|
Java example source code file (KeyTab.java)
The KeyTab.java Java example source code/* * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package javax.security.auth.kerberos; import java.io.File; import java.security.AccessControlException; import java.util.Objects; import sun.security.krb5.EncryptionKey; import sun.security.krb5.KerberosSecrets; import sun.security.krb5.PrincipalName; import sun.security.krb5.RealmException; /** * This class encapsulates a keytab file. * <p> * A Kerberos JAAS login module that obtains long term secret keys from a * keytab file should use this class. The login module will store * an instance of this class in the private credential set of a * {@link javax.security.auth.Subject Subject} during the commit phase of the * authentication process. * <p> * If a {@code KeyTab} object is obtained from {@link #getUnboundInstance()} * or {@link #getUnboundInstance(java.io.File)}, it is unbound and thus can be * used by any service principal. Otherwise, if it's obtained from * {@link #getInstance(KerberosPrincipal)} or * {@link #getInstance(KerberosPrincipal, java.io.File)}, it is bound to the * specific service principal and can only be used by it. * <p> * Please note the constructors {@link #getInstance()} and * {@link #getInstance(java.io.File)} were created when there was no support * for unbound keytabs. These methods should not be used anymore. An object * created with either of these methods are considered to be bound to an * unknown principal, which means, its {@link #isBound()} returns true and * {@link #getPrincipal()} returns null. * <p> * It might be necessary for the application to be granted a * {@link javax.security.auth.PrivateCredentialPermission * PrivateCredentialPermission} if it needs to access the KeyTab * instance from a Subject. This permission is not needed when the * application depends on the default JGSS Kerberos mechanism to access the * KeyTab. In that case, however, the application will need an appropriate * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}. * <p> * The keytab file format is described at * <a href="http://www.ioplex.com/utilities/keytab.txt"> * http://www.ioplex.com/utilities/keytab.txt</a>. * <p> * @since 1.7 */ public final class KeyTab { /* * Impl notes: * * This class is only a name, a permanent link to the keytab source * (can be missing). Itself has no content. In order to read content, * take a snapshot and read from it. * * The snapshot is of type sun.security.krb5.internal.ktab.KeyTab, which * contains the content of the keytab file when the snapshot is taken. * Itself has no refresh function and mostly an immutable class (except * for the create/add/save methods only used by the ktab command). */ // Source, null if using the default one. Note that the default name // is maintained in snapshot, this field is never "resolved". private final File file; // Bound user: normally from the "principal" value in a JAAS krb5 // login conf. Will be null if it's "*". private final KerberosPrincipal princ; private final boolean bound; // Set up JavaxSecurityAuthKerberosAccess in KerberosSecrets static { KerberosSecrets.setJavaxSecurityAuthKerberosAccess( new JavaxSecurityAuthKerberosAccessImpl()); } private KeyTab(KerberosPrincipal princ, File file, boolean bound) { this.princ = princ; this.file = file; this.bound = bound; } /** * Returns a {@code KeyTab} instance from a {@code File} object * that is bound to an unknown service principal. * <p> * The result of this method is never null. This method only associates * the returned {@code KeyTab} object with the file and does not read it. * <p> * Developers should call {@link #getInstance(KerberosPrincipal,File)} * when the bound service principal is known. * @param file the keytab {@code File} object, must not be null * @return the keytab instance * @throws NullPointerException if the {@code file} argument is null */ public static KeyTab getInstance(File file) { if (file == null) { throw new NullPointerException("file must be non null"); } return new KeyTab(null, file, true); } /** * Returns an unbound {@code KeyTab} instance from a {@code File} * object. * <p> * The result of this method is never null. This method only associates * the returned {@code KeyTab} object with the file and does not read it. * @param file the keytab {@code File} object, must not be null * @return the keytab instance * @throws NullPointerException if the file argument is null * @since 1.8 */ public static KeyTab getUnboundInstance(File file) { if (file == null) { throw new NullPointerException("file must be non null"); } return new KeyTab(null, file, false); } /** * Returns a {@code KeyTab} instance from a {@code File} object * that is bound to the specified service principal. * <p> * The result of this method is never null. This method only associates * the returned {@code KeyTab} object with the file and does not read it. * @param princ the bound service principal, must not be null * @param file the keytab {@code File} object, must not be null * @return the keytab instance * @throws NullPointerException if either of the arguments is null * @since 1.8 */ public static KeyTab getInstance(KerberosPrincipal princ, File file) { if (princ == null) { throw new NullPointerException("princ must be non null"); } if (file == null) { throw new NullPointerException("file must be non null"); } return new KeyTab(princ, file, true); } /** * Returns the default {@code KeyTab} instance that is bound * to an unknown service principal. * <p> * The result of this method is never null. This method only associates * the returned {@code KeyTab} object with the default keytab file and * does not read it. * <p> * Developers should call {@link #getInstance(KerberosPrincipal)} * when the bound service principal is known. * @return the default keytab instance. */ public static KeyTab getInstance() { return new KeyTab(null, null, true); } /** * Returns the default unbound {@code KeyTab} instance. * <p> * The result of this method is never null. This method only associates * the returned {@code KeyTab} object with the default keytab file and * does not read it. * @return the default keytab instance * @since 1.8 */ public static KeyTab getUnboundInstance() { return new KeyTab(null, null, false); } /** * Returns the default {@code KeyTab} instance that is bound * to the specified service principal. * <p> * The result of this method is never null. This method only associates * the returned {@code KeyTab} object with the default keytab file and * does not read it. * @param princ the bound service principal, must not be null * @return the default keytab instance * @throws NullPointerException if {@code princ} is null * @since 1.8 */ public static KeyTab getInstance(KerberosPrincipal princ) { if (princ == null) { throw new NullPointerException("princ must be non null"); } return new KeyTab(princ, null, true); } // Takes a snapshot of the keytab content. This method is called by // JavaxSecurityAuthKerberosAccessImpl so no more private sun.security.krb5.internal.ktab.KeyTab takeSnapshot() { try { return sun.security.krb5.internal.ktab.KeyTab.getInstance(file); } catch (AccessControlException ace) { if (file != null) { // It's OK to show the name if caller specified it throw ace; } else { AccessControlException ace2 = new AccessControlException( "Access to default keytab denied (modified exception)"); ace2.setStackTrace(ace.getStackTrace()); throw ace2; } } } /** * Returns fresh keys for the given Kerberos principal. * <p> * Implementation of this method should make sure the returned keys match * the latest content of the keytab file. The result is a newly created * copy that can be modified by the caller without modifying the keytab * object. The caller should {@link KerberosKey#destroy() destroy} the * result keys after they are used. * <p> * Please note that the keytab file can be created after the * {@code KeyTab} object is instantiated and its content may change over * time. Therefore, an application should call this method only when it * needs to use the keys. Any previous result from an earlier invocation * could potentially be expired. * <p> * If there is any error (say, I/O error or format error) * during the reading process of the KeyTab file, a saved result should be * returned. If there is no saved result (say, this is the first time this * method is called, or, all previous read attempts failed), an empty array * should be returned. This can make sure the result is not drastically * changed during the (probably slow) update of the keytab file. * <p> * Each time this method is called and the reading of the file succeeds * with no exception (say, I/O error or file format error), * the result should be saved for {@code principal}. The implementation can * also save keys for other principals having keys in the same keytab object * if convenient. * <p> * Any unsupported key read from the keytab is ignored and not included * in the result. * <p> * If this keytab is bound to a specific principal, calling this method on * another principal will return an empty array. * * @param principal the Kerberos principal, must not be null. * @return the keys (never null, may be empty) * @throws NullPointerException if the {@code principal} * argument is null * @throws SecurityException if a security manager exists and the read * access to the keytab file is not permitted */ public KerberosKey[] getKeys(KerberosPrincipal principal) { try { if (princ != null && !principal.equals(princ)) { return new KerberosKey[0]; } PrincipalName pn = new PrincipalName(principal.getName()); EncryptionKey[] keys = takeSnapshot().readServiceKeys(pn); KerberosKey[] kks = new KerberosKey[keys.length]; for (int i=0; i<kks.length; i++) { Integer tmp = keys[i].getKeyVersionNumber(); kks[i] = new KerberosKey( principal, keys[i].getBytes(), keys[i].getEType(), tmp == null ? 0 : tmp.intValue()); keys[i].destroy(); } return kks; } catch (RealmException re) { return new KerberosKey[0]; } } EncryptionKey[] getEncryptionKeys(PrincipalName principal) { return takeSnapshot().readServiceKeys(principal); } /** * Checks if the keytab file exists. Implementation of this method * should make sure that the result matches the latest status of the * keytab file. * <p> * The caller can use the result to determine if it should fallback to * another mechanism to read the keys. * @return true if the keytab file exists; false otherwise. * @throws SecurityException if a security manager exists and the read * access to the keytab file is not permitted */ public boolean exists() { return !takeSnapshot().isMissing(); } public String toString() { String s = (file == null) ? "Default keytab" : file.toString(); if (!bound) return s; else if (princ == null) return s + " for someone"; else return s + " for " + princ; } /** * Returns a hashcode for this KeyTab. * * @return a hashCode() for the {@code KeyTab} */ public int hashCode() { return Objects.hash(file, princ, bound); } /** * Compares the specified Object with this KeyTab for equality. * Returns true if the given object is also a * {@code KeyTab} and the two * {@code KeyTab} instances are equivalent. * * @param other the Object to compare to * @return true if the specified object is equal to this KeyTab */ public boolean equals(Object other) { if (other == this) return true; if (! (other instanceof KeyTab)) { return false; } KeyTab otherKtab = (KeyTab) other; return Objects.equals(otherKtab.princ, princ) && Objects.equals(otherKtab.file, file) && bound == otherKtab.bound; } /** * Returns the service principal this {@code KeyTab} object * is bound to. Returns {@code null} if it's not bound. * <p> * Please note the deprecated constructors create a KeyTab object bound for * some unknown principal. In this case, this method also returns null. * User can call {@link #isBound()} to verify this case. * @return the service principal * @since 1.8 */ public KerberosPrincipal getPrincipal() { return princ; } /** * Returns if the keytab is bound to a principal * @return if the keytab is bound to a principal * @since 1.8 */ public boolean isBound() { return bound; } } Other Java examples (source code examples)Here is a short list of links related to this Java KeyTab.java source code file: |
... this post is sponsored by my books ... | |
#1 New Release! |
FP Best Seller |
Copyright 1998-2024 Alvin Alexander, alvinalexander.com
All Rights Reserved.
A percentage of advertising revenue from
pages under the /java/jwarehouse
URI on this website is
paid back to open source projects.