From 554fd8c5195424bdbcabf5de30fdc183aba391bd Mon Sep 17 00:00:00 2001 From: upstream source tree Date: Sun, 15 Mar 2015 20:14:05 -0400 Subject: obtained gcc-4.6.4.tar.bz2 from upstream website; verified gcc-4.6.4.tar.bz2.sig; imported gcc-4.6.4 source tree from verified upstream tarball. downloading a git-generated archive based on the 'upstream' tag should provide you with a source tree that is binary identical to the one extracted from the above tarball. if you have obtained the source via the command 'git clone', however, do note that line-endings of files in your working directory might differ from line-endings of the respective files in the upstream repository. --- .../security/sasl/AuthenticationException.java | 107 ++++ .../javax/security/sasl/AuthorizeCallback.java | 175 ++++++ .../javax/security/sasl/RealmCallback.java | 77 +++ .../javax/security/sasl/RealmChoiceCallback.java | 73 +++ libjava/classpath/javax/security/sasl/Sasl.java | 694 +++++++++++++++++++++ .../classpath/javax/security/sasl/SaslClient.java | 232 +++++++ .../javax/security/sasl/SaslClientFactory.java | 118 ++++ .../javax/security/sasl/SaslException.java | 189 ++++++ .../classpath/javax/security/sasl/SaslServer.java | 227 +++++++ .../javax/security/sasl/SaslServerFactory.java | 116 ++++ libjava/classpath/javax/security/sasl/package.html | 46 ++ 11 files changed, 2054 insertions(+) create mode 100644 libjava/classpath/javax/security/sasl/AuthenticationException.java create mode 100644 libjava/classpath/javax/security/sasl/AuthorizeCallback.java create mode 100644 libjava/classpath/javax/security/sasl/RealmCallback.java create mode 100644 libjava/classpath/javax/security/sasl/RealmChoiceCallback.java create mode 100644 libjava/classpath/javax/security/sasl/Sasl.java create mode 100644 libjava/classpath/javax/security/sasl/SaslClient.java create mode 100644 libjava/classpath/javax/security/sasl/SaslClientFactory.java create mode 100644 libjava/classpath/javax/security/sasl/SaslException.java create mode 100644 libjava/classpath/javax/security/sasl/SaslServer.java create mode 100644 libjava/classpath/javax/security/sasl/SaslServerFactory.java create mode 100644 libjava/classpath/javax/security/sasl/package.html (limited to 'libjava/classpath/javax/security/sasl') diff --git a/libjava/classpath/javax/security/sasl/AuthenticationException.java b/libjava/classpath/javax/security/sasl/AuthenticationException.java new file mode 100644 index 000000000..0f674645d --- /dev/null +++ b/libjava/classpath/javax/security/sasl/AuthenticationException.java @@ -0,0 +1,107 @@ +/* AuthenticationException.java -- + Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +/** + *

This exception is thrown by a SASL mechanism implementation to indicate + * that the SASL exchange has failed due to reasons related to authentication, + * such as an invalid identity, passphrase, or key.

+ * + *

Note that the lack of an AuthenticationException does not + * mean that the failure was not due to an authentication error. A SASL + * mechanism implementation might throw the more general {@link SaslException} + * instead of AuthenticationException if it is unable to determine + * the nature of the failure, or if does not want to disclose the nature of the + * failure, for example, due to security reasons.

+ * + * @since 1.5 + */ +public class AuthenticationException extends SaslException +{ + + // Constants and variables + // ------------------------------------------------------------------------- + + // Constructor(s) + // ------------------------------------------------------------------------- + + /** + * Constructs a new instance of AuthenticationException. The + * root exception and the detailed message are null. + */ + public AuthenticationException() + { + super(); + } + + /** + * Constructs a new instance of AuthenticationException with a + * detailed message. The root exception is null. + * + * @param detail a possibly null string containing details of + * the exception. + * @see Throwable#getMessage() + */ + public AuthenticationException(String detail) + { + super(detail); + } + + /** + * Constructs a new instance of AuthenticationException with a + * detailed message and a root exception. + * + * @param detail a possibly null string containing details of + * the exception. + * @param ex a possibly null root exception that caused this + * exception. + * @see Throwable#getMessage() + * @see SaslException#getCause() + */ + public AuthenticationException(String detail, Throwable ex) + { + super(detail, ex); + } + + // Class methods + // ------------------------------------------------------------------------- + + // Instance methods + // ------------------------------------------------------------------------- +} diff --git a/libjava/classpath/javax/security/sasl/AuthorizeCallback.java b/libjava/classpath/javax/security/sasl/AuthorizeCallback.java new file mode 100644 index 000000000..fa3b29a3d --- /dev/null +++ b/libjava/classpath/javax/security/sasl/AuthorizeCallback.java @@ -0,0 +1,175 @@ +/* AuthorizeCallback.java -- + Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +import java.io.Serializable; +import javax.security.auth.callback.Callback; + +/** + * This callback is used by {@link SaslServer} to determine whether one entity + * (identified by an authenticated authentication ID) can act on behalf of + * another entity (identified by an authorization ID). + * + * @since 1.5 + */ +public class AuthorizeCallback implements Callback, Serializable +{ + // Constants and variables + // ------------------------------------------------------------------------- + + private static final long serialVersionUID = -2353344186490470805L; + + /** @serial The (authenticated) authentication id to check. */ + private String authenticationID = null; + + /** @serial The authorization id to check. */ + private String authorizationID = null; + + /** + * @serial The id of the authorized entity. If null, the id of the authorized + * entity is authorizationID. + */ + private String authorizedID = null; + + /** + * @serial A flag indicating whether the authentication id is allowed to act + * on behalf of the authorization id. + */ + private boolean authorized = false; + + // Constructor(s) + // ------------------------------------------------------------------------- + + /** + * Constructs an instance of AuthorizeCallback. + * + * @param authnID the (authenticated) authentication ID. + * @param authzID the authorization ID. + */ + public AuthorizeCallback(String authnID, String authzID) + { + super(); + + this.authenticationID = authnID; + this.authorizationID = authzID; + } + + // Class methods + // ------------------------------------------------------------------------- + + // Instance methods + // ------------------------------------------------------------------------- + + /** + * Returns the authentication ID to check. + * + * @return the authentication ID to check + */ + public String getAuthenticationID() + { + return authenticationID; + } + + /** + * Returns the authorization ID to check. + * + * @return the authorization ID to check. + */ + public String getAuthorizationID() + { + return authorizationID; + } + + /** + * Determines if the identity represented by authentication ID is allowed to + * act on behalf of the authorization ID. + * + * @return true if authorization is allowed; false + * otherwise. + * @see #setAuthorized(boolean) + * @see #getAuthorizedID() + */ + public boolean isAuthorized() + { + return authorized; + } + + /** + * Sets if authorization is allowed or not. + * + * @param authorized true if authorization is allowed; + * false otherwise. + * @see #isAuthorized() + * @see #setAuthorizedID(String) + */ + public void setAuthorized(boolean authorized) + { + this.authorized = authorized; + } + + /** + * Returns the ID of the authorized user. + * + * @return the ID of the authorized user. null means the + * authorization failed. + * @see #setAuthorized(boolean) + * @see #setAuthorizedID(String) + */ + public String getAuthorizedID() + { + if (!authorized) + { + return null; + } + return (authorizedID != null ? authorizedID : authorizationID); + } + + /** + * Sets the ID of the authorized entity. Called by handler only when the ID + * is different from {@link #getAuthorizationID()}. For example, the ID might + * need to be canonicalized for the environment in which it will be used. + * + * @see #setAuthorized(boolean) + * @see #getAuthorizedID() + */ + public void setAuthorizedID(String id) + { + this.authorizedID = id; + } +} diff --git a/libjava/classpath/javax/security/sasl/RealmCallback.java b/libjava/classpath/javax/security/sasl/RealmCallback.java new file mode 100644 index 000000000..7cb36433f --- /dev/null +++ b/libjava/classpath/javax/security/sasl/RealmCallback.java @@ -0,0 +1,77 @@ +/* RealmCallback.java -- + Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +import javax.security.auth.callback.TextInputCallback; + +/** + * This callback is used by {@link SaslClient} and {@link SaslServer} to + * retrieve realm information. + * + * @since 1.5 + */ +public class RealmCallback extends TextInputCallback +{ + + /** + * Constructs a RealmCallback with a prompt. + * + * @param prompt the non-null prompt to use to request the realm information. + * @throws IllegalArgumentException if prompt is null + * or empty. + */ + public RealmCallback(String prompt) + { + super(prompt); + } + + /** + * Constructs a RealmCallback with a prompt and default realm + * information. + * + * @param prompt the non-null prompt to use to request the realm information. + * @param defaultRealmInfo the non-null default realm information to use. + * @throws IllegalArgumentException if prompt is null + * or empty, or if defaultRealm is empty or null. + */ + public RealmCallback(String prompt, String defaultRealmInfo) + { + super(prompt, defaultRealmInfo); + } +} diff --git a/libjava/classpath/javax/security/sasl/RealmChoiceCallback.java b/libjava/classpath/javax/security/sasl/RealmChoiceCallback.java new file mode 100644 index 000000000..7068a504b --- /dev/null +++ b/libjava/classpath/javax/security/sasl/RealmChoiceCallback.java @@ -0,0 +1,73 @@ +/* RealmChoiceCallback.java -- + Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +import javax.security.auth.callback.ChoiceCallback; + +/** + * This callback is used by {@link SaslClient} and {@link SaslServer} to obtain + * a realm given a list of realm choices. + * + * @since 1.5 + */ +public class RealmChoiceCallback extends ChoiceCallback +{ + + /** + * Constructs a RealmChoiceCallback with a prompt, a list of + * choices and a default choice. + * + * @param prompt the non-null prompt to use to request the realm. + * @param choices the non-null list of realms to choose from. + * @param defaultChoice the choice to be used as the default when the list of + * choices is displayed. It is an index into the choices array. + * @param multiple true if multiple choices allowed; + * false otherwise. + * @throws IllegalArgumentException if prompt is null + * or empty, if choices has a length of 0, if any + * element from choices is null or empty, or if + * defaultChoice does not fall within the array boundary of + * choices. + */ + public RealmChoiceCallback(String prompt, String[] choices, int defaultChoice, + boolean multiple) + { + super(prompt, choices, defaultChoice, multiple); + } +} diff --git a/libjava/classpath/javax/security/sasl/Sasl.java b/libjava/classpath/javax/security/sasl/Sasl.java new file mode 100644 index 000000000..402ad6ede --- /dev/null +++ b/libjava/classpath/javax/security/sasl/Sasl.java @@ -0,0 +1,694 @@ +/* Sasl.java -- + Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +import java.security.Provider; +import java.security.Security; +import java.util.Enumeration; +import java.util.HashSet; +import java.util.Iterator; +import java.util.Map; +import java.util.Vector; + +import javax.security.auth.callback.CallbackHandler; + +/** + *

A static class for creating SASL clients and servers.

+ * + *

This class defines the policy of how to locate, load, and instantiate SASL + * clients and servers.

+ * + *

For example, an application or library gets a SASL client instance by + * doing something like:

+ * + *
+ *SaslClient sc =
+ *      Sasl.createSaslClient(mechanisms, authorizationID, protocol,
+ *                            serverName, props, callbackHandler);
+ * 
+ * + *

It can then proceed to use the instance to create an authenticated + * connection.

+ * + *

Similarly, a server gets a SASL server instance by using code that looks + * as follows:

+ * + *
+ *SaslServer ss =
+ *      Sasl.createSaslServer(mechanism, protocol, serverName, props,
+ *                            callbackHandler);
+ * 
+ * + * @since 1.5 + */ +public class Sasl +{ + + // Constants and variables + // ------------------------------------------------------------------------- + + /** + *

The name of a property that specifies the quality-of-protection to use. + * The property contains a comma-separated, ordered list of quality-of- + * protection values that the client or server is willing to support. A qop + * value is one of:

+ * + * + * + *

The order of the list specifies the preference order of the client or + * server.

+ * + *

If this property is absent, the default qop is "auth".

+ * + *

The value of this constant is "javax.security.sasl.qop".

+ */ + public static final String QOP = "javax.security.sasl.qop"; + + /** + *

The name of a property that specifies the cipher strength to use. The + * property contains a comma-separated, ordered list of cipher strength + * values that the client or server is willing to support. A strength value + * is one of:

+ * + * + * + *

The order of the list specifies the preference order of the client or + * server. An implementation should allow configuration of the meaning of + * these values. An application may use the Java Cryptography Extension (JCE) + * with JCE-aware mechanisms to control the selection of cipher suites that + * match the strength values.

+ * + *

If this property is absent, the default strength is + * "high,medium,low".

+ * + *

The value of this constant is "javax.security.sasl.strength". + *

+ */ + public static final String STRENGTH = "javax.security.sasl.strength"; + + /** + *

The name of a property that specifies whether the server must authenticate + * to the client. The property contains "true" if the server + * must authenticate the to client; "false" otherwise. The + * default is "false".

+ * + *

The value of this constant is + * "javax.security.sasl.server.authentication".

+ */ + public static final String SERVER_AUTH = "javax.security.sasl.server.authentication"; + + /** + *

The name of a property that specifies the maximum size of the receive + * buffer in bytes of {@link SaslClient}/{@link SaslServer}. The property + * contains the string representation of an integer.

+ * + *

If this property is absent, the default size is defined by the + * mechanism.

+ * + *

The value of this constant is "javax.security.sasl.maxbuffer". + *

+ */ + public static final String MAX_BUFFER = "javax.security.sasl.maxbuffer"; + + /** + *

The name of a property that specifies the maximum size of the raw send + * buffer in bytes of {@link SaslClient}/{@link SaslServer}. The property + * contains the string representation of an integer. The value of this + * property is negotiated between the client and server during the + * authentication exchange.

+ * + *

The value of this constant is "javax.security.sasl.rawsendsize". + *

+ */ + public static final String RAW_SEND_SIZE = "javax.security.sasl.rawsendsize"; + + /** + *

The name of a property that specifies whether mechanisms susceptible + * to simple plain passive attacks (e.g., "PLAIN") are not permitted. The + * property contains "true" if such mechanisms are not + * permitted; "false" if such mechanisms are permitted. The + * default is "false".

+ * + *

The value of this constant is "javax.security.sasl.policy.noplaintext". + *

+ */ + public static final String POLICY_NOPLAINTEXT = "javax.security.sasl.policy.noplaintext"; + + /** + *

The name of a property that specifies whether mechanisms susceptible to + * active (non-dictionary) attacks are not permitted. The property contains + * "true" if mechanisms susceptible to active attacks are not + * permitted; "false" if such mechanisms are permitted. The + * default is "false".

+ * + *

The value of this constant is "javax.security.sasl.policy.noactive". + *

+ */ + public static final String POLICY_NOACTIVE = "javax.security.sasl.policy.noactive"; + + /** + *

The name of a property that specifies whether mechanisms susceptible to + * passive dictionary attacks are not permitted. The property contains + * "true" if mechanisms susceptible to dictionary attacks are + * not permitted; "false" if such mechanisms are permitted. The + * default is "false".

+ * + *

The value of this constant is "javax.security.sasl.policy.nodictionary". + *

+ */ + public static final String POLICY_NODICTIONARY = "javax.security.sasl.policy.nodictionary"; + + /** + *

The name of a property that specifies whether mechanisms that accept + * anonymous login are not permitted. The property contains "true" + * if mechanisms that accept anonymous login are not permitted; "false" + * if such mechanisms are permitted. The default is "false". + *

+ * + *

The value of this constant is "javax.security.sasl.policy.noanonymous". + *

+ */ + public static final String POLICY_NOANONYMOUS = "javax.security.sasl.policy.noanonymous"; + + /** + * The name of a property that specifies whether mechanisms that implement + * forward secrecy between sessions are required. Forward secrecy means that + * breaking into one session will not automatically provide information for + * breaking into future sessions. The property contains "true" + * if mechanisms that implement forward secrecy between sessions are + * required; "false" if such mechanisms are not required. The + * default is "false". + * + *

The value of this constant is "javax.security.sasl.policy.forward". + *

+ */ + public static final String POLICY_FORWARD_SECRECY = "javax.security.sasl.policy.forward"; + + /** + * The name of a property that specifies whether mechanisms that pass client + * credentials are required. The property contains "true" if + * mechanisms that pass client credentials are required; "false" + * if such mechanisms are not required. The default is "false". + * + *

The value of this constant is "javax.security.sasl.policy.credentials". + *

+ */ + public static final String POLICY_PASS_CREDENTIALS = "javax.security.sasl.policy.credentials"; + + /** + *

The name of a property that specifies whether to reuse previously + * authenticated session information. The property contains "true" + * if the mechanism implementation may attempt to reuse previously + * authenticated session information; it contains "false" if the + * implementation must not reuse previously authenticated session information. + * A setting of "true" serves only as a hint; it does not + * necessarily entail actual reuse because reuse might not be possible due to + * a number of reasons, including, but not limited to, lack of mechanism + * support for reuse, expiration of reusable information, and the peer's + * refusal to support reuse. The property's default value is "false". + *

+ * + *

The value of this constant is "javax.security.sasl.reuse". + * Note that all other parameters and properties required to create a SASL + * client/server instance must be provided regardless of whether this + * property has been supplied. That is, you cannot supply any less + * information in anticipation of reuse. Mechanism implementations that + * support reuse might allow customization of its implementation for factors + * such as cache size, timeouts, and criteria for reuseability. Such + * customizations are implementation-dependent.

+ */ + public static final String REUSE = "javax.security.sasl.reuse"; + + private static final String CLIENT_FACTORY_SVC = "SaslClientFactory."; + private static final String SERVER_FACTORY_SVC = "SaslServerFactory."; + private static final String ALIAS = "Alg.Alias."; + + // Constructor(s) + // ------------------------------------------------------------------------- + + private Sasl() + { + super(); + } + + // Class methods + // ------------------------------------------------------------------------- + + /** + * Creates a {@link SaslClient} for the specified mechanism. + * + *

This method uses the JCA Security Provider Framework, described in the + * "Java Cryptography Architecture API Specification & Reference", for + * locating and selecting a {@link SaslClient} implementation.

+ * + *

First, it obtains an ordered list of {@link SaslClientFactory} + * instances from the registered security providers for the + * "SaslClientFactory" service and the specified mechanism. It + * then invokes createSaslClient() on each factory instance on + * the list until one produces a non-null {@link SaslClient} instance. It + * returns the non-null {@link SaslClient} instance, or null if + * the search fails to produce a non-null {@link SaslClient} instance.

+ * + *

A security provider for SaslClientFactory registers with + * the JCA Security Provider Framework keys of the form:

+ * + *
+   *    SaslClientFactory.mechanism_name
+   * 
+ * + *

and values that are class names of implementations of {@link + * SaslClientFactory}.

+ * + *

For example, a provider that contains a factory class, + * com.wiz.sasl.digest.ClientFactory, that supports the + * "DIGEST-MD5" mechanism would register the following entry + * with the JCA:

+ * + *
+   *    SaslClientFactory.DIGEST-MD5     com.wiz.sasl.digest.ClientFactory
+   * 
+ * + *

See the "Java Cryptography Architecture API Specification & + * Reference" for information about how to install and configure security + * service providers.

+ * + * @param mechanisms the non-null list of mechanism names to try. Each is the + * IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5"). + * @param authorizationID the possibly null protocol-dependent + * identification to be used for authorization. If null or + * empty, the server derives an authorization ID from the client's + * authentication credentials. When the SASL authentication completes + * successfully, the specified entity is granted access. + * @param protocol the non-null string name of the protocol for which the + * authentication is being performed (e.g. "ldap"). + * @param serverName the non-null fully-qualified host name of the server to + * authenticate to. + * @param props the possibly null set of properties used to select the SASL + * mechanism and to configure the authentication exchange of the selected + * mechanism. For example, if props contains the {@link Sasl#POLICY_NOPLAINTEXT} + * property with the value "true", then the selected SASL + * mechanism must not be susceptible to simple plain passive attacks. In + * addition to the standard properties declared in this class, other, + * possibly mechanism-specific, properties can be included. Properties not + * relevant to the selected mechanism are ignored. + * @param cbh the possibly null callback handler to used by the + * SASL mechanisms to get further information from the application/library to + * complete the authentication. For example, a SASL mechanism might require + * the authentication ID, password and realm from the caller. The + * authentication ID is requested by using a + * {@link javax.security.auth.callback.NameCallback}. The password is + * requested by using a {@link javax.security.auth.callback.PasswordCallback}. + * The realm is requested by using a {@link RealmChoiceCallback} if there is + * a list of realms to choose from, and by using a {@link RealmCallback} if + * the realm must be entered. + * @return a possibly null {@link SaslClient} created using the + * parameters supplied. If null, the method could not find a + * {@link SaslClientFactory} that will produce one. + * @throws SaslException if a {@link SaslClient} cannot be created because + * of an error. + */ + public static SaslClient createSaslClient(String[] mechanisms, + String authorizationID, + String protocol, + String serverName, + Map props, + CallbackHandler cbh) + throws SaslException + { + if (mechanisms == null) + { + return null; + } + Provider[] providers = Security.getProviders(); + if (providers == null || providers.length == 0) + { + return null; + } + + SaslClient result = null; + SaslClientFactory factory = null; + String m, clazz = null, upper, alias; + int j; + Provider p; + for (int i = 0; i < mechanisms.length; i++) + { + m = mechanisms[i]; + if (m == null) + continue; + for (j = 0; j < providers.length; j++) + { + p = providers[j]; + if (p != null) + { + // try the name as is + clazz = p.getProperty(CLIENT_FACTORY_SVC + m); + if (clazz == null) // try all uppercase + { + upper = m.toUpperCase(); + clazz = p.getProperty(CLIENT_FACTORY_SVC + upper); + if (clazz == null) // try if it's an alias + { + alias = p.getProperty(ALIAS + CLIENT_FACTORY_SVC + m); + if (alias == null) // try all-uppercase alias name + { + alias = p.getProperty(ALIAS + CLIENT_FACTORY_SVC + upper); + if (alias == null) // spit the dummy + continue; + } + clazz = p.getProperty(CLIENT_FACTORY_SVC + alias); + } + } + if (clazz == null) + continue; + else + clazz = clazz.trim(); + } + + try + { + result = null; + factory = (SaslClientFactory) Class.forName(clazz).newInstance(); + result = factory.createSaslClient(mechanisms, authorizationID, + protocol, serverName, props, cbh); + } + catch (ClassCastException ignored) // ignore instantiation exceptions + { + } + catch (ClassNotFoundException ignored) + { + } + catch (InstantiationException ignored) + { + } + catch (IllegalAccessException ignored) + { + } + if (result != null) + return result; + } + } + return null; + } + + /** + * Gets an enumeration of known factories for producing a {@link SaslClient} + * instance. This method uses the same sources for locating factories as + * createSaslClient(). + * + * @return a non-null {@link Enumeration} of known factories for producing a + * {@link SaslClient} instance. + * @see #createSaslClient(String[],String,String,String,Map,CallbackHandler) + */ + public static Enumeration getSaslClientFactories() + { + Vector result = new Vector(); + HashSet names = new HashSet(); + Provider[] providers = Security.getProviders(); + Iterator it; + if (providers != null) + { + Provider p; + String key; + for (int i = 0; i < providers.length; i++) + { + p = providers[i]; + for (it = p.keySet().iterator(); it.hasNext(); ) + { + key = (String) it.next(); + // add key's binding (a) it is a class of a client factory, + // and (b) the key does not include blanks + if (key.startsWith(CLIENT_FACTORY_SVC) && key.indexOf(" ") == -1) + { + names.add(p.getProperty(key)); + break; + } + } + } + } + // we have the factory class names in names; instantiate and enumerate + String c; + for (it = names.iterator(); it.hasNext(); ) + { + c = (String) it.next(); + try + { + SaslClientFactory f = (SaslClientFactory) Class.forName(c).newInstance(); + if (f != null) + result.add(f); + } catch (ClassCastException ignored) { // ignore instantiation exceptions + } catch (ClassNotFoundException ignored) { + } catch (InstantiationException ignored) { + } catch (IllegalAccessException ignored) { + } + } + + return result.elements(); + } + + /** + * Creates a {@link SaslServer} for the specified mechanism. + * + *

This method uses the JCA Security Provider Framework, described in the + * "Java Cryptography Architecture API Specification & Reference", for + * locating and selecting a SaslServer implementation.

+ * + *

First, it obtains an ordered list of {@link SaslServerFactory} + * instances from the registered security providers for the + * "SaslServerFactory" service and the specified mechanism. It + * then invokes createSaslServer() on each factory instance on + * the list until one produces a non-null {@link SaslServer} instance. It + * returns the non-null {@link SaslServer} instance, or null if + * the search fails to produce a non-null {@link SaslServer} instance.

+ * + *

A security provider for {@link SaslServerFactory} registers with the + * JCA Security Provider Framework keys of the form:

+ * + *
+   *    SaslServerFactory.mechanism_name
+   * 
+ * + *

and values that are class names of implementations of {@link + * SaslServerFactory}.

+ * + *

For example, a provider that contains a factory class, + * com.wiz.sasl.digest.ServerFactory, that supports the + * "DIGEST-MD5" mechanism would register the following entry + * with the JCA:

+ * + *
+   *    SaslServerFactory.DIGEST-MD5     com.wiz.sasl.digest.ServerFactory
+   * 
+ * + *

See the "Java Cryptography Architecture API Specification & + * Reference" for information about how to install and configure security + * service providers.

+ * + * @param mechanism the non-null mechanism name. It must be an + * IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5"). + * @param protocol the non-null string name of the protocol for which the + * authentication is being performed (e.g. "ldap"). + * @param serverName the non-null fully qualified host name of the server. + * @param props the possibly null set of properties used to + * select the SASL mechanism and to configure the authentication exchange of + * the selected mechanism. For example, if props contains the {@link + * Sasl#POLICY_NOPLAINTEXT} property with the value "true", then + * the selected SASL mechanism must not be susceptible to simple plain + * passive attacks. In addition to the standard properties declared in this + * class, other, possibly mechanism-specific, properties can be included. + * Properties not relevant to the selected mechanism are ignored. + * @param cbh the possibly null callback handler to used by the + * SASL mechanisms to get further information from the application/library to + * complete the authentication. For example, a SASL mechanism might require + * the authentication ID, password and realm from the caller. The + * authentication ID is requested by using a + * {@link javax.security.auth.callback.NameCallback}. The password is + * requested by using a {@link javax.security.auth.callback.PasswordCallback}. + * The realm is requested by using a {@link RealmChoiceCallback} if there is + * a list of realms to choose from, and by using a {@link RealmCallback} if + * the realm must be entered. + * @return a possibly null {@link SaslServer} created using the + * parameters supplied. If null, the method cannot find a + * {@link SaslServerFactory} instance that will produce one. + * @throws SaslException if a {@link SaslServer} instance cannot be created + * because of an error. + */ + public static SaslServer createSaslServer(String mechanism, String protocol, + String serverName, + Map props, + CallbackHandler cbh) + throws SaslException + { + if (mechanism == null) + return null; + Provider[] providers = Security.getProviders(); + if (providers == null || providers.length == 0) + return null; + + SaslServer result = null; + SaslServerFactory factory = null; + String clazz = null, upper, alias = null; + int j; + Provider p; + for (j = 0; j < providers.length; j++) + { + p = providers[j]; + if (p != null) + { + // try the name as is + clazz = p.getProperty(SERVER_FACTORY_SVC + mechanism); + if (clazz == null) // try all uppercase + { + upper = mechanism.toUpperCase(); + clazz = p.getProperty(SERVER_FACTORY_SVC + upper); + if (clazz == null) // try if it's an alias + { + alias = p.getProperty(ALIAS + SERVER_FACTORY_SVC + mechanism); + if (alias == null) // try all-uppercase alias name + { + alias = p.getProperty(ALIAS + SERVER_FACTORY_SVC + upper); + if (alias == null) // spit the dummy + continue; + } + } + clazz = p.getProperty(SERVER_FACTORY_SVC + alias); + } + } + if (clazz == null) + continue; + else + clazz = clazz.trim(); + + try + { + result = null; + factory = (SaslServerFactory) Class.forName(clazz).newInstance(); + result = + factory.createSaslServer(mechanism, protocol, serverName, props, cbh); + } + catch (ClassCastException ignored) // ignore instantiation exceptions + { + } + catch (ClassNotFoundException ignored) + { + } + catch (InstantiationException ignored) + { + } + catch (IllegalAccessException ignored) + { + } + if (result != null) + return result; + } + return null; + } + + /** + * Gets an enumeration of known factories for producing a {@link SaslServer} + * instance. This method uses the same sources for locating factories as + * createSaslServer(). + * + * @return a non-null {@link Enumeration} of known factories for producing a + * {@link SaslServer} instance. + * @see #createSaslServer(String,String,String,Map,CallbackHandler) + */ + public static Enumeration getSaslServerFactories() + { + Vector result = new Vector(); + HashSet names = new HashSet(); + Provider[] providers = Security.getProviders(); + Iterator it; + if (providers != null) + { + Provider p; + String key; + for (int i = 0; i < providers.length; i++) + { + p = providers[i]; + for (it = p.keySet().iterator(); it.hasNext(); ) + { + key = (String) it.next(); + // add key's binding (a) it is a class of a server factory, + // and (b) the key does not include blanks + if (key.startsWith(SERVER_FACTORY_SVC) && key.indexOf(" ") == -1) + { + names.add(p.getProperty(key)); + break; + } + } + } + } + // we have the factory class names in names; instantiate and enumerate + String c; + for (it = names.iterator(); it.hasNext(); ) + { + c = (String) it.next(); + try + { + SaslServerFactory f = (SaslServerFactory) Class.forName(c).newInstance(); + if (f != null) + result.add(f); + } + catch (ClassCastException ignored) // ignore instantiation exceptions + { + } + catch (ClassNotFoundException ignored) + { + } + catch (InstantiationException ignored) + { + } + catch (IllegalAccessException ignored) + { + } + } + + return result.elements(); + } +} diff --git a/libjava/classpath/javax/security/sasl/SaslClient.java b/libjava/classpath/javax/security/sasl/SaslClient.java new file mode 100644 index 000000000..58eb5e298 --- /dev/null +++ b/libjava/classpath/javax/security/sasl/SaslClient.java @@ -0,0 +1,232 @@ +/* SaslClient.java -- + Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +/** + *

Performs SASL authentication as a client.

+ * + *

A protocol library such as one for LDAP gets an instance of this class in + * order to perform authentication defined by a specific SASL mechanism. + * Invoking methods on the SaslClient instance process challenges + * and create responses according to the SASL mechanism implemented by the + * SaslClient. As the authentication proceeds, the instance + * encapsulates the state of a SASL client's authentication exchange.

+ * + *

Here's an example of how an LDAP library might use a SaslClient. + * It first gets an instance of a SaslClient:

+ *
+ *SaslClient sc =
+ *      Sasl.createSaslClient(mechanisms, authorizationID, protocol,
+ *                            serverName, props, callbackHandler);
+ * 
+ * + *

It can then proceed to use the client for authentication. For example, an + * LDAP library might use the client as follows:

+ *
+ * // Get initial response and send to server
+ *byte[] response = sc.hasInitialResponse()
+ *      ? sc.evaluateChallenge(new byte[0]) : null;
+ *LdapResult res = ldap.sendBindRequest(dn, sc.getName(), response);
+ *while (!sc.isComplete()
+ *       && ((res.status == SASL_BIND_IN_PROGRESS) || (res.status == SUCCESS))) {
+ *   response = sc.evaluateChallenge( res.getBytes() );
+ *   if (res.status == SUCCESS) {
+ *      // we're done; don't expect to send another BIND
+ *      if ( response != null ) {
+ *         throw new SaslException(
+ *               "Protocol error: attempting to send response after completion");
+ *      }
+ *      break;
+ *   }
+ *   res = ldap.sendBindRequest(dn, sc.getName(), response);
+ *}
+ *if (sc.isComplete() && (res.status == SUCCESS) ) {
+ *   String qop = (String)sc.getNegotiatedProperty(Sasl.QOP);
+ *   if ((qop != null)
+ *         && (qop.equalsIgnoreCase("auth-int")
+ *            || qop.equalsIgnoreCase("auth-conf"))) {
+ *      // Use SaslClient.wrap() and SaslClient.unwrap() for future
+ *      // communication with server
+ *      ldap.in = new SecureInputStream(sc, ldap.in);
+ *      ldap.out = new SecureOutputStream(sc, ldap.out);
+ *   }
+ *}
+ * 
+ * + *

If the mechanism has an initial response, the library invokes + * {@link #evaluateChallenge(byte[])} with an empty challenge to get the initial + * response. Protocols such as IMAP4, which do not include an initial response + * with their first authentication command to the server, initiate the + * authentication without first calling {@link #hasInitialResponse()} or + * {@link #evaluateChallenge(byte[])}. When the server responds to the command, + * it sends an initial challenge. For a SASL mechanism in which the client sends + * data first, the server should have issued a challenge with no data. This will + * then result in a call (on the client) to {@link #evaluateChallenge(byte[])} + * with an empty challenge.

+ * + * @see Sasl + * @see SaslClientFactory + * + * @since 1.5 + */ +public interface SaslClient +{ + + /** + * Returns the IANA-registered mechanism name of this SASL client. (e.g. + * "CRAM-MD5", "GSSAPI"). + * + * @return a non-null string representing the IANA-registered mechanism name. + */ + String getMechanismName(); + + /** + * Determines if this mechanism has an optional initial response. If + * true, caller should call {@link #evaluateChallenge(byte[])} + * with an empty array to get the initial response. + * + * @return true if this mechanism has an initial response. + */ + boolean hasInitialResponse(); + + /** + * Evaluates the challenge data and generates a response. If a challenge is + * received from the server during the authentication process, this method is + * called to prepare an appropriate next response to submit to the server. + * + * @param challenge the non-null challenge sent from the server. The + * challenge array may have zero length. + * @return the possibly null reponse to send to the server. It + * is null if the challenge accompanied a "SUCCESS" status and + * the challenge only contains data for the client to update its state and no + * response needs to be sent to the server. The response is a zero-length + * byte array if the client is to send a response with no data. + * @throws SaslException if an error occurred while processing the challenge + * or generating a response. + */ + byte[] evaluateChallenge(byte[] challenge) throws SaslException; + + /** + * Determines if the authentication exchange has completed. This method may + * be called at any time, but typically, it will not be called until the + * caller has received indication from the server (in a protocol-specific + * manner) that the exchange has completed. + * + * @return true if the authentication exchange has completed; + * false otherwise. + */ + boolean isComplete(); + + /** + *

Unwraps a byte array received from the server. This method can be + * called only after the authentication exchange has completed (i.e., when + * {@link #isComplete()} returns true) and only if the + * authentication exchange has negotiated integrity and/or privacy as the + * quality of protection; otherwise, an {@link IllegalStateException} is + * thrown.

+ * + *

incoming is the contents of the SASL buffer as defined in + * RFC 2222 without the leading four octet field that represents the length. + * offset and len specify the portion of incoming + * to use.

+ * + * @param incoming a non-null byte array containing the encoded bytes from + * the server. + * @param offset the starting position at incoming of the bytes + * to use. + * @param len the number of bytes from incoming to use. + * @return a non-null byte array containing the decoded bytes. + * @throws SaslException if incoming cannot be successfully + * unwrapped. + * @throws IllegalStateException if the authentication exchange has not + * completed, or if the negotiated quality of protection has neither + * integrity nor privacy. + */ + byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException; + + /** + *

Wraps a byte array to be sent to the server. This method can be called + * only after the authentication exchange has completed (i.e., when + * {@link #isComplete()} returns true) and only if the + * authentication exchange has negotiated integrity and/or privacy as the + * quality of protection; otherwise, an {@link IllegalStateException} is + * thrown.

+ * + *

The result of this method will make up the contents of the SASL buffer + * as defined in RFC 2222 without the leading four octet field that + * represents the length. offset and len specify + * the portion of outgoing to use.

+ * + * @param outgoing a non-null byte array containing the bytes to encode. + * @param offset the starting position at outgoing of the bytes + * to use. + * @param len the number of bytes from outgoing to use. + * @return a non-null byte array containing the encoded bytes. + * @throws SaslException if outgoing cannot be successfully + * wrapped. + * @throws IllegalStateException if the authentication exchange has not + * completed, or if the negotiated quality of protection has neither + * integrity nor privacy. + */ + byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException; + + /** + * Retrieves the negotiated property. This method can be called only after + * the authentication exchange has completed (i.e., when {@link #isComplete()} + * returns true); otherwise, an {@link IllegalStateException} is + * thrown. + * + * @param propName the non-null property name. + * @return the value of the negotiated property. If null, the + * property was not negotiated or is not applicable to this mechanism. + * @throws IllegalStateException if this authentication exchange has not + * completed. + */ + Object getNegotiatedProperty(String propName); + + /** + * Disposes of any system resources or security-sensitive information the + * SaslClient might be using. Invoking this method invalidates + * the SaslClient instance. This method is idempotent. + * + * @throws SaslException if a problem was encountered while disposing of the + * resources. + */ + void dispose() throws SaslException; +} diff --git a/libjava/classpath/javax/security/sasl/SaslClientFactory.java b/libjava/classpath/javax/security/sasl/SaslClientFactory.java new file mode 100644 index 000000000..be80fd9f1 --- /dev/null +++ b/libjava/classpath/javax/security/sasl/SaslClientFactory.java @@ -0,0 +1,118 @@ +/* SaslClientFactory.java + Copyright (C) 2003, 2005, Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +import java.util.Map; + +import javax.security.auth.callback.CallbackHandler; + +/** + *

An interface for creating instances of {@link SaslClient}. A class that + * implements this interface must be thread-safe and handle multiple + * simultaneous requests. It must also have a public constructor that accepts + * no arguments.

+ * + *

This interface is not normally accessed directly by a client, which will + * use the {@link Sasl} static methods to create a client instance instead. + * However, a particular environment may provide and install a new or different + * SaslClientFactory.

+ * + * @see SaslClient + * @see Sasl + * + * @since 1.5 + */ +public interface SaslClientFactory +{ + + /** + * Creates a {@link SaslClient} using the parameters supplied. + * + * @param mechanisms the non-null list of mechanism names to try. Each is the + * IANA-registered name of a SASL mechanism (e.g. "GSSAPI", "CRAM-MD5"). + * @param authorizationID the possibly null protocol-dependent identification + * to be used for authorization. If null or empty, the server + * derives an authorization ID from the client's authentication credentials. + * When the SASL authentication completes successfully, the specified entity + * is granted access. + * @param protocol the non-null string name of the protocol for which the + * authentication is being performed (e.g. "ldap"). + * @param serverName the non-null fully qualified host name of the server to + * authenticate to. + * @param props the possibly null set of properties used to + * select the SASL mechanism and to configure the authentication exchange of + * the selected mechanism. See the {@link Sasl} class for a list of standard + * properties. Other, possibly mechanism-specific, properties can be included. + * Properties not relevant to the selected mechanism are ignored. + * @param cbh the possibly null callback handler to used by the + * SASL mechanisms to get further information from the application/library to + * complete the authentication. For example, a SASL mechanism might require + * the authentication ID, password and realm from the caller. The + * authentication ID is requested by using a + * {@link javax.security.auth.callback.NameCallback}. The password is + * requested by using a {@link javax.security.auth.callback.PasswordCallback}. + * The realm is requested by using a {@link RealmChoiceCallback} if there is + * a list of realms to choose from, and by using a {@link RealmCallback} if + * the realm must be entered. + * @return a possibly null {@link SaslClient} created using the + * parameters supplied. If null, this factory cannot produce a + * {@link SaslClient} using the parameters supplied. + * @throws SaslException if a {@link SaslClient} instance cannot be created + * because of an error. + */ + SaslClient createSaslClient(String[] mechanisms, String authorizationID, + String protocol, String serverName, + Map props, CallbackHandler cbh) + throws SaslException; + + /** + * Returns an array of names of mechanisms that match the specified mechanism + * selection policies. + * + * @param props the possibly null set of properties used to + * specify the security policy of the SASL mechanisms. For example, if props + * contains the {@link Sasl#POLICY_NOPLAINTEXT} property with the value + * "true", then the factory must not return any SASL mechanisms + * that are susceptible to simple plain passive attacks. See the {@link Sasl} + * class for a complete list of policy properties. Non-policy related + * properties, if present in props, are ignored. + * @return a non-null array containing IANA-registered SASL mechanism names. + */ + String[] getMechanismNames(Map props); +} diff --git a/libjava/classpath/javax/security/sasl/SaslException.java b/libjava/classpath/javax/security/sasl/SaslException.java new file mode 100644 index 000000000..f4407e761 --- /dev/null +++ b/libjava/classpath/javax/security/sasl/SaslException.java @@ -0,0 +1,189 @@ +/* SaslException.java + Copyright (C) 2003, 2005, Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +import gnu.java.lang.CPStringBuilder; + +import java.io.IOException; +import java.io.PrintStream; +import java.io.PrintWriter; +import java.io.Serializable; + +/** + * This class represents an error that has occurred when using SASL. + * + * @since 1.5 + */ +public class SaslException extends IOException implements Serializable +{ + + // Constants and variables + // ------------------------------------------------------------------------- + + private static final long serialVersionUID = 4579784287983423626L; + + /** + * @serial The possibly null root cause exception. + */ + private Throwable _exception = null; + + // Constructor(s) + // ------------------------------------------------------------------------- + + /** + * Constructs a new instance of SaslException. The root + * exception and the detailed message are null. + */ + public SaslException() + { + super(); + } + + /** + * Constructs a new instance of SaslException with a detailed + * message. The root exception is null. + * + * @param detail a possibly null string containing details of the exception. + * @see Throwable#getMessage() + */ + public SaslException(String detail) + { + super(detail); + } + + /** + * Constructs a new instance of SaslException with a detailed + * message and a root exception. For example, a SaslException + * might result from a problem with the callback handler, which might throw a + * {@link javax.security.auth.callback.UnsupportedCallbackException} if it + * does not support the requested callback, or throw an {@link IOException} + * if it had problems obtaining data for the callback. The + * SaslException's root exception would be then be the exception + * thrown by the callback handler. + * + * @param detail a possibly null string containing details of + * the exception. + * @param ex a possibly null root exception that caused this + * exception. + * @see Throwable#getMessage() + * @see #getCause() + */ + public SaslException(String detail, Throwable ex) + { + super(detail); + _exception = ex; + } + + // Class methods + // ------------------------------------------------------------------------- + + // Instance methods + // ------------------------------------------------------------------------- + + /** + * Returns the cause of this throwable or null if the cause is + * nonexistent or unknown. The cause is the throwable that caused this + * exception to be thrown. + * + * @return the possibly null exception that caused this exception. + */ + public Throwable getCause() + { + return _exception; + } + + /** + * Prints this exception's stack trace to System.err. If this + * exception has a root exception; the stack trace of the root exception is + * also printed to System.err. + */ + public void printStackTrace() + { + super.printStackTrace(); + if (_exception != null) + _exception.printStackTrace(); + } + + /** + * Prints this exception's stack trace to a print stream. If this exception + * has a root exception; the stack trace of the root exception is also + * printed to the print stream. + * + * @param ps the non-null print stream to which to print. + */ + public void printStackTrace(PrintStream ps) + { + super.printStackTrace(ps); + if (_exception != null) + _exception.printStackTrace(ps); + } + + /** + * Prints this exception's stack trace to a print writer. If this exception + * has a root exception; the stack trace of the root exception is also + * printed to the print writer. + * + * @param pw the non-null print writer to use for output. + */ + public void printStackTrace(PrintWriter pw) + { + super.printStackTrace(pw); + if (_exception != null) + _exception.printStackTrace(pw); + } + + /** + * Returns the string representation of this exception. The string + * representation contains this exception's class name, its detailed + * messsage, and if it has a root exception, the string representation of the + * root exception. This string representation is meant for debugging and not + * meant to be interpreted programmatically. + * + * @return the non-null string representation of this exception. + * @see Throwable#getMessage() + */ + public String toString() + { + CPStringBuilder sb = new CPStringBuilder(this.getClass().getName()) + .append(": ").append(super.toString()); + if (_exception != null) + sb.append("; caused by: ").append(_exception.toString()); + return sb.toString(); + } +} diff --git a/libjava/classpath/javax/security/sasl/SaslServer.java b/libjava/classpath/javax/security/sasl/SaslServer.java new file mode 100644 index 000000000..d30b8f6ba --- /dev/null +++ b/libjava/classpath/javax/security/sasl/SaslServer.java @@ -0,0 +1,227 @@ +/* SaslServer.java + Copyright (C) 2003, 2005, Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +/** + *

Performs SASL authentication as a server.

+ * + *

A server such as an LDAP server gets an instance of this class in order to + * perform authentication defined by a specific SASL mechanism. Invoking methods + * on the SaslServer instance generates challenges corresponding to + * the SASL mechanism implemented by the SaslServer instance. As + * the authentication proceeds, the instance encapsulates the state of a SASL + * server's authentication exchange.

+ * + *

Here's an example of how an LDAP server might use a SaslServer + * instance. It first gets an instance of a SaslServer for the SASL + * mechanism requested by the client:

+ * + *
+ *SaslServer ss =
+ *      Sasl.createSaslServer(mechanism, "ldap", myFQDN, props, callbackHandler);
+ * 
+ * + *

It can then proceed to use the server for authentication. For example, + * suppose the LDAP server received an LDAP BIND request containing the name of + * the SASL mechanism and an (optional) initial response. It then might use the + * server as follows:

+ * + *
+ *while (!ss.isComplete()) {
+ *   try {
+ *      byte[] challenge = ss.evaluateResponse(response);
+ *      if (ss.isComplete()) {
+ *         status = ldap.sendBindResponse(mechanism, challenge, SUCCESS);
+ *      } else {
+ *         status = ldap.sendBindResponse(mechanism, challenge, SASL_BIND_IN_PROGRESS);
+ *         response = ldap.readBindRequest();
+ *      }
+ *   } catch (SaslException x) {
+ *      status = ldap.sendErrorResponse(x);
+ *      break;
+ *   }
+ *}
+ *if (ss.isComplete() && (status == SUCCESS)) {
+ *   String qop = (String) sc.getNegotiatedProperty(Sasl.QOP);
+ *   if (qop != null
+ *         && (qop.equalsIgnoreCase("auth-int")
+ *            || qop.equalsIgnoreCase("auth-conf"))) {
+ *      // Use SaslServer.wrap() and SaslServer.unwrap() for future
+ *      // communication with client
+ *      ldap.in = new SecureInputStream(ss, ldap.in);
+ *      ldap.out = new SecureOutputStream(ss, ldap.out);
+ *   }
+ *}
+ * 
+ * + * @see Sasl + * @see SaslServerFactory + * + * @since 1.5 + */ +public interface SaslServer +{ + + /** + * Returns the IANA-registered mechanism name of this SASL server (e.g. + * "CRAM-MD5", "GSSAPI"). + * + * @return a non-null string representing the IANA-registered mechanism name. + */ + String getMechanismName(); + + /** + * Evaluates the response data and generates a challenge. If a response is + * received from the client during the authentication process, this method is + * called to prepare an appropriate next challenge to submit to the client. + * The challenge is null if the authentication has succeeded and + * no more challenge data is to be sent to the client. It is non-null if the + * authentication must be continued by sending a challenge to the client, or + * if the authentication has succeeded but challenge data needs to be + * processed by the client. {@link #isComplete()} should be called after each + * call to evaluateResponse(),to determine if any further + * response is needed from the client. + * + * @param response the non-null (but possibly empty) response sent by the + * client. + * @return the possibly null challenge to send to the client. + * It is null if the authentication has succeeded and there is + * no more challenge data to be sent to the client. + * @throws SaslException if an error occurred while processing the response + * or generating a challenge. + */ + byte[] evaluateResponse(byte[] response) throws SaslException; + + /** + * Determines if the authentication exchange has completed. This method is + * typically called after each invocation of {@link #evaluateResponse(byte[])} + * to determine whether the authentication has completed successfully or + * should be continued. + * + * @return true if the authentication exchange has completed; + * false otherwise. + */ + boolean isComplete(); + + /** + * Reports the authorization ID in effect for the client of this session This + * method can only be called if {@link #isComplete()} returns true. + * + * @return the authorization ID of the client. + * @throws IllegalStateException if this authentication session has not + * completed. + */ + String getAuthorizationID(); + + /** + *

Unwraps a byte array received from the client. This method can be called + * only after the authentication exchange has completed (i.e., when + * {@link #isComplete()} returns true) and only if the + * authentication exchange has negotiated integrity and/or privacy as the + * quality of protection; otherwise, an {@link IllegalStateException} is + * thrown.

+ * + *

incoming is the contents of the SASL buffer as defined in + * RFC 2222 without the leading four octet field that represents the length. + * offset and len specify the portion of incoming + * to use.

+ * + * @param incoming a non-null byte array containing the encoded bytes from + * the client. + * @param offset the starting position at incoming of the bytes + * to use. + * @param len the number of bytes from incoming to use. + * @return a non-null byte array containing the decoded bytes. + * @throws SaslException if incoming cannot be successfully + * unwrapped. + * @throws IllegalStateException if the authentication exchange has not + * completed, or if the negotiated quality of protection has neither + * integrity nor privacy. + */ + byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException; + + /** + *

Wraps a byte array to be sent to the client. This method can be called + * only after the authentication exchange has completed (i.e., when + * {@link #isComplete()} returns true) and only if the + * authentication exchange has negotiated integrity and/or privacy as the + * quality of protection; otherwise, an {@link IllegalStateException} is + * thrown.

+ * + *

The result of this method will make up the contents of the SASL buffer + * as defined in RFC 2222 without the leading four octet field that + * represents the length. offset and len specify + * the portion of outgoing to use. + * + * @param outgoing a non-null byte array containing the bytes to encode. + * @param offset the starting position at outgoing of the bytes + * to use. + * @param len the number of bytes from outgoing to use. + * @return a non-null byte array containing the encoded bytes. + * @throws SaslException if outgoing cannot be successfully + * wrapped. + * @throws IllegalStateException if the authentication exchange has not + * completed, or if the negotiated quality of protection has neither + * integrity nor privacy. + */ + byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException; + + /** + * Retrieves the negotiated property. This method can be called only after + * the authentication exchange has completed (i.e., when + * {@link #isComplete()} returns true); otherwise, an + * {@link IllegalStateException} is thrown. + * + * @return the value of the negotiated property. If null, the + * property was not negotiated or is not applicable to this mechanism. + * @throws IllegalStateException if this authentication exchange has not + * completed. + */ + Object getNegotiatedProperty(String propName); + + /** + * Disposes of any system resources or security-sensitive information the + * SaslServer might be using. Invoking this method invalidates + * the SaslServer instance. This method is idempotent. + * + * @throws SaslException if a problem was encountered while disposing of the + * resources. + */ + void dispose() throws SaslException; +} diff --git a/libjava/classpath/javax/security/sasl/SaslServerFactory.java b/libjava/classpath/javax/security/sasl/SaslServerFactory.java new file mode 100644 index 000000000..b51ce3dba --- /dev/null +++ b/libjava/classpath/javax/security/sasl/SaslServerFactory.java @@ -0,0 +1,116 @@ +/* SaslServerFactory.java + Copyright (C) 2003, 2005, Free Software Foundation, Inc. + +This file is part of GNU Classpath. + +GNU Classpath is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +GNU Classpath is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with GNU Classpath; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. */ + + +package javax.security.sasl; + +import java.util.Map; + +import javax.security.auth.callback.CallbackHandler; + +/** + *

An interface for creating instances of {@link SaslServer}. A class that + * implements this interface must be thread-safe and handle multiple + * simultaneous requests. It must also have a public constructor that accepts + * no arguments.

+ * + *

This interface is not normally accessed directly by a server, which will + * use the {@link Sasl} static methods to create a {@link SaslServer} instance + * instead. However, a particular environment may provide and install a new or + * different SaslServerFactory.

+ * + * @see SaslServer + * @see Sasl + * + * @since 1.5 + */ +public interface SaslServerFactory +{ + + /** + * Creates a {@link SaslServer} instance using the parameters supplied. It + * returns null if no {@link SaslServer} instance can be created + * using the parameters supplied. Throws {@link SaslException} if it cannot + * create a {@link SaslServer} because of an error. + * + * @param mechanism the non-null IANA-registered name of a SASL mechanism + * (e.g. "GSSAPI", "CRAM-MD5"). + * @param protocol the non-null string name of the protocol for which the + * authentication is being performed (e.g. "ldap"). + * @param serverName the non-null fully qualified host name of the server to + * authenticate to. + * @param props the possibly null set of properties used to select the SASL + * mechanism and to configure the authentication exchange of the selected + * mechanism. See the {@link Sasl} class for a list of standard properties. + * Other, possibly mechanism-specific, properties can be included. Properties + * not relevant to the selected mechanism are ignored. + * @param cbh the possibly null callback handler to used by the SASL + * mechanisms to get further information from the application/library to + * complete the authentication. For example, a SASL mechanism might require + * the authentication ID, password and realm from the caller. The + * authentication ID is requested by using a + * {@link javax.security.auth.callback.NameCallback}. The password is + * requested by using a {@link javax.security.auth.callback.PasswordCallback}. + * The realm is requested by using a {@link RealmChoiceCallback} if there is + * a list of realms to choose from, and by using a {@link RealmCallback} if + * the realm must be entered. + * @return a possibly null {@link SaslServer} created using the parameters + * supplied. If null is returned, it means that this factory + * cannot produce a {@link SaslServer} using the parameters supplied. + * @throws SaslException if a SaslServer instance cannot be created because + * of an error. + */ + SaslServer createSaslServer(String mechanism, String protocol, + String serverName, Map props, + CallbackHandler cbh) + throws SaslException; + + /** + * Returns an array of names of mechanisms that match the specified mechanism + * selection policies. + * + * @param props the possibly null set of properties used to + * specify the security policy of the SASL mechanisms. For example, if props + * contains the {@link Sasl#POLICY_NOPLAINTEXT} property with the value + * "true", then the factory must not return any SASL mechanisms + * that are susceptible to simple plain passive attacks. See the {@link Sasl} + * class for a complete list of policy properties. Non-policy related + * properties, if present in props, are ignored. + * @return a non-null array containing IANA-registered SASL mechanism names. + */ + String[] getMechanismNames(Map props); +} diff --git a/libjava/classpath/javax/security/sasl/package.html b/libjava/classpath/javax/security/sasl/package.html new file mode 100644 index 000000000..4cde67043 --- /dev/null +++ b/libjava/classpath/javax/security/sasl/package.html @@ -0,0 +1,46 @@ + + + + +GNU Classpath - javax.security.sasl + + +

+ + + -- cgit v1.2.3