Class GSSAuthenticator


  • public class GSSAuthenticator
    extends java.lang.Object
    Class providing basic GSS authentication services. Can be used as-is, but is often extended to provide environment specific implementations.
    • Method Summary

      Modifier and Type Method Description
      org.ietf.jgss.GSSCredential getGSSCredential(org.ietf.jgss.GSSManager mgr)
      Overridable method to get a GSS accept credential suitable for the current environment.
      org.ietf.jgss.GSSManager getGSSManager()
      Overridable method to get a GSS manager suitable for the current environment.
      void setKeytabFile(java.lang.String keytabFile)
      Set the location of the Kerberos keytab.
      void setServicePrincipalName(java.lang.String servicePrincipalName)
      Set the service principal name to be used.
      boolean validateIdentity(ServerSession session, java.lang.String identity)
      Validate the source identity obtained from the context after negotiation is complete.
      boolean validateInitialUser(ServerSession session, java.lang.String user)
      Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • servicePrincipalName

        private java.lang.String servicePrincipalName
      • keytabFile

        private java.lang.String keytabFile
    • Constructor Detail

      • GSSAuthenticator

        public GSSAuthenticator()
    • Method Detail

      • getGSSManager

        public org.ietf.jgss.GSSManager getGSSManager()
        Overridable method to get a GSS manager suitable for the current environment.
        Returns:
        A new manager
      • getGSSCredential

        public org.ietf.jgss.GSSCredential getGSSCredential(org.ietf.jgss.GSSManager mgr)
                                                     throws java.net.UnknownHostException,
                                                            javax.security.auth.login.LoginException,
                                                            org.ietf.jgss.GSSException
        Overridable method to get a GSS accept credential suitable for the current environment. The default implementation uses a Kerberos key table.
        Parameters:
        mgr - The GSS manager
        Returns:
        The credential; if the result is null, gssapi authentication fails immediately
        Throws:
        java.net.UnknownHostException - If the local host name could not be determined
        javax.security.auth.login.LoginException - If the subject could not be found
        org.ietf.jgss.GSSException - If the credential could not be obtained
      • validateInitialUser

        public boolean validateInitialUser(ServerSession session,
                                           java.lang.String user)
        Validate the user name passed in the initial SSH_MSG_USERAUTH_REQUEST message. RFC 4462 loosely mandates this check, but it may be more useful to wait until the GSS negotiation has completed. The default implementation here always succeeds.
        Parameters:
        session - The current session
        user - The user name from the initial request
        Returns:
        true if the user is valid, false if invalid
      • validateIdentity

        public boolean validateIdentity(ServerSession session,
                                        java.lang.String identity)
        Validate the source identity obtained from the context after negotiation is complete. The default implementation here always succeeds.
        Parameters:
        session - The current session
        identity - The identity from the GSS context
        Returns:
        true if the identity is valid, false if invalid
      • setServicePrincipalName

        public void setServicePrincipalName(java.lang.String servicePrincipalName)
        Set the service principal name to be used. The default is host/hostname.
        Parameters:
        servicePrincipalName - The principal name
      • setKeytabFile

        public void setKeytabFile(java.lang.String keytabFile)
        Set the location of the Kerberos keytab. The default is defined by the JRE.
        Parameters:
        keytabFile - The location of the keytab
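Because both validation hooks succeed by default, any principal that can complete a GSS exchange against the service key is accepted regardless of which SSH user name it asked for. The subclass below is an added example, not the project's own code: it overrides validateInitialUser and validateIdentity so the negotiated Kerberos principal must be "user@REALM" for the session's requested user name. The package paths of GSSAuthenticator and ServerSession, and the ServerSession.getUsername() accessor, are assumptions about the surrounding library; the realm and user names are constructed sample values.

```java
import java.util.Set;

import org.apache.sshd.server.auth.gss.GSSAuthenticator;   // assumed package path
import org.apache.sshd.server.session.ServerSession;       // assumed package path

/** Binds the Kerberos principal negotiated by GSS-API to the SSH user name of the session. */
public class StrictGSSAuthenticator extends GSSAuthenticator {
    private final String realm;            // realm whose principals may log in
    private final Set<String> allowedUsers; // SSH user names this server accepts

    public StrictGSSAuthenticator(String realm, Set<String> allowedUsers) {
        this.realm = realm;
        this.allowedUsers = allowedUsers;
    }

    /** Cheap first filter: reject unknown user names before the GSS exchange starts. */
    @Override
    public boolean validateInitialUser(ServerSession session, String user) {
        return allowedUsers.contains(user);
    }

    /** After negotiation, the principal's user part must equal the session's user name. */
    @Override
    public boolean validateIdentity(ServerSession session, String identity) {
        String user = principalToUser(identity, realm);   // null unless realm matches
        // getUsername() is assumed to return the user name from SSH_MSG_USERAUTH_REQUEST
        return user != null && user.equals(session.getUsername()) && allowedUsers.contains(user);
    }

    /** Maps "name@REALM" to "name"; null for other realms, service principals or malformed names. */
    static String principalToUser(String identity, String realm) {
        if (identity == null) return null;
        int at = identity.lastIndexOf('@');
        if (at <= 0 || at == identity.length() - 1) return null;
        if (!identity.substring(at + 1).equals(realm)) return null;   // realms are case-sensitive
        String name = identity.substring(0, at);
        if (name.indexOf('/') >= 0) return null;   // "host/..." style service principals are not users
        return name;
    }

    public static void main(String[] args) {
        // constructed identities, in the form a GSS context reports them
        String[] samples = { "alice@EXAMPLE.ORG", "alice@OTHER.ORG", "host/srv.example.org@EXAMPLE.ORG", "bob" };
        for (String id : samples) {
            System.out.println(id + " -> " + principalToUser(id, "EXAMPLE.ORG"));
        }
    }
}
```

Install it on the server in place of the default authenticator; the initial check alone is not sufficient because the client-supplied user name has not yet been tied to a verified principal until validateIdentity runs.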