throws GSSException
Returns an array of mechanisms supported by this credential.
Returns:
A list of mechanisms supported by this credential.
Throws:
GSSException -  

add

public void add(GSSName aName,
                int initLifetime,
                int acceptLifetime,
                Oid mech,
                int usage)
         throws GSSException
Adds a mechanism specific credential-element to an existing credential. This method allows the construction of credentials one mechanism at a time.

This routine is envisioned to be used mainly by context acceptors during the creation of acceptance credentials which are to be used with a variety of clients using different security mechanisms. This routine adds the new credential element "in-place". To add the element in a new credential, first call clone() to obtain a copy of this credential, then call its add() method.

Parameters:
aName - Name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal.
initLifetime - The number of seconds that credentials should remain valid for initiating of security contexts. GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
acceptLifetime - The number of seconds that credentials should remain valid for accepting of security contexts. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
mech - The mechanisms over which the credential is to be acquired.
usage - The intended usage for this credential object. The value of this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE, GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
Throws:
GSSException -  

equals

public boolean equals(java.lang.Object other)
Tests if this GSSCredential refers to the same entity as the supplied object. The two credentials must be acquired over the same mechanisms and must refer to the same principal. Returns "true" if the two GSSCredentials refer to the same entity; "false" otherwise.
Overrides:
equals in class java.lang.Object
Parameters:
another - Another GSSCredential object for comparison.
Returns:
"true" if the two credentials are the same, "false" otherwise.

hashCode

public int hashCode()
Returns a hashcode value for this GSSCredential.
Overrides:
hashCode in class java.lang.Object
Returns:
a hashCode value