kerberosticket.java

来自「java jdk 1.4的源码」· Java 代码 · 共 626 行 · 第 1/2 页

JAVA
626
字号
/* * @(#)KerberosTicket.java	1.13 03/01/23 * * Copyright 2003 Sun Microsystems, Inc. All rights reserved. * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. */  package javax.security.auth.kerberos;import java.io.*;import java.util.Date;import java.util.Arrays;import java.net.InetAddress;import javax.crypto.SecretKey;import javax.security.auth.Refreshable;import javax.security.auth.Destroyable;import javax.security.auth.RefreshFailedException;import javax.security.auth.DestroyFailedException;import sun.misc.HexDumpEncoder;import sun.security.krb5.EncryptionKey;import sun.security.krb5.Asn1Exception;import sun.security.util.*;/** * This class encapsulates a Kerberos ticket and associated * information as viewed from the client's point of view. It captures all * information that the Key Distribution Center (KDC) sends to the client * in the reply message KDC-REP defined in the Kerberos Protocol * Specification (<a href=http://www.ietf.org/rfc/rfc1510.txt>RFC 1510</a>). * <p> * All Kerberos JAAS login modules that authenticate a user to a KDC should * use this class. Where available, the login module might even read this  * information from a ticket cache in the operating system instead of * directly communicating with the KDC. During the commit phase of the JAAS * authentication process, the JAAS login module should instantiate this * class and store the instance in the private credential set of a * {@link javax.security.auth.Subject Subject}.<p> * * It might be necessary for the application to be granted a * {@link javax.security.auth.PrivateCredentialPermission  * PrivateCredentialPermission} if it needs to access a KerberosTicket * instance from a Subject. This permission is not needed when the * application depends on the default JGSS Kerberos mechanism to access the * KerberosTicket. In that case, however, the application will need an * appropriate * {@link javax.security.auth.kerberos.ServicePermission ServicePermission}. * <p> * Note that this class is applicable to both ticket granting tickets and * other regular service tickets. A ticket granting ticket is just a * special case of a more generalized service ticket. * * @see javax.security.auth.Subject * @see javax.security.auth.PrivateCredentialPermission * @see javax.security.auth.login.LoginContext * @see org.ietf.jgss.GSSCredential * @see org.ietf.jgss.GSSManager *  * @author Mayank Upadhyay * @version 1.13, 01/23/03 * @since 1.4 */public class KerberosTicket implements Destroyable, Refreshable,	 java.io.Serializable {    // TBD: Make these flag indices public    private static int FORWARDABLE_TICKET_FLAG = 1;    private static int FORWARDED_TICKET_FLAG   = 2;    private static int PROXIABLE_TICKET_FLAG   = 3;    private static int PROXY_TICKET_FLAG       = 4;    private static int POSTDATED_TICKET_FLAG   = 6;    private static int RENEWABLE_TICKET_FLAG   = 8;    private static int INITIAL_TICKET_FLAG     = 9;    private static int NUM_FLAGS = 32;    /**     *      * ASN.1 DER Encoding of the Ticket as defined in the      * Kerberos Protocol Specification RFC1510.     *     * @serial     */    private byte[] asn1Encoding;   /**    *<code>KeyImpl</code> is serialized by writing out the ASN1 Encoded bytes     * of the encryption key. The ASN1 encoding is defined in RFC1510 and as    * follows:    * <pre>		    *			EncryptionKey ::=   SEQUENCE {    *				keytype[0]    INTEGER,    *				keyvalue[1]   OCTET STRING    	    *				}    * </pre>    *    * @serial    */    private KeyImpl sessionKey;    /**     *      * Ticket Flags as defined in the Kerberos Protocol Specification RFC1510.     * @serial     */    private boolean[] flags;    /**     *      * Time of initial authentication      *     * @serial     */    private Date authTime;    /**     *      * Time after which the ticket is valid.     * @serial     */    private Date startTime;    /**     *      * Time after which the ticket will not be honored. (its expiration time).     *     * @serial     */    private Date endTime;    /**     *      * For renewable Tickets it indicates the maximum endtime that may be      * included in a renewal. It can be thought of as the absolute expiration      * time for the ticket, including all renewals. This field may be null     * for tickets that are not renewable.     *     * @serial     */    private Date renewTill;    /**     *      * Client that owns the service ticket     *      * @serial     */    private KerberosPrincipal client;    /**     *      * The service for which the ticket was issued.     *      * @serial     */    private KerberosPrincipal server;	    /**     *      * The addresses from where the ticket may be used by the client.      * This field may be null when the ticket is usable from any address.     *     * @serial     */    private InetAddress[] clientAddresses;    private transient boolean destroyed = false;    /**     * Constructs a KerberosTicket using credentials information that a     * client either receives from a KDC or reads from a cache.     *     * @param asn1Encoding the ASN.1 encoding of the ticket as defined by     * the Kerberos protocol specification.     * @param client the client that owns this service     * ticket     * @param server the service that this ticket is for     * @param sessionKey the raw bytes for the session key that must be     * used to encrypt the authenticator that will be sent to the server     * @param keyType the key type for the session key as defined by the     * Kerberos protocol specification.     * @param flags the ticket flags. Each element in this array indicates     * the value for the corresponding bit in the ASN.1 BitString that     * represents the ticket flags. If the number of elements in this array      * is less than the number of flags used by the Kerberos protocol,     * then the missing flags will be filled in with false.     * @param authTime the time of initial authentication for the client     * @param startTime the time after which the ticket will be valid. This      * may be null in which case the value of authTime is treated as the     * startTime.     * @param endTime the time after which the ticket will no longer be     * valid     * @param renewTill an absolute expiration time for the ticket,     * including all renewal that might be possible. This field may be null      * for tickets that are not renewable.     * @param clientAddresses the addresses from where the ticket may be     * used by the client. This field may be null when the ticket is usable      * from any address.     */   public KerberosTicket(byte[] asn1Encoding, 			 KerberosPrincipal client,			 KerberosPrincipal server,			 byte[] sessionKey,			 int keyType,			 boolean[] flags,			 Date authTime,			 Date startTime,			 Date endTime,			 Date renewTill,			 InetAddress[] clientAddresses) {              init(asn1Encoding, client, server, sessionKey, keyType, flags,	    authTime, startTime, endTime, renewTill, clientAddresses);   }        private void init(byte[] asn1Encoding, 			 KerberosPrincipal client,			 KerberosPrincipal server,			 byte[] sessionKey,			 int keyType,			 boolean[] flags,			 Date authTime,			 Date startTime,			 Date endTime,			 Date renewTill,			 InetAddress[] clientAddresses) {       if (asn1Encoding == null)	   throw new IllegalArgumentException("ASN.1 encoding of ticket"					      + " cannot be null");       this.asn1Encoding = asn1Encoding;       if (client == null)	   throw new IllegalArgumentException("Client name in ticket"					      + " cannot be null");       this.client = client;       if (server == null)	   throw new IllegalArgumentException("Server name in ticket"					      + " cannot be null");       this.server = server;       if (sessionKey == null)	   throw new IllegalArgumentException("Session key for ticket"					      + " cannot be null");       this.sessionKey = new KeyImpl(sessionKey, keyType);       if (flags != null) {	   if (flags.length >= NUM_FLAGS)	       this.flags = (boolean[]) flags.clone();	   else {	       this.flags = new boolean[NUM_FLAGS];	       // Fill in whatever we have	       for (int i = 0; i < flags.length; i++)		   this.flags[i] = flags[i];	   }       } else	   this.flags = new boolean[NUM_FLAGS];       if (flags[RENEWABLE_TICKET_FLAG]) {	   if (renewTill == null)	       throw new IllegalArgumentException("The renewable period "		       + "end time cannot be null for renewable tickets.");	   this.renewTill = renewTill;       }       if (authTime == null)	   throw new IllegalArgumentException("Authentication time of ticket"					      + " cannot be null");       this.authTime = authTime;       this.startTime = (startTime != null? startTime: authTime);       if (endTime == null)	   throw new IllegalArgumentException("End time for ticket validity"					      + " cannot be null");       this.endTime = endTime;       if (clientAddresses != null)	   this.clientAddresses = (InetAddress[]) clientAddresses.clone();   }    /**     * Returns the client principal associated with this ticket.     *     * @return the client principal.     */    public final KerberosPrincipal getClient() {	return client;    }        /**     * Returns the service principal associated with this ticket.     *     * @return the service principal.     */    public final KerberosPrincipal getServer() {	return server;    }        /**     * Returns the session key associated with this ticket.

⌨️ 快捷键说明

复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?