javax.security.auth.kerberos.KerberosPrincipal.java Source code

Java tutorial

Introduction

Here is the source code for javax.security.auth.kerberos.KerberosPrincipal.java

Source

/*
 * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package javax.security.auth.kerberos;

import java.io.*;
import sun.security.krb5.KrbException;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.Realm;
import sun.security.util.*;

/**
 * This class encapsulates a Kerberos principal.
 *
 * @author Mayank Upadhyay
 * @since 1.4
 */

public final class KerberosPrincipal implements java.security.Principal, java.io.Serializable {

    private static final long serialVersionUID = -7374788026156829911L;

    //name types

    /**
     * unknown name type.
     */

    public static final int KRB_NT_UNKNOWN = 0;

    /**
     * user principal name type.
     */

    public static final int KRB_NT_PRINCIPAL = 1;

    /**
     * service and other unique instance (krbtgt) name type.
     */
    public static final int KRB_NT_SRV_INST = 2;

    /**
     * service with host name as instance (telnet, rcommands) name type.
     */

    public static final int KRB_NT_SRV_HST = 3;

    /**
     * service with host as remaining components name type.
     */

    public static final int KRB_NT_SRV_XHST = 4;

    /**
     * unique ID name type.
     */

    public static final int KRB_NT_UID = 5;

    /**
     * Enterprise name (alias)
     */
    public static final int KRB_NT_ENTERPRISE = 10;

    private transient String fullName;

    private transient String realm;

    private transient int nameType;

    /**
     * Constructs a {@code KerberosPrincipal} from the provided string input.
     * The name type for this principal defaults to
     * {@link #KRB_NT_PRINCIPAL KRB_NT_PRINCIPAL}
     * This string is assumed to contain a name in the format
     * that is specified in Section 2.1.1. (Kerberos Principal Name Form) of
     * <a href=http://www.ietf.org/rfc/rfc1964.txt> RFC 1964 </a>
     * (for example, <i>duke@FOO.COM</i>, where <i>duke</i>
     * represents a principal, and <i>FOO.COM</i> represents a realm).
     *
     * <p>If the input name does not contain a realm, the default realm
     * is used. The default realm can be specified either in a Kerberos
     * configuration file or via the java.security.krb5.realm
     * system property. For more information, see the
     * {@extLink security_guide_jgss_tutorial Kerberos Requirements}.
     * Additionally, if a security manager is
     * installed, a {@link ServicePermission} must be granted and the service
     * principal of the permission must minimally be inside the
     * {@code KerberosPrincipal}'s realm. For example, if the result of
     * {@code new KerberosPrincipal("user")} is {@code user@EXAMPLE.COM},
     * then a {@code ServicePermission} with service principal
     * {@code host/www.example.com@EXAMPLE.COM} (and any action)
     * must be granted.
     *
     * @param name the principal name
     * @throws IllegalArgumentException if name is improperly
     * formatted, if name is null, or if name does not contain
     * the realm to use and the default realm is not specified
     * in either a Kerberos configuration file or via the
     * java.security.krb5.realm system property.
     * @throws SecurityException if a security manager is installed and
     * {@code name} does not contain the realm to use, and a proper
     * {@link ServicePermission} as described above is not granted.
     */
    public KerberosPrincipal(String name) {
        this(name, KRB_NT_PRINCIPAL);
    }

    /**
     * Constructs a {@code KerberosPrincipal} from the provided string and
     * name type input.  The string is assumed to contain a name in the
     * format that is specified in Section 2.1 (Mandatory Name Forms) of
     * <a href=http://www.ietf.org/rfc/rfc1964.txt>RFC 1964</a>.
     * Valid name types are specified in Section 6.2 (Principal Names) of
     * <a href=http://www.ietf.org/rfc/rfc4120.txt>RFC 4120</a>.
     * The input name must be consistent with the provided name type.
     * (for example, <i>duke@FOO.COM</i>, is a valid input string for the
     * name type, KRB_NT_PRINCIPAL where <i>duke</i>
     * represents a principal, and <i>FOO.COM</i> represents a realm).
     *
     * <p>If the input name does not contain a realm, the default realm
     * is used. The default realm can be specified either in a Kerberos
     * configuration file or via the java.security.krb5.realm
     * system property. For more information, see the
     * {@extLink security_guide_jgss_tutorial Kerberos Requirements}.
     * Additionally, if a security manager is
     * installed, a {@link ServicePermission} must be granted and the service
     * principal of the permission must minimally be inside the
     * {@code KerberosPrincipal}'s realm. For example, if the result of
     * {@code new KerberosPrincipal("user")} is {@code user@EXAMPLE.COM},
     * then a {@code ServicePermission} with service principal
     * {@code host/www.example.com@EXAMPLE.COM} (and any action)
     * must be granted.
     *
     * @param name the principal name
     * @param nameType the name type of the principal
     * @throws IllegalArgumentException if name is improperly
     * formatted, if name is null, if the nameType is not supported,
     * or if name does not contain the realm to use and the default
     * realm is not specified in either a Kerberos configuration
     * file or via the java.security.krb5.realm system property.
     * @throws SecurityException if a security manager is installed and
     * {@code name} does not contain the realm to use, and a proper
     * {@link ServicePermission} as described above is not granted.
     */

    public KerberosPrincipal(String name, int nameType) {

        PrincipalName krb5Principal = null;

        try {
            // Appends the default realm if it is missing
            krb5Principal = new PrincipalName(name, nameType);
        } catch (KrbException e) {
            throw new IllegalArgumentException(e.getMessage());
        }

        if (krb5Principal.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                try {
                    sm.checkPermission(new ServicePermission("@" + krb5Principal.getRealmAsString(), "-"));
                } catch (SecurityException se) {
                    // Swallow the actual exception to hide info
                    throw new SecurityException("Cannot read realm info");
                }
            }
        }
        this.nameType = nameType;
        fullName = krb5Principal.toString();
        realm = krb5Principal.getRealmString();
    }

    /**
     * Returns the realm component of this Kerberos principal.
     *
     * @return the realm component of this Kerberos principal.
     */
    public String getRealm() {
        return realm;
    }

    /**
     * Returns a hash code for this {@code KerberosPrincipal}. The hash code
     * is defined to be the result of the following calculation:
     * <pre>{@code
     *  hashCode = getName().hashCode();
     * }</pre>
     *
     * @return a hash code for this {@code KerberosPrincipal}.
     */
    public int hashCode() {
        return getName().hashCode();
    }

    /**
     * Compares the specified object with this principal for equality.
     * Returns true if the given object is also a
     * {@code KerberosPrincipal} and the two
     * {@code KerberosPrincipal} instances are equivalent.
     * More formally two {@code KerberosPrincipal} instances are equal
     * if the values returned by {@code getName()} are equal.
     *
     * @param other the object to compare to
     * @return true if the object passed in represents the same principal
     * as this one, false otherwise.
     */
    public boolean equals(Object other) {

        if (other == this)
            return true;

        if (!(other instanceof KerberosPrincipal)) {
            return false;
        }
        String myFullName = getName();
        String otherFullName = ((KerberosPrincipal) other).getName();
        return myFullName.equals(otherFullName);
    }

    /**
     * Save the {@code KerberosPrincipal} object to a stream
     *
     * @serialData this {@code KerberosPrincipal} is serialized
     *          by writing out the PrincipalName and the
     *          Realm in their DER-encoded form as specified in Section 5.2.2 of
     *          <a href=http://www.ietf.org/rfc/rfc4120.txt> RFC4120</a>.
     */
    private void writeObject(ObjectOutputStream oos) throws IOException {

        PrincipalName krb5Principal;
        try {
            krb5Principal = new PrincipalName(fullName, nameType);
            oos.writeObject(krb5Principal.asn1Encode());
            oos.writeObject(krb5Principal.getRealm().asn1Encode());
        } catch (Exception e) {
            throw new IOException(e);
        }
    }

    /**
     * Reads this object from a stream (i.e., deserializes it)
     */
    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        byte[] asn1EncPrincipal = (byte[]) ois.readObject();
        byte[] encRealm = (byte[]) ois.readObject();
        try {
            Realm realmObject = new Realm(new DerValue(encRealm));
            PrincipalName krb5Principal = new PrincipalName(new DerValue(asn1EncPrincipal), realmObject);
            realm = realmObject.toString();
            fullName = krb5Principal.toString();
            nameType = krb5Principal.getNameType();
        } catch (Exception e) {
            throw new IOException(e);
        }
    }

    /**
     * The returned string corresponds to the single-string
     * representation of a Kerberos Principal name as specified in
     * Section 2.1 of <a href=http://www.ietf.org/rfc/rfc1964.txt>RFC 1964</a>.
     *
     * @return the principal name.
     */
    public String getName() {
        return fullName;
    }

    /**
     * Returns the name type of the {@code KerberosPrincipal}. Valid name types
     * are specified in Section 6.2 of
     * <a href=http://www.ietf.org/rfc/rfc4120.txt> RFC4120</a>.
     *
     * @return the name type.
     */
    public int getNameType() {
        return nameType;
    }

    /**
     * Returns an informative textual representation of this {@code KerberosPrincipal}.
     *
     * @return an informative textual representation of this {@code KerberosPrincipal}.
     */
    public String toString() {
        return getName();
    }
}