Back to index... 
/*
 
 * Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
 
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 
 *
 
 * This code is free software; you can redistribute it and/or modify it
 
 * under the terms of the GNU General Public License version 2 only, as
 
 * published by the Free Software Foundation.  Oracle designates this
 
 * particular file as subject to the "Classpath" exception as provided
 
 * by Oracle in the LICENSE file that accompanied this code.
 
 *
 
 * This code is distributed in the hope that it will be useful, but WITHOUT
 
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 
 * version 2 for more details (a copy is included in the LICENSE file that
 
 * accompanied this code).
 
 *
 
 * You should have received a copy of the GNU General Public License version
 
 * 2 along with this work; if not, write to the Free Software Foundation,
 
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 
 *
 
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 
 * or visit www.oracle.com if you need additional information or have any
 
 * questions.
 
 */
 







package sun.security.jgss.krb5;














import org.ietf.jgss.*;







import sun.security.jgss.GSSCaller;







import sun.security.jgss.spi.*;














import java.io.IOException;














import sun.security.krb5.Credentials;







import sun.security.krb5.KrbException;







import sun.security.krb5.internal.Ticket;














import javax.security.auth.kerberos.KerberosTicket;














/**







 * Implements the krb5 proxy credential element used in constrained







 * delegation. It is used in both impersonation (where there is no Kerberos 5







 * communication between the middle server and the client) and normal







 * constrained delegation (where there is, but client has not called







 * requestCredDeleg(true)).







 * @since 1.8







 */














public class Krb5ProxyCredential







    implements Krb5CredElement {














    public final Krb5InitCredential self;   // the middle server







    private final Krb5NameElement client;     // the client














    // The ticket with cname=client and sname=self. This can be a normal







    // service ticket or an S4U2self ticket.







    public final Ticket tkt;














    Krb5ProxyCredential(Krb5InitCredential self, Krb5NameElement client,







            Ticket tkt) {







        this.self = self;







        this.tkt = tkt;







        this.client = client;







    }














    // The client name behind the proxy







    @Override







    public final Krb5NameElement getName() throws GSSException {







        return client;







    }














    @Override







    public int getInitLifetime() throws GSSException {







        // endTime of tkt is not used by KDC, and it's also not







        // available in the case of kerberos constr deleg







        return self.getInitLifetime();







    }














    @Override







    public int getAcceptLifetime() throws GSSException {







        return 0;







    }














    @Override







    public boolean isInitiatorCredential() throws GSSException {







        return true;







    }














    @Override







    public boolean isAcceptorCredential() throws GSSException {







        return false;







    }














    @Override







    public final Oid getMechanism() {







        return Krb5MechFactory.GSS_KRB5_MECH_OID;







    }














    @Override







    public final java.security.Provider getProvider() {







        return Krb5MechFactory.PROVIDER;







    }














    @Override







    public void dispose() throws GSSException {







        try {







            self.destroy();







        } catch (javax.security.auth.DestroyFailedException e) {







            GSSException gssException =







                new GSSException(GSSException.FAILURE, -1,







                 "Could not destroy credentials - " + e.getMessage());







            gssException.initCause(e);







        }







    }














    @Override







    public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {







        // Cannot impersonate multiple levels without the impersonatee's TGT.







        throw new GSSException(GSSException.FAILURE, -1,







                "Only an initiate credentials can impersonate");







    }














    // Try to see if a default credential should act as an impersonator.







    static Krb5CredElement tryImpersonation(GSSCaller caller,







            Krb5InitCredential initiator) throws GSSException {














        try {







            KerberosTicket proxy = initiator.proxyTicket;







            if (proxy != null) {







                Credentials proxyCreds = Krb5Util.ticketToCreds(proxy);







                return new Krb5ProxyCredential(initiator,







                        Krb5NameElement.getInstance(proxyCreds.getClient()),







                        proxyCreds.getTicket());







            } else {







                return initiator;







            }







        } catch (KrbException | IOException e) {







            throw new GSSException(GSSException.DEFECTIVE_CREDENTIAL, -1,







                    "Cannot create proxy credential");







        }







    }







}






Back to index...