Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / libcore / 319a3b994703aac84df7bcde272adfcb3cdbbbf0 / . / jdk / src / share / classes / sun / net / www / protocol / http / NegotiatorImpl.java
blob: 1ecf6a28c2997d7ae319ab9d0761c6afce9fa57e [file] [log] [blame]
J. Duke319a3b92007-12-01 00:00:00 +0000[diff] [blame^]1/*
2 * Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Sun designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Sun in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
22 * CA 95054 USA or visit www.sun.com if you need additional information or
23 * have any questions.
24 */
25
26package sun.net.www.protocol.http;
27
28import java.io.IOException;
29
30import org.ietf.jgss.GSSContext;
31import org.ietf.jgss.GSSException;
32import org.ietf.jgss.GSSName;
33import org.ietf.jgss.Oid;
34
35import sun.security.jgss.GSSManagerImpl;
36import sun.security.jgss.GSSUtil;
37
38/**
39 * This class encapsulates all JAAS and JGSS API calls in a seperate class
40 * outside NegotiateAuthentication.java so that J2SE build can go smoothly
41 * without the presence of it.
42 *
43 * @author weijun.wang@sun.com
44 * @since 1.6
45 */
46public class NegotiatorImpl extends Negotiator {
47
48 private static final boolean DEBUG =
49 java.security.AccessController.doPrivileged(
50 new sun.security.action.GetBooleanAction("sun.security.krb5.debug"));
51
52 private GSSContext context;
53 private byte[] oneToken;
54
55 /**
56 * Initialize the object, which includes:<ul>
57 * <li>Find out what GSS mechanism to use from <code>http.negotiate.mechanism.oid</code>,
58 * defaults SPNEGO
59 * <li>Creating the GSSName for the target host, "HTTP/"+hostname
60 * <li>Creating GSSContext
61 * <li>A first call to initSecContext</ul>
62 * @param hostname name of peer server
63 * @param scheme auth scheme requested, Negotiate ot Kerberos
64 * @throws GSSException if any JGSS-API call fails
65 */
66 private void init(final String hostname, String scheme) throws GSSException {
67 // "1.2.840.113554.1.2.2" Kerberos
68 // "1.3.6.1.5.5.2" SPNEGO
69 final Oid oid;
70
71 if (scheme.equalsIgnoreCase("Kerberos")) {
72 // we can only use Kerberos mech when the scheme is kerberos
73 oid = GSSUtil.GSS_KRB5_MECH_OID;
74 } else {
75 String pref = java.security.AccessController.doPrivileged(
76 new java.security.PrivilegedAction<String>() {
77 public String run() {
78 return System.getProperty(
79 "http.auth.preference",
80 "spnego");
81 }
82 });
83 if (pref.equalsIgnoreCase("kerberos")) {
84 oid = GSSUtil.GSS_KRB5_MECH_OID;
85 } else {
86 // currently there is no 3rd mech we can use
87 oid = GSSUtil.GSS_SPNEGO_MECH_OID;
88 }
89 }
90
91 GSSManagerImpl manager = new GSSManagerImpl(
92 GSSUtil.CALLER_HTTP_NEGOTIATE);
93
94 String peerName = "HTTP/" + hostname;
95
96 GSSName serverName = manager.createName(peerName, null);
97 context = manager.createContext(serverName,
98 oid,
99 null,
100 GSSContext.DEFAULT_LIFETIME);
101
102 // In order to support credential delegation in HTTP/SPNEGO,
103 // we always request it before initSecContext. The current
104 // implementation will check the OK-AS-DELEGATE flag inside
105 // the service ticket of the web server, and only enable
106 // delegation when this flag is set. This check is only
107 // performed when the GSS caller is CALLER_HTTP_NEGOTIATE,
108 // so all other normal GSS-API calls are not affected.
109
110 context.requestCredDeleg(true);
111 oneToken = context.initSecContext(new byte[0], 0, 0);
112 }
113
114 /**
115 * Constructor
116 * @param hostname name of peer server
117 * @param scheme auth scheme requested, Negotiate ot Kerberos
118 * @throws java.io.IOException If negotiator cannot be constructed
119 */
120 public NegotiatorImpl(String hostname, String scheme) throws IOException {
121 try {
122 init(hostname, scheme);
123 } catch (GSSException e) {
124 if (DEBUG) {
125 System.out.println("Negotiate support not initiated, will fallback to other scheme if allowed. Reason:");
126 e.printStackTrace();
127 }
128 IOException ioe = new IOException("Negotiate support not initiated");
129 ioe.initCause(e);
130 throw ioe;
131 }
132 }
133
134 /**
135 * Return the first token of GSS, in SPNEGO, it's called NegTokenInit
136 * @return the first token
137 */
138 public byte[] firstToken() {
139 return oneToken;
140 }
141
142 /**
143 * Return the rest tokens of GSS, in SPNEGO, it's called NegTokenTarg
144 * @param token the token received from server
145 * @return the next token
146 * @throws java.io.IOException if the token cannot be created successfully
147 */
148 public byte[] nextToken(byte[] token) throws IOException {
149 try {
150 return context.initSecContext(token, 0, token.length);
151 } catch (GSSException e) {
152 if (DEBUG) {
153 System.out.println("Negotiate support cannot continue. Reason:");
154 e.printStackTrace();
155 }
156 IOException ioe = new IOException("Negotiate support cannot continue");
157 ioe.initCause(e);
158 throw ioe;
159 }
160 }
161}