Network Working Group J. Kabat Request for Comments: 2853 ValiCert, Inc. Category: Standards Track M. Upadhyay Sun Microsystems, Inc. June 2000
Network Working Group J. Kabat Request for Comments: 2853 ValiCert, Inc. Category: Standards Track M. Upadhyay Sun Microsystems, Inc. June 2000
Generic Security Service API Version 2 : Java Bindings
通用安全服务API第2版:Java绑定
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
Abstract
摘要
The Generic Security Services Application Program Interface (GSS-API) offers application programmers uniform access to security services atop a variety of underlying cryptographic mechanisms. This document specifies the Java bindings for GSS-API which is described at a language independent conceptual level in RFC 2743 [GSSAPIv2-UPDATE].
通用安全服务应用程序接口(GSS-API)为应用程序程序员提供了对各种底层加密机制之上的安全服务的统一访问。本文档指定了GSS-API的Java绑定,该绑定在RFC 2743[GSSAPIv2 UPDATE]中描述为独立于语言的概念级别。
The GSS-API allows a caller application to authenticate a principal identity, to delegate rights to a peer, and to apply security services such as confidentiality and integrity on a per-message basis. Examples of security mechanisms defined for GSS-API are The Simple Public-Key GSS-API Mechanism [SPKM] and The Kerberos Version 5 GSS-API Mechanism [KERBV5].
GSS-API允许调用方应用程序对主体身份进行身份验证,将权限委托给对等方,并基于每条消息应用保密性和完整性等安全服务。为GSS-API定义的安全机制的示例有简单公钥GSS-API机制[SPKM]和Kerberos版本5 GSS-API机制[KERBV5]。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 5 2. GSS-API Operational Paradigm . . . . . . . . . . . . . . . 6 3. Additional Controls . . . . . . . . . . . . . . . . . . . 8 3.1. Delegation . . . . . . . . . . . . . . . . . . . . . . . 9 3.2. Mutual Authentication . . . . . . . . . . . . . . . . . 10 3.3. Replay and Out-of-Sequence Detection . . . . . . . . . . 10 3.4. Anonymous Authentication . . . . . . . . . . . . . . . . 11 3.5. Confidentiality . . . . . . . . . . . . . . . . . . . . 12 3.6. Inter-process Context Transfer . . . . . . . . . . . . . 12 3.7. The Use of Incomplete Contexts . . . . . . . . . . . . . 13
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 5 2. GSS-API Operational Paradigm . . . . . . . . . . . . . . . 6 3. Additional Controls . . . . . . . . . . . . . . . . . . . 8 3.1. Delegation . . . . . . . . . . . . . . . . . . . . . . . 9 3.2. Mutual Authentication . . . . . . . . . . . . . . . . . 10 3.3. Replay and Out-of-Sequence Detection . . . . . . . . . . 10 3.4. Anonymous Authentication . . . . . . . . . . . . . . . . 11 3.5. Confidentiality . . . . . . . . . . . . . . . . . . . . 12 3.6. Inter-process Context Transfer . . . . . . . . . . . . . 12 3.7. The Use of Incomplete Contexts . . . . . . . . . . . . . 13
4. Calling Conventions . . . . . . . . . . . . . . . . . . . 13 4.1. Package Name . . . . . . . . . . . . . . . . . . . . . . 13 4.2. Provider Framework . . . . . . . . . . . . . . . . . . . 13 4.3. Integer types . . . . . . . . . . . . . . . . . . . . . 14 4.4. Opaque Data types . . . . . . . . . . . . . . . . . . . 14 4.5. Strings . . . . . . . . . . . . . . . . . . . . . . . . 15 4.6. Object Identifiers . . . . . . . . . . . . . . . . . . . 15 4.7. Object Identifier Sets . . . . . . . . . . . . . . . . . 15 4.8. Credentials . . . . . . . . . . . . . . . . . . . . . . 16 4.9. Contexts . . . . . . . . . . . . . . . . . . . . . . . . 18 4.10. Authentication tokens . . . . . . . . . . . . . . . . . 18 4.11. Interprocess tokens . . . . . . . . . . . . . . . . . . 18 4.12. Error Reporting . . . . . . . . . . . . . . . . . . . . 19 4.12.1. GSS status codes . . . . . . . . . . . . . . . . . . 19 4.12.2. Mechanism-specific status codes . . . . . . . . . . . 21 4.12.3. Supplementary status codes . . . . . . . . . . . . . 21 4.13. Names . . . . . . . . . . . . . . . . . . . . . . . . . 22 4.14. Channel Bindings . . . . . . . . . . . . . . . . . . . 25 4.15. Stream Objects . . . . . . . . . . . . . . . . . . . . 26 4.16. Optional Parameters . . . . . . . . . . . . . . . . . . 26 5. Introduction to GSS-API Classes and Interfaces . . . . . . 26 5.1. GSSManager class . . . . . . . . . . . . . . . . . . . . 26 5.2. GSSName interface . . . . . . . . . . . . . . . . . . . 27 5.3. GSSCredential interface . . . . . . . . . . . . . . . . 28 5.4. GSSContext interface . . . . . . . . . . . . . . . . . . 28 5.5. MessageProp class . . . . . . . . . . . . . . . . . . . 30 5.6. GSSException class . . . . . . . . . . . . . . . . . . . 30 5.7. Oid class . . . . . . . . . . . . . . . . . . . . . . . 30 5.8. ChannelBinding class . . . . . . . . . . . . . . . . . . 31 6. Detailed GSS-API Class Description . . . . . . . . . . . . 31 6.1. public abstract class GSSManager . . . . . . . . . . . . 31 6.1.1. Example Code . . . . . . . . . . . . . . . . . . . . . 32 6.1.2. getInstance . . . . . . . . . . . . . . . . . . . . . 33 6.1.3. getMechs . . . . . . . . . . . . . . . . . . . . . . . 33 6.1.4. getNamesForMech . . . . . . . . . . . . . . . . . . . 33 6.1.5. getMechsForName . . . . . . . . . . . . . . . . . . . 33 6.1.6. createName . . . . . . . . . . . . . . . . . . . . . . 33 6.1.7. createName . . . . . . . . . . . . . . . . . . . . . . 34 6.1.8. createName . . . . . . . . . . . . . . . . . . . . . . 35 6.1.9. createName . . . . . . . . . . . . . . . . . . . . . . 35 6.1.10. createCredential . . . . . . . . . . . . . . . . . . 36 6.1.11. createCredential . . . . . . . . . . . . . . . . . . 36 6.1.12. createCredential . . . . . . . . . . . . . . . . . . 37 6.1.13. createContext . . . . . . . . . . . . . . . . . . . . 37 6.1.14. createContext . . . . . . . . . . . . . . . . . . . . 38 6.1.15. createContext . . . . . . . . . . . . . . . . . . . . 38 6.1.16. addProviderAtFront . . . . . . . . . . . . . . . . . 38 6.1.16.1. Example Code . . . . . . . . . . . . . . . . . . . 39
4. Calling Conventions . . . . . . . . . . . . . . . . . . . 13 4.1. Package Name . . . . . . . . . . . . . . . . . . . . . . 13 4.2. Provider Framework . . . . . . . . . . . . . . . . . . . 13 4.3. Integer types . . . . . . . . . . . . . . . . . . . . . 14 4.4. Opaque Data types . . . . . . . . . . . . . . . . . . . 14 4.5. Strings . . . . . . . . . . . . . . . . . . . . . . . . 15 4.6. Object Identifiers . . . . . . . . . . . . . . . . . . . 15 4.7. Object Identifier Sets . . . . . . . . . . . . . . . . . 15 4.8. Credentials . . . . . . . . . . . . . . . . . . . . . . 16 4.9. Contexts . . . . . . . . . . . . . . . . . . . . . . . . 18 4.10. Authentication tokens . . . . . . . . . . . . . . . . . 18 4.11. Interprocess tokens . . . . . . . . . . . . . . . . . . 18 4.12. Error Reporting . . . . . . . . . . . . . . . . . . . . 19 4.12.1. GSS status codes . . . . . . . . . . . . . . . . . . 19 4.12.2. Mechanism-specific status codes . . . . . . . . . . . 21 4.12.3. Supplementary status codes . . . . . . . . . . . . . 21 4.13. Names . . . . . . . . . . . . . . . . . . . . . . . . . 22 4.14. Channel Bindings . . . . . . . . . . . . . . . . . . . 25 4.15. Stream Objects . . . . . . . . . . . . . . . . . . . . 26 4.16. Optional Parameters . . . . . . . . . . . . . . . . . . 26 5. Introduction to GSS-API Classes and Interfaces . . . . . . 26 5.1. GSSManager class . . . . . . . . . . . . . . . . . . . . 26 5.2. GSSName interface . . . . . . . . . . . . . . . . . . . 27 5.3. GSSCredential interface . . . . . . . . . . . . . . . . 28 5.4. GSSContext interface . . . . . . . . . . . . . . . . . . 28 5.5. MessageProp class . . . . . . . . . . . . . . . . . . . 30 5.6. GSSException class . . . . . . . . . . . . . . . . . . . 30 5.7. Oid class . . . . . . . . . . . . . . . . . . . . . . . 30 5.8. ChannelBinding class . . . . . . . . . . . . . . . . . . 31 6. Detailed GSS-API Class Description . . . . . . . . . . . . 31 6.1. public abstract class GSSManager . . . . . . . . . . . . 31 6.1.1. Example Code . . . . . . . . . . . . . . . . . . . . . 32 6.1.2. getInstance . . . . . . . . . . . . . . . . . . . . . 33 6.1.3. getMechs . . . . . . . . . . . . . . . . . . . . . . . 33 6.1.4. getNamesForMech . . . . . . . . . . . . . . . . . . . 33 6.1.5. getMechsForName . . . . . . . . . . . . . . . . . . . 33 6.1.6. createName . . . . . . . . . . . . . . . . . . . . . . 33 6.1.7. createName . . . . . . . . . . . . . . . . . . . . . . 34 6.1.8. createName . . . . . . . . . . . . . . . . . . . . . . 35 6.1.9. createName . . . . . . . . . . . . . . . . . . . . . . 35 6.1.10. createCredential . . . . . . . . . . . . . . . . . . 36 6.1.11. createCredential . . . . . . . . . . . . . . . . . . 36 6.1.12. createCredential . . . . . . . . . . . . . . . . . . 37 6.1.13. createContext . . . . . . . . . . . . . . . . . . . . 37 6.1.14. createContext . . . . . . . . . . . . . . . . . . . . 38 6.1.15. createContext . . . . . . . . . . . . . . . . . . . . 38 6.1.16. addProviderAtFront . . . . . . . . . . . . . . . . . 38 6.1.16.1. Example Code . . . . . . . . . . . . . . . . . . . 39
6.1.17. addProviderAtEnd . . . . . . . . . . . . . . . . . . 40 6.1.17.1. Example Code . . . . . . . . . . . . . . . . . . . 41 6.2. public interface GSSName . . . . . . . . . . . . . . . . 42 6.2.1. Example Code . . . . . . . . . . . . . . . . . . . . . 42 6.2.2. Static Constants . . . . . . . . . . . . . . . . . . . 43 6.2.3. equals . . . . . . . . . . . . . . . . . . . . . . . . 44 6.2.4. equals . . . . . . . . . . . . . . . . . . . . . . . . 44 6.2.5. canonicalize . . . . . . . . . . . . . . . . . . . . . 44 6.2.6. export . . . . . . . . . . . . . . . . . . . . . . . . 45 6.2.7. toString . . . . . . . . . . . . . . . . . . . . . . . 45 6.2.8. getStringNameType . . . . . . . . . . . . . . . . . . 45 6.2.9. isAnonymous . . . . . . . . . . . . . . . . . . . . . 45 6.2.10. isMN . . . . . . . . . . . . . . . . . . . . . . . . 45 6.3. public interface GSSCredential implements Cloneable . . 45 6.3.1. Example Code . . . . . . . . . . . . . . . . . . . . . 46 6.3.2. Static Constants . . . . . . . . . . . . . . . . . . . 47 6.3.3. dispose . . . . . . . . . . . . . . . . . . . . . . . 48 6.3.4. getName . . . . . . . . . . . . . . . . . . . . . . . 48 6.3.5. getName . . . . . . . . . . . . . . . . . . . . . . . 48 6.3.6. getRemainingLifetime . . . . . . . . . . . . . . . . . 48 6.3.7. getRemainingInitLifetime . . . . . . . . . . . . . . . 49 6.3.8. getRemainingAcceptLifetime . . . . . . . . . . . . . . 49 6.3.9. getUsage . . . . . . . . . . . . . . . . . . . . . . . 49 6.3.10. getUsage . . . . . . . . . . . . . . . . . . . . . . 49 6.3.11. getMechs . . . . . . . . . . . . . . . . . . . . . . 50 6.3.12. add . . . . . . . . . . . . . . . . . . . . . . . . . 50 6.3.13. equals . . . . . . . . . . . . . . . . . . . . . . . 51 6.4. public interface GSSContext . . . . . . . . . . . . . . 51 6.4.1. Example Code . . . . . . . . . . . . . . . . . . . . . 52 6.4.2. Static Constants . . . . . . . . . . . . . . . . . . . 54 6.4.3. initSecContext . . . . . . . . . . . . . . . . . . . . 54 6.4.3.1. Example Code . . . . . . . . . . . . . . . . . . . . 55 6.4.4. initSecContext . . . . . . . . . . . . . . . . . . . . 56 6.4.4.1. Example Code . . . . . . . . . . . . . . . . . . . . 56 6.4.5. acceptSecContext . . . . . . . . . . . . . . . . . . . 57 6.4.5.1. Example Code . . . . . . . . . . . . . . . . . . . . 58 6.4.6. acceptSecContext . . . . . . . . . . . . . . . . . . . 59 6.4.6.1. Example Code . . . . . . . . . . . . . . . . . . . . 59 6.4.7. isEstablished . . . . . . . . . . . . . . . . . . . . 60 6.4.8. dispose . . . . . . . . . . . . . . . . . . . . . . . 60 6.4.9. getWrapSizeLimit . . . . . . . . . . . . . . . . . . . 61 6.4.10. wrap . . . . . . . . . . . . . . . . . . . . . . . . 61 6.4.11. wrap . . . . . . . . . . . . . . . . . . . . . . . . 62 6.4.12. unwrap . . . . . . . . . . . . . . . . . . . . . . . 63 6.4.13. unwrap . . . . . . . . . . . . . . . . . . . . . . . 64 6.4.14. getMIC . . . . . . . . . . . . . . . . . . . . . . . 65 6.4.15. getMIC . . . . . . . . . . . . . . . . . . . . . . . 65 6.4.16. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 66
6.1.17. addProviderAtEnd . . . . . . . . . . . . . . . . . . 40 6.1.17.1. Example Code . . . . . . . . . . . . . . . . . . . 41 6.2. public interface GSSName . . . . . . . . . . . . . . . . 42 6.2.1. Example Code . . . . . . . . . . . . . . . . . . . . . 42 6.2.2. Static Constants . . . . . . . . . . . . . . . . . . . 43 6.2.3. equals . . . . . . . . . . . . . . . . . . . . . . . . 44 6.2.4. equals . . . . . . . . . . . . . . . . . . . . . . . . 44 6.2.5. canonicalize . . . . . . . . . . . . . . . . . . . . . 44 6.2.6. export . . . . . . . . . . . . . . . . . . . . . . . . 45 6.2.7. toString . . . . . . . . . . . . . . . . . . . . . . . 45 6.2.8. getStringNameType . . . . . . . . . . . . . . . . . . 45 6.2.9. isAnonymous . . . . . . . . . . . . . . . . . . . . . 45 6.2.10. isMN . . . . . . . . . . . . . . . . . . . . . . . . 45 6.3. public interface GSSCredential implements Cloneable . . 45 6.3.1. Example Code . . . . . . . . . . . . . . . . . . . . . 46 6.3.2. Static Constants . . . . . . . . . . . . . . . . . . . 47 6.3.3. dispose . . . . . . . . . . . . . . . . . . . . . . . 48 6.3.4. getName . . . . . . . . . . . . . . . . . . . . . . . 48 6.3.5. getName . . . . . . . . . . . . . . . . . . . . . . . 48 6.3.6. getRemainingLifetime . . . . . . . . . . . . . . . . . 48 6.3.7. getRemainingInitLifetime . . . . . . . . . . . . . . . 49 6.3.8. getRemainingAcceptLifetime . . . . . . . . . . . . . . 49 6.3.9. getUsage . . . . . . . . . . . . . . . . . . . . . . . 49 6.3.10. getUsage . . . . . . . . . . . . . . . . . . . . . . 49 6.3.11. getMechs . . . . . . . . . . . . . . . . . . . . . . 50 6.3.12. add . . . . . . . . . . . . . . . . . . . . . . . . . 50 6.3.13. equals . . . . . . . . . . . . . . . . . . . . . . . 51 6.4. public interface GSSContext . . . . . . . . . . . . . . 51 6.4.1. Example Code . . . . . . . . . . . . . . . . . . . . . 52 6.4.2. Static Constants . . . . . . . . . . . . . . . . . . . 54 6.4.3. initSecContext . . . . . . . . . . . . . . . . . . . . 54 6.4.3.1. Example Code . . . . . . . . . . . . . . . . . . . . 55 6.4.4. initSecContext . . . . . . . . . . . . . . . . . . . . 56 6.4.4.1. Example Code . . . . . . . . . . . . . . . . . . . . 56 6.4.5. acceptSecContext . . . . . . . . . . . . . . . . . . . 57 6.4.5.1. Example Code . . . . . . . . . . . . . . . . . . . . 58 6.4.6. acceptSecContext . . . . . . . . . . . . . . . . . . . 59 6.4.6.1. Example Code . . . . . . . . . . . . . . . . . . . . 59 6.4.7. isEstablished . . . . . . . . . . . . . . . . . . . . 60 6.4.8. dispose . . . . . . . . . . . . . . . . . . . . . . . 60 6.4.9. getWrapSizeLimit . . . . . . . . . . . . . . . . . . . 61 6.4.10. wrap . . . . . . . . . . . . . . . . . . . . . . . . 61 6.4.11. wrap . . . . . . . . . . . . . . . . . . . . . . . . 62 6.4.12. unwrap . . . . . . . . . . . . . . . . . . . . . . . 63 6.4.13. unwrap . . . . . . . . . . . . . . . . . . . . . . . 64 6.4.14. getMIC . . . . . . . . . . . . . . . . . . . . . . . 65 6.4.15. getMIC . . . . . . . . . . . . . . . . . . . . . . . 65 6.4.16. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 66
6.4.17. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 67 6.4.18. export . . . . . . . . . . . . . . . . . . . . . . . 68 6.4.19. requestMutualAuth . . . . . . . . . . . . . . . . . . 68 6.4.20. requestReplayDet . . . . . . . . . . . . . . . . . . 69 6.4.21. requestSequenceDet . . . . . . . . . . . . . . . . . 69 6.4.22. requestCredDeleg . . . . . . . . . . . . . . . . . . 69 6.4.23. requestAnonymity . . . . . . . . . . . . . . . . . . 69 6.4.24. requestConf . . . . . . . . . . . . . . . . . . . . . 70 6.4.25. requestInteg . . . . . . . . . . . . . . . . . . . . 70 6.4.26. requestLifetime . . . . . . . . . . . . . . . . . . . 70 6.4.27. setChannelBinding . . . . . . . . . . . . . . . . . . 71 6.4.28. getCredDelegState . . . . . . . . . . . . . . . . . . 71 6.4.29. getMutualAuthState . . . . . . . . . . . . . . . . . 71 6.4.30. getReplayDetState . . . . . . . . . . . . . . . . . . 71 6.4.31. getSequenceDetState . . . . . . . . . . . . . . . . . 71 6.4.32. getAnonymityState . . . . . . . . . . . . . . . . . . 72 6.4.33. isTransferable . . . . . . . . . . . . . . . . . . . 72 6.4.34. isProtReady . . . . . . . . . . . . . . . . . . . . . 72 6.4.35. getConfState . . . . . . . . . . . . . . . . . . . . 72 6.4.36. getIntegState . . . . . . . . . . . . . . . . . . . . 72 6.4.37. getLifetime . . . . . . . . . . . . . . . . . . . . . 73 6.4.38. getSrcName . . . . . . . . . . . . . . . . . . . . . 73 6.4.39. getTargName . . . . . . . . . . . . . . . . . . . . . 73 6.4.40. getMech . . . . . . . . . . . . . . . . . . . . . . . 73 6.4.41. getDelegCred . . . . . . . . . . . . . . . . . . . . 73 6.4.42. isInitiator . . . . . . . . . . . . . . . . . . . . . 73 6.5. public class MessageProp . . . . . . . . . . . . . . . . 74 6.5.1. Constructors . . . . . . . . . . . . . . . . . . . . . 74 6.5.2. getQOP . . . . . . . . . . . . . . . . . . . . . . . . 75 6.5.3. getPrivacy . . . . . . . . . . . . . . . . . . . . . . 75 6.5.4. getMinorStatus . . . . . . . . . . . . . . . . . . . . 75 6.5.5. getMinorString . . . . . . . . . . . . . . . . . . . . 75 6.5.6. setQOP . . . . . . . . . . . . . . . . . . . . . . . . 75 6.5.7. setPrivacy . . . . . . . . . . . . . . . . . . . . . . 75 6.5.8. isDuplicateToken . . . . . . . . . . . . . . . . . . . 76 6.5.9. isOldToken . . . . . . . . . . . . . . . . . . . . . . 76 6.5.10. isUnseqToken . . . . . . . . . . . . . . . . . . . . 76 6.5.11. isGapToken . . . . . . . . . . . . . . . . . . . . . 76 6.5.12. setSupplementaryStates . . . . . . . . . . . . . . . 76 6.6. public class ChannelBinding . . . . . . . . . . . . . . 77 6.6.1. Constructors . . . . . . . . . . . . . . . . . . . . . 77 6.6.2. getInitiatorAddress . . . . . . . . . . . . . . . . . 78 6.6.3. getAcceptorAddress . . . . . . . . . . . . . . . . . . 78 6.6.4. getApplicationData . . . . . . . . . . . . . . . . . . 78 6.6.5. equals . . . . . . . . . . . . . . . . . . . . . . . . 78 6.7. public class Oid . . . . . . . . . . . . . . . . . . . . 79 6.7.1. Constructors . . . . . . . . . . . . . . . . . . . . . 79 6.7.2. toString . . . . . . . . . . . . . . . . . . . . . . . 80
6.4.17. verifyMIC . . . . . . . . . . . . . . . . . . . . . . 67 6.4.18. export . . . . . . . . . . . . . . . . . . . . . . . 68 6.4.19. requestMutualAuth . . . . . . . . . . . . . . . . . . 68 6.4.20. requestReplayDet . . . . . . . . . . . . . . . . . . 69 6.4.21. requestSequenceDet . . . . . . . . . . . . . . . . . 69 6.4.22. requestCredDeleg . . . . . . . . . . . . . . . . . . 69 6.4.23. requestAnonymity . . . . . . . . . . . . . . . . . . 69 6.4.24. requestConf . . . . . . . . . . . . . . . . . . . . . 70 6.4.25. requestInteg . . . . . . . . . . . . . . . . . . . . 70 6.4.26. requestLifetime . . . . . . . . . . . . . . . . . . . 70 6.4.27. setChannelBinding . . . . . . . . . . . . . . . . . . 71 6.4.28. getCredDelegState . . . . . . . . . . . . . . . . . . 71 6.4.29. getMutualAuthState . . . . . . . . . . . . . . . . . 71 6.4.30. getReplayDetState . . . . . . . . . . . . . . . . . . 71 6.4.31. getSequenceDetState . . . . . . . . . . . . . . . . . 71 6.4.32. getAnonymityState . . . . . . . . . . . . . . . . . . 72 6.4.33. isTransferable . . . . . . . . . . . . . . . . . . . 72 6.4.34. isProtReady . . . . . . . . . . . . . . . . . . . . . 72 6.4.35. getConfState . . . . . . . . . . . . . . . . . . . . 72 6.4.36. getIntegState . . . . . . . . . . . . . . . . . . . . 72 6.4.37. getLifetime . . . . . . . . . . . . . . . . . . . . . 73 6.4.38. getSrcName . . . . . . . . . . . . . . . . . . . . . 73 6.4.39. getTargName . . . . . . . . . . . . . . . . . . . . . 73 6.4.40. getMech . . . . . . . . . . . . . . . . . . . . . . . 73 6.4.41. getDelegCred . . . . . . . . . . . . . . . . . . . . 73 6.4.42. isInitiator . . . . . . . . . . . . . . . . . . . . . 73 6.5. public class MessageProp . . . . . . . . . . . . . . . . 74 6.5.1. Constructors . . . . . . . . . . . . . . . . . . . . . 74 6.5.2. getQOP . . . . . . . . . . . . . . . . . . . . . . . . 75 6.5.3. getPrivacy . . . . . . . . . . . . . . . . . . . . . . 75 6.5.4. getMinorStatus . . . . . . . . . . . . . . . . . . . . 75 6.5.5. getMinorString . . . . . . . . . . . . . . . . . . . . 75 6.5.6. setQOP . . . . . . . . . . . . . . . . . . . . . . . . 75 6.5.7. setPrivacy . . . . . . . . . . . . . . . . . . . . . . 75 6.5.8. isDuplicateToken . . . . . . . . . . . . . . . . . . . 76 6.5.9. isOldToken . . . . . . . . . . . . . . . . . . . . . . 76 6.5.10. isUnseqToken . . . . . . . . . . . . . . . . . . . . 76 6.5.11. isGapToken . . . . . . . . . . . . . . . . . . . . . 76 6.5.12. setSupplementaryStates . . . . . . . . . . . . . . . 76 6.6. public class ChannelBinding . . . . . . . . . . . . . . 77 6.6.1. Constructors . . . . . . . . . . . . . . . . . . . . . 77 6.6.2. getInitiatorAddress . . . . . . . . . . . . . . . . . 78 6.6.3. getAcceptorAddress . . . . . . . . . . . . . . . . . . 78 6.6.4. getApplicationData . . . . . . . . . . . . . . . . . . 78 6.6.5. equals . . . . . . . . . . . . . . . . . . . . . . . . 78 6.7. public class Oid . . . . . . . . . . . . . . . . . . . . 79 6.7.1. Constructors . . . . . . . . . . . . . . . . . . . . . 79 6.7.2. toString . . . . . . . . . . . . . . . . . . . . . . . 80
6.7.3. equals . . . . . . . . . . . . . . . . . . . . . . . . 80 6.7.4. getDER . . . . . . . . . . . . . . . . . . . . . . . . 80 6.7.5. containedIn . . . . . . . . . . . . . . . . . . . . . 80 6.8. public class GSSException extends Exception . . . . . . 80 6.8.1. Static Constants . . . . . . . . . . . . . . . . . . . 81 6.8.2. Constructors . . . . . . . . . . . . . . . . . . . . . 83 6.8.3. getMajor . . . . . . . . . . . . . . . . . . . . . . . 84 6.8.4. getMinor . . . . . . . . . . . . . . . . . . . . . . . 84 6.8.5. getMajorString . . . . . . . . . . . . . . . . . . . . 84 6.8.6. getMinorString . . . . . . . . . . . . . . . . . . . . 84 6.8.7. setMinor . . . . . . . . . . . . . . . . . . . . . . . 84 6.8.8. toString . . . . . . . . . . . . . . . . . . . . . . . 85 6.8.9. getMessage . . . . . . . . . . . . . . . . . . . . . . 85 7. Sample Applications . . . . . . . . . . . . . . . . . . . 85 7.1. Simple GSS Context Initiator . . . . . . . . . . . . . . 85 7.2. Simple GSS Context Acceptor . . . . . . . . . . . . . . 89 8. Security Considerations . . . . . . . . . . . . . . . . . 93 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 94 10. Bibliography . . . . . . . . . . . . . . . . . . . . . . 94 11. Authors' Addresses . . . . . . . . . . . . . . . . . . . 95 12. Full Copyright Statement. . . . . . . . . . . . . . . . . 96
6.7.3. equals . . . . . . . . . . . . . . . . . . . . . . . . 80 6.7.4. getDER . . . . . . . . . . . . . . . . . . . . . . . . 80 6.7.5. containedIn . . . . . . . . . . . . . . . . . . . . . 80 6.8. public class GSSException extends Exception . . . . . . 80 6.8.1. Static Constants . . . . . . . . . . . . . . . . . . . 81 6.8.2. Constructors . . . . . . . . . . . . . . . . . . . . . 83 6.8.3. getMajor . . . . . . . . . . . . . . . . . . . . . . . 84 6.8.4. getMinor . . . . . . . . . . . . . . . . . . . . . . . 84 6.8.5. getMajorString . . . . . . . . . . . . . . . . . . . . 84 6.8.6. getMinorString . . . . . . . . . . . . . . . . . . . . 84 6.8.7. setMinor . . . . . . . . . . . . . . . . . . . . . . . 84 6.8.8. toString . . . . . . . . . . . . . . . . . . . . . . . 85 6.8.9. getMessage . . . . . . . . . . . . . . . . . . . . . . 85 7. Sample Applications . . . . . . . . . . . . . . . . . . . 85 7.1. Simple GSS Context Initiator . . . . . . . . . . . . . . 85 7.2. Simple GSS Context Acceptor . . . . . . . . . . . . . . 89 8. Security Considerations . . . . . . . . . . . . . . . . . 93 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 94 10. Bibliography . . . . . . . . . . . . . . . . . . . . . . 94 11. Authors' Addresses . . . . . . . . . . . . . . . . . . . 95 12. Full Copyright Statement. . . . . . . . . . . . . . . . . 96
This document specifies Java language bindings for the Generic Security Services Application Programming Interface Version 2 (GSS-API). GSS-API Version 2 is described in a language independent format in RFC 2743 [GSSAPIv2-UPDATE]. The GSS-API allows a caller application to authenticate a principal identity, to delegate rights to a peer, and to apply security services such as confidentiality and integrity on a per-message basis.
本文档指定了通用安全服务应用程序编程接口版本2(GSS-API)的Java语言绑定。GSS-API版本2在RFC 2743[GSSAPIv2更新]中以独立于语言的格式进行了描述。GSS-API允许调用方应用程序对主体身份进行身份验证,将权限委托给对等方,并基于每条消息应用保密性和完整性等安全服务。
This document leverages the work performed by the WG in the area of RFC 2743 [GSSAPIv2-UPDATE] and the C-bindings RFC 2744 [GSSAPI-C]. Whenever appropriate, text has been used from the C-bindings RFC 2744 to explain generic concepts and provide direction to the implementors.
本文件利用了工作组在RFC 2743[GSSAPIv2更新]和C-绑定RFC 2744[GSSAPI-C]领域所做的工作。在适当的时候,可以使用C-bindings RFC 2744中的文本来解释一般概念,并为实现者提供指导。
The design goals of this API have been to satisfy all the functionality defined in RFC 2743 and to provide these services in an object oriented method. The specification also aims to satisfy the needs of both types of Java application developers, those who would like access to a "system-wide" GSS-API implementation, as well as those who would want to provide their own "custom" implementation.
该API的设计目标是满足RFC 2743中定义的所有功能,并以面向对象的方法提供这些服务。该规范还旨在满足两种类型的Java应用程序开发人员的需求,即希望访问“系统范围”GSS-API实现的开发人员,以及希望提供自己的“自定义”实现的开发人员。
A "system-wide" implementation is one that is available to all applications in the form of a library package. It may be a standard package in the Java runtime environment (JRE) being used or it may be additionally installed and accessible to any application via the CLASSPATH.
“系统范围”实现是以库包的形式提供给所有应用程序的实现。它可能是正在使用的Java运行时环境(JRE)中的标准包,也可能是额外安装的,任何应用程序都可以通过类路径访问它。
A "custom" implementation of the GSS-API, on the other hand, is one that would, in most cases, be bundled with the application during distribution. It is expected that such an implementation would be meant to provide for some particular need of the application, such as support for some specific mechanism.
另一方面,GSS-API的“定制”实现在大多数情况下会在发布期间与应用程序捆绑在一起。预计这种实现将意味着提供应用程序的某些特定需求,例如支持某些特定机制。
The design of this API also aims to provide a flexible framework to add and manage GSS-API mechanisms. GSS-API leverages the Java Cryptography Architecture (JCA) provider model to support the plugability of mechanisms. Mechanisms can be added on a "system-wide" basis, where all users of the framework will have them available. The specification also allows for the addition of mechanisms per-instance of the GSS-API.
该API的设计还旨在提供一个灵活的框架来添加和管理GSS-API机制。GSS-API利用Java加密体系结构(JCA)提供程序模型来支持机制的可插入性。可以在“全系统”的基础上添加机制,框架的所有用户都可以使用这些机制。该规范还允许为GSS-API的每个实例添加机制。
Lastly, this specification presents an API that will naturally fit within the operation environment of the Java platform. Readers are assumed to be familiar with both the GSS-API and the Java platform.
最后,本规范提供了一个API,它自然适合Java平台的操作环境。假定读者熟悉GSS-API和Java平台。
The Generic Security Service Application Programming Interface Version 2 [GSSAPIv2-UPDATE] defines a generic security API to calling applications. It allows a communicating application to authenticate the user associated with another application, to delegate rights to another application, and to apply security services such as confidentiality and integrity on a per-message basis.
通用安全服务应用程序编程接口版本2[GSSAPIv2 UPDATE]定义了调用应用程序的通用安全API。它允许通信应用程序对与另一个应用程序关联的用户进行身份验证,将权限委托给另一个应用程序,并基于每条消息应用保密性和完整性等安全服务。
There are four stages to using GSS-API:
使用GSS-API分为四个阶段:
1) The application acquires a set of credentials with which it may prove its identity to other processes. The application's credentials vouch for its global identity, which may or may not be related to any local username under which it may be running.
1) 应用程序获取一组凭据,可以使用这些凭据向其他进程证明其身份。应用程序的凭据保证其全局标识,该标识可能与应用程序运行时使用的任何本地用户名相关,也可能与此无关。
2) A pair of communicating applications establish a joint security context using their credentials. The security context encapsulates shared state information, which is required in order that per-message security services may be provided. Examples of state information that might be shared between applications as part of a security context are cryptographic keys, and message sequence numbers. As part of the establishment of a security context, the context initiator is
2) 一对通信应用程序使用其凭据建立联合安全上下文。安全上下文封装共享状态信息,这是提供每条消息安全服务所必需的。作为安全上下文的一部分,应用程序之间可能共享的状态信息的示例包括加密密钥和消息序列号。作为建立安全上下文的一部分,上下文启动器是
authenticated to the responder, and may require that the responder is authenticated back to the initiator. The initiator may optionally give the responder the right to initiate further security contexts, acting as an agent or delegate of the initiator. This transfer of rights is termed "delegation", and is achieved by creating a set of credentials, similar to those used by the initiating application, but which may be used by the responder.
对响应者进行身份验证,并且可能要求响应者通过身份验证返回到启动器。发起者可以任选地给予响应者作为发起者的代理或委托来发起进一步的安全上下文的权利。这种权利的转移称为“委托”,通过创建一组凭证来实现,类似于发起应用程序使用的凭证,但响应者可以使用这些凭证。
A GSSContext object is used to establish and maintain the shared information that makes up the security context. Certain GSSContext methods will generate a token, which applications treat as cryptographically protected, opaque data. The caller of such GSSContext method is responsible for transferring the token to the peer application, encapsulated if necessary in an application-to-application protocol. On receipt of such a token, the peer application should pass it to a corresponding GSSContext method which will decode the token and extract the information, updating the security context state information accordingly.
GSSContext对象用于建立和维护组成安全上下文的共享信息。某些GSSContext方法将生成令牌,应用程序将其视为受加密保护的不透明数据。这种GSSContext方法的调用方负责将令牌传输到对等应用程序,必要时封装在应用程序到应用程序协议中。在收到这样的令牌后,对等应用程序应将其传递给相应的GSSContext方法,该方法将解码令牌并提取信息,相应地更新安全上下文状态信息。
3) Per-message services are invoked on a GSSContext object to apply either:
3) 在GSSContext对象上调用每消息服务以应用:
integrity and data origin authentication, or
完整性和数据源身份验证,或
confidentiality, integrity and data origin authentication
机密性、完整性和数据源身份验证
to application data, which are treated by GSS-API as arbitrary octet-strings. An application transmitting a message that it wishes to protect will call the appropriate GSSContext method (getMIC or wrap) to apply protection, and send the resulting token to the receiving application. The receiver will pass the received token (and, in the case of data protected by getMIC, the accompanying message-data) to the corresponding decoding method of the GSSContext interface (verifyMIC or unwrap) to remove the protection and validate the data.
应用程序数据,GSS-API将其视为任意八位字节字符串。发送希望保护的消息的应用程序将调用适当的GSSContext方法(getMIC或wrap)来应用保护,并将生成的令牌发送给接收应用程序。接收器将接收到的令牌(以及在getMIC保护数据的情况下,附带的消息数据)传递给GSSContext接口的相应解码方法(verifyMIC或unwrap),以移除保护并验证数据。
4) At the completion of a communications session (which may extend across several transport connections), each application uses a GSSContext method to invalidate the security context and release any system or cryptographic resources held. Multiple contexts may also be used (either successively or simultaneously) within a single communications association, at the discretion of the applications.
4) 在通信会话(可能扩展到多个传输连接)完成时,每个应用程序使用GSSContext方法使安全上下文无效,并释放所持有的任何系统或加密资源。应用程序可自行决定在单个通信关联中使用多个上下文(连续或同时)。
This section discusses the optional services that a context initiator may request of the GSS-API before the context establishment. Each of these services is requested by calling the appropriate mutator method in the GSSContext object before the first call to init is performed. Only the context initiator can request context flags.
本节讨论上下文启动器在上下文建立之前可能向GSS-API请求的可选服务。在执行对init的第一次调用之前,通过在GSSContext对象中调用适当的mutator方法来请求这些服务。只有上下文启动器才能请求上下文标志。
The optional services defined are:
定义的可选服务包括:
Delegation The (usually temporary) transfer of rights from initiator to acceptor, enabling the acceptor to authenticate itself as an agent of the initiator.
授权从发起人到接受人的权利转移(通常是暂时的),使接受人能够将自己作为发起人的代理人进行身份验证。
Mutual Authentication In addition to the initiator authenticating its identity to the context acceptor, the context acceptor should also authenticate itself to the initiator.
相互认证除了发起者向上下文接受者认证其身份之外,上下文接受者还应该向发起者认证自身。
Replay Detection In addition to providing message integrity services, GSSContext per-message operations of getMIC and wrap should include message numbering information to enable verifyMIC and unwrap to detect if a message has been duplicated.
重播检测除了提供消息完整性服务外,getMIC和wrap的GSSContext per message操作还应包括消息编号信息,以使verifyMIC和unwrap能够检测消息是否被复制。
Out-of-Sequence Detection In addition to providing message integrity services, GSSContext per-message operations (getMIC and wrap) should include message sequencing information to enable verifyMIC and unwrap to detect if a message has been received out of sequence.
失序检测除了提供消息完整性服务外,GSSContext每条消息操作(getMIC和wrap)应包括消息序列信息,以使verifyMIC和unwrap能够检测消息是否已失序接收。
Anonymous Authentication The establishment of the security context should not reveal the initiator's identity to the context acceptor.
匿名身份验证安全上下文的建立不应向上下文接受者透露启动器的身份。
Some mechanisms may not support all optional services, and some mechanisms may only support some services in conjunction with others. The GSSContext interface offers query methods to allow the verification by the calling application of which services will be available from the context when the establishment phase is complete. In general, if the security mechanism is capable of providing a requested service, it should do so even if additional services must be enabled in order to provide the requested service. If the mechanism is incapable of providing a requested service, it should proceed without the service leaving the application to abort the context establishment process if it considers the requested service to be mandatory.
有些机制可能不支持所有可选服务,有些机制可能只支持某些服务与其他服务结合使用。GSSContext接口提供了查询方法,允许调用应用程序在建立阶段完成时验证上下文中哪些服务可用。通常,如果安全机制能够提供请求的服务,那么即使必须启用附加服务才能提供请求的服务,它也应该这样做。如果该机制无法提供请求的服务,则如果该机制认为请求的服务是强制性的,则该机制应在服务不离开应用程序的情况下继续,以中止上下文建立过程。
Some mechanisms may specify that support for some services is optional, and that implementors of the mechanism need not provide it. This is most commonly true of the confidentiality service, often because of legal restrictions on the use of data-encryption, but may apply to any of the services. Such mechanisms are required to send at least one token from acceptor to initiator during context establishment when the initiator indicates a desire to use such a service, so that the initiating GSS-API can correctly indicate whether the service is supported by the acceptor's GSS-API.
一些机制可能指定对某些服务的支持是可选的,并且该机制的实现者不需要提供它。这在保密服务中最常见,通常是因为数据加密的使用受到法律限制,但可能适用于任何服务。当发起方表示希望使用这样的服务时,需要这样的机制在上下文建立期间从接受方向发起方发送至少一个令牌,以便发起GSS-API能够正确指示该服务是否受接受方的GSS-API支持。
The GSS-API allows delegation to be controlled by the initiating application via the requestCredDeleg method before the first call to init has been issued. Some mechanisms do not support delegation, and for such mechanisms attempts by an application to enable delegation are ignored.
GSS-API允许发起应用程序在发出对init的第一次调用之前,通过RequestCredDelege方法控制委派。有些机制不支持委托,对于这种机制,应用程序启用委托的尝试将被忽略。
The acceptor of a security context, for which the initiator enabled delegation, can check if delegation was enabled by using the getCredDelegState method of the GSSContext interface. In cases when it is, the delegated credential object can be obtained by calling the getDelegCred method. The obtained GSSCredential object may then be used to initiate subsequent GSS-API security contexts as an agent or delegate of the initiator. If the original initiator's identity is "A" and the delegate's identity is "B", then, depending on the underlying mechanism, the identity embodied by the delegated credential may be either "A" or "B acting for A".
安全上下文的接受者(启动器为其启用了委派)可以使用GSSContext接口的getCredDelegState方法检查是否启用了委派。在这种情况下,可以通过调用getDelegCredential方法来获取委托凭证对象。然后,所获得的GSSCredential对象可作为启动器的代理或委托用于启动后续GSS-API安全上下文。如果原始发起人的身份是“A”,而委托人的身份是“B”,则根据基础机制,委托凭证体现的身份可以是“A”或“代表A的B”。
For many mechanisms that support delegation, a simple boolean does not provide enough control. Examples of additional aspects of delegation control that a mechanism might provide to an application are duration of delegation, network addresses from which delegation is valid, and constraints on the tasks that may be performed by a delegate. Such controls are presently outside the scope of the GSS-API. GSS-API implementations supporting mechanisms offering additional controls should provide extension routines that allow these controls to be exercised (perhaps by modifying the initiator's GSS-API credential object prior to its use in establishing a context). However, the simple delegation control provided by GSS-API should always be able to over-ride other mechanism-specific delegation controls. If the application instructs the GSSContext object that delegation is not desired, then the implementation must not permit delegation to occur. This is an exception to the general rule that a mechanism may enable services even if they are not requested - delegation may only be provided at the explicit request of the application.
对于许多支持委托的机制,简单的布尔值不能提供足够的控制。机制可能向应用程序提供的委托控制的其他方面的示例包括委托持续时间、委托有效的网络地址以及委托可能执行的任务的约束。此类控制目前不在GSS-API的范围内。支持提供附加控件的机制的GSS-API实现应提供允许执行这些控件的扩展例程(可能通过在使用发起程序的GSS-API凭据对象建立上下文之前修改该对象)。然而,GSS-API提供的简单委托控制应该始终能够超越其他特定于机制的委托控制。如果应用程序指示GSSContext对象不需要委派,则实现不得允许委派发生。这是一般规则的一个例外,即即使未请求服务,机制也可以启用服务-只能在应用程序明确请求时提供委托。
Usually, a context acceptor will require that a context initiator authenticate itself so that the acceptor may make an access-control decision prior to performing a service for the initiator. In some cases, the initiator may also request that the acceptor authenticate itself. GSS-API allows the initiating application to request this mutual authentication service by calling the requestMutualAuth method of the GSSContext interface with a "true" parameter before making the first call to init. The initiating application is informed as to whether or not the context acceptor has authenticated itself. Note that some mechanisms may not support mutual authentication, and other mechanisms may always perform mutual authentication, whether or not the initiating application requests it. In particular, mutual authentication may be required by some mechanisms in order to support replay or out-of-sequence message detection, and for such mechanisms a request for either of these services will automatically enable mutual authentication.
通常,上下文接受者将要求上下文发起者进行自身身份验证,以便接受者可以在为发起者执行服务之前做出访问控制决策。在某些情况下,发起者还可以请求接受者对自己进行身份验证。GSS-API允许发起应用程序通过在第一次调用init之前使用“true”参数调用GSSContext接口的requestMutualAuth方法来请求此相互身份验证服务。启动应用程序被告知上下文接受者是否已对自身进行了身份验证。请注意,某些机制可能不支持相互身份验证,而其他机制可能始终执行相互身份验证,无论启动应用程序是否请求它。特别地,一些机制可能需要相互认证,以支持重播或无序消息检测,并且对于这种机制,对这些服务中的任何一个的请求将自动启用相互认证。
The GSS-API may provide detection of mis-ordered messages once a security context has been established. Protection may be applied to messages by either application, by calling either getMIC or wrap methods of the GSSContext interface, and verified by the peer application by calling verifyMIC or unwrap for the peer's GSSContext object.
一旦建立了安全上下文,GSS-API可提供错误排序消息的检测。通过调用GSSContext接口的getMIC或wrap方法,可通过任一应用程序对消息应用保护,并通过调用对等方的GSSContext对象的verifyMIC或unwrap,由对等方应用程序进行验证。
The getMIC method calculates a cryptographic checksum of an application message, and returns that checksum in a token. The application should pass both the token and the message to the peer application, which presents them to the verifyMIC method of the peer's GSSContext object.
getMIC方法计算应用程序消息的加密校验和,并在令牌中返回该校验和。应用程序应将令牌和消息传递给对等应用程序,对等应用程序将它们呈现给对等方的GSSContext对象的verifyMIC方法。
The wrap method calculates a cryptographic checksum of an application message, and places both the checksum and the message inside a single token. The application should pass the token to the peer application, which presents it to the unwrap method of the peer's GSSContext object to extract the message and verify the checksum.
wrap方法计算应用程序消息的加密校验和,并将校验和消息放在单个令牌中。应用程序应将令牌传递给对等应用程序,对等应用程序将令牌呈现给对等方的GSSContext对象的unwrap方法,以提取消息并验证校验和。
Either pair of routines may be capable of detecting out-of-sequence message delivery, or duplication of messages. Details of such mis-ordered messages are indicated through supplementary query methods of the MessageProp object that is filled in by each of these routines.
这两个例程中的任何一个都可以检测到顺序错误的消息传递或消息的重复。这些错误排序的消息的详细信息通过这些例程中的每个例程填写的MessageProp对象的补充查询方法来指示。
A mechanism need not maintain a list of all tokens that have been processed in order to support these status codes. A typical mechanism might retain information about only the most recent "N"
为了支持这些状态代码,机制不需要维护已处理的所有令牌的列表。典型的机制可能只保留有关最新“N”的信息
tokens processed, allowing it to distinguish duplicates and missing tokens within the most recent "N" messages; the receipt of a token older than the most recent "N" would result in the isOldToken method of the instance of MessageProp to return "true".
已处理的令牌,允许它在最近的“N”消息中区分重复和缺失的令牌;接收到比最近的“N”早的令牌将导致MessageProp实例的isOldToken方法返回“true”。
In certain situations, an application may wish to initiate the authentication process to authenticate a peer, without revealing its own identity. As an example, consider an application providing access to a database containing medical information, and offering unrestricted access to the service. A client of such a service might wish to authenticate the service (in order to establish trust in any information retrieved from it), but might not wish the service to be able to obtain the client's identity (perhaps due to privacy concerns about the specific inquiries, or perhaps simply to avoid being placed on mailing-lists).
在某些情况下,应用程序可能希望启动身份验证过程以对对等方进行身份验证,而不透露其自身的身份。作为一个例子,考虑一个应用程序,提供对包含医疗信息的数据库的访问,并提供对服务的无限制访问。此类服务的客户可能希望验证该服务(以便对从中检索到的任何信息建立信任),但可能不希望该服务能够获得客户的身份(可能是由于对特定查询的隐私问题,或者可能只是为了避免被列入邮件列表)。
In normal use of the GSS-API, the initiator's identity is made available to the acceptor as a result of the context establishment process. However, context initiators may request that their identity not be revealed to the context acceptor. Many mechanisms do not support anonymous authentication, and for such mechanisms the request will not be honored. An authentication token will still be generated, but the application is always informed if a requested service is unavailable, and has the option to abort context establishment if anonymity is valued above the other security services that would require a context to be established.
在GSS-API的正常使用中,作为上下文建立过程的结果,发起者的身份可供接受者使用。然而,上下文发起者可以请求不向上下文接受者透露其身份。许多机制不支持匿名身份验证,对于此类机制,请求将不会得到满足。仍将生成身份验证令牌,但如果请求的服务不可用,应用程序始终会得到通知,并且如果匿名性的价值高于需要建立上下文的其他安全服务,则应用程序可以选择中止上下文建立。
In addition to informing the application that a context is established anonymously (via the isAnonymous method of the GSSContext class), the getSrcName method of the acceptor's GSSContext object will, for such contexts, return a reserved internal-form name, defined by the implementation.
除了通知应用程序上下文是匿名建立的(通过GSSContext类的isAnonymous方法),对于此类上下文,接受方的GSSContext对象的getSrcName方法将返回由实现定义的保留内部表单名。
The toString method for a GSSName object representing an anonymous entity will return a printable name. The returned value will be syntactically distinguishable from any valid principal name supported by the implementation. The associated name-type object identifier will be an oid representing the value of NT_ANONYMOUS. This name-type oid will be defined as a public, static Oid object of the GSSName class. The printable form of an anonymous name should be chosen such that it implies anonymity, since this name may appear in, for example, audit logs. For example, the string "<anonymous>" might be a good choice, if no valid printable names supported by the implementation can begin with "<" and end with ">".
代表匿名实体的GSSName对象的toString方法将返回一个可打印的名称。返回值将在语法上与实现支持的任何有效主体名称区分开来。关联的名称类型对象标识符将是表示NT_ANONYMOUS值的oid。此名称类型oid将定义为GSSName类的公共静态oid对象。应选择匿名名称的可打印形式,以使其暗示匿名性,因为该名称可能出现在例如审计日志中。例如,如果实现不支持以“<”开头并以“>”结尾的有效可打印名称,那么字符串“<anonymous>”可能是一个不错的选择。
When using the equal method of the GSSName interface, and one of the operands is a GSSName instance representing an anonymous entity, the method must return "false".
当使用GSSName接口的equal方法,并且其中一个操作数是表示匿名实体的GSSName实例时,该方法必须返回“false”。
If a GSSContext supports the confidentiality service, wrap method may be used to encrypt application messages. Messages are selectively encrypted, under the control of the setPrivacy method of the MessageProp object used in the wrap method.
如果GSSContext支持保密服务,则可以使用wrap方法加密应用程序消息。消息在wrap方法中使用的MessageProp对象的setPrivacy方法的控制下被选择性地加密。
GSS-API V2 provides functionality which allows a security context to be transferred between processes on a single machine. These are implemented using the export method of GSSContext and a byte array constructor of the same class. The most common use for such a feature is a client-server design where the server is implemented as a single process that accepts incoming security contexts, which then launches child processes to deal with the data on these contexts. In such a design, the child processes must have access to the security context object created within the parent so that they can use per-message protection services and delete the security context when the communication session ends.
GSS-API V2提供了允许在单个计算机上的进程之间传输安全上下文的功能。它们是使用GSSContext的导出方法和同一类的字节数组构造函数实现的。这种特性最常见的用途是客户机-服务器设计,其中服务器被实现为单个进程,该进程接受传入的安全上下文,然后启动子进程来处理这些上下文中的数据。在这种设计中,子进程必须能够访问在父进程中创建的安全上下文对象,以便它们可以使用每消息保护服务,并在通信会话结束时删除安全上下文。
Since the security context data structure is expected to contain sequencing information, it is impractical in general to share a context between processes. Thus GSSContext interface provides an export method that the process, which currently owns the context, can call to declare that it has no intention to use the context subsequently, and to create an inter-process token containing information needed by the adopting process to successfully re-create the context. After successful completion of export, the original security context is made inaccessible to the calling process by GSS-API and any further usage of this object will result in failures. The originating process transfers the inter-process token to the adopting process, which creates a new GSSContext object using the byte array constructor. The properties of the context are equivalent to that of the original context.
由于安全上下文数据结构预期包含排序信息,因此在进程之间共享上下文通常是不切实际的。因此,GSSContext接口提供了一个导出方法,当前拥有上下文的进程可以调用该方法来声明它不打算随后使用上下文,并创建一个进程间令牌,其中包含进程成功重新创建上下文所需的信息。成功完成导出后,GSS-API将使调用进程无法访问原始安全上下文,进一步使用此对象将导致失败。发起进程将进程间令牌传输给采用进程,采用进程使用字节数组构造函数创建一个新的GSSContext对象。上下文的属性等同于原始上下文的属性。
The inter-process token may contain sensitive data from the original security context (including cryptographic keys). Applications using inter-process tokens to transfer security contexts must take appropriate steps to protect these tokens in transit.
进程间令牌可能包含来自原始安全上下文(包括加密密钥)的敏感数据。使用进程间令牌传输安全上下文的应用程序必须采取适当的步骤来保护传输中的这些令牌。
Implementations are not required to support the inter-process transfer of security contexts. Calling the isTransferable method of the GSSContext interface will indicate if the context object is transferable.
实现不需要支持安全上下文的进程间传输。调用GSSContext接口的isTransferable方法将指示上下文对象是否可转移。
Some mechanisms may allow the per-message services to be used before the context establishment process is complete. For example, a mechanism may include sufficient information in its initial context-level tokens for the context acceptor to immediately decode messages protected with wrap or getMIC. For such a mechanism, the initiating application need not wait until subsequent context-level tokens have been sent and received before invoking the per-message protection services.
某些机制可能允许在上下文建立过程完成之前使用每消息服务。例如,机制可以在其初始上下文级别令牌中包括足够的信息,以便上下文接受者立即解码受wrap或getMIC保护的消息。对于这种机制,在调用每消息保护服务之前,发起应用程序无需等待后续上下文级令牌被发送和接收。
An application can invoke the isProtReady method of the GSSContext class to determine if the per-message services are available in advance of complete context establishment. Applications wishing to use per-message protection services on partially-established contexts should query this method before attempting to invoke wrap or getMIC.
应用程序可以调用GSSContext类的isProtReady方法,以确定在完全建立上下文之前每消息服务是否可用。希望在部分建立的上下文上使用每消息保护服务的应用程序应在尝试调用wrap或getMIC之前查询此方法。
Java provides the implementors with not just a syntax for the language, but also an operational environment. For example, memory is automatically managed and does not require application intervention. These language features have allowed for a simpler API and have led to the elimination of certain GSS-API functions.
Java不仅为实现者提供了该语言的语法,还提供了一个操作环境。例如,内存是自动管理的,不需要应用程序干预。这些语言特性允许使用更简单的API,并消除了某些GSS-API函数。
Moreover, the JCA defines a provider model which allows for implementation independent access to security services. Using this model, applications can seamlessly switch between different implementations and dynamically add new services. The GSS-API specification leverages these concepts by the usage of providers for the mechanism implementations.
此外,JCA定义了一个提供者模型,该模型允许对安全服务进行独立于实现的访问。使用此模型,应用程序可以在不同实现之间无缝切换,并动态添加新服务。GSS-API规范通过为机制实现使用提供程序来利用这些概念。
The classes and interfaces defined in this document reside in the package called "org.ietf.jgss". Applications that wish to make use of this API should import this package name as shown in section 7.
本文档中定义的类和接口位于名为“org.ietf.jgss”的包中。希望使用此API的应用程序应导入此包名称,如第7节所示。
The Java security API's use a provider architecture that allows applications to be implementation independent and security API implementations to be modular and extensible. The
Java安全API使用了一种提供者体系结构,允许应用程序独立于实现,安全API实现模块化和可扩展。这个
java.security.Provider class is an abstract class that a vendor extends. This class maps various properties that represent different security services that are available to the names of the actual vendor classes that implement those services. When requesting a service, an application simply specifies the desired provider and the API delegates the request to service classes available from that provider.
Provider类是供应商扩展的抽象类。此类映射表示不同安全服务的各种属性,这些安全服务可用于实现这些服务的实际供应商类的名称。当请求服务时,应用程序只需指定所需的提供者,API将请求委托给该提供者提供的服务类。
Using the Java security provider model insulates applications from implementation details of the services they wish to use. Applications can switch between providers easily and new providers can be added as needed, even at runtime.
使用Java安全提供者模型将应用程序与它们希望使用的服务的实现细节隔离开来。应用程序可以在提供程序之间轻松切换,并且可以根据需要添加新的提供程序,即使在运行时也是如此。
The GSS-API may use providers to find components for specific underlying security mechanisms. For instance, a particular provider might contain components that will allow the GSS-API to support the Kerberos v5 mechanism and another might contain components to support the SPKM mechanism. By delegating mechanism specific functionality to the components obtained from providers the GSS-API can be extended to support an arbitrary list of mechanism.
GSS-API可以使用提供程序查找特定底层安全机制的组件。例如,一个特定的提供程序可能包含允许GSS-API支持Kerberos v5机制的组件,另一个提供程序可能包含支持SPKM机制的组件。通过将特定于机制的功能委托给从提供者获得的组件,GSS-API可以扩展为支持任意机制列表。
How the GSS-API locates and queries these providers is beyond the scope of this document and is being deferred to a Service Provider Interface (SPI) specification. The availability of such a SPI specification is not mandatory for the adoption of this API specification nor is it mandatory to use providers in the implementation of a GSS-API framework. However, by using the provider framework together with an SPI specification one can create an extensible and implementation independent GSS-API framework.
GSS-API如何定位和查询这些提供程序超出了本文档的范围,将推迟到服务提供程序接口(SPI)规范。此类SPI规范的可用性不是采用本API规范的强制性要求,也不是在GSS-API框架的实现中使用提供者的强制性要求。但是,通过将提供者框架与SPI规范一起使用,可以创建一个可扩展且独立于实现的GSS-API框架。
All numeric values are declared as "int" primitive Java type. The Java specification guarantees that this will be a 32 bit two's complement signed number.
所有数值都声明为“int”原语Java类型。Java规范保证这将是一个32位2的补码有符号数。
Throughout this API, the "boolean" primitive Java type is used wherever a boolean value is required or returned.
在整个API中,“boolean”原语Java类型用于任何需要或返回布尔值的地方。
Java byte arrays are used to represent opaque data types which are consumed and produced by the GSS-API in the forms of tokens. Java arrays contain a length field which enables the users to easily determine their size. The language has automatic garbage collection which alleviates the need by developers to release memory and simplifies buffer ownership issues.
Java字节数组用于表示GSS-API以令牌形式使用和生成的不透明数据类型。Java数组包含一个长度字段,使用户可以轻松确定其大小。该语言具有自动垃圾收集功能,可减轻开发人员释放内存的需要,并简化缓冲区所有权问题。
The String object will be used to represent all textual data. The Java String object, transparently treats all characters as two-byte Unicode characters which allows support for many locals. All routines returning or accepting textual data will use the String object.
字符串对象将用于表示所有文本数据。Java字符串对象透明地将所有字符视为双字节Unicode字符,这允许支持许多局部变量。所有返回或接受文本数据的例程都将使用String对象。
An Oid object will be used to represent Universal Object Identifiers (Oids). Oids are ISO-defined, hierarchically globally-interpretable identifiers used within the GSS-API framework to identify security mechanisms and name formats. The Oid object can be created from a string representation of its dot notation (e.g. "1.3.6.1.5.6.2") as well as from its ASN.1 DER encoding. Methods are also provided to test equality and provide the DER representation for the object.
Oid对象将用于表示通用对象标识符(Oid)。OID是在GSS-API框架内使用的ISO定义的、分层的全局可解释标识符,用于标识安全机制和名称格式。Oid对象可以通过点符号的字符串表示(例如“1.3.6.1.5.6.2”)以及ASN.1 DER编码创建。还提供了测试相等性的方法,并为对象提供DER表示。
An important feature of the Oid class is that its instances are immutable - i.e. there are no methods defined that allow one to change the contents of an Oid. This property allows one to treat these objects as "statics" without the need to perform copies.
Oid类的一个重要特性是其实例是不可变的,即没有定义允许更改Oid内容的方法。此属性允许将这些对象视为“静态”,而无需执行复制。
Certain routines allow the usage of a default oid. A "null" value can be used in those cases.
某些例程允许使用默认oid。在这些情况下,可以使用“null”值。
The Java bindings represents object identifiers sets as arrays of Oid objects. All Java arrays contain a length field which allows for easy manipulation and reference.
Java绑定将对象标识符集表示为Oid对象的数组。所有Java数组都包含一个长度字段,该字段允许轻松操作和引用。
In order to support the full functionality of RFC 2743, the Oid class includes a method which checks for existence of an Oid object within a specified array. This is equivalent in functionality to gss_test_oid_set_member. The use of Java arrays and Java's automatic garbage collection has eliminated the need for the following routines: gss_create_empty_oid_set, gss_release_oid_set, and gss_add_oid_set_member. Java GSS-API implementations will not contain them. Java's automatic garbage collection and the immutable property of the Oid object eliminates the complicated memory management issues of the C counterpart.
为了支持RFC 2743的全部功能,Oid类包含一个方法,用于检查指定数组中是否存在Oid对象。这在功能上等同于gss_test_oid_set_成员。使用Java数组和Java的自动垃圾收集消除了对以下例程的需要:gss_创建_空_oid_集、gss_发布_oid_集和gss_添加_oid_集成员。Java GSS-API实现将不包含它们。Java的自动垃圾收集和Oid对象的不可变属性消除了C对应对象复杂的内存管理问题。
When ever a default value for an Object Identifier Set is required, a "null" value can be used. Please consult the detailed method description for details.
当需要对象标识符集的默认值时,可以使用“null”值。有关详细信息,请参阅详细的方法说明。
GSS-API credentials are represented by the GSSCredential interface. The interface contains several constructs to allow for the creation of most common credential objects for the initiator and the acceptor. Comparisons are performed using the interface's "equals" method. The following general description of GSS-API credentials is included from the C-bindings specification:
GSS-API凭据由GSSCredential接口表示。该接口包含多个构造,以允许为发起方和接受方创建最常见的凭据对象。使用接口的“equals”方法执行比较。C-bindings规范中包含以下GSS-API凭据的一般说明:
GSS-API credentials can contain mechanism-specific principal authentication data for multiple mechanisms. A GSS-API credential is composed of a set of credential-elements, each of which is applicable to a single mechanism. A credential may contain at most one credential-element for each supported mechanism. A credential-element identifies the data needed by a single mechanism to authenticate a single principal, and conceptually contains two credential-references that describe the actual mechanism-specific authentication data, one to be used by GSS-API for initiating contexts, and one to be used for accepting contexts. For mechanisms that do not distinguish between acceptor and initiator credentials, both references would point to the same underlying mechanism-specific authentication data.
GSS-API凭据可以包含多个机制的特定于机制的主体身份验证数据。GSS-API凭据由一组凭据元素组成,每个元素都适用于单个机制。对于每个受支持的机制,凭证最多可以包含一个凭证元素。凭证元素标识单个机制对单个主体进行身份验证所需的数据,概念上包含两个凭证引用,用于描述实际机制特定的身份验证数据,一个用于GSS-API启动上下文,另一个用于接受上下文。对于不区分接受方凭据和发起方凭据的机制,两个引用将指向相同的底层机制特定身份验证数据。
Credentials describe a set of mechanism-specific principals, and give their holder the ability to act as any of those principals. All principal identities asserted by a single GSS-API credential should belong to the same entity, although enforcement of this property is an implementation-specific matter. A single GSSCredential object represents all the credential elements that have been acquired.
凭证描述一组特定于机制的主体,并使其持有者能够充当这些主体中的任何一个。由单个GSS-API凭据声明的所有主体标识都应属于同一实体,尽管此属性的强制执行是一个特定于实现的问题。单个GSSCredential对象表示已获取的所有凭证元素。
The creation's of an GSSContext object allows the value of "null" to be specified as the GSSCredential input parameter. This will indicate a desire by the application to act as a default principal. While individual GSS-API implementations are free to determine such default behavior as appropriate to the mechanism, the following default behavior by these routines is recommended for portability:
GSSContext对象的创建允许将“null”值指定为GSSCredential输入参数。这将表明应用程序希望充当默认主体。虽然各个GSS-API实现可以自由确定适合于该机制的默认行为,但为了便于移植,建议使用这些例程的以下默认行为:
For the initiator side of the context:
对于上下文的启动器端:
1) If there is only a single principal capable of initiating security contexts for the chosen mechanism that the application is authorized to act on behalf of, then that principal shall be used, otherwise
1) 如果只有一个主体能够为应用程序被授权代表的所选机制启动安全上下文,则应使用该主体,否则
2) If the platform maintains a concept of a default network-identity for the chosen mechanism, and if the application is authorized to act on behalf of that identity for the purpose of initiating security contexts, then the principal corresponding to that identity shall be used, otherwise
2) 如果平台为所选机制维护默认网络身份的概念,并且如果应用程序被授权代表该身份启动安全上下文,则应使用与该身份对应的主体,否则
3) If the platform maintains a concept of a default local identity, and provides a means to map local identities into network-identities for the chosen mechanism, and if the application is authorized to act on behalf of the network-identity image of the default local identity for the purpose of initiating security contexts using the chosen mechanism, then the principal corresponding to that identity shall be used, otherwise
3) 如果平台维护默认本地标识的概念,并提供将本地标识映射到所选机制的网络标识的方法,并且如果应用程序被授权代表默认本地标识的网络标识映像,以便使用所选机制启动安全上下文,则应使用与该身份对应的主体,否则
4) A user-configurable default identity should be used.
4) 应使用用户可配置的默认标识。
and for the acceptor side of the context
对于上下文的接受方来说
1) If there is only a single authorized principal identity capable of accepting security contexts for the chosen mechanism, then that principal shall be used, otherwise
1) 如果只有一个授权主体标识能够接受所选机制的安全上下文,则应使用该主体,否则
2) If the mechanism can determine the identity of the target principal by examining the context-establishment token processed during the accept method, and if the accepting application is authorized to act as that principal for the purpose of accepting security contexts using the chosen mechanism, then that principal identity shall be used, otherwise
2) 如果该机制可以通过检查在接受方法期间处理的上下文建立令牌来确定目标主体的身份,并且如果接受应用程序被授权作为该主体使用所选机制接受安全上下文,则应使用该主体身份,否则
3) If the mechanism supports context acceptance by any principal, and if mutual authentication was not requested, any principal that the application is authorized to accept security contexts under using the chosen mechanism may be used, otherwise
3) 如果该机制支持任何主体接受上下文,并且如果未请求相互认证,则可以使用应用程序在使用所选机制的情况下被授权接受安全上下文的任何主体,否则
4) A user-configurable default identity shall be used.
4) 应使用用户可配置的默认标识。
The purpose of the above rules is to allow security contexts to be established by both initiator and acceptor using the default behavior whenever possible. Applications requesting default behavior are likely to be more portable across mechanisms and implementations than ones that instantiate an GSSCredential object representing a specific identity.
上述规则的目的是允许发起方和接受方尽可能使用默认行为来建立安全上下文。与实例化表示特定标识的GSSCredential对象的应用程序相比,请求默认行为的应用程序可能更易于跨机制和实现移植。
The GSSContext interface is used to represent one end of a GSS-API security context, storing state information appropriate to that end of the peer communication, including cryptographic state information. The instantiation of the context object is done differently by the initiator and the acceptor. After the context has been instantiated, the initiator may choose to set various context options which will determine the characteristics of the desired security context. When all the application desired characteristics have been set, the initiator will call the initSecContext method which will produce a token for consumption by the peer's acceptSecContext method. It is the responsibility of the application to deliver the authentication token(s) between the peer applications for processing. Upon completion of the context establishment phase, context attributes can be retrieved, by both the initiator and acceptor, using the accessor methods. These will reflect the actual attributes of the established context. At this point the context can be used by the application to apply cryptographic services to its data.
GSSContext接口用于表示GSS-API安全上下文的一端,存储适用于对等通信一端的状态信息,包括加密状态信息。上下文对象的实例化由发起方和接受方以不同的方式完成。在上下文被实例化之后,发起方可以选择设置各种上下文选项,这些选项将确定所需安全上下文的特征。设置了所有应用程序所需的特征后,启动器将调用initSecContext方法,该方法将生成令牌供对等方的acceptSecContext方法使用。应用程序负责在对等应用程序之间传递身份验证令牌以进行处理。上下文建立阶段完成后,发起方和接受方都可以使用访问器方法检索上下文属性。这些将反映既定环境的实际属性。此时,应用程序可以使用上下文将加密服务应用于其数据。
A token is a caller-opaque type that GSS-API uses to maintain synchronization between each end of the GSS-API security context. The token is a cryptographically protected octet-string, generated by the underlying mechanism at one end of a GSS-API security context for use by the peer mechanism at the other end. Encapsulation (if required) within the application protocol and transfer of the token are the responsibility of the peer applications.
令牌是一种调用方不透明类型,GSS-API使用它来维护GSS-API安全上下文各端之间的同步。令牌是受加密保护的八位字节字符串,由GSS-API安全上下文一端的底层机制生成,供另一端的对等机制使用。应用程序协议中的封装(如果需要)和令牌的传输由对等应用程序负责。
Java GSS-API uses byte arrays to represent authentication tokens. Overloaded methods exist which allow the caller to supply input and output streams which will be used for the reading and writing of the token data.
JavaGSS-API使用字节数组表示身份验证令牌。重载方法允许调用者提供输入和输出流,这些流将用于令牌数据的读写。
Certain GSS-API routines are intended to transfer data between processes in multi-process programs. These routines use a caller-opaque octet-string, generated by the GSS-API in one process for use by the GSS-API in another process. The calling application is responsible for transferring such tokens between processes. Note that, while GSS-API implementors are encouraged to avoid placing sensitive information within interprocess tokens, or to cryptographically protect them, many implementations will be unable to avoid placing key material or other sensitive data within them. It is the application's responsibility to ensure that interprocess tokens are protected in transit, and transferred only to processes
某些GSS-API例程用于在多进程程序中的进程之间传输数据。这些例程使用一个调用方不透明八位字节字符串,该字符串由GSS-API在一个进程中生成,供GSS-API在另一个进程中使用。调用应用程序负责在进程之间传输此类令牌。注意,虽然鼓励GSS-API实现者避免在进程间令牌中放置敏感信息,或对其进行加密保护,但许多实现将无法避免在其中放置关键材料或其他敏感数据。应用程序负责确保进程间令牌在传输过程中受到保护,并且仅传输到进程
that are trustworthy. An interprocess token is represented using a byte array emitted from the export method of the GSSContext interface. The receiver of the interprocess token would initialize an GSSContext object with this token to create a new context. Once a context has been exported, the GSSContext object is invalidated and is no longer available.
这些都是值得信赖的。进程间令牌使用从GSSContext接口的导出方法发出的字节数组表示。进程间令牌的接收方将使用该令牌初始化GSSContext对象以创建新上下文。导出上下文后,GSSContext对象将失效,不再可用。
RFC 2743 defined the usage of major and minor status values for signaling of GSS-API errors. The major code, also called GSS status code, is used to signal errors at the GSS-API level independent of the underlying mechanism(s). The minor status value or Mechanism status code, is a mechanism defined error value indicating a mechanism specific error code.
RFC 2743定义了GSS-API错误信号的主要和次要状态值的使用。主代码也称为GSS状态代码,用于在GSS-API级别发出错误信号,与底层机制无关。次要状态值或机构状态代码是机构定义的错误值,指示特定于机构的错误代码。
Java GSS-API uses exceptions implemented by the GSSException class to signal both minor and major error values. Both mechanism specific errors and GSS-API level errors are signaled through instances of this class. The usage of exceptions replaces the need for major and minor codes to be used within the API calls. GSSException class also contains methods to obtain textual representations for both the major and minor values, which is equivalent to the functionality of gss_display_status.
JavaGSS-API使用GSSException类实现的异常来表示次要和主要错误值。特定于机制的错误和GSS-API级别的错误都通过此类的实例发出信号。异常的使用取代了在API调用中使用主要和次要代码的需要。GSSException类还包含获取主要值和次要值的文本表示的方法,这相当于gss_display_status的功能。
GSS status codes indicate errors that are independent of the underlying mechanism(s) used to provide the security service. The errors that can be indicated via a GSS status code are generic API routine errors (errors that are defined in the GSS-API specification). These bindings take advantage of the Java exceptions mechanism, thus eliminating the need for calling errors.
GSS状态代码表示独立于用于提供安全服务的底层机制的错误。可通过GSS状态代码指示的错误是通用API例程错误(GSS-API规范中定义的错误)。这些绑定利用了Java异常机制,因此无需调用错误。
A GSS status code indicates a single fatal generic API error from the routine that has thrown the GSSException. Using exceptions announces that a fatal error has occurred during the execution of the method. The GSS-API operational model also allows for the signaling of supplementary status information from the per-message calls. These need to be handled as return values since using exceptions is not appropriate for informatory or warning-like information. The methods that are capable of producing supplementary information are the two per-message methods GSSContext.verifyMIC() and GSSContext.unwrap(). These methods fill the supplementary status codes in the MessageProp object that was passed in.
GSS状态代码表示抛出GSSException的例程中的一个致命通用API错误。使用异常会宣布在方法执行期间发生了致命错误。GSS-API操作模型还允许从每消息调用发出补充状态信息的信令。这些需要作为返回值处理,因为使用异常不适合于信息性或类似警告的信息。能够生成补充信息的方法是每消息两个方法GSSContext.verifyMIC()和GSSContext.unwrap()。这些方法在传入的MessageProp对象中填充补充状态代码。
GSSException object, along with providing the functionality for setting of the various error codes and translating them into textual representation, also contains the definitions of all the numeric error values. The following table lists the definitions of error codes:
GSSException对象除了提供设置各种错误代码并将其转换为文本表示的功能外,还包含所有数字错误值的定义。下表列出了错误代码的定义:
Table: GSS Status Codes
表:GSS状态代码
Name Value Meaning
名称值含义
BAD_MECH 1 An unsupported mechanism was requested.
错误的机械1请求了不受支持的机制。
BAD_NAME 2 An invalid name was supplied.
错误名称2提供的名称无效。
BAD_NAMETYPE 3 A supplied name was of an unsupported type.
错误的名称类型3提供的名称的类型不受支持。
BAD_BINDINGS 4 Incorrect channel bindings were supplied.
错误的\u绑定提供了4个不正确的通道绑定。
BAD_STATUS 5 An invalid status code was supplied.
错误的\u状态5提供了无效的状态代码。
BAD_MIC 6 A token had an invalid MIC.
坏麦克风6令牌的麦克风无效。
NO_CRED 7 No credentials were supplied, or the credentials were unavailable or inaccessible.
没有凭据7未提供凭据,或者凭据不可用或无法访问。
NO_CONTEXT 8 Invalid context has been supplied.
未提供\u上下文8无效上下文。
DEFECTIVE_TOKEN 9 A supplied token was invalid.
缺陷_令牌9提供的令牌无效。
DEFECTIVE_CREDENTIAL 10 A supplied credential was invalid.
有缺陷的\u凭证10提供的凭证无效。
CREDENTIALS_EXPIRED 11 The referenced credentials have expired.
凭据\u已过期11引用的凭据已过期。
CONTEXT_EXPIRED 12 The context has expired.
上下文\u已过期12上下文已过期。
FAILURE 13 Miscellaneous failure, unspecified at the GSS-API level.
故障13杂项故障,GSS-API级别未指定。
BAD_QOP 14 The quality-of-protection requested could not be provided.
坏_QOP 14无法提供要求的保护质量。
UNAUTHORIZED 15 The operation is forbidden by local security policy.
当地安全政策禁止未经授权的操作。
UNAVAILABLE 16 The operation or option is unavailable.
不可用16操作或选项不可用。
DUPLICATE_ELEMENT 17 The requested credential element already exists.
重复\u元素17请求的凭证元素已存在。
NAME_NOT_MN 18 The provided name was not a mechanism name.
NAME_NOT_MN 18提供的名称不是机制名称。
OLD_TOKEN 19 The token's validity period has expired.
旧令牌19令牌的有效期已过期。
DUPLICATE_TOKEN 20 The token was a duplicate of an earlier version.
复制\u令牌20该令牌是早期版本的副本。
The GSS major status code of FAILURE is used to indicate that the underlying mechanism detected an error for which no specific GSS status code is defined. The mechanism-specific status code can provide more details about the error.
GSS主要故障状态代码用于指示底层机制检测到未定义特定GSS状态代码的错误。特定于机制的状态代码可以提供有关错误的更多详细信息。
The different major status codes that can be contained in the GSSException object thrown by the methods in this specification are the same as the major status codes returned by the corresponding calls in RFC 2743 [GSSAPIv2-UPDATE].
本规范中的方法引发的GSSException对象中可能包含的不同主要状态代码与RFC 2743[GSSAPIv2 UPDATE]中相应调用返回的主要状态代码相同。
Mechanism-specific status codes are communicated in two ways, they are part of any GSSException thrown from the mechanism specific layer to signal a fatal error, or they are part of the MessageProp object that the per-message calls use to signal non-fatal errors.
特定于机制的状态代码以两种方式进行通信,它们是从特定于机制的层抛出的任何GSSException的一部分,以表示致命错误,或者它们是MessageProp对象的一部分,per message调用使用该对象来表示非致命错误。
A default value of 0 in either the GSSException object or the MessageProp object will be used to represent the absence of any mechanism specific status code.
GSSException对象或MessageProp对象中的默认值0将用于表示没有任何机制特定的状态代码。
Supplementary status codes are confined to the per-message methods of the GSSContext interface. Because of the informative nature of these errors it is not appropriate to use exceptions to signal them. Instead, the per-message operations of the GSSContext interface return these values in a MessageProp object.
补充状态代码仅限于GSSContext接口的每条消息方法。由于这些错误的信息性,使用异常来通知它们是不合适的。相反,GSSContext接口的每消息操作在MessageProp对象中返回这些值。
The MessageProp class defines query methods which return boolean values indicating the following supplementary states:
MessageProp类定义查询方法,这些方法返回指示以下补充状态的布尔值:
Table: Supplementary Status Methods
表:补充地位法
Method Name Meaning when "true" is returned
返回“true”时的方法名称含义
isDuplicateToken The token was a duplicate of an earlier token.
isDuplicateToken该令牌是早期令牌的副本。
isOldToken The token's validity period has expired.
isOldToken令牌的有效期已过期。
isUnseqToken A later token has already been processed.
isUnseqToken已处理稍后的令牌。
isGapToken An expected per-message token was not received.
isGapToken未收到预期的每消息令牌。
"true" return value for any of the above methods indicates that the token exhibited the specified property. The application must determine the appropriate course of action for these supplementary values. They are not treated as errors by the GSS-API.
上述任何方法的“true”返回值表示令牌显示了指定的属性。应用程序必须为这些补充值确定适当的操作过程。GSS-API不会将其视为错误。
A name is used to identify a person or entity. GSS-API authenticates the relationship between a name and the entity claiming the name.
姓名用于识别个人或实体。GSS-API验证名称和声明名称的实体之间的关系。
Since different authentication mechanisms may employ different namespaces for identifying their principals, GSS-API's naming support is necessarily complex in multi-mechanism environments (or even in some single-mechanism environments where the underlying mechanism supports multiple namespaces).
由于不同的身份验证机制可能使用不同的名称空间来标识其主体,因此GSS-API的命名支持在多机制环境中(甚至在底层机制支持多个名称空间的某些单机制环境中)必然非常复杂。
Two distinct conceptual representations are defined for names:
为名称定义了两种不同的概念表示:
1) A GSS-API form represented by implementations of the GSSName interface: A single GSSName object may contain multiple names from different namespaces, but all names should refer to the same entity. An example of such an internal name would be the name returned from a call to the getName method of the GSSCredential interface, when applied to a credential containing credential elements for multiple authentication mechanisms employing different namespaces. This GSSName object will contain a distinct name for the entity for each authentication mechanism.
1) 由GSSName接口的实现表示的GSS-API表单:单个GSSName对象可能包含来自不同名称空间的多个名称,但所有名称都应引用同一实体。这种内部名称的一个示例是,当应用于包含使用不同名称空间的多个身份验证机制的凭据元素的凭据时,调用GSSCredential接口的getName方法返回的名称。此GSSName对象将包含每个身份验证机制的实体的不同名称。
For GSS-API implementations supporting multiple namespaces, GSSName implementations must contain sufficient information to determine the namespace to which each primitive name belongs.
对于支持多个名称空间的GSS-API实现,GSSName实现必须包含足够的信息来确定每个原语名称所属的名称空间。
2) Mechanism-specific contiguous byte array and string forms: Different GSSName initialization methods are provided to handle both byte array and string formats and to accommodate various calling applications and name types. These formats are capable of containing only a single name (from a single namespace). Contiguous string names are always accompanied by an object identifier specifying the namespace to which the name belongs, and their format is dependent on the authentication mechanism that employs that name. The string name forms are assumed to be printable, and may therefore be used by GSS-API applications for communication with their users. The byte array name formats are assumed to be in non-printable formats (e.g. the byte array returned from the export method of the GSSName interface).
2) 特定于机制的连续字节数组和字符串形式:提供了不同的GSSName初始化方法来处理字节数组和字符串格式,并适应各种调用应用程序和名称类型。这些格式只能包含单个名称(来自单个名称空间)。连续字符串名称始终伴随着一个对象标识符,该标识符指定名称所属的命名空间,其格式取决于使用该名称的身份验证机制。假定字符串名称表单是可打印的,因此GSS-API应用程序可以使用这些表单与用户通信。字节数组名称格式假定为不可打印格式(例如,从GSSName接口的导出方法返回的字节数组)。
A GSSName object can be converted to a contiguous representation by using the toString method. This will guarantee that the name will be converted to a printable format. Different initialization methods in the GSSName interface are defined allowing support for multiple syntaxes for each supported namespace, and allowing users the freedom to choose a preferred name representation. The toString method should use an implementation-chosen printable syntax for each supported name-type. To obtain the printable name type, getStringNameType method can be used.
可以使用toString方法将GSSName对象转换为连续表示。这将保证名称将转换为可打印格式。GSSName接口中定义了不同的初始化方法,允许为每个受支持的命名空间支持多个语法,并允许用户自由选择首选名称表示。toString方法应该为每个支持的名称类型使用一个实现选择的可打印语法。要获取可打印的名称类型,可以使用getStringNameType方法。
There is no guarantee that calling the toString method on the GSSName interface will produce the same string form as the original imported string name. Furthermore, it is possible that the name was not even constructed from a string representation. The same applies to name-space identifiers which may not necessarily survive unchanged after a journey through the internal name-form. An example of this might be a mechanism that authenticates X.500 names, but provides an algorithmic mapping of Internet DNS names into X.500. That mechanism's implementation of GSSName might, when presented with a DNS name, generate an internal name that contained both the original DNS name and the equivalent X.500 name. Alternatively, it might only store the X.500 name. In the latter case, the toString method of GSSName would most likely generate a printable X.500 name, rather than the original DNS name.
无法保证在GSSName接口上调用toString方法将产生与原始导入字符串名称相同的字符串形式。此外,名称甚至可能不是由字符串表示形式构造的。这同样适用于名称空间标识符,这些标识符在经过内部名称表单之后不一定会保持不变。这方面的一个例子可能是一种验证X.500名称的机制,但它提供了将Internet DNS名称映射到X.500的算法。该机制的GSSName实现可能会在显示DNS名称时生成一个内部名称,该名称包含原始DNS名称和等效的X.500名称。或者,它可能只存储X.500名称。在后一种情况下,GSSName的toString方法很可能生成一个可打印的X.500名称,而不是原始DNS名称。
The context acceptor can obtain a GSSName object representing the entity performing the context initiation (through the usage of getSrcName method). Since this name has been authenticated by a single mechanism, it contains only a single name (even if the internal name presented by the context initiator to the GSSContext
上下文接受者可以获得表示执行上下文初始化的实体的GSSName对象(通过使用getSrcName方法)。由于此名称已通过单个机制进行身份验证,因此它只包含一个名称(即使上下文启动器向GSSContext提供的内部名称
object had multiple components). Such names are termed internal mechanism names, or "MN"s and the names emitted by GSSContext interface in the getSrcName and getTargName are always of this type. Since some applications may require MNs without wanting to incur the overhead of an authentication operation, creation methods are provided that take not only the name buffer and name type, but also the mechanism oid for which this name should be created. When dealing with an existing GSSName object, the canonicalize method may be invoked to convert a general internal name into an MN.
对象具有多个组件)。这些名称被称为内部机制名称,或“MN”,并且getSrcName和getargname中的GSSContext接口发出的名称始终属于这种类型。由于某些应用程序可能需要MNs而不希望产生身份验证操作的开销,因此提供了创建方法,这些方法不仅采用名称缓冲区和名称类型,而且还采用应为其创建此名称的机制oid。处理现有GSSName对象时,可以调用规范化方法将通用内部名称转换为MN。
GSSName objects can be compared using their equal method, which returns "true" if the two names being compared refer to the same entity. This is the preferred way to perform name comparisons instead of using the printable names that a given GSS-API implementation may support. Since GSS-API assumes that all primitive names contained within a given internal name refer to the same entity, equal can return "true" if the two names have at least one primitive name in common. If the implementation embodies knowledge of equivalence relationships between names taken from different namespaces, this knowledge may also allow successful comparisons of internal names containing no overlapping primitive elements.
GSSName对象可以使用其相等方法进行比较,如果要比较的两个名称引用同一实体,则该方法返回“true”。这是执行名称比较的首选方法,而不是使用给定GSS-API实现可能支持的可打印名称。由于GSS-API假定给定内部名称中包含的所有基元名称都引用同一实体,因此,如果两个名称至少有一个共同的基元名称,equal可以返回“true”。如果实现包含来自不同名称空间的名称之间的等价关系的知识,那么该知识还可以允许成功比较不包含重叠基本元素的内部名称。
When used in large access control lists, the overhead of creating an GSSName object on each name and invoking the equal method on each name from the ACL may be prohibitive. As an alternative way of supporting this case, GSS-API defines a special form of the contiguous byte array name which may be compared directly (byte by byte). Contiguous names suitable for comparison are generated by the export method. Exported names may be re-imported by using the byte array constructor and specifying the NT_EXPORT_NAME as the name type object identifier. The resulting GSSName name will also be a MN. The GSSName interface defines public static Oid objects representing the standard name types. Structurally, an exported name object consists of a header containing an OID identifying the mechanism that authenticated the name, and a trailer containing the name itself, where the syntax of the trailer is defined by the individual mechanism specification. Detailed description of the format is specified in the language-independent GSS-API specification [GSSAPIv2-UPDATE].
在大型访问控制列表中使用时,在每个名称上创建GSSName对象并从ACL中调用每个名称上的equal方法的开销可能是不允许的。作为支持这种情况的另一种方式,GSS-API定义了一种特殊形式的连续字节数组名称,可以直接(逐字节)进行比较。export方法生成适合比较的连续名称。导出的名称可以通过使用字节数组构造函数重新导入,并将NT\u导出\u名称指定为名称类型对象标识符。生成的GSSName名称也将是MN。GSSName接口定义了表示标准名称类型的公共静态Oid对象。从结构上讲,导出的名称对象由一个标头和一个尾部组成,前者包含标识对名称进行身份验证的机制的OID,后者包含名称本身,其中尾部的语法由各个机制规范定义。格式的详细说明在独立于语言的GSS-API规范[GSSAPIv2更新]中规定。
Note that the results obtained by using the equals method will in general be different from those obtained by invoking canonicalize and export, and then comparing the byte array output. The first series of operation determines whether two (unauthenticated) names identify the same principal; the second whether a particular mechanism would authenticate them as the same principal. These two operations will in general give the same results only for MNs.
请注意,使用equals方法获得的结果通常与调用规范化和导出,然后比较字节数组输出得到的结果不同。第一系列操作确定两个(未经验证的)名称是否标识相同的主体;第二个问题是特定机制是否将它们作为同一主体进行身份验证。这两种操作通常仅对MNs产生相同的结果。
It is important to note that the above are guidelines as how GSSName implementations should behave, and are not intended to be specific requirements of how names objects must be implemented. The mechanism designers are free to decide on the details of their implementations of the GSSName interface as long as the behavior satisfies the above guidelines.
需要注意的是,以上是GSSName实现应该如何运行的指导原则,而不是必须如何实现名称对象的具体要求。只要行为满足上述准则,机制设计者就可以自由决定GSSName接口实现的细节。
GSS-API supports the use of user-specified tags to identify a given context to the peer application. These tags are intended to be used to identify the particular communications channel that carries the context. Channel bindings are communicated to the GSS-API using the ChannelBinding object. The application may use byte arrays to specify the application data to be used in the channel binding as well as using instances of the InetAddress. The InetAddress for the initiator and/or acceptor can be used within an instance of a ChannelBinding. ChannelBinding can be set for the GSSContext object using the setChannelBinding method before the first call to init or accept has been performed. Unless the setChannelBinding method has been used to set the ChannelBinding for a GSSContext object, "null" ChannelBinding will be assumed. InetAddress is currently the only address type defined within the Java platform and as such, it is the only one supported within the ChannelBinding class. Applications that use other types of addresses can include them as part of the application specific data.
GSS-API支持使用用户指定的标记来标识对等应用程序的给定上下文。这些标签用于识别承载上下文的特定通信信道。通道绑定使用ChannelBinding对象与GSS-API通信。应用程序可以使用字节数组指定要在通道绑定中使用的应用程序数据,也可以使用InetAddress实例。发起方和/或接受方的InetAddress可以在ChannelBinding的实例中使用。在第一次调用init或accept之前,可以使用setChannelBinding方法为GSSContext对象设置ChannelBinding。除非已使用setChannelBinding方法为GSSContext对象设置ChannelBinding,否则将假定为“null”ChannelBinding。InetAddress目前是Java平台中定义的唯一地址类型,因此,它是ChannelBinding类中唯一受支持的地址类型。使用其他类型地址的应用程序可以将其作为应用程序特定数据的一部分。
Conceptually, the GSS-API concatenates the initiator and acceptor address information, and the application supplied byte array to form an octet string. The mechanism calculates a MIC over this octet string and binds the MIC to the context establishment token emitted by init method of the GSSContext interface. The same bindings are set by the context acceptor for its GSSContext object and during processing of the accept method a MIC is calculated in the same way. The calculated MIC is compared with that found in the token, and if the MICs differ, accept will throw a GSSException with the major code set to BAD_BINDINGS, and the context will not be established. Some mechanisms may include the actual channel binding data in the token (rather than just a MIC); applications should therefore not use confidential data as channel-binding components.
从概念上讲,GSS-API将启动器和接收器地址信息以及应用程序提供的字节数组连接起来以形成八位字节字符串。该机制计算该八位字符串上的MIC,并将MIC绑定到GSSContext接口的init方法发出的上下文建立令牌。上下文接受器为其GSSContext对象设置相同的绑定,并且在处理accept方法期间,以相同的方式计算MIC。将计算出的MIC与令牌中的MIC进行比较,如果MIC不同,accept将抛出GSSException,主代码设置为BAD_绑定,并且不会建立上下文。一些机制可以包括令牌中的实际信道绑定数据(而不仅仅是MIC);因此,应用程序不应将机密数据用作通道绑定组件。
Individual mechanisms may impose additional constraints on addresses that may appear in channel bindings. For example, a mechanism may verify that the initiator address field of the channel binding contains the correct network address of the host system. Portable applications should therefore ensure that they either provide correct information for the address fields, or omit setting of the addressing information.
个别机制可能会对可能出现在通道绑定中的地址施加额外的约束。例如,机制可以验证通道绑定的启动器地址字段是否包含主机系统的正确网络地址。因此,便携式应用程序应该确保为地址字段提供正确的信息,或者省略地址信息的设置。
The context object provides overloaded methods which use input and output streams as the means to convey authentication and per-message GSS-API tokens. It is important to note that the streams are expected to contain the usual GSS-API tokens which would otherwise be handled through the usage of byte arrays. The tokens are expected to have a definite start and an end. The callers are responsible for ensuring that the supplied streams will not block, or expect to block until a full token is processed by the GSS-API method. Only a single GSS-API token will be processed per invocation of the stream based method.
上下文对象提供重载方法,这些方法使用输入和输出流作为传递身份验证和每消息GSS-API令牌的手段。需要注意的是,流预期包含通常的GSS-API令牌,否则将通过使用字节数组来处理这些令牌。代币应该有一个明确的起点和终点。调用方负责确保所提供的流不会阻塞,或者在GSS-API方法处理完整令牌之前不会阻塞。每次调用基于流的方法时,只处理一个GSS-API令牌。
The usage of streams allows the callers to have control and management of the supplied buffers. Because streams are non-primitive objects, the callers can make the streams as complicated or as simple as desired simply by using the streams defined in the java.io package or creating their own through the use of inheritance. This will allow for the application's greatest flexibility.
流的使用允许调用方控制和管理提供的缓冲区。由于流是非基本对象,调用方可以通过使用java.io包中定义的流或通过使用继承创建自己的流,使流变得复杂或简单。这将使应用程序具有最大的灵活性。
Whenever the application wishes to omit an optional parameter the "null" value shall be used. The detailed method descriptions indicate which parameters are optional. Methods overloading has also been used as a technique to indicate default parameters.
当应用程序希望省略可选参数时,应使用“空”值。详细的方法说明说明了哪些参数是可选的。方法重载也被用作指示默认参数的技术。
This section presents a brief description of the classes and interfaces that constitute the GSS-API. The implementations of these are obtained from the CLASSPATH defined by the application. If Java GSS becomes part of the standard Java API's then these classes will be available by default on all systems as part of the JRE's system classes.
本节简要介绍构成GSS-API的类和接口。这些的实现是从应用程序定义的类路径获得的。如果JavaGSS成为标准JavaAPI的一部分,那么默认情况下,这些类将作为JRE系统类的一部分在所有系统上可用。
This section also shows the corresponding RFC 2743 functionality implemented by each of the classes. Detailed description of these classes and their methods is presented in section 6.
本节还显示了每个类实现的相应RFC 2743功能。第6节详细介绍了这些类及其方法。
This abstract class serves as a factory to instantiate implementations of the GSS-API interfaces and also provides methods to make queries about underlying security mechanisms.
这个抽象类作为工厂来实例化GSS-API接口的实现,还提供了查询底层安全机制的方法。
A default implementation can be obtained using the static method getInstance(). Applications that desire to provide their own implementation of the GSSManager class can simply extend the abstract class themselves.
可以使用静态方法getInstance()获得默认实现。希望提供自己的GSSManager类实现的应用程序可以简单地扩展抽象类本身。
This class contains equivalents of the following RFC 2743 routines:
此类包含以下RFC 2743例程的等效程序:
gss_import_name Create an internal name from 6.1.9- the supplied information. 6.1.12
gss_导入_名称根据6.1.9-提供的信息创建内部名称。6.1.12
gss_acquire_cred Acquire credential 6.1.13- for use. 6.1.15
gss_acquire_cred acquire凭证6.1.13-供使用。6.1.15
gss_import_sec_context Create a previously exported 6.1.18 context.
gss_导入_秒_上下文创建以前导出的6.1.18上下文。
gss_indicate_mechs List the mechanisms 6.1.6 supported by this GSS-API implementation.
gss_表示_机械列出了此gss-API实施支持的6.1.6机制。
gss_inquire_mechs_for_name List the mechanisms 6.1.8 supporting the specified name type.
gss_inquire_mechs_for_name列出支持指定名称类型的机构6.1.8。
gss_inquire_names_for_mech List the name types 6.1.7 supported by the specified mechanism.
gss_inquire_names_for_mech列出指定机制支持的名称类型6.1.7。
GSS-API names are represented in the Java bindings through the GSSName interface. Different name formats and their definitions are identified with universal Object Identifiers (oids). The format of the names can be derived based on the unique oid of each name type. The following GSS-API routines are provided by the GSSName interface:
GSS-API名称通过GSSName接口在Java绑定中表示。不同的名称格式及其定义由通用对象标识符(OID)标识。可以根据每个名称类型的唯一oid派生名称的格式。GSSName接口提供以下GSS-API例程:
RFC 2743 Routine Function Section(s)
RFC 2743例行程序功能部分
gss_display_name Covert internal name 6.2.7 representation to text format.
gss_显示_名称将内部名称6.2.7表示转换为文本格式。
gss_compare_name Compare two internal names. 6.2.3, 6.2.4
gss_compare_name比较两个内部名称。6.2.3, 6.2.4
gss_release_name Release resources associated N/A with the internal name.
gss_release_name与内部名称关联的发布资源不适用。
gss_canonicalize_name Convert an internal name to a 6.1.11, mechanism name.
gss_规范化_名称将内部名称转换为6.1.11机制名称。
gss_export_name Convert a mechanism name to 6.2.6 export format.
gss_导出_名称将机构名称转换为6.2.6导出格式。
gss_duplicate_name Create a copy of the internal N/A name.
gss\u重复\u名称创建内部N/a名称的副本。
The gss_release_name call is not provided as Java does its own garbage collection. The gss_duplicate_name call is also redundant; the GSSName interface has no mutator methods that can change the state of the object so it is safe for sharing.
由于Java自己进行垃圾收集,因此不提供gss_release_name调用。gss_duplicate_名称调用也是冗余的;GSSName接口没有可以更改对象状态的mutator方法,因此共享是安全的。
The GSSCredential interface is responsible for the encapsulation of GSS-API credentials. Credentials identify a single entity and provide the necessary cryptographic information to enable the creation of a context on behalf of that entity. A single credential may contain multiple mechanism specific credentials, each referred to as a credential element. The GSSCredential interface provides the functionality of the following GSS-API routines:
GSSCredential接口负责GSS-API凭据的封装。凭据标识单个实体并提供必要的加密信息,以支持代表该实体创建上下文。一个凭证可以包含多个特定于机制的凭证,每个凭证都称为凭证元素。GSSCredential接口提供以下GSS-API例程的功能:
RFC 2743 Routine Function Section(s)
RFC 2743例行程序功能部分
gss_add_cred Constructs credentials 6.3.12 incrementally.
gss_添加_cred以增量方式构造凭据6.3.12。
gss_inquire_cred Obtain information about 6.3.4,6.3.5 credential.
gss_inquire_cred获取有关6.3.4,6.3.5凭证的信息。
gss_inquire_cred_by_mech Obtain per-mechanism 6.3.5-6.3.10 information about a credential.
gss_通过_mech查询_cred_根据机制6.3.5-6.3.10获取有关凭证的信息。
gss_release_cred Disposes of credentials 6.3.3 after use.
gss_release_cred在使用后处理凭证6.3.3。
This interface encapsulates the functionality of context-level calls required for security context establishment and management between peers as well as the per-message services offered to applications. A context is established between a pair of peers and allows the usage of security services on a per-message basis on application data. It
此接口封装了对等方之间安全上下文建立和管理所需的上下文级别调用的功能,以及为应用程序提供的每消息服务。在一对对等点之间建立上下文,并允许基于应用程序数据的每条消息使用安全服务。信息技术
is created over a single security mechanism. The GSSContext interface provides the functionality of the following GSS-API routines:
是通过单个安全机制创建的。GSSContext接口提供以下GSS-API例程的功能:
RFC 2743 Routine Function Section(s)
RFC 2743例行程序功能部分
gss_init_sec_context Initiate the creation of a 6.4.3, security context with a peer. 6.4.4
gss_init_sec_上下文与对等方启动6.4.3安全上下文的创建。6.4.4
gss_accept_sec_context Accept a security context 6.4.5, initiated by a peer. 6.4.6
gss_accept_sec_context接受由对等方发起的安全上下文6.4.5。6.4.6
gss_delete_sec_context Destroy a security context. 6.4.8
gss_删除_秒_上下文销毁安全上下文。6.4.8
gss_context_time Obtain remaining context 6.4.37 time.
gss_上下文_时间获取剩余上下文6.4.37时间。
gss_inquire_context Obtain context 6.4.29 to characteristics. 6.3.42
gss_inquire_上下文获取上下文6.4.29至特征。6.3.42
gss_wrap_size_limit Determine token-size limit 6.4.9 for gss_wrap.
gss_包裹大小_限制确定gss_包裹的令牌大小限制6.4.9。
gss_export_sec_context Transfer security context 6.4.18 to another process.
gss_导出_sec_上下文将安全上下文6.4.18传输到另一个进程。
gss_get_mic Calculate a cryptographic 6.4.14, Message Integrity Code (MIC) 6.4.15 for a message.
gss_get_mic为消息计算加密6.4.14、消息完整性代码(mic)6.4.15。
gss_verify_mic Verify integrity on a received 6.4.16, message. 6.4.17
gss\u验证\u mic验证收到的6.4.16消息的完整性。6.4.17
gss_wrap Attach a MIC to a message and 6.4.10, optionally encrypt the message 6.4.11 content.
gss_wrap将麦克风连接到消息和6.4.10,可以选择加密消息6.4.11内容。
gss_unwrap Obtain a previously wrapped 6.4.12, application message verifying 6.4.13 its integrity and optionally decrypting it.
gss_unwrap获取先前包装的6.4.12应用程序消息,验证6.4.13的完整性并可选地对其进行解密。
The functionality offered by the gss_process_context_token routine has not been included in the Java bindings specification. The corresponding functionality of gss_delete_sec_context has also been modified to not return any peer tokens. This has been proposed in
Java绑定规范中未包含gss_进程_上下文_令牌例程提供的功能。gss_delete_sec_上下文的相应功能也已修改为不返回任何对等令牌。这项建议已于一九九七年提出
accordance to the recommendations stated in RFC 2743. GSSContext does offer the functionality of destroying the locally-stored context information.
根据RFC 2743中规定的建议。GSSContext确实提供了销毁本地存储的上下文信息的功能。
This helper class is used in the per-message operations on the context. An instance of this class is created by the application and then passed into the per-message calls. In some cases, the application conveys information to the GSS-API implementation through this object and in other cases the GSS-API returns information to the application by setting it in this object. See the description of the per-message operations wrap, unwrap, getMIC, and verifyMIC in the GSSContext interfaces for details.
此帮助器类用于上下文上的每条消息操作。该类的一个实例由应用程序创建,然后传递到每消息调用。在某些情况下,应用程序通过此对象将信息传递给GSS-API实现,而在其他情况下,GSS-API通过在此对象中进行设置将信息返回给应用程序。有关详细信息,请参阅GSSContext接口中每消息操作wrap、unwrap、getMIC和verifyMIC的说明。
Exceptions are used in the Java bindings to signal fatal errors to the calling applications. This replaces the major and minor codes used in the C-bindings specification as a method of signaling failures. The GSSException class handles both minor and major codes, as well as their translation into textual representation. All GSS-API methods are declared as throwing this exception.
Java绑定中使用异常向调用应用程序发出致命错误的信号。这取代了C-bindings规范中使用的主要和次要代码,作为一种发送故障信号的方法。GSSException类处理次要代码和主要代码,以及将它们转换为文本表示。所有GSS-API方法都声明为引发此异常。
RFC 2743 Routine Function Section
RFC 2743例行程序功能部分
gss_display_status Retrieve textual 6.8.5, 6.8.6, representation of error 6.8.8, 6.8.9 codes.
gss_显示_状态检索文本6.8.5、6.8.6、错误表示6.8.8、6.8.9代码。
This utility class is used to represent Universal Object Identifiers and their associated operations. GSS-API uses object identifiers to distinguish between security mechanisms and name types. This class, aside from being used whenever an object identifier is needed, implements the following GSS-API functionality:
此实用程序类用于表示通用对象标识符及其关联操作。GSS-API使用对象标识符来区分安全机制和名称类型。此类除了在需要对象标识符时使用外,还实现了以下GSS-API功能:
RFC 2743 Routine Function Section
RFC 2743例行程序功能部分
gss_test_oid_set_member Determine if the specified oid 6.7.5 is part of a set of oids.
gss_测试_oid_集合_成员确定指定oid 6.7.5是否为oid集合的一部分。
An instance of this class is used to specify channel binding information to the GSSContext object before the start of a security context establishment. The application may use a byte array to specify application data to be used in the channel binding as well as use instances of the InetAddress. InetAddress is currently the only address type defined within the Java platform and as such, it is the only one supported within the ChannelBinding class. Applications that use other types of addresses can include them as part of the application data.
此类的实例用于在开始安全上下文建立之前指定GSSContext对象的通道绑定信息。应用程序可以使用字节数组来指定要在通道绑定中使用的应用程序数据以及InetAddress的实例。InetAddress目前是Java平台中定义的唯一地址类型,因此,它是ChannelBinding类中唯一受支持的地址类型。使用其他类型地址的应用程序可以将其作为应用程序数据的一部分。
This section lists a detailed description of all the public methods that each of the GSS-API classes and interfaces must provide.
本节列出了每个GSS-API类和接口必须提供的所有公共方法的详细描述。
The GSSManager class is an abstract class that serves as a factory for three GSS interfaces: GSSName, GSSCredential, and GSSContext. It also provides methods for applications to determine what mechanisms are available from the GSS implementation and what nametypes these mechanisms support. An instance of the default GSSManager subclass may be obtained through the static method getInstance(), but applications are free to instantiate other subclasses of GSSManager.
The GSSManager class is an abstract class that serves as a factory for three GSS interfaces: GSSName, GSSCredential, and GSSContext. It also provides methods for applications to determine what mechanisms are available from the GSS implementation and what nametypes these mechanisms support. An instance of the default GSSManager subclass may be obtained through the static method getInstance(), but applications are free to instantiate other subclasses of GSSManager.translate error, please retry
All but one method in this class are declared abstract. This means that subclasses have to provide the complete implementation for those methods. The only exception to this is the static method getInstance() which will have platform specific code to return an instance of the default subclass.
All but one method in this class are declared abstract. This means that subclasses have to provide the complete implementation for those methods. The only exception to this is the static method getInstance() which will have platform specific code to return an instance of the default subclass.translate error, please retry
Platform providers of GSS are required not to add any constructors to this class, private, public, or protected. This will ensure that all subclasses invoke only the default constructor provided to the base class by the compiler.
GSS的平台提供商不需要向此类添加任何构造函数(私有、公共或受保护)。这将确保所有子类只调用编译器提供给基类的默认构造函数。
A subclass extending the GSSManager abstract class may be implemented as a modular provider based layer that utilizes some well known service provider specification. The GSSManager API provides the application with methods to set provider preferences on such an implementation. These methods also allow the implementation to throw a well-defined exception in case provider based configuration is not supported. Applications that expect to be portable should be aware of this and recover cleanly by catching the exception.
扩展GSSManager抽象类的子类可以实现为基于模块化提供者的层,该层利用一些众所周知的服务提供者规范。GSSManager API为应用程序提供了在此类实现上设置提供程序首选项的方法。如果不支持基于提供程序的配置,这些方法还允许实现抛出定义良好的异常。希望可移植的应用程序应该意识到这一点,并通过捕获异常进行干净的恢复。
It is envisioned that there will be three most common ways in which providers will be used:
预计将有三种最常见的供应商使用方式:
1) The application does not care about what provider is used (the default case).
1) 应用程序不关心使用什么提供程序(默认情况)。
2) The application wants a particular provider to be used preferentially, either for a particular mechanism or all the time, irrespective of mechanism.
2) 应用程序希望优先使用特定的提供者,无论是用于特定的机制还是始终使用,而不考虑机制。
3) The application wants to use the locally configured providers as far as possible but if support is missing for one or more mechanisms then it wants to fall back on its own provider.
3) 应用程序希望尽可能使用本地配置的提供程序,但如果缺少对一个或多个机制的支持,则希望依靠自己的提供程序。
The GSSManager class has two methods that enable these modes of usage: addProviderAtFront() and addProviderAtEnd(). These methods have the effect of creating an ordered list of <provider, oid> pairs where each pair indicates a preference of provider for a given oid.
GSSManager类有两个方法可以启用这些使用模式:addProviderAtFront()和addProviderAtEnd()。这些方法的作用是创建<provider,oid>对的有序列表,其中每对表示提供者对给定oid的偏好。
The use of these methods does not require any knowledge of whatever service provider specification the GSSManager subclass follows. It is hoped that these methods will serve the needs of most applications. Additional methods may be added to an extended GSSManager that could be part of a service provider specification that is standardized later.
使用这些方法不需要了解GSSManager子类遵循的任何服务提供者规范。希望这些方法能满足大多数应用的需要。可以将其他方法添加到扩展GSSManager中,该扩展GSSManager可能是稍后标准化的服务提供商规范的一部分。
GSSManager mgr = GSSManager.getInstance();
GSSManager mgr = GSSManager.getInstance();
// What mechs are available to us? Oid[] supportedMechs = mgr.getMechs();
// What mechs are available to us? Oid[] supportedMechs = mgr.getMechs();
// Set a preference for the provider to be used when support is needed // for the mechanisms "1.2.840.113554.1.2.2" and "1.3.6.1.5.5.1.1".
//为需要支持时使用的提供程序设置首选项//机制“1.2.840.113554.1.2.2”和“1.3.6.1.5.5.1.1”。
Oid krb = new Oid("1.2.840.113554.1.2.2"); Oid spkm1 = new Oid("1.3.6.1.5.5.1.1");
Oid krb = new Oid("1.2.840.113554.1.2.2"); Oid spkm1 = new Oid("1.3.6.1.5.5.1.1");
Provider p = (Provider) (new com.foo.security.Provider());
Provider p = (Provider) (new com.foo.security.Provider());
mgr.addProviderAtFront(p, krb); mgr.addProviderAtFront(p, spkm1);
mgr.addProviderAtFront(p, krb); mgr.addProviderAtFront(p, spkm1);
// What name types does this spkm implementation support? Oid[] nameTypes = mgr.getNamesForMech(spkm1);
// What name types does this spkm implementation support? Oid[] nameTypes = mgr.getNamesForMech(spkm1);
public static GSSManager getInstance()
公共静态GSSManager getInstance()
Returns the default GSSManager implementation.
返回默认的GSSManager实现。
public abstract Oid[] getMechs()
公共摘要Oid[]getMechs()
Returns an array of Oid objects indicating mechanisms available to GSS-API callers. A "null" value is returned when no mechanism are available (an example of this would be when mechanism are dynamically configured, and currently no mechanisms are installed).
返回Oid对象数组,指示GSS-API调用方可用的机制。当没有可用的机制时,将返回“null”值(例如,当动态配置了机制,并且当前未安装任何机制时)。
public abstract Oid[] getNamesForMech(Oid mech) throws GSSException
公共抽象Oid[]getNamesForMech(Oid mech)抛出GSSException
Returns name type Oid's supported by the specified mechanism.
返回指定机制支持的名称类型Oid。
Parameters:
参数:
mech The Oid object for the mechanism to query.
mech要查询的机制的Oid对象。
public abstract Oid[] getMechsForName(Oid nameType)
公共抽象Oid[]getMechsForName(Oid名称类型)
Returns an array of Oid objects corresponding to the mechanisms that support the specific name type. "null" is returned when no mechanisms are found to support the specified name type.
返回与支持特定名称类型的机制相对应的Oid对象数组。当找不到支持指定名称类型的机制时,返回“null”。
Parameters:
参数:
nameType The Oid object for the name type.
名称类型名称类型的Oid对象。
public abstract GSSName createName(String nameStr, Oid nameType) throws GSSException
公共抽象GSSName createName(字符串nameStr,Oid nameType)引发GSSExException
Factory method to convert a contiguous string name from the specified namespace to a GSSName object. In general, the GSSName object created will not be an MN; two examples that are exceptions to this are when the namespace type parameter indicates NT_EXPORT_NAME or when the GSS-API implementation is not multi-mechanism.
方法将指定命名空间中的连续字符串名称转换为GSSName对象。通常,创建的GSSName对象将不是MN;两个例外的例子是当namespace type参数指示NT_EXPORT_NAME时,或者当GSS-API实现不是多机制时。
Parameters:
参数:
nameStr The string representing a printable form of the name to create.
nameStr表示要创建的名称的可打印形式的字符串。
nameType The Oid specifying the namespace of the printable name supplied. Note that nameType serves to describe and qualify the interpretation of the input nameStr, it does not necessarily imply a type for the output GSSName implementation. "null" value can be used to specify that a mechanism specific default printable syntax should be assumed by each mechanism that examines nameStr.
nameType指定提供的可打印名称的命名空间的Oid。注意,nameType用于描述和限定输入nameStr的解释,它不一定意味着输出GSSName实现的类型。“null”值可用于指定检查nameStr的每个机制都应采用特定于机制的默认可打印语法。
public abstract GSSName createName(byte name[], Oid nameType) throws GSSException
公共抽象GSSName createName(字节名[],Oid名称类型)引发GSSExException
Factory method to convert a contiguous byte array containing a name from the specified namespace to a GSSName object. In general, the GSSName object created will not be an MN; two examples that are exceptions to this are when the namespace type parameter indicates NT_EXPORT_NAME or when the GSS-API implementation is not multi-mechanism.
方法将包含指定命名空间中名称的连续字节数组转换为GSSName对象。通常,创建的GSSName对象将不是MN;两个例外的例子是当namespace type参数指示NT_EXPORT_NAME时,或者当GSS-API实现不是多机制时。
Parameters:
参数:
name The byte array containing the name to create.
命名包含要创建的名称的字节数组。
nameType The Oid specifying the namespace of the name supplied in the byte array. Note that nameType serves to describe and qualify the interpretation of the input name byte array, it does not necessarily imply a type for the output GSSName implementation. "null" value can be used to specify that a mechanism specific default syntax should be assumed by each mechanism that examines the byte array.
nameType指定字节数组中提供的名称的命名空间的Oid。注意,nameType用于描述和限定输入名称字节数组的解释,它不一定意味着输出GSSName实现的类型。“null”值可用于指定检查字节数组的每个机制都应采用特定于机制的默认语法。
public abstract GSSName createName(String nameStr, Oid nameType, Oid mech) throws GSSException
公共抽象GSSName createName(字符串nameStr、Oid nameType、Oid mech)引发GSSExException
Factory method to convert a contiguous string name from the specified namespace to an GSSName object that is a mechanism name (MN). In other words, this method is a utility that does the equivalent of two steps: the createName described in 6.1.7 and then also the GSSName.canonicalize() described in 6.2.5.
方法将指定命名空间中的连续字符串名称转换为作为机制名称(MN)的GSSName对象。换句话说,这个方法是一个相当于两个步骤的实用程序:6.1.7中描述的createName,以及6.2.5中描述的GSSName.canonicalize()。
Parameters:
参数:
nameStr The string representing a printable form of the name to create.
nameStr表示要创建的名称的可打印形式的字符串。
nameType The Oid specifying the namespace of the printable name supplied. Note that nameType serves to describe and qualify the interpretation of the input nameStr, it does not necessarily imply a type for the output GSSName implementation. "null" value can be used to specify that a mechanism specific default printable syntax should be assumed when the mechanism examines nameStr.
nameType指定提供的可打印名称的命名空间的Oid。注意,nameType用于描述和限定输入nameStr的解释,它不一定意味着输出GSSName实现的类型。“null”值可用于指定在机制检查nameStr时应采用特定于机制的默认可打印语法。
mech Oid specifying the mechanism for which this name should be created.
mech Oid指定应为其创建此名称的机构。
public abstract createName(byte name[], Oid nameType, Oid mech) throws GSSException
公共抽象createName(字节名[],Oid名称类型,Oid机械)引发GSSExException
Factory method to convert a contiguous byte array containing a name from the specified namespace to a GSSName object that is an MN. In other words, this method is a utility that does the equivalent of two steps: the createName described in 6.1.8 and then also the GSSName.canonicalize() described in 6.2.5.
方法将包含指定命名空间中名称的连续字节数组转换为作为MN的GSSName对象。换句话说,此方法是一个实用程序,它执行两个步骤:6.1.8中描述的createName,以及6.2.5中描述的GSSName.canonicalize()。
Parameters:
参数:
name The byte array representing the name to create.
命名表示要创建的名称的字节数组。
nameType The Oid specifying the namespace of the name supplied in the byte array. Note that nameType serves to describe and qualify the interpretation of the input name byte array, it does not necessarily imply a type for the output GSSName implementation. "null" value
nameType指定字节数组中提供的名称的命名空间的Oid。注意,nameType用于描述和限定输入名称字节数组的解释,它不一定意味着输出GSSName实现的类型。“空”值
can be used to specify that a mechanism specific default syntax should be assumed by each mechanism that examines the byte array.
可用于指定检查字节数组的每个机制都应采用特定于机制的默认语法。
mech Oid specifying the mechanism for which this name should be created.
mech Oid指定应为其创建此名称的机构。
public abstract GSSCredential createCredential (int usage) throws GSSException
公共抽象GSSCredential createCredential(int用法)引发GSSExException
Factory method for acquiring default credentials. This will cause the GSS-API to use system specific defaults for the set of mechanisms, name, and a DEFAULT lifetime.
获取默认凭据的工厂方法。这将导致GSS-API对机制集、名称和默认生存期使用特定于系统的默认值。
Parameters:
参数:
usage The intended usage for this credential object. The value of this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE, GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
用法此凭据对象的预期用途。此参数的值必须是以下值之一:GSSCredential.ACCEPT_和_INITIATE、GSSCredential.ACCEPT_ONLY、GSSCredential.INITIATE_ONLY
public abstract GSSCredential createCredential (GSSName aName, int lifetime, Oid mech, int usage) throws GSSException
公共抽象GSSCredential createCredential(GSSName aName、int life、Oid mech、int usage)抛出GSSException
Factory method for acquiring a single mechanism credential.
用于获取单个机构凭证的工厂方法。
Parameters:
参数:
aName Name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal.
要为其获取此凭据的主体的名称。使用“null”指定默认主体。
lifetime The number of seconds that credentials should remain valid. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
生存期凭据应保持有效的秒数。使用GSSCredential.u LIFETIME请求凭据具有允许的最大生存期。使用GSSCredential.DEFAULT_生存期请求默认凭据生存期。
mech The oid of the desired mechanism. Use "(Oid) null" to request the default mechanism(s).
mech所需机构的oid。使用“(Oid)null”请求默认机制。
usage The intended usage for this credential object. The value of this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE, GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
用法此凭据对象的预期用途。此参数的值必须是以下值之一:GSSCredential.ACCEPT_和_INITIATE、GSSCredential.ACCEPT_ONLY、GSSCredential.INITIATE_ONLY
public abstract GSSCredential createCredential(GSSName aName, int lifetime, Oid mechs[], int usage) throws GSSException
公共抽象GSSCredential createCredential(GSSName aName,int life,Oid mechs[],int usage)抛出GSSException
Factory method for acquiring credentials over a set of mechanisms. Acquires credentials for each of the mechanisms specified in the array called mechs. To determine the list of mechanisms' for which the acquisition of credentials succeeded, the caller should use the GSSCredential.getMechs() method.
用于通过一组机制获取凭据的工厂方法。获取在名为Mech的数组中指定的每个机制的凭据。要确定成功获取凭据的机制列表,调用方应使用GSSCredential.getMechs()方法。
Parameters:
参数:
aName Name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal.
要为其获取此凭据的主体的名称。使用“null”指定默认主体。
lifetime The number of seconds that credentials should remain valid. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
生存期凭据应保持有效的秒数。使用GSSCredential.u LIFETIME请求凭据具有允许的最大生存期。使用GSSCredential.DEFAULT_生存期请求默认凭据生存期。
mechs The array of mechanisms over which the credential is to be acquired. Use "(Oid[]) null" for requesting a system specific default set of mechanisms.
mechs获取凭证的机制阵列。使用“(Oid[])null”请求特定于系统的默认机制集。
usage The intended usage for this credential object. The value of this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE, GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
用法此凭据对象的预期用途。此参数的值必须是以下值之一:GSSCredential.ACCEPT_和_INITIATE、GSSCredential.ACCEPT_ONLY、GSSCredential.INITIATE_ONLY
public abstract GSSContext createContext(GSSName peer, Oid mech, GSSCredential myCred, int lifetime) throws GSSException
公共抽象GSSContext createContext(GSSName peer、Oid mech、GSSCredential myCred、int life)抛出GSSException
Factory method for creating a context on the initiator's side. Context flags may be modified through the mutator methods prior to calling GSSContext.initSecContext().
用于在启动器端创建上下文的工厂方法。在调用GSSContext.initSecContext()之前,可以通过mutator方法修改上下文标志。
Parameters:
参数:
peer Name of the target peer.
目标对等方的对等方名称。
mech Oid of the desired mechanism. Use "(Oid) null" to request default mechanism.
所需机构的机械类型。使用“(Oid)null”请求默认机制。
myCred Credentials of the initiator. Use "null" to act as a default initiator principal.
发起程序的myCred凭据。使用“null”作为默认启动器主体。
lifetime The request lifetime, in seconds, for the context. Use GSSContext.INDEFINITE_LIFETIME and GSSContext.DEFAULT_LIFETIME to request indefinite or default context lifetime.
生存期上下文的请求生存期,以秒为单位。使用GSSContext.infinite_生存期和GSSContext.DEFAULT_生存期请求不确定或默认上下文生存期。
public abstract GSSContext createContext(GSSCredential myCred) throws GSSException
公共抽象GSSContext createContext(GSSCredential myCred)抛出GSSException
Factory method for creating a context on the acceptor' side. The context's properties will be determined from the input token supplied to the accept method.
用于在接受方创建上下文的工厂方法。上下文的属性将由提供给accept方法的输入标记确定。
Parameters:
参数:
myCred Credentials for the acceptor. Use "null" to act as a default acceptor principal.
接受方的myCred凭据。使用“null”作为默认的接受主体。
public abstract GSSContext createContext(byte [] interProcessToken) throws GSSException
公共抽象GSSContext createContext(字节[]interProcessToken)引发GSSExException
Factory method for creating a previously exported context. The context properties will be determined from the input token and can't be modified through the set methods.
用于创建以前导出的上下文的工厂方法。上下文属性将由输入标记确定,不能通过set方法修改。
Parameters:
参数:
interProcessToken The token previously emitted from the export method.
interProcessToken先前从导出方法发出的标记。
public abstract void addProviderAtFront(Provider p, Oid mech) throws GSSException
公共抽象void addProviderAtFront(提供程序p、Oid mech)引发GSSExException
This method is used to indicate to the GSSManager that the application would like a particular provider to be used ahead of all others when support is desired for the given mechanism. When a value of null is used instead of an Oid for the mechanism, the GSSManager must use the indicated provider ahead of all others no matter what the mechanism is. Only when the indicated provider does not support the needed mechanism should the GSSManager move on to a different provider.
此方法用于向GSSManager指示,当需要对给定机制提供支持时,应用程序希望先使用特定的提供程序。当机制使用null值而不是Oid时,无论机制是什么,GSSManager都必须先使用指定的提供程序。只有当指定的提供程序不支持所需的机制时,GSSManager才应转到其他提供程序。
Calling this method repeatedly preserves the older settings but lowers them in preference thus forming an ordered list of provider and Oid pairs that grows at the top.
重复调用此方法会保留旧的设置,但会降低它们的优先级,从而形成一个有序的提供者和Oid对列表,并在顶部增长。
Calling addProviderAtFront with a null Oid will remove all previous preferences that were set for this provider in the GSSManager instance. Calling addProviderAtFront with a non-null Oid will remove any previous preference that was set using this mechanism and this provider together.
使用空Oid调用addProviderAtFront将删除GSSManager实例中为此提供程序设置的所有以前的首选项。使用非空Oid调用addProviderAtFront将删除以前使用此机制和此提供程序一起设置的任何首选项。
If the GSSManager implementation does not support an SPI with a pluggable provider architecture it should throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.
如果GSSManager实现不支持具有可插拔提供程序体系结构的SPI,则应抛出状态代码为GSSException.UNAVAILABLE的GSSException,以指示该操作不可用。
Parameters:
参数:
p The provider instance that should be used whenever support is needed for mech.
p在需要mech支持时应使用的提供程序实例。
mech The mechanism for which the provider is being set
mech为其设置提供程序的机制
Suppose an application desired that the provider A always be checked first when any mechanism is needed, it would call:
假设应用程序希望在需要任何机制时始终首先检查提供者A,它将调用:
GSSManager mgr = GSSManager.getInstance(); // mgr may at this point have its own pre-configured list // of provider preferences. The following will prepend to // any such list:
GSSManager mgr = GSSManager.getInstance(); // mgr may at this point have its own pre-configured list // of provider preferences. The following will prepend to // any such list:
mgr.addProviderAtFront(A, null);
经理addProviderAtFront(A,空);
Now if it also desired that the mechanism of Oid m1 always be obtained from the provider B before the previously set A was checked, it would call:
现在,如果它还希望Oid m1的机制总是在检查之前的集合A之前从提供者B获得,它将调用:
mgr.addProviderAtFront(B, m1);
经理助理行政主任(B、m1);
The GSSManager would then first check with B if m1 was needed. In case B did not provide support for m1, the GSSManager would continue on to check with A. If any mechanism m2 is needed where m2 is different from m1 then the GSSManager would skip B and check with A directly.
如果需要m1,GSSManager将首先与B进行检查。如果B没有为m1提供支持,则GSSManager将继续与A进行检查。如果m2与m1不同,则需要任何机制m2,则GSSManager将跳过B并直接与A进行检查。
Suppose at a later time the following call is made to the same GSSManager instance:
假设稍后对同一GSSManager实例进行以下调用:
mgr.addProviderAtFront(B, null)
经理addProviderAtFront(B,空)
then the previous setting with the pair (B, m1) is subsumed by this and should be removed. Effectively the list of preferences now becomes {(B, null), (A, null), ... //followed by the pre-configured list.
然后,该对(B,m1)的上一个设置被包含在其中,并且应该被删除。实际上,首选项列表现在变成{(B,null),(A,null),…//后跟预配置的列表。
Please note, however, that the following call:
但请注意,以下电话:
mgr.addProviderAtFront(A, m3)
经理添加ProviderAtfront(A,m3)
does not subsume the previous setting of (A, null) and the list will effectively become {(A, m3), (B, null), (A, null), ...}
不包含前面的(A,null)设置,列表将有效地变成{(A,m3),(B,null),(A,null),…}
public abstract addProviderAtEnd(Provider p, Oid mech) throws GSSException
公共抽象addProviderAttend(提供程序p,Oid mech)引发GSSException
This method is used to indicate to the GSSManager that the application would like a particular provider to be used if no other provider can be found that supports the given mechanism. When a value of null is used instead of an Oid for the mechanism, the GSSManager must use the indicated provider for any mechanism.
此方法用于向GSSManager指示,如果找不到支持给定机制的其他提供程序,则应用程序希望使用特定的提供程序。当机制使用null值而不是Oid时,GSSManager必须为任何机制使用指定的提供程序。
Calling this method repeatedly preserves the older settings but raises them above newer ones in preference thus forming an ordered list of providers and Oid pairs that grows at the bottom. Thus the older provider settings will be utilized first before this one is.
重复调用此方法会保留旧的设置,但会优先将它们提升到较新的设置之上,从而形成一个有序的提供者和Oid对列表,并在底部增长。因此,在使用此设置之前,将首先使用旧的提供程序设置。
If there are any previously existing preferences that conflict with the preference being set here, then the GSSManager should ignore this request.
如果有任何先前存在的首选项与此处设置的首选项冲突,那么GSSManager应该忽略此请求。
If the GSSManager implementation does not support an SPI with a pluggable provider architecture it should throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.
如果GSSManager实现不支持具有可插拔提供程序体系结构的SPI,则应抛出状态代码为GSSException.UNAVAILABLE的GSSException,以指示该操作不可用。
Parameters:
参数:
p The provider instance that should be used whenever support is needed for mech.
p在需要mech支持时应使用的提供程序实例。
mech The mechanism for which the provider is being set
mech为其设置提供程序的机制
Suppose an application desired that when a mechanism of Oid m1 is needed the system default providers always be checked first, and only when they do not support m1 should a provider A be checked. It would then make the call:
假设应用程序希望在需要Oid m1机制时,总是首先检查系统默认提供程序,并且只有当它们不支持m1时,才应检查提供程序a。然后它会打电话:
GSSManager mgr = GSSManager.getInstance();
GSSManager mgr = GSSManager.getInstance();
mgr.addProviderAtEnd(A, m1);
经理助理(A、m1);
Now, if it also desired that for all mechanisms the provider B be checked after all configured providers have been checked, it would then call:
现在,如果它还希望在检查所有配置的提供程序之后检查所有机制的提供程序B,那么它将调用:
mgr.addProviderAtEnd(B, null);
经理AddProviderAttend(B,空);
Effectively the list of preferences now becomes {..., (A, m1), (B, null)}.
实际上,首选项列表现在变成了{…,(A,m1),(B,null)}。
Suppose at a later time the following call is made to the same GSSManager instance:
假设稍后对同一GSSManager实例进行以下调用:
mgr.addProviderAtEnd(B, m2)
经理助理(B,m2)
then the previous setting with the pair (B, null) subsumes this and therefore this request should be ignored. The same would happen if a request is made for the already existing pairs of (A, m1) or (B, null).
然后,前面的设置(B,null)包含了这一点,因此应该忽略此请求。如果对已经存在的(a,m1)或(B,null)对发出请求,也会发生同样的情况。
Please note, however, that the following call:
但请注意,以下电话:
mgr.addProviderAtEnd(A, null)
经理AddProviderAttend(A,空)
is not subsumed by the previous setting of (A, m1) and the list will effectively become {..., (A, m1), (B, null), (A, null)}
不包含在前面的(A,m1)设置中,列表将有效地变成{…,(A,m1),(B,null),(A,null)}
This interface encapsulates a single GSS-API principal entity. Different name formats and their definitions are identified with universal Object Identifiers (Oids). The format of the names can be derived based on the unique oid of its namespace type.
此接口封装单个GSS-API主体实体。不同的名称格式及其定义由通用对象标识符(OID)标识。可以根据名称空间类型的唯一oid派生名称的格式。
Included below are code examples utilizing the GSSName interface. The code below creates a GSSName, converts it to a mechanism name (MN), performs a comparison, obtains a printable representation of the name, exports it and then re-imports to obtain a new GSSName.
下面是使用GSSName接口的代码示例。下面的代码创建GSSName,将其转换为机制名称(MN),执行比较,获取名称的可打印表示形式,将其导出,然后重新导入以获取新的GSSName。
GSSManager mgr = GSSManager.getInstance();
GSSManager mgr = GSSManager.getInstance();
// create a host based service name GSSName name = mgr.createName("service@host", GSSName.NT_HOSTBASED_SERVICE);
// create a host based service name GSSName name = mgr.createName("service@host", GSSName.NT_HOSTBASED_SERVICE);
Oid krb5 = new Oid("1.2.840.113554.1.2.2");
Oid krb5 = new Oid("1.2.840.113554.1.2.2");
GSSName mechName = name.canonicalize(krb5);
GSSName mechName = name.canonicalize(krb5);
// the above two steps are equivalent to the following GSSName mechName = mgr.createName("service@host", GSSName.NT_HOSTBASED_SERVICE, krb5);
// the above two steps are equivalent to the following GSSName mechName = mgr.createName("service@host", GSSName.NT_HOSTBASED_SERVICE, krb5);
// perform name comparison if (name.equals(mechName)) print("Names are equals.");
// perform name comparison if (name.equals(mechName)) print("Names are equals.");
// obtain textual representation of name and its printable // name type print(mechName.toString() + mechName.getStringNameType().toString());
// obtain textual representation of name and its printable // name type print(mechName.toString() + mechName.getStringNameType().toString());
// export and re-import the name byte [] exportName = mechName.export();
// export and re-import the name byte [] exportName = mechName.export();
// create a new name object from the exported buffer GSSName newName = mgr.createName(exportName, GSSName.NT_EXPORT_NAME);
// create a new name object from the exported buffer GSSName newName = mgr.createName(exportName, GSSName.NT_EXPORT_NAME);
public static final Oid NT_HOSTBASED_SERVICE
公共静态最终Oid NT\U基于主机的\U服务
Oid indicating a host-based service name form. It is used to represent services associated with host computers. This name form is constructed using two elements, "service" and "hostname", as follows:
Oid表示基于主机的服务名称表单。它用于表示与主机关联的服务。此名称表单使用两个元素“服务”和“主机名”构建,如下所示:
service@hostname
service@hostname
Values for the "service" element are registered with the IANA. It represents the following value: { 1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), 2(gss-host-based-services) }
Values for the "service" element are registered with the IANA. It represents the following value: { 1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), 2(gss-host-based-services) }
public static final Oid NT_USER_NAME
公共静态最终Oid NT\u用户名
Name type to indicate a named user on a local system. It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }
Name type to indicate a named user on a local system. It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) }
public static final Oid NT_MACHINE_UID_NAME
公共静态最终Oid NT\u机器\u UID\u名称
Name type to indicate a numeric user identifier corresponding to a user on a local system. (e.g. Uid). It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) machine_uid_name(2) }
Name type to indicate a numeric user identifier corresponding to a user on a local system. (e.g. Uid). It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) machine_uid_name(2) }
public static final Oid NT_STRING_UID_NAME
公共静态最终Oid NT\u字符串\u UID\u名称
Name type to indicate a string of digits representing the numeric user identifier of a user on a local system. It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) string_uid_name(3) }
Name type to indicate a string of digits representing the numeric user identifier of a user on a local system. It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) string_uid_name(3) }
public static final Oid NT_ANONYMOUS
公共静态最终Oid NT\U匿名
Name type for representing an anonymous entity. It represents the following value: { 1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), 3(gss-anonymous-name) }
Name type for representing an anonymous entity. It represents the following value: { 1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), 3(gss-anonymous-name) }
public static final Oid NT_EXPORT_NAME
公共静态最终Oid NT\u导出\u名称
Name type used to indicate an exported name produced by the export method. It represents the following value: { 1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), 4(gss-api-exported-name) }
Name type used to indicate an exported name produced by the export method. It represents the following value: { 1(iso), 3(org), 6(dod), 1(internet), 5(security), 6(nametypes), 4(gss-api-exported-name) }
public boolean equals(GSSName another) throws GSSException
公共布尔等于(GSSName-other)抛出GSSException
Compares two GSSName objects to determine whether they refer to the same entity. This method may throw a GSSException when the names cannot be compared. If either of the names represents an anonymous entity, the method will return "false".
比较两个GSSName对象以确定它们是否引用同一实体。当无法比较名称时,此方法可能引发GSSExException。如果其中任何一个名称表示匿名实体,则该方法将返回“false”。
Parameters:
参数:
another GSSName object to compare with.
要与之比较的另一个GSSName对象。
public boolean equals(Object another)
公共布尔等于(另一个对象)
A variation of the equals method described in 6.2.3 that is provided to override the Object.equals() method that the implementing class will inherit. The behavior is exactly the same as that in 6.2.3 except that no GSSException is thrown; instead, false will be returned in the situation where an error occurs. (Note that the Java language specification requires that two objects that are equal according to the equals(Object) method must return the same integer result when the hashCode() method is called on them.)
6.2.3中描述的equals方法的变体,用于重写实现类将继承的Object.equals()方法。该行为与6.2.3中的行为完全相同,只是没有抛出GSSException;相反,在发生错误的情况下将返回false。(请注意,Java语言规范要求根据equals(Object)方法相等的两个对象在调用hashCode()方法时必须返回相同的整数结果。)
Parameters:
参数:
another GSSName object to compare with.
要与之比较的另一个GSSName对象。
public GSSName canonicalize(Oid mech) throws GSSException
公共GSSName规范化(Oid mech)引发GSSException
Creates a mechanism name (MN) from an arbitrary internal name. This is equivalent to using the factory methods described in 6.1.9 or 6.1.10 that take the mechanism name as one of their parameters.
从任意内部名称创建机制名称(MN)。这相当于使用6.1.9或6.1.10中描述的工厂方法,将机构名称作为其参数之一。
Parameters:
参数:
mech The oid for the mechanism for which the canonical form of the name is requested.
mech请求名称规范形式的机制的oid。
public byte[] export() throws GSSException
公共字节[]导出()引发GSSExException
Returns a canonical contiguous byte representation of a mechanism name (MN), suitable for direct, byte by byte comparison by authorization functions. If the name is not an MN, implementations may throw a GSSException with the NAME_NOT_MN status code. If an implementation chooses not to throw an exception, it should use some system specific default mechanism to canonicalize the name and then export it. The format of the header of the output buffer is specified in RFC 2743.
返回机制名称(MN)的规范连续字节表示形式,适用于通过授权函数进行直接逐字节比较。如果名称不是MN,则实现可能会抛出带有名称\u not \u MN状态代码的GSSException。如果实现选择不抛出异常,它应该使用一些特定于系统的默认机制来规范化名称,然后将其导出。RFC 2743中指定了输出缓冲区标头的格式。
public String toString()
公共字符串toString()
Returns a textual representation of the GSSName object. To retrieve the printed name format, which determines the syntax of the returned string, the getStringNameType method can be used.
返回GSSName对象的文本表示形式。要检索打印的名称格式(它决定返回字符串的语法),可以使用getStringNameType方法。
public Oid getStringNameType() throws GSSException
公共Oid getStringNameType()引发GSSExException
Returns the oid representing the type of name returned through the toString method. Using this oid, the syntax of the printable name can be determined.
返回表示通过toString方法返回的名称类型的oid。使用此oid,可以确定可打印名称的语法。
public boolean isAnonymous()
公共布尔值为nonymous()
Tests if this name object represents an anonymous entity. Returns "true" if this is an anonymous name.
测试此名称对象是否表示匿名实体。如果这是匿名名称,则返回“true”。
public boolean isMN()
公共布尔isMN()
Tests if this name object contains only one mechanism element and is thus a mechanism name as defined by RFC 2743.
测试此名称对象是否仅包含一个机制元素,因此是RFC 2743定义的机制名称。
This interface encapsulates the GSS-API credentials for an entity. A credential contains all the necessary cryptographic information to enable the creation of a context on behalf of the entity that it
此接口封装实体的GSS-API凭据。凭证包含所有必要的加密信息,以支持代表其所属实体创建上下文
represents. It may contain multiple, distinct, mechanism specific credential elements, each containing information for a specific security mechanism, but all referring to the same entity.
代表。它可能包含多个不同的特定于机制的凭证元素,每个元素都包含特定安全机制的信息,但都指向同一实体。
A credential may be used to perform context initiation, acceptance, or both.
凭证可用于执行上下文启动、接受或两者。
GSS-API implementations must impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. GSS-API credential creation is not intended to provide a "login to the network" function, as such a function would involve the creation of new credentials rather than merely acquiring a handle to existing credentials. Such functions, if required, should be defined in implementation-specific extensions to the API.
GSS-API实现必须对呼叫者实施本地访问控制策略,以防止未经授权的呼叫者获取他们无权获得的凭据。GSS-API凭证创建并非旨在提供“登录到网络”功能,因为此类功能将涉及新凭证的创建,而不仅仅是获取现有凭证的句柄。如果需要,这些函数应该在API的特定于实现的扩展中定义。
If credential acquisition is time-consuming for a mechanism, the mechanism may choose to delay the actual acquisition until the credential is required (e.g. by GSSContext). Such mechanism-specific implementation decisions should be invisible to the calling application; thus the query methods immediately following the creation of a credential object must return valid credential data, and may therefore incur the overhead of a deferred credential acquisition.
如果某个机制的凭证获取非常耗时,则该机制可以选择延迟实际获取,直到需要凭证为止(例如通过GSSContext)。这种特定于机制的实现决策应该对调用应用程序不可见;因此,紧随凭证对象创建之后的查询方法必须返回有效凭证数据,因此可能导致延迟凭证获取的开销。
Applications will create a credential object passing the desired parameters. The application can then use the query methods to obtain specific information about the instantiated credential object (equivalent to the gss_inquire routines). When the credential is no longer needed, the application should call the dispose (equivalent to gss_release_cred) method to release any resources held by the credential object and to destroy any cryptographically sensitive information.
应用程序将创建一个传递所需参数的凭证对象。然后,应用程序可以使用查询方法获取有关实例化凭证对象的特定信息(相当于gss_查询例程)。当不再需要凭证时,应用程序应调用dispose(相当于gss_release_cred)方法来释放凭证对象持有的任何资源并销毁任何加密敏感信息。
Classes implementing this interface also implement the Cloneable interface. This indicates the the class will support the clone() method that will allow the creation of duplicate credentials. This is useful when called just before the add() call to retain a copy of the original credential.
实现此接口的类也实现可克隆接口。这表示类将支持clone()方法,该方法将允许创建重复的凭据。当在add()调用之前调用以保留原始凭证的副本时,这非常有用。
This example code demonstrates the creation of a GSSCredential implementation for a specific entity, querying of its fields, and its release when it is no longer needed.
此示例代码演示了为特定实体创建GSSCredential实现、查询其字段以及在不再需要时发布。
GSSManager mgr = GSSManager.getInstance();
GSSManager mgr = GSSManager.getInstance();
// start by creating a name object for the entity GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);
// start by creating a name object for the entity GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME);
// now acquire credentials for the entity GSSCredential cred = mgr.createCredential(name, GSSCredential.ACCEPT_ONLY);
// now acquire credentials for the entity GSSCredential cred = mgr.createCredential(name, GSSCredential.ACCEPT_ONLY);
// display credential information - name, remaining lifetime, // and the mechanisms it has been acquired over print(cred.getName().toString()); print(cred.getRemainingLifetime());
// display credential information - name, remaining lifetime, // and the mechanisms it has been acquired over print(cred.getName().toString()); print(cred.getRemainingLifetime());
Oid [] mechs = cred.getMechs(); if (mechs != null) { for (int i = 0; i < mechs.length; i++) print(mechs[i].toString()); }
Oid [] mechs = cred.getMechs(); if (mechs != null) { for (int i = 0; i < mechs.length; i++) print(mechs[i].toString()); }
// release system resources held by the credential cred.dispose();
// release system resources held by the credential cred.dispose();
public static final int INITIATE_AND_ACCEPT
公共静态final int INITIATE_和_ACCEPT
Credential usage flag requesting that it be able to be used for both context initiation and acceptance.
凭证使用标志,要求它能够用于上下文启动和接受。
public static final int INITIATE_ONLY
仅限公共静态最终整数初始化
Credential usage flag requesting that it be able to be used for context initiation only.
凭据使用标志,请求它只能用于上下文初始化。
public static final int ACCEPT_ONLY
公共静态最终整数仅接受
Credential usage flag requesting that it be able to be used for context acceptance only.
凭证使用标志,请求它只能用于上下文接受。
public static final int DEFAULT_LIFETIME
公共静态最终int默认_生存期
A lifetime constant representing the default credential lifetime.
表示默认凭据生存期的生存期常量。
This value must be set to 0.
此值必须设置为0。
public static final int INDEFINITE_LIFETIME
公共静态最终int_寿命
A lifetime constant representing indefinite credential lifetime. This value must be set to the maximum integer value in Java - Integer.MAX_VALUE.
表示无限凭证生存期的生存期常量。此值必须设置为Java-integer.MAX_值中的最大整数值。
public void dispose() throws GSSException
public void dispose()引发GSSExException
Releases any sensitive information that the GSSCredential object may be containing. Applications should call this method as soon as the credential is no longer needed to minimize the time any sensitive information is maintained.
释放GSSCredential对象可能包含的任何敏感信息。一旦不再需要凭证,应用程序应立即调用此方法,以尽可能缩短任何敏感信息的维护时间。
public GSSName getName() throws GSSException
公共GSSName getName()引发GSSExException
Retrieves the name of the entity that the credential asserts.
检索凭据断言的实体的名称。
public GSSName getName(Oid mechOID) throws GSSException
公共GSSName getName(Oid mechOID)引发GSSException
Retrieves a mechanism name of the entity that the credential asserts. Equivalent to calling canonicalize() on the name returned by 7.3.3.
检索凭据断言的实体的机制名称。相当于对7.3.3返回的名称调用canonicalize()。
Parameters:
参数:
mechOID The mechanism for which information should be returned.
mechOID应返回信息的机制。
public int getRemainingLifetime() throws GSSException
public int getRemainingLifetime()引发GSSExException
Returns the remaining lifetime in seconds for a credential. The remaining lifetime is the minimum lifetime for any of the underlying credential mechanisms. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire. A return value of 0 indicates that the credential is already expired.
返回凭据的剩余生存期(秒)。剩余生存期是任何基础凭据机制的最小生存期。返回值GSSCredential.u life表示凭证未过期。返回值0表示凭据已过期。
public int getRemainingInitLifetime(Oid mech) throws GSSException
public int getRemainingInitLifetime(Oid mech)引发GSSExException
Returns the remaining lifetime is seconds for the credential to remain capable of initiating security contexts under the specified mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire for context initiation. A return value of 0 indicates that the credential is already expired.
返回凭据在指定机制下能够启动安全上下文的剩余生存期为秒。返回值GSSCredential.u life表示凭据不会因上下文启动而过期。返回值0表示凭据已过期。
Parameters:
参数:
mechOID The mechanism for which information should be returned.
mechOID应返回信息的机制。
public int getRemainingAcceptLifetime(Oid mech) throws GSSException
public int getRemainingAcceptLifetime(Oid mech)引发GSSExException
Returns the remaining lifetime is seconds for the credential to remain capable of accepting security contexts under the specified mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire for context acceptance. A return value of 0 indicates that the credential is already expired.
返回凭据在指定机制下能够接受安全上下文的剩余生存期为秒。返回值GSSCredential.u life表示凭证不会因上下文接受而过期。返回值0表示凭据已过期。
Parameters:
参数:
mechOID The mechanism for which information should be returned.
mechOID应返回信息的机制。
public int getUsage() throws GSSException
public int getUsage()引发GSSExException
Returns the credential usage flag. The return value will be one of GSSCredential.INITIATE_ONLY, GSSCredential.ACCEPT_ONLY, or GSSCredential.INITIATE_AND_ACCEPT.
返回凭证使用标志。返回值将是GSSCredential.INITIATE_ONLY、GSSCredential.ACCEPT_ONLY或GSSCredential.INITIATE_和_ACCEPT中的一个。
public int getUsage(Oid mechOID) throws GSSException
public int getUsage(Oid mechOID)引发GSSExException
Returns the credential usage flag for the specified credential mechanism. The return value will be one of GSSCredential.INITIATE_ONLY, GSSCredential.ACCEPT_ONLY, or GSSCredential.INITIATE_AND_ACCEPT.
返回指定凭据机制的凭据使用标志。返回值将是GSSCredential.INITIATE_ONLY、GSSCredential.ACCEPT_ONLY或GSSCredential.INITIATE_和_ACCEPT中的一个。
Parameters:
参数:
mechOID The mechanism for which information should be returned.
mechOID应返回信息的机制。
public Oid[] getMechs() throws GSSException
public Oid[]getMechs()引发GSSExException
Returns an array of mechanisms supported by this credential.
返回此凭据支持的机制数组。
public void add(GSSName aName, int initLifetime, int acceptLifetime, Oid mech, int usage) throws GSSException
public void add(GSSName aName、int initlife、int acceptlife、Oid mech、int usage)抛出GSSException
Adds a mechanism specific credential-element to an existing credential. This method allows the construction of credentials one mechanism at a time.
将特定于机制的凭据元素添加到现有凭据。此方法允许一次构造一个机制的凭据。
This routine is envisioned to be used mainly by context acceptors during the creation of acceptance credentials which are to be used with a variety of clients using different security mechanisms.
该例程主要由上下文接受者在创建接受凭证期间使用,接受凭证将与使用不同安全机制的各种客户端一起使用。
This routine adds the new credential element "in-place". To add the element in a new credential, first call clone() to obtain a copy of this credential, then call its add() method.
此例程添加新的凭证元素“就地”。要在新凭据中添加元素,请首先调用clone()以获取此凭据的副本,然后调用其add()方法。
Parameters:
参数:
aName Name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal.
要为其获取此凭据的主体的名称。使用“null”指定默认主体。
initLifetime The number of seconds that credentials should remain valid for initiating of security contexts. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
initLifetime凭据在启动安全上下文时应保持有效的秒数。使用GSSCredential.u LIFETIME请求凭据具有允许的最大生存期。使用GSSCredential.DEFAULT_生存期请求默认凭据生存期。
acceptLifetime The number of seconds that credentials should remain valid for accepting of security contexts. Use GSSCredential.INDEFINITE_LIFETIME to request that the
acceptLifetime凭据在接受安全上下文时应保持有效的秒数。使用GSSCredential.u生命周期请求
credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime.
凭据具有允许的最大生存期。使用GSSCredential.DEFAULT_生存期请求默认凭据生存期。
mech The mechanisms over which the credential is to be acquired.
mech用于获取凭证的机制。
usage The intended usage for this credential object. The value of this parameter must be one of: GSSCredential.ACCEPT_AND_INITIATE, GSSCredential.ACCEPT_ONLY, GSSCredential.INITIATE_ONLY
用法此凭据对象的预期用途。此参数的值必须是以下值之一:GSSCredential.ACCEPT_和_INITIATE、GSSCredential.ACCEPT_ONLY、GSSCredential.INITIATE_ONLY
public boolean equals(Object another)
公共布尔等于(另一个对象)
Tests if this GSSCredential refers to the same entity as the supplied object. The two credentials must be acquired over the same mechanisms and must refer to the same principal. Returns "true" if the two GSSCredentials refer to the same entity; "false" otherwise. (Note that the Java language specification requires that two objects that are equal according to the equals(Object) method must return the same integer result when the hashCode() method is called on them.)
测试此GSSCredential是否引用与所提供对象相同的实体。这两个凭证必须通过相同的机制获取,并且必须引用相同的主体。如果两个GSSCredentials引用同一实体,则返回“true”;否则为“假”。(请注意,Java语言规范要求根据equals(Object)方法相等的两个对象在调用hashCode()方法时必须返回相同的整数结果。)
Parameters:
参数:
another Another GSSCredential object for comparison.
另一个GSSCredential对象用于比较。
This interface encapsulates the GSS-API security context and provides the security services (wrap, unwrap, getMIC, verifyMIC) that are available over the context. Security contexts are established between peers using locally acquired credentials. Multiple contexts may exist simultaneously between a pair of peers, using the same or different set of credentials. GSS-API functions in a manner independent of the underlying transport protocol and depends on its calling application to transport its tokens between peers.
此接口封装GSS-API安全上下文,并提供可通过上下文使用的安全服务(wrap、unwrap、getMIC、verifyMIC)。使用本地获取的凭据在对等方之间建立安全上下文。使用相同或不同的凭证集,一对对等方之间可能同时存在多个上下文。GSS-API以独立于底层传输协议的方式运行,并依赖其调用应用程序在对等方之间传输其令牌。
Before the context establishment phase is initiated, the context initiator may request specific characteristics desired of the established context. These can be set using the set methods. After the context is established, the caller can check the actual characteristic and services offered by the context using the query methods.
在发起上下文建立阶段之前,上下文发起方可以请求所建立上下文的期望特定特征。可以使用set方法设置这些参数。建立上下文后,调用方可以使用查询方法检查上下文提供的实际特征和服务。
The context establishment phase begins with the first call to the init method by the context initiator. During this phase the initSecContext and acceptSecContext methods will produce GSS-API authentication tokens which the calling application needs to send to its peer. If an error occurs at any point, an exception will get thrown and the code will start executing in a catch block. If not, the normal flow of code continues and the application can make a call to the isEstablished() method. If this method returns false it indicates that a token is needed from its peer in order to continue the context establishment phase. A return value of true signals that the local end of the context is established. This may still require that a token be sent to the peer, if one is produced by GSS-API. During the context establishment phase, the isProtReady() method may be called to determine if the context can be used for the per-message operations. This allows applications to use per-message operations on contexts which aren't fully established.
上下文建立阶段从上下文启动器对init方法的第一次调用开始。在此阶段,initSecContext和acceptSecContext方法将生成GSS-API身份验证令牌,调用应用程序需要将这些令牌发送给其对等方。如果在任何时候发生错误,将抛出异常,代码将开始在catch块中执行。否则,正常的代码流将继续,应用程序可以调用isEstablished()方法。如果此方法返回false,则表示需要从其对等方获得令牌以继续上下文建立阶段。true的返回值表示已建立上下文的本地端。这可能仍然需要向对等方发送令牌(如果由GSS-API生成)。在上下文建立阶段,可以调用isProtReady()方法来确定上下文是否可用于每消息操作。这允许应用程序在未完全建立的上下文上使用每消息操作。
After the context has been established or the isProtReady() method returns "true", the query routines can be invoked to determine the actual characteristics and services of the established context. The application can also start using the per-message methods of wrap and getMIC to obtain cryptographic operations on application supplied data.
在建立上下文或isProtReady()方法返回“true”后,可以调用查询例程来确定所建立上下文的实际特征和服务。应用程序还可以开始使用wrap和getMIC的per-message方法对应用程序提供的数据进行加密操作。
When the context is no longer needed, the application should call dispose to release any system resources the context may be using.
当不再需要上下文时,应用程序应调用dispose以释放上下文可能正在使用的任何系统资源。
The example code presented below demonstrates the usage of the GSSContext interface for the initiating peer. Different operations on the GSSContext object are presented, including: object instantiation, setting of desired flags, context establishment, query of actual context flags, per-message operations on application data, and finally context deletion.
下面给出的示例代码演示了GSSContext接口在发起对等机中的用法。介绍了GSSContext对象上的不同操作,包括:对象实例化、所需标志的设置、上下文建立、实际上下文标志的查询、对应用程序数据的每条消息操作,以及最后的上下文删除。
GSSManager mgr = GSSManager.getInstance();
GSSManager mgr = GSSManager.getInstance();
// start by creating the name for a service entity GSSName targetName = mgr.createName("service@host", GSSName.NT_HOSTBASED_SERVICE);
// start by creating the name for a service entity GSSName targetName = mgr.createName("service@host", GSSName.NT_HOSTBASED_SERVICE);
// create a context using default credentials for the above entity // and the implementation specific default mechanism GSSContext context = mgr.createContext(targetName, null, /* default mechanism */ null, /* default credentials */ GSSContext.INDEFINITE_LIFETIME);
// create a context using default credentials for the above entity // and the implementation specific default mechanism GSSContext context = mgr.createContext(targetName, null, /* default mechanism */ null, /* default credentials */ GSSContext.INDEFINITE_LIFETIME);
// set desired context options - all others are false by default context.requestConf(true); context.requestMutualAuth(true); context.requestReplayDet(true); context.requestSequenceDet(true);
// set desired context options - all others are false by default context.requestConf(true); context.requestMutualAuth(true); context.requestReplayDet(true); context.requestSequenceDet(true);
// establish a context between peers - using byte arrays byte []inTok = new byte[0];
// establish a context between peers - using byte arrays byte []inTok = new byte[0];
try { do { byte[] outTok = context.initSecContext(inTok, 0, inTok.length);
try { do { byte[] outTok = context.initSecContext(inTok, 0, inTok.length);
// send the token if present if (outTok != null) sendToken(outTok);
// send the token if present if (outTok != null) sendToken(outTok);
// check if we should expect more tokens if (context.isEstablished()) break;
//检查如果(context.isEstablished())中断,我们是否应该期望更多令牌;
// another token expected from peer inTok = readToken();
// another token expected from peer inTok = readToken();
} while (true);
}虽然(正确);
} catch (GSSException e) { print("GSSAPI error: " + e.getMessage()); }
} catch (GSSException e) { print("GSSAPI error: " + e.getMessage()); }
// display context information print("Remaining lifetime in seconds = " + context.getLifetime()); print("Context mechanism = " + context.getMech().toString()); print("Initiator = " + context.getSrcName().toString()); print("Acceptor = " + context.getTargName().toString());
// display context information print("Remaining lifetime in seconds = " + context.getLifetime()); print("Context mechanism = " + context.getMech().toString()); print("Initiator = " + context.getSrcName().toString()); print("Acceptor = " + context.getTargName().toString());
if (context.getConfState()) print("Confidentiality security service available");
如果(context.getConfState())打印(“保密安全服务可用”);
if (context.getIntegState()) print("Integrity security service available");
如果(context.getIntegrationState())打印(“完整性安全服务可用”);
// perform wrap on an application supplied message, appMsg, // using QOP = 0, and requesting privacy service byte [] appMsg ...
//在应用程序提供的消息appMsg上执行wrap,//使用QOP=0,并请求隐私服务字节[]appMsg。。。
MessageProp mProp = new MessageProp(0, true);
MessageProp mProp = new MessageProp(0, true);
byte []tok = context.wrap(appMsg, 0, appMsg.length, mProp);
byte []tok = context.wrap(appMsg, 0, appMsg.length, mProp);
if (mProp.getPrivacy()) print("Message protected with privacy.");
如果(mProp.getPrivacy())打印(“受隐私保护的邮件”);
sendToken(tok);
sendToken(tok);
// release the local-end of the context context.dispose();
// release the local-end of the context context.dispose();
public static final int DEFAULT_LIFETIME
公共静态最终int默认_生存期
A lifetime constant representing the default context lifetime. This value must be set to 0.
表示默认上下文生存期的生存期常量。此值必须设置为0。
public static final int INDEFINITE_LIFETIME
公共静态最终int_寿命
A lifetime constant representing indefinite context lifetime. This value must be set to the maximum integer value in Java - Integer.MAX_VALUE.
表示不确定上下文生存期的生存期常量。此值必须设置为Java-integer.MAX_值中的最大整数值。
public byte[] initSecContext(byte inputBuf[], int offset, int len) throws GSSException
公共字节[]initSecContext(字节inputBuf[],int offset,int len)引发GSSExException
Called by the context initiator to start the context creation process. This is equivalent to the stream based method except that the token buffers are handled as byte arrays instead of using stream objects. This method may return an output token which the application will need to send to the peer for processing by the accept call. Typically, the application would do so by calling the flush() method on an OutputStream that encapsulates the connection between the two peers. The application can call isEstablished() to determine if the context establishment phase is complete for this peer. A return value of "false" from isEstablished() indicates that more tokens are expected to be supplied to the initSecContext() method. Note that it is possible that the initSecContext() method return a token for the peer, and isEstablished() return "true" also. This indicates that the token needs to be sent to the peer, but the local end of the context is now fully established.
由上下文启动器调用以启动上下文创建过程。这相当于基于流的方法,只是令牌缓冲区作为字节数组处理,而不是使用流对象。此方法可能会返回一个输出令牌,应用程序需要将该令牌发送给对等方,以便通过accept调用进行处理。通常,应用程序会通过在封装两个对等方之间连接的OutputStream上调用flush()方法来实现。应用程序可以调用isEstablished()来确定该对等方的上下文建立阶段是否已完成。isEstablished()的返回值为“false”表示需要向initSecContext()方法提供更多的令牌。请注意,initSecContext()方法可能会返回对等方的令牌,isEstablished()也可能返回“true”。这表示需要将令牌发送到对等方,但上下文的本地端现在已完全建立。
Upon completion of the context establishment, the available context options may be queried through the get methods.
上下文建立完成后,可以通过get方法查询可用的上下文选项。
Parameters:
参数:
inputBuf Token generated by the peer. This parameter is ignored on the first call.
由对等方生成的inputBuf令牌。此参数在第一次调用时被忽略。
offset The offset within the inputBuf where the token begins.
偏移标记开始的inputBuf内的偏移量。
len The length of the token within the inputBuf (starting at the offset).
len inputBuf内令牌的长度(从偏移量开始)。
// Create a new GSSContext implementation object. // GSSContext wrapper implements interface GSSContext. GSSContext context = mgr.createContext(...);
// Create a new GSSContext implementation object. // GSSContext wrapper implements interface GSSContext. GSSContext context = mgr.createContext(...);
byte []inTok = new byte[0];
字节[]inTok=新字节[0];
try {
试一试{
do { byte[] outTok = context.initSecContext(inTok, 0, inTok.length);
do { byte[] outTok = context.initSecContext(inTok, 0, inTok.length);
// send the token if present if (outTok != null) sendToken(outTok);
// send the token if present if (outTok != null) sendToken(outTok);
// check if we should expect more tokens if (context.isEstablished()) break;
//检查如果(context.isEstablished())中断,我们是否应该期望更多令牌;
// another token expected from peer inTok = readToken(); } while (true);
// another token expected from peer inTok = readToken(); } while (true);
} catch (GSSException e) { print("GSSAPI error: " + e.getMessage()); }
} catch (GSSException e) { print("GSSAPI error: " + e.getMessage()); }
public int initSecContext(InputStream inStream, OutputStream outStream) throws GSSException
public int initSecContext(InputStream inStream,OutputStream outtream)抛出GSSException
Called by the context initiator to start the context creation process. This is equivalent to the byte array based method. This method may write an output token to the outStream, which the application will need to send to the peer for processing by the accept call. Typically, the application would do so by calling the flush() method on an OutputStream that encapsulates the connection between the two peers. The application can call isEstablished() to determine if the context establishment phase is complete for this peer. A return value of "false" from isEstablished indicates that more tokens are expected to be supplied to the initSecContext method. Note that it is possible that the initSecContext() method return a token for the peer, and isEstablished() return "true" also. This indicates that the token needs to be sent to the peer, but the local end of the context is now fully established.
由上下文启动器调用以启动上下文创建过程。这相当于基于字节数组的方法。此方法可能会将输出令牌写入扩展流,应用程序需要将其发送给对等方,以便通过accept调用进行处理。通常,应用程序会通过在封装两个对等方之间连接的OutputStream上调用flush()方法来实现。应用程序可以调用isEstablished()来确定该对等方的上下文建立阶段是否已完成。isEstablished的返回值“false”表示预期会向initSecContext方法提供更多令牌。请注意,initSecContext()方法可能会返回对等方的令牌,isEstablished()也可能返回“true”。这表示需要将令牌发送到对等方,但上下文的本地端现在已完全建立。
The GSS-API authentication tokens contain a definitive start and end. This method will attempt to read one of these tokens per invocation, and may block on the stream if only part of the token is available.
GSS-API认证令牌包含最终的开始和结束。此方法将在每次调用时尝试读取其中一个令牌,如果只有部分令牌可用,则可能会阻塞流。
Upon completion of the context establishment, the available context options may be queried through the get methods.
上下文建立完成后,可以通过get方法查询可用的上下文选项。
Parameters:
参数:
inStream Contains the token generated by the peer. This parameter is ignored on the first call.
inStream包含对等方生成的令牌。此参数在第一次调用时被忽略。
outStream Output stream where the output token will be written. During the final stage of context establishment, there may be no bytes written.
将输出令牌写入的输出流外扩。在上下文建立的最后阶段,可能没有写入字节。
This sample code merely demonstrates the token exchange during the context establishment phase. It is expected that most Java applications will use custom implementations of the Input and Output streams that encapsulate the communication routines. For instance, a simple read on the application InputStream, when called by the Context, might cause a token to be read from the peer, and a simple flush() on the application OutputStream might cause a previously written token to be transmitted to the peer.
此示例代码仅演示上下文建立阶段的令牌交换。预计大多数Java应用程序将使用封装通信例程的输入和输出流的自定义实现。例如,当上下文调用应用程序InputStream时,对应用程序InputStream的简单读取可能会导致从对等方读取令牌,而对应用程序OutputStream的简单刷新()可能会导致将以前写入的令牌传输到对等方。
// Create a new GSSContext implementation object.
//创建新的GSSContext实现对象。
// GSSContext wrapper implements interface GSSContext. GSSContext context = mgr.createContext(...);
// GSSContext wrapper implements interface GSSContext. GSSContext context = mgr.createContext(...);
// use standard java.io stream objects ByteArrayOutputStream os = new ByteArrayOutputStream(); ByteArrayInputStream is = null;
// use standard java.io stream objects ByteArrayOutputStream os = new ByteArrayOutputStream(); ByteArrayInputStream is = null;
try {
试一试{
do { context.initSecContext(is, os);
do { context.initSecContext(is, os);
// send token if present if (os.size() > 0) sendToken(os);
// send token if present if (os.size() > 0) sendToken(os);
// check if we should expect more tokens if (context.isEstablished()) break;
//检查如果(context.isEstablished())中断,我们是否应该期望更多令牌;
// another token expected from peer is = recvToken();
// another token expected from peer is = recvToken();
} while (true);
}虽然(正确);
} catch (GSSException e) { print("GSSAPI error: " + e.getMessage()); }
} catch (GSSException e) { print("GSSAPI error: " + e.getMessage()); }
public byte[] acceptSecContext(byte inTok[], int offset, int len) throws GSSException
公共字节[]acceptSecContext(字节inTok[],int offset,int len)引发GSSException
Called by the context acceptor upon receiving a token from the peer. This call is equivalent to the stream based method except that the token buffers are handled as byte arrays instead of using stream objects.
在从对等方接收令牌时由上下文接受者调用。此调用与基于流的方法等效,只是令牌缓冲区作为字节数组处理,而不是使用流对象。
This method may return an output token which the application will need to send to the peer for further processing by the init call.
此方法可能会返回一个输出令牌,应用程序需要将该令牌发送给对等方,以便通过init调用进行进一步处理。
"null" return value indicates that no token needs to be sent to the peer. The application can call isEstablished() to determine if the context establishment phase is complete for this peer. A return value of "false" from isEstablished() indicates that more tokens are expected to be supplied to this method.
“null”返回值表示不需要向对等方发送令牌。应用程序可以调用isEstablished()来确定该对等方的上下文建立阶段是否已完成。isEstablished()返回的值为“false”,表示预期将向该方法提供更多令牌。
Note that it is possible that acceptSecContext() return a token for the peer, and isEstablished() return "true" also. This indicates that the token needs to be sent to the peer, but the local end of the context is now fully established.
请注意,acceptSecContext()可能返回对等方的令牌,isEstablished()也可能返回“true”。这表示需要将令牌发送到对等方,但上下文的本地端现在已完全建立。
Upon completion of the context establishment, the available context options may be queried through the get methods.
上下文建立完成后,可以通过get方法查询可用的上下文选项。
Parameters:
参数:
inTok Token generated by the peer.
对等方生成的inTok令牌。
offset The offset within the inTok where the token begins.
偏移令牌开始的inTok内的偏移量。
len The length of the token within the inTok (starting at the offset).
len inTok内令牌的长度(从偏移量开始)。
// acquire server credentials GSSCredential server = mgr.createCredential(...);
// acquire server credentials GSSCredential server = mgr.createCredential(...);
// create acceptor GSS-API context from the default provider GSSContext context = mgr.createContext(server, null);
// create acceptor GSS-API context from the default provider GSSContext context = mgr.createContext(server, null);
try { do { byte [] inTok = readToken();
try { do { byte [] inTok = readToken();
byte []outTok = context.acceptSecContext(inTok, 0, inTok.length);
字节[]outTok=context.acceptSecContext(inTok,0,inTok.length);
// possibly send token to peer if (outTok != null) sendToken(outTok);
// possibly send token to peer if (outTok != null) sendToken(outTok);
// check if local context establishment is complete if (context.isEstablished()) break; } while (true);
// check if local context establishment is complete if (context.isEstablished()) break; } while (true);
} catch (GSSException e) { print("GSS-API error: " + e.getMessage()); }
} catch (GSSException e) { print("GSS-API error: " + e.getMessage()); }
public void acceptSecContext(InputStream inStream, OutputStream outStream) throws GSSException
public void acceptSecContext(InputStream流入,OutputStream流出)引发GSSException
Called by the context acceptor upon receiving a token from the peer. This call is equivalent to the byte array method. It may write an output token to the outStream, which the application will need to send to the peer for processing by its initSecContext method. Typically, the application would do so by calling the flush() method on an OutputStream that encapsulates the connection between the two peers. The application can call isEstablished() to determine if the context establishment phase is complete for this peer. A return value of "false" from isEstablished() indicates that more tokens are expected to be supplied to this method.
在从对等方接收令牌时由上下文接受者调用。此调用相当于字节数组方法。它可能会将输出令牌写入扩展流,应用程序需要将其发送给对等方,以便通过其initSecContext方法进行处理。通常,应用程序会通过在封装两个对等方之间连接的OutputStream上调用flush()方法来实现。应用程序可以调用isEstablished()来确定该对等方的上下文建立阶段是否已完成。isEstablished()返回的值为“false”,表示预期将向该方法提供更多令牌。
Note that it is possible that acceptSecContext() return a token for the peer, and isEstablished() return "true" also. This indicates that the token needs to be sent to the peer, but the local end of the context is now fully established.
请注意,acceptSecContext()可能返回对等方的令牌,isEstablished()也可能返回“true”。这表示需要将令牌发送到对等方,但上下文的本地端现在已完全建立。
The GSS-API authentication tokens contain a definitive start and end. This method will attempt to read one of these tokens per invocation, and may block on the stream if only part of the token is available.
GSS-API认证令牌包含最终的开始和结束。此方法将在每次调用时尝试读取其中一个令牌,如果只有部分令牌可用,则可能会阻塞流。
Upon completion of the context establishment, the available context options may be queried through the get methods.
上下文建立完成后,可以通过get方法查询可用的上下文选项。
Parameters:
参数:
inStream Contains the token generated by the peer.
inStream包含对等方生成的令牌。
outStream Output stream where the output token will be written. During the final stage of context establishment, there may be no bytes written.
将输出令牌写入的输出流外扩。在上下文建立的最后阶段,可能没有写入字节。
This sample code merely demonstrates the token exchange during the context establishment phase. It is expected that most Java applications will use custom implementations of the Input and Output streams that encapsulate the communication routines. For instance, a simple read on the application InputStream, when called by the Context, might cause a token to be read from the peer, and a simple flush() on the application OutputStream might cause a previously written token to be transmitted to the peer.
此示例代码仅演示上下文建立阶段的令牌交换。预计大多数Java应用程序将使用封装通信例程的输入和输出流的自定义实现。例如,当上下文调用应用程序InputStream时,对应用程序InputStream的简单读取可能会导致从对等方读取令牌,而对应用程序OutputStream的简单刷新()可能会导致将以前写入的令牌传输到对等方。
// acquire server credentials
//获取服务器凭据
GSSCredential server = mgr.createCredential(...);
GSSCredential server = mgr.createCredential(...);
// create acceptor GSS-API context from the default provider GSSContext context = mgr.createContext(server, null);
// create acceptor GSS-API context from the default provider GSSContext context = mgr.createContext(server, null);
// use standard java.io stream objects ByteArrayOutputStream os = new ByteArrayOutputStream(); ByteArrayInputStream is = null;
// use standard java.io stream objects ByteArrayOutputStream os = new ByteArrayOutputStream(); ByteArrayInputStream is = null;
try { do {
try { do {
is = recvToken();
is = recvToken();
context.acceptSecContext(is, os);
acceptSecContext(is,os);
// possibly send token to peer if (os.size() > 0) sendToken(os);
// possibly send token to peer if (os.size() > 0) sendToken(os);
// check if local context establishment is complete if (context.isEstablished()) break; } while (true);
// check if local context establishment is complete if (context.isEstablished()) break; } while (true);
} catch (GSSException e) { print("GSS-API error: " + e.getMessage()); }
} catch (GSSException e) { print("GSS-API error: " + e.getMessage()); }
public boolean isEstablished()
已建立公共数据库()
Used during context establishment to determine the state of the context. Returns "true" if this is a fully established context on the caller's side and no more tokens are needed from the peer. Should be called after a call to initSecContext() or acceptSecContext() when no GSSException is thrown.
在上下文建立期间用于确定上下文的状态。如果这是调用方端完全建立的上下文,并且不需要来自对等方的更多令牌,则返回“true”。当未引发GSSExException时,应在调用initSecContext()或acceptSecContext()后调用。
public void dispose() throws GSSException
public void dispose()引发GSSExException
Releases any system resources and cryptographic information stored in the context object. This will invalidate the context.
释放存储在上下文对象中的任何系统资源和加密信息。这将使上下文无效。
public int getWrapSizeLimit(int qop, boolean confReq, int maxTokenSize) throws GSSException
public int getWrapSizeLimit(int-qop、boolean-confReq、int-maxTokenSize)引发GSSExException
Returns the maximum message size that, if presented to the wrap method with the same confReq and qop parameters, will result in an output token containing no more than the maxTokenSize bytes.
返回最大消息大小,如果使用相同的confReq和qop参数呈现给wrap方法,将导致输出令牌包含不超过maxTokenSize字节。
This call is intended for use by applications that communicate over protocols that impose a maximum message size. It enables the application to fragment messages prior to applying protection.
此调用用于通过施加最大消息大小的协议进行通信的应用程序。它使应用程序能够在应用保护之前对消息进行分段。
GSS-API implementations are recommended but not required to detect invalid QOP values when getWrapSizeLimit is called. This routine guarantees only a maximum message size, not the availability of specific QOP values for message protection.
建议使用GSS-API实现,但不要求在调用getWrapSizeLimit时检测无效的QOP值。此例程仅保证最大消息大小,而不保证用于消息保护的特定QOP值的可用性。
Successful completion of this call does not guarantee that wrap will be able to protect a message of the computed length, since this ability may depend on the availability of system resources at the time that wrap is called. However, if the implementation itself imposes an upper limit on the length of messages that may be processed by wrap, the implementation should not return a value that is greater than this length.
成功完成此调用并不保证wrap能够保护计算长度的消息,因为此能力可能取决于调用wrap时系统资源的可用性。但是,如果实现本身对wrap可能处理的消息长度施加了上限,则实现不应返回大于此长度的值。
Parameters:
参数:
qop Indicates the level of protection wrap will be asked to provide.
qop表示要求提供的保护级别。
confReq Indicates if wrap will be asked to provide privacy service.
confReq表示是否要求wrap提供隐私服务。
maxTokenSize The desired maximum size of the token emitted by wrap.
maxTokenSize wrap发出的令牌的所需最大大小。
public byte[] wrap(byte inBuf[], int offset, int len, MessageProp msgProp) throws GSSException
公共字节[]换行(字节inBuf[],int offset,int len,MessageProp msgProp)引发GSSException
Applies per-message security services over the established security context. The method will return a token with a cryptographic MIC and may optionally encrypt the specified inBuf. This method is equivalent in functionality to its stream counterpart. The returned byte array will contain both the MIC and the message.
在已建立的安全上下文上应用每消息安全服务。该方法将返回带有加密MIC的令牌,并且可以选择加密指定的inBuf。此方法在功能上与其对应的流等效。返回的字节数组将包含麦克风和消息。
The MessageProp object is instantiated by the application and used to specify a QOP value which selects cryptographic algorithms, and a privacy service to optionally encrypt the message. The underlying mechanism that is used in the call may not be able to provide the privacy service. It sets the actual privacy service that it does provide in this MessageProp object which the caller should then query upon return. If the mechanism is not able to provide the requested QOP, it throws a GSSException with the BAD_QOP code.
MessageProp对象由应用程序实例化,用于指定选择加密算法的QOP值和可选加密消息的隐私服务。呼叫中使用的底层机制可能无法提供隐私服务。它设置了它在MessageProp对象中提供的实际隐私服务,调用方在返回时应该查询该服务。如果该机制无法提供请求的QOP,它将抛出带有BAD_QOP代码的GSSException。
Since some application-level protocols may wish to use tokens emitted by wrap to provide "secure framing", implementations should support the wrapping of zero-length messages.
由于一些应用程序级协议可能希望使用wrap发出的令牌来提供“安全帧”,因此实现应该支持零长度消息的包装。
The application will be responsible for sending the token to the peer.
应用程序将负责向对等方发送令牌。
Parameters:
参数:
inBuf Application data to be protected.
要保护的inBuf应用程序数据。
offset The offset within the inBuf where the data begins.
偏移数据开始的inBuf内的偏移量。
len The length of the data within the inBuf (starting at the offset).
len inBuf内数据的长度(从偏移量开始)。
msgProp Instance of MessageProp that is used by the application to set the desired QOP and privacy state. Set the desired QOP to 0 to request the default QOP. Upon return from this method, this object will contain the the actual privacy state that was applied to the message by the underlying mechanism.
应用程序用于设置所需QOP和隐私状态的MessageProp的msgProp实例。将所需QOP设置为0以请求默认QOP。从该方法返回后,该对象将包含由底层机制应用于消息的实际隐私状态。
public void wrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
public void wrap(InputStream-inStream、OutputStream-outtream、MessageProp-msgProp)抛出GSSException
Allows to apply per-message security services over the established security context. The method will produce a token with a cryptographic MIC and may optionally encrypt the message in inStream. The outStream will contain both the MIC and the message.
允许在已建立的安全上下文上应用每消息安全服务。该方法将生成一个带有加密MIC的令牌,并且可以选择在流内加密消息。扩展流将包含麦克风和消息。
The MessageProp object is instantiated by the application and used to specify a QOP value which selects cryptographic algorithms, and a privacy service to optionally encrypt the message. The underlying mechanism that is used in the call may not be able to provide the privacy service. It sets the actual privacy service that it does
MessageProp对象由应用程序实例化,用于指定选择加密算法的QOP值和可选加密消息的隐私服务。呼叫中使用的底层机制可能无法提供隐私服务。它设置了实际的隐私服务
provide in this MessageProp object which the caller should then query upon return. If the mechanism is not able to provide the requested QOP, it throws a GSSException with the BAD_QOP code.
在此MessageProp对象中提供调用方在返回时应查询的对象。如果该机制无法提供请求的QOP,它将抛出带有BAD_QOP代码的GSSException。
Since some application-level protocols may wish to use tokens emitted by wrap to provide "secure framing", implementations should support the wrapping of zero-length messages.
由于一些应用程序级协议可能希望使用wrap发出的令牌来提供“安全帧”,因此实现应该支持零长度消息的包装。
The application will be responsible for sending the token to the peer.
应用程序将负责向对等方发送令牌。
Parameters:
参数:
inStream Input stream containing the application data to be protected.
包含要保护的应用程序数据的流内输入流。
outStream The output stream to write the protected message to. The application is responsible for sending this to the other peer for processing in its unwrap method.
扩展输出流以将受保护的消息写入。应用程序负责将其发送给另一个对等方,以便在其展开方法中进行处理。
msgProp Instance of MessageProp that is used by the application to set the desired QOP and privacy state. Set the desired QOP to 0 to request the default QOP. Upon return from this method, this object will contain the the actual privacy state that was applied to the message by the underlying mechanism.
应用程序用于设置所需QOP和隐私状态的MessageProp的msgProp实例。将所需QOP设置为0以请求默认QOP。从该方法返回后,该对象将包含由底层机制应用于消息的实际隐私状态。
public byte [] unwrap(byte[] inBuf, int offset, int len, MessageProp msgProp) throws GSSException
公共字节[]展开(字节[]inBuf,int offset,int len,MessageProp msgProp)引发GSSException
Used by the peer application to process tokens generated with the wrap call. This call is equal in functionality to its stream counterpart. The method will return the message supplied in the peer application to the wrap call, verifying the embedded MIC.
对等应用程序用于处理wrap调用生成的令牌。此调用在功能上与它的流对应项相同。该方法将对等应用程序中提供的消息返回到wrap调用,以验证嵌入式麦克风。
The MessageProp object is instantiated by the application and is used by the underlying mechanism to return information to the caller such as the QOP, whether confidentiality was applied to the message, and other supplementary message state information.
MessageProp对象由应用程序实例化,并由底层机制用于向调用者返回信息,如QOP、消息是否应用了机密性以及其他补充消息状态信息。
Since some application-level protocols may wish to use tokens emitted by wrap to provide "secure framing", implementations should support the wrapping and unwrapping of zero-length messages.
由于一些应用程序级协议可能希望使用wrap发出的令牌来提供“安全帧”,因此实现应该支持零长度消息的包装和展开。
Parameters:
参数:
inBuf GSS-API wrap token received from peer.
从对等方接收到inBuf GSS-API包装令牌。
offset The offset within the inBuf where the token begins.
偏移令牌开始的inBuf内的偏移量。
len The length of the token within the inBuf (starting at the offset).
len inBuf内令牌的长度(从偏移量开始)。
msgProp Upon return from the method, this object will contain the applied QOP, the privacy state of the message, and supplementary information described in 4.12.3 stating whether the token was a duplicate, old, out of sequence or arriving after a gap.
msgProp从方法返回后,此对象将包含应用的QOP、消息的隐私状态以及4.12.3中描述的补充信息,说明令牌是重复的、旧的、无序的还是在间隔后到达的。
public void unwrap(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
公共无效展开(InputStream inStream、OutputStream outStream、MessageProp msgProp)引发GSSException
Used by the peer application to process tokens generated with the wrap call. This call is equal in functionality to its byte array counterpart. It will produce the message supplied in the peer application to the wrap call, verifying the embedded MIC.
对等应用程序用于处理wrap调用生成的令牌。此调用在功能上与它的字节数组对应项相同。它将生成对等应用程序中提供给wrap调用的消息,验证嵌入式麦克风。
The MessageProp object is instantiated by the application and is used by the underlying mechanism to return information to the caller such as the QOP, whether confidentiality was applied to the message, and other supplementary message state information.
MessageProp对象由应用程序实例化,并由底层机制用于向调用者返回信息,如QOP、消息是否应用了机密性以及其他补充消息状态信息。
Since some application-level protocols may wish to use tokens emitted by wrap to provide "secure framing", implementations should support the wrapping and unwrapping of zero-length messages.
由于一些应用程序级协议可能希望使用wrap发出的令牌来提供“安全帧”,因此实现应该支持零长度消息的包装和展开。
Parameters:
参数:
inStream Input stream containing the GSS-API wrap token received from the peer.
包含从对等方接收的GSS-API wrap令牌的流内输入流。
outStream The output stream to write the application message to.
扩展输出流以将应用程序消息写入。
msgProp Upon return from the method, this object will contain the applied QOP, the privacy state of the message, and supplementary information described in 4.12.3 stating whether the token was a duplicate, old, out of sequence or arriving after a gap.
msgProp从方法返回后,此对象将包含应用的QOP、消息的隐私状态以及4.12.3中描述的补充信息,说明令牌是重复的、旧的、无序的还是在间隔后到达的。
public byte[] getMIC(byte []inMsg, int offset, int len, MessageProp msgProp) throws GSSException
公共字节[]getMIC(字节[]inMsg、int offset、int len、MessageProp msgProp)引发GSSException
Returns a token containing a cryptographic MIC for the supplied message, for transfer to the peer application. Unlike wrap, which encapsulates the user message in the returned token, only the message MIC is returned in the output token. This method is identical in functionality to its stream counterpart.
返回包含所提供消息的加密MIC的令牌,以便传输到对等应用程序。与wrap不同,wrap将用户消息封装在返回的令牌中,输出令牌中只返回消息MIC。此方法在功能上与其对应的流相同。
Note that privacy can only be applied through the wrap call.
请注意,隐私只能通过wrap调用应用。
Since some application-level protocols may wish to use tokens emitted by getMIC to provide "secure framing", implementations should support derivation of MICs from zero-length messages.
由于一些应用程序级协议可能希望使用getMIC发出的令牌来提供“安全帧”,所以实现应该支持从零长度消息派生MIC。
Parameters:
参数:
inMsg Message to generate MIC over.
inMsg消息,用于生成麦克风。
offset The offset within the inMsg where the token begins.
偏移标记开始的inMsg内的偏移量。
len The length of the token within the inMsg (starting at the offset).
len inMsg内令牌的长度(从偏移量开始)。
msgProp Instance of MessageProp that is used by the application to set the desired QOP. Set the desired QOP to 0 in msgProp to request the default QOP. Alternatively pass in "null" for msgProp to request default QOP.
应用程序用于设置所需QOP的MessageProp的msgProp实例。在msgProp中将所需QOP设置为0,以请求默认QOP。或者,为msgProp传入“null”以请求默认QOP。
public void getMIC(InputStream inStream, OutputStream outStream, MessageProp msgProp) throws GSSException
public void getMIC(InputStream-inStream、OutputStream-outtream、MessageProp-msgProp)抛出GSSException
Produces a token containing a cryptographic MIC for the supplied message, for transfer to the peer application. Unlike wrap, which encapsulates the user message in the returned token, only the message MIC is produced in the output token. This method is identical in functionality to its byte array counterpart.
为提供的消息生成包含加密MIC的令牌,以便传输到对等应用程序。与将用户消息封装在返回令牌中的wrap不同,输出令牌中只生成消息MIC。此方法在功能上与对应的字节数组相同。
Note that privacy can only be applied through the wrap call.
请注意,隐私只能通过wrap调用应用。
Since some application-level protocols may wish to use tokens emitted by getMIC to provide "secure framing", implementations should support derivation of MICs from zero-length messages.
由于一些应用程序级协议可能希望使用getMIC发出的令牌来提供“安全帧”,所以实现应该支持从零长度消息派生MIC。
Parameters:
参数:
inStream inStream Input stream containing the message to generate MIC over.
流内输入流,包含要生成麦克风的消息。
outStream outStream Output stream to write the GSS-API output token to.
outStream outStream输出流将GSS-API输出令牌写入。
msgProp Instance of MessageProp that is used by the application to set the desired QOP. Set the desired QOP to 0 in msgProp to request the default QOP. Alternatively pass in "null" for msgProp to request default QOP.
应用程序用于设置所需QOP的MessageProp的msgProp实例。在msgProp中将所需QOP设置为0,以请求默认QOP。或者,为msgProp传入“null”以请求默认QOP。
public void verifyMIC(byte []inTok, int tokOffset, int tokLen, byte[] inMsg, int msgOffset, int msgLen, MessageProp msgProp) throws GSSException
public void verifyMIC(字节[]inTok、int tokOffset、int tokLen、字节[]inMsg、int msgOffset、int msgLen、MessageProp msgProp)引发GSSException
Verifies the cryptographic MIC, contained in the token parameter, over the supplied message. This method is equivalent in functionality to its stream counterpart.
通过提供的消息验证令牌参数中包含的加密MIC。此方法在功能上与其对应的流等效。
The MessageProp object is instantiated by the application and is used by the underlying mechanism to return information to the caller such as the QOP indicating the strength of protection that was applied to the message and other supplementary message state information.
MessageProp对象由应用程序实例化,并由底层机制用于向调用者返回信息,如QOP,指示应用于消息的保护强度和其他补充消息状态信息。
Since some application-level protocols may wish to use tokens emitted by getMIC to provide "secure framing", implementations should support the calculation and verification of MICs over zero-length messages.
由于一些应用程序级协议可能希望使用getMIC发出的令牌来提供“安全帧”,因此实现应支持在零长度消息上计算和验证MIC。
Parameters:
参数:
inTok Token generated by peer's getMIC method.
inTok令牌由对等方的getMIC方法生成。
tokOffset The offset within the inTok where the token begins.
tokOffset令牌开始的inTok内的偏移量。
tokLen The length of the token within the inTok (starting at the offset).
tokLen inTok内令牌的长度(从偏移量开始)。
inMsg Application message to verify the cryptographic MIC over.
inMsg应用程序消息,以验证加密麦克风是否正确。
msgOffset The offset within the inMsg where the message begins.
msgOffset消息开始处inMsg内的偏移量。
msgLen The length of the message within the inMsg (starting at the offset).
msgLen inMsg中消息的长度(从偏移量开始)。
msgProp Upon return from the method, this object will contain the applied QOP and supplementary information described in 4.12.3 stating whether the token was a duplicate, old, out of sequence or arriving after a gap. The confidentiality state will be set to "false".
msgProp从方法返回时,此对象将包含应用的QOP和补充信息,如4.12.3所述,说明令牌是重复的、旧的、无序的还是在间隔后到达的。保密状态将设置为“false”。
public void verifyMIC(InputStream tokStream, InputStream msgStream, MessageProp msgProp) throws GSSException
public void verifyMIC(InputStream tokStream、InputStream msgStream、MessageProp msgProp)引发GSSExException
Verifies the cryptographic MIC, contained in the token parameter, over the supplied message. This method is equivalent in functionality to its byte array counterpart.
通过提供的消息验证令牌参数中包含的加密MIC。此方法在功能上与其字节数组对应项等效。
The MessageProp object is instantiated by the application and is used by the underlying mechanism to return information to the caller such as the QOP indicating the strength of protection that was applied to the message and other supplementary message state information.
MessageProp对象由应用程序实例化,并由底层机制用于向调用者返回信息,如QOP,指示应用于消息的保护强度和其他补充消息状态信息。
Since some application-level protocols may wish to use tokens emitted by getMIC to provide "secure framing", implementations should support the calculation and verification of MICs over zero-length messages.
由于一些应用程序级协议可能希望使用getMIC发出的令牌来提供“安全帧”,因此实现应支持在零长度消息上计算和验证MIC。
Parameters:
参数:
tokStream Input stream containing the token generated by peer's getMIC method.
tokStream包含由对等方的getMIC方法生成的令牌的输入流。
msgStream Input stream containing the application message to verify the cryptographic MIC over.
msgStream输入流,包含用于验证加密MIC的应用程序消息。
msgProp Upon return from the method, this object will contain the applied QOP and supplementary information described in 4.12.3 stating whether the token was a duplicate, old, out of sequence or arriving after a gap. The confidentiality state will be set to "false".
msgProp从方法返回时,此对象将包含应用的QOP和补充信息,如4.12.3所述,说明令牌是重复的、旧的、无序的还是在间隔后到达的。保密状态将设置为“false”。
public byte [] export() throws GSSException
公共字节[]导出()引发GSSExException
Provided to support the sharing of work between multiple processes. This routine will typically be used by the context-acceptor, in an application where a single process receives incoming connection requests and accepts security contexts over them, then passes the established context to one or more other processes for message exchange.
用于支持多个流程之间的工作共享。此例程通常由上下文接受者使用,在应用程序中,单个进程接收传入的连接请求并通过它们接受安全上下文,然后将建立的上下文传递给一个或多个其他进程以进行消息交换。
This method deactivates the security context and creates an interprocess token which, when passed to the byte array constructor of the GSSContext interface in another process, will re-activate the context in the second process. Only a single instantiation of a given context may be active at any one time; a subsequent attempt by a context exporter to access the exported security context will fail.
此方法停用安全上下文并创建进程间令牌,当在另一个进程中传递给GSSContext接口的字节数组构造函数时,该令牌将在第二个进程中重新激活上下文。在任何时候,只有一个给定上下文的实例化是活动的;上下文导出器随后尝试访问导出的安全上下文将失败。
The implementation may constrain the set of processes by which the interprocess token may be imported, either as a function of local security policy, or as a result of implementation decisions. For example, some implementations may constrain contexts to be passed only between processes that run under the same account, or which are part of the same process group.
作为本地安全策略的功能或作为实现决策的结果,实现可约束可通过其导入进程间令牌的一组进程。例如,某些实现可能会将上下文限制为仅在同一帐户下运行的进程之间传递,或是在同一进程组中传递。
The interprocess token may contain security-sensitive information (for example cryptographic keys). While mechanisms are encouraged to either avoid placing such sensitive information within interprocess tokens, or to encrypt the token before returning it to the application, in a typical GSS-API implementation this may not be possible. Thus the application must take care to protect the interprocess token, and ensure that any process to which the token is transferred is trustworthy.
进程间令牌可能包含安全敏感信息(例如加密密钥)。虽然鼓励机制避免在进程间令牌中放置此类敏感信息,或在将令牌返回应用程序之前对其进行加密,但在典型的GSS-API实现中,这可能是不可能的。因此,应用程序必须注意保护进程间令牌,并确保令牌传输到的任何进程都是可信的。
public void requestMutualAuth(boolean state) throws GSSException
public void requestMutualAuth(布尔状态)引发GSSException
Sets the request state of the mutual authentication flag for the context. This method is only valid before the context creation process begins and only for the initiator.
设置上下文的相互身份验证标志的请求状态。此方法仅在上下文创建过程开始之前有效,并且仅对启动器有效。
Parameters:
参数:
state Boolean representing if mutual authentication should be requested during context establishment.
表示在上下文建立期间是否应请求相互身份验证的状态布尔值。
public void requestReplayDet(boolean state) throws GSSException
public void requestReplayet(布尔状态)引发GSSException
Sets the request state of the replay detection service for the context. This method is only valid before the context creation process begins and only for the initiator.
设置上下文的重播检测服务的请求状态。此方法仅在上下文创建过程开始之前有效,并且仅对启动器有效。
Parameters:
参数:
state Boolean representing if replay detection is desired over the established context.
表示在已建立的上下文中是否需要重播检测的状态布尔值。
public void requestSequenceDet(boolean state) throws GSSException
public void requestSequenceDet(布尔状态)引发GSSExException
Sets the request state for the sequence checking service of the context. This method is only valid before the context creation process begins and only for the initiator.
设置上下文的序列检查服务的请求状态。此方法仅在上下文创建过程开始之前有效,并且仅对启动器有效。
Parameters:
参数:
state Boolean representing if sequence detection is desired over the established context.
表示在已建立的上下文中是否需要序列检测的状态布尔值。
public void requestCredDeleg(boolean state) throws GSSException
public void requestCredDeleg(布尔状态)引发GSSExException
Sets the request state for the credential delegation flag for the context. This method is only valid before the context creation process begins and only for the initiator.
设置上下文的凭据委派标志的请求状态。此方法仅在上下文创建过程开始之前有效,并且仅对启动器有效。
Parameters:
参数:
state Boolean representing if credential delegation is desired.
表示是否需要凭据委派的状态布尔值。
public void requestAnonymity(boolean state) throws GSSException
public void requestAnonymity(布尔状态)引发GSSExException
Requests anonymous support over the context. This method is only valid before the context creation process begins and only for the initiator.
请求上下文上的匿名支持。此方法仅在上下文创建过程开始之前有效,并且仅对启动器有效。
Parameters:
参数:
state Boolean representing if anonymity support is requested.
表示是否请求匿名性支持的状态布尔值。
public void requestConf(boolean state) throws GSSException
public void requestConf(布尔状态)引发GSSException
Requests that confidentiality service be available over the context. This method is only valid before the context creation process begins and only for the initiator.
请求在上下文中提供保密服务。此方法仅在上下文创建过程开始之前有效,并且仅对启动器有效。
Parameters:
参数:
state Boolean indicating if confidentiality services are to be requested for the context.
状态布尔值,指示是否为上下文请求保密服务。
public void requestInteg(boolean state) throws GSSException
public void requestInteg(布尔状态)引发GSSExException
Requests that integrity services be available over the context. This method is only valid before the context creation process begins and only for the initiator.
请求在上下文中提供完整性服务。此方法仅在上下文创建过程开始之前有效,并且仅对启动器有效。
Parameters:
参数:
state Boolean indicating if integrity services are to be requested for the context.
状态布尔值,指示是否为上下文请求完整性服务。
public void requestLifetime(int lifetime) throws GSSException
public void requestLifetime(int lifetime)引发GSSExException
Sets the desired lifetime for the context in seconds. This method is only valid before the context creation process begins and only for the initiator. Use GSSContext.INDEFINITE_LIFETIME and GSSContext.DEFAULT_LIFETIME to request indefinite or default context lifetime.
设置上下文所需的生存期(秒)。此方法仅在上下文创建过程开始之前有效,并且仅对启动器有效。使用GSSContext.infinite_生存期和GSSContext.DEFAULT_生存期请求不确定或默认上下文生存期。
Parameters:
参数:
lifetime The desired context lifetime in seconds.
生存期所需的上下文生存期(秒)。
public void setChannelBinding(ChannelBinding cb) throws GSSException
public void setChannelBinding(ChannelBinding cb)引发GSSExException
Sets the channel bindings to be used during context establishment. This method is only valid before the context creation process begins.
设置上下文建立期间要使用的通道绑定。此方法仅在上下文创建过程开始之前有效。
Parameters:
参数:
cb Channel bindings to be used.
要使用的cb通道绑定。
public boolean getCredDelegState()
公共布尔值getCredDelegState()
Returns the state of the delegated credentials for the context. When issued before context establishment is completed or when the isProtReady method returns "false", it returns the desired state, otherwise it will indicate the actual state over the established context.
返回上下文的委派凭据的状态。如果在上下文建立完成之前发出,或者当isProtReady方法返回“false”时,它将返回所需的状态,否则它将指示已建立上下文的实际状态。
public boolean getMutualAuthState()
公共布尔值getMutualAuthState()
Returns the state of the mutual authentication option for the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state, otherwise it will indicate the actual state over the established context.
返回上下文的相互身份验证选项的状态。如果在上下文建立完成之前发出,或者当isProtReady方法返回“false”时,它将返回所需的状态,否则它将指示已建立上下文的实际状态。
public boolean getReplayDetState()
公共布尔getReplayDetState()
Returns the state of the replay detection option for the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state, otherwise it will indicate the actual state over the established context.
返回上下文的重播检测选项的状态。如果在上下文建立完成之前发出,或者当isProtReady方法返回“false”时,它将返回所需的状态,否则它将指示已建立上下文的实际状态。
public boolean getSequenceDetState()
公共布尔getSequenceDetState()
Returns the state of the sequence detection option for the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state,
返回上下文的序列检测选项的状态。如果在上下文建立完成之前发出,或者当isProtReady方法返回“false”时,它将返回所需的状态,
otherwise it will indicate the actual state over the established context.
否则,它将指示已建立上下文的实际状态。
public boolean getAnonymityState()
公共布尔getAnonymityState()
Returns "true" if this is an anonymous context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state, otherwise it will indicate the actual state over the established context.
如果这是匿名上下文,则返回“true”。如果在上下文建立完成之前发出,或者当isProtReady方法返回“false”时,它将返回所需的状态,否则它将指示已建立上下文的实际状态。
public boolean isTransferable() throws GSSException
公共布尔值isTransferable()引发GSSExException
Returns "true" if the context is transferable to other processes through the use of the export method. This call is only valid on fully established contexts.
如果上下文可通过使用导出方法转移到其他进程,则返回“true”。此调用仅在完全建立的上下文中有效。
public boolean isProtReady()
公共布尔值isProtReady()
Returns "true" if the per message operations can be applied over the context. Some mechanisms may allow the usage of per-message operations before the context is fully established. This will also indicate that the get methods will return actual context state characteristics instead of the desired ones.
如果每消息操作可以应用于上下文,则返回“true”。某些机制可能允许在完全建立上下文之前使用每消息操作。这还表明get方法将返回实际的上下文状态特征,而不是所需的特征。
public boolean getConfState()
公共布尔getConfState()
Returns the confidentiality service state over the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state, otherwise it will indicate the actual state over the established context.
返回上下文上的机密性服务状态。如果在上下文建立完成之前发出,或者当isProtReady方法返回“false”时,它将返回所需的状态,否则它将指示已建立上下文的实际状态。
public boolean getIntegState()
公共布尔getIntegrationState()
Returns the integrity service state over the context. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired state, otherwise it will indicate the actual state over the established context.
返回上下文上的完整性服务状态。如果在上下文建立完成之前发出,或者当isProtReady方法返回“false”时,它将返回所需的状态,否则它将指示已建立上下文的实际状态。
public int getLifetime()
公共int getLifetime()
Returns the context lifetime in seconds. When issued before context establishment completes or when the isProtReady method returns "false", it returns the desired lifetime, otherwise it will indicate the remaining lifetime for the context.
以秒为单位返回上下文生存期。如果在上下文建立完成之前发出,或者当isProtReady方法返回“false”时,它将返回所需的生存期,否则它将指示上下文的剩余生存期。
public GSSName getSrcName() throws GSSException
公共GSSName getSrcName()引发GSSExException
Returns the name of the context initiator. This call is valid only after the context is fully established or the isProtReady method returns "true". It is guaranteed to return an MN.
返回上下文启动器的名称。只有在完全建立上下文或isProtReady方法返回“true”后,此调用才有效。它保证返回一个MN。
public GSSName getTargName() throws GSSException
公共GSSName getTargName()引发GSSExException
Returns the name of the context target (acceptor). This call is valid only after the context is fully established or the isProtReady method returns "true". It is guaranteed to return an MN.
返回上下文目标(接受器)的名称。只有在完全建立上下文或isProtReady方法返回“true”后,此调用才有效。它保证返回一个MN。
public Oid getMech() throws GSSException
public Oid getMech()引发GSSExException
Returns the mechanism oid for this context. This method may be called before the context is fully established, but the mechanism returned may change on successive calls in negotiated mechanism case.
返回此上下文的机制oid。可以在完全建立上下文之前调用此方法,但在协商机制的情况下,在连续调用时返回的机制可能会更改。
public GSSCredential getDelegCred() throws GSSException
public GSSCredential getDelegCred()引发GSSException
Returns the delegated credential object on the acceptor's side. To check for availability of delegated credentials call getDelegCredState. This call is only valid on fully established contexts.
返回接受方的委派凭证对象。要检查委派凭据的可用性,请调用getDelegCredState。此调用仅在完全建立的上下文中有效。
public boolean isInitiator() throws GSSException
公共布尔isInitiator()引发GSSExException
Returns "true" if this is the initiator of the context. This call is only valid after the context creation process has started.
如果这是上下文的发起方,则返回“true”。此调用仅在上下文创建过程启动后有效。
This is a utility class used within the per-message GSSContext methods to convey per-message properties.
这是一个实用程序类,在每消息GSSContext方法中用于传递每消息属性。
When used with the GSSContext interface's wrap and getMIC methods, an instance of this class is used to indicate the desired QOP and to request if confidentiality services are to be applied to caller supplied data (wrap only). To request default QOP, the value of 0 should be used for QOP.
当与GSSContext接口的wrap和getMIC方法一起使用时,此类的实例用于指示所需的QOP,并请求是否将保密服务应用于调用方提供的数据(仅限wrap)。要请求默认QOP,QOP应使用0的值。
When used with the unwrap and verifyMIC methods of the GSSContext interface, an instance of this class will be used to indicate the applied QOP and confidentiality services over the supplied message. In the case of verifyMIC, the confidentiality state will always be "false". Upon return from these methods, this object will also contain any supplementary status values applicable to the processed token. The supplementary status values can indicate old tokens, out of sequence tokens, gap tokens or duplicate tokens.
当与GSSContext接口的unwrap和verifyMIC方法一起使用时,此类实例将用于指示所提供消息上应用的QOP和保密服务。在verifyMIC的情况下,保密状态将始终为“假”。从这些方法返回后,此对象还将包含适用于已处理令牌的任何补充状态值。补充状态值可以指示旧令牌、无序令牌、间隙令牌或重复令牌。
public MessageProp(boolean privState)
public MessageProp(布尔privState)
Constructor which sets QOP to 0 indicating that the default QOP is requested.
构造函数,它将QOP设置为0,表示请求了默认QOP。
Parameters:
参数:
privState The desired privacy state. "true" for privacy and "false" for integrity only.
privState所需的隐私状态。“真”表示隐私,“假”仅表示完整性。
public MessageProp(int qop, boolean privState)
public MessageProp(int-qop,boolean-privState)
Constructor which sets the values for the qop and privacy state.
构造函数,用于设置qop和隐私状态的值。
Parameters:
参数:
qop The desired QOP. Use 0 to request a default QOP.
qop所需的qop。使用0请求默认QOP。
privState The desired privacy state. "true" for privacy and "false" for integrity only.
privState所需的隐私状态。“真”表示隐私,“假”仅表示完整性。
public int getQOP()
公共int getQOP()
Retrieves the QOP value.
检索QOP值。
public boolean getPrivacy()
公共布尔getPrivacy()
Retrieves the privacy state.
检索隐私状态。
public int getMinorStatus()
public int getMinorStatus()
Retrieves the minor status that the underlying mechanism might have set.
检索基础机制可能已设置的次要状态。
public String getMinorString()
公共字符串getMinorString()
Returns a string explaining the mechanism specific error code. null will be returned when no mechanism error code has been set.
返回解释特定于机制的错误代码的字符串。未设置任何机制错误代码时,将返回null。
public void setQOP(int qopVal)
公共无效设置QOP(int qopVal)
Sets the QOP value.
设置QOP值。
Parameters:
参数:
qopVal The QOP value to be set. Use 0 to request a default QOP value.
qopVal要设置的QOP值。使用0请求默认QOP值。
public void setPrivacy(boolean privState)
public void setPrivacy(布尔privastate)
Sets the privacy state.
设置隐私状态。
Parameters:
参数:
privState The privacy state to set.
privState要设置的隐私状态。
public boolean isDuplicateToken()
公共布尔值isDuplicateToken()
Returns "true" if this is a duplicate of an earlier token.
如果这是早期令牌的副本,则返回“true”。
public boolean isOldToken()
公共布尔值isOldToken()
Returns "true" if the token's validity period has expired.
如果令牌的有效期已过期,则返回“true”。
public boolean isUnseqToken()
公共布尔值isUnseqToken()
Returns "true" if a later token has already been processed.
如果以后的令牌已被处理,则返回“true”。
public boolean isGapToken()
公共布尔值isGapToken()
Returns "true" if an expected per-message token was not received.
如果未收到预期的每消息令牌,则返回“true”。
public void setSupplementaryStates(boolean duplicate, boolean old, boolean unseq, boolean gap, int minorStatus, String minorString)
public void setupplementstates(布尔值重复、布尔值旧、布尔值unseq、布尔值间隙、int minorStatus、字符串minorString)
This method sets the state for the supplementary information flags and the minor status in MessageProp. It is not used by the application but by the GSS implementation to return this information to the caller of a per-message context method.
此方法在MessageProp中设置补充信息标志的状态和次要状态。应用程序不使用它,但GSS实现使用它将此信息返回给每消息上下文方法的调用方。
Parameters:
参数:
duplicate true if the token was a duplicate of an earlier token, false otherwise
如果令牌是早期令牌的副本,则为duplicate true,否则为false
old true if the token's validity period has expired, false otherwise
如果令牌的有效期已过期,则为旧true,否则为false
unseq true if a later token has already been processed, false otherwise
如果已经处理了后续令牌,则unseq true,否则为false
gap true if one or more predecessor tokens have not yet been successfully processed, false otherwise
如果一个或多个前置令牌尚未成功处理,则为gap true,否则为false
minorStatus the integer minor status code that the underlying mechanism wants to set
minorStatus底层机制想要设置的整数次要状态代码
minorString the textual representation of the minorStatus value
minorString minorStatus值的文本表示形式
The GSS-API accommodates the concept of caller-provided channel binding information. Channel bindings are used to strengthen the quality with which peer entity authentication is provided during context establishment. They enable the GSS-API callers to bind the establishment of the security context to relevant characteristics like addresses or to application specific data.
GSS-API包含调用方提供的通道绑定信息的概念。通道绑定用于增强上下文建立期间提供对等实体身份验证的质量。它们使GSS-API调用程序能够将安全上下文的建立绑定到相关特征(如地址)或特定于应用程序的数据。
The caller initiating the security context must determine the appropriate channel binding values to set in the GSSContext object. The acceptor must provide an identical binding in order to validate that received tokens possess correct channel-related characteristics.
发起安全上下文的调用方必须确定要在GSSContext对象中设置的适当通道绑定值。接受方必须提供相同的绑定,以验证接收到的令牌是否具有正确的通道相关特征。
Use of channel bindings is optional in GSS-API. Since channel-binding information may be transmitted in context establishment tokens, applications should therefore not use confidential data as channel-binding components.
在GSS-API中,通道绑定的使用是可选的。由于信道绑定信息可以在上下文建立令牌中传输,因此应用程序不应将机密数据用作信道绑定组件。
public ChannelBinding(InetAddress initAddr, InetAddress acceptAddr, byte[] appData)
公共通道绑定(InetAddress initAddr、InetAddress acceptddr、byte[]appData)
Create a ChannelBinding object with user supplied address information and data. "null" values can be used for any fields which the application does not want to specify.
使用用户提供的地址信息和数据创建ChannelBinding对象。“null”值可用于应用程序不希望指定的任何字段。
Parameters:
参数:
initAddr The address of the context initiator. "null" value can be supplied to indicate that the application does not want to set this value.
initAddr上下文启动器的地址。可以提供“null”值以指示应用程序不希望设置此值。
acceptAddrThe address of the context acceptor. "null" value can be supplied to indicate that the application does not want to set this value.
AcceptAddress上下文接受者的地址。可以提供“null”值以指示应用程序不希望设置此值。
appData Application supplied data to be used as part of the channel bindings. "null" value can be supplied to indicate that the application does not want to set this value.
appData应用程序提供的数据将用作通道绑定的一部分。可以提供“null”值以指示应用程序不希望设置此值。
public ChannelBinding(byte[] appData)
公共通道绑定(字节[]appData)
Creates a ChannelBinding object without any addressing information.
创建没有任何寻址信息的ChannelBinding对象。
Parameters:
参数:
appData Application supplied data to be used as part of the channel bindings.
appData应用程序提供的数据将用作通道绑定的一部分。
public InetAddress getInitiatorAddress()
公共InetAddress getInitiatorAddress()
Returns the initiator's address for this channel binding. "null" is returned if the address has not been set.
返回此通道绑定的启动器地址。如果未设置地址,则返回“null”。
public InetAddress getAcceptorAddress()
公共InetAddress getAcceptorAddress()
Returns the acceptor's address for this channel binding. "null" is returned if the address has not been set.
返回此通道绑定的接收器地址。如果未设置地址,则返回“null”。
public byte[] getApplicationData()
公共字节[]getApplicationData()
Returns application data being used as part of the ChannelBinding. "null" is returned if no application data has been specified for the channel binding.
返回用作ChannelBinding一部分的应用程序数据。如果没有为通道绑定指定应用程序数据,则返回“null”。
public boolean equals(Object obj)
公共布尔等于(对象obj)
Returns "true" if two channel bindings match. (Note that the Java language specification requires that two objects that are equal according to the equals(Object) method must return the same integer result when the hashCode() method is called on them.)
如果两个通道绑定匹配,则返回“true”。(请注意,Java语言规范要求根据equals(Object)方法相等的两个对象在调用hashCode()方法时必须返回相同的整数结果。)
Parameters:
参数:
obj Another channel binding to compare with.
obj要与之比较的另一个通道绑定。
This class represents Universal Object Identifiers (Oids) and their associated operations.
此类表示通用对象标识符(OID)及其相关操作。
Oids are hierarchically globally-interpretable identifiers used within the GSS-API framework to identify mechanisms and name formats.
OID是GSS-API框架中用于标识机制和名称格式的分层全局可解释标识符。
The structure and encoding of Oids is defined in ISOIEC-8824 and ISOIEC-8825. For example the Oid representation of Kerberos V5 mechanism is "1.2.840.113554.1.2.2"
OID的结构和编码在ISOIEC-8824和ISOIEC-8825中定义。例如,Kerberos V5机制的Oid表示为“1.2.840.113554.1.2.2”
The GSSName name class contains public static Oid objects representing the standard name types defined in GSS-API.
GSSName name类包含表示GSS-API中定义的标准名称类型的公共静态Oid对象。
public Oid(String strOid) throws GSSException
公共Oid(字符串strOid)引发GSSExException
Creates an Oid object from a string representation of its integer components (e.g. "1.2.840.113554.1.2.2").
从整数组件的字符串表示形式(例如“1.2.840.113554.1.2.2”)创建Oid对象。
Parameters:
参数:
strOid The string representation for the oid.
strOid oid的字符串表示形式。
public Oid(InputStream derOid) throws GSSException
公共Oid(InputStream derOid)引发GSSExException
Creates an Oid object from its DER encoding. This refers to the full encoding including tag and length. The structure and encoding of Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is identical in functionality to its byte array counterpart.
从其DER编码创建Oid对象。这是指完整的编码,包括标记和长度。OID的结构和编码在ISOIEC-8824和ISOIEC-8825中定义。此方法在功能上与对应的字节数组相同。
Parameters:
参数:
derOid Stream containing the DER encoded oid.
包含DER编码oid的derOid流。
public Oid(byte[] DEROid) throws GSSException
公共Oid(字节[]DEROid)引发GSSExException
Creates an Oid object from its DER encoding. This refers to the full encoding including tag and length. The structure and encoding of Oids is defined in ISOIEC-8824 and ISOIEC-8825. This method is identical in functionality to its byte array counterpart.
从其DER编码创建Oid对象。这是指完整的编码,包括标记和长度。OID的结构和编码在ISOIEC-8824和ISOIEC-8825中定义。此方法在功能上与对应的字节数组相同。
Parameters:
参数:
derOid Byte array storing a DER encoded oid.
存储DER编码的oid的derOid字节数组。
public String toString()
公共字符串toString()
Returns a string representation of the oid's integer components in dot separated notation (e.g. "1.2.840.113554.1.2.2").
返回oid整数组件的点分隔表示法的字符串表示形式(例如“1.2.840.113554.1.2.2”)。
public boolean equals(Object Obj)
公共布尔等于(对象Obj)
Returns "true" if the two Oid objects represent the same oid value. (Note that the Java language specification requires that two objects that are equal according to the equals(Object) method must return the same integer result when the hashCode() method is called on them.)
如果两个Oid对象表示相同的Oid值,则返回“true”。(请注意,Java语言规范要求根据equals(Object)方法相等的两个对象在调用hashCode()方法时必须返回相同的整数结果。)
Parameters:
参数:
obj Another Oid object to compare with.
obj另一个要比较的Oid对象。
public byte[] getDER()
公共字节[]getDER()
Returns the full ASN.1 DER encoding for this oid object, which includes the tag and length.
返回此oid对象的完整ASN.1 DER编码,其中包括标记和长度。
public boolean containedIn(Oid[] oids)
包含的公共布尔值(Oid[]Oid)
A utility method to test if an Oid object is contained within the supplied Oid object array.
测试Oid对象是否包含在提供的Oid对象数组中的实用方法。
Parameters:
参数:
oids An array of oids to search.
OID要搜索的OID数组。
This exception is thrown whenever a fatal GSS-API error occurs including mechanism specific errors. It may contain both, the major and minor, GSS-API status codes. The mechanism implementers are responsible for setting appropriate minor status codes when throwing this exception. Aside from delivering the numeric error code(s) to the caller, this class performs the mapping from their numeric values to textual representations. All Java GSS-API methods are declared throwing this exception.
每当发生致命的GSS-API错误(包括特定于机制的错误)时,就会引发此异常。它可能包含主要和次要GSS-API状态代码。机制实现者负责在抛出此异常时设置适当的次要状态代码。除了将数字错误代码传递给调用方之外,此类还执行从数字值到文本表示的映射。所有JavaGSS-API方法都声明引发此异常。
All implementations are encouraged to use the Java internationalization techniques to provide local translations of the message strings.
鼓励所有实现使用Java国际化技术来提供消息字符串的本地翻译。
All valid major GSS-API error code values are declared as constants in this class.
所有有效的主要GSS-API错误代码值在此类中声明为常量。
public static final int BAD_BINDINGS
公共静态final int BAD_绑定
Channel bindings mismatch error.
通道绑定不匹配错误。
public static final int BAD_MECH
公共静态最终内部不良机械
Unsupported mechanism requested error.
不支持的机制请求错误。
public static final int BAD_NAME
公共静态final int BAD_NAME
Invalid name provided error.
提供的名称无效,出现错误。
public static final int BAD_NAMETYPE
公共静态最终整型错误\名称类型
Name of unsupported type provided error.
提供的不受支持类型的名称错误。
public static final int BAD_STATUS
公共静态最终int坏_状态
Invalid status code error - this is the default status value.
无效状态代码错误-这是默认状态值。
public static final int BAD_MIC
公共静态最终整数错误\u麦克风
Token had invalid integrity check error.
令牌具有无效的完整性检查错误。
public static final int CONTEXT_EXPIRED
公共静态final int CONTEXT_已过期
Specified security context expired error.
指定的安全上下文已过期错误。
public static final int CREDENTIALS_EXPIRED
公共静态最终整数凭据\u已过期
Expired credentials detected error.
检测到过期凭据错误。
public static final int DEFECTIVE_CREDENTIAL
公共静态最终整数有缺陷\u凭证
Defective credential error.
有缺陷的凭证错误。
public static final int DEFECTIVE_TOKEN
公共静态最终整数缺陷\u令牌
Defective token error.
有缺陷的令牌错误。
public static final int FAILURE
公共静态最终int失败
General failure, unspecified at GSS-API level.
一般故障,GSS-API级别未指定。
public static final int NO_CONTEXT
公共静态final int NO_上下文
Invalid security context error.
无效的安全上下文错误。
public static final int NO_CRED
公共静态最终整数不可信
Invalid credentials error.
无效凭据错误。
public static final int BAD_QOP
公共静态最终整数错误
Unsupported QOP value error.
不支持的QOP值错误。
public static final int UNAUTHORIZED
公共静态最终int未经授权
Operation unauthorized error.
未经授权的操作错误。
public static final int UNAVAILABLE
公共静态最终整数不可用
Operation unavailable error.
操作不可用错误。
public static final int DUPLICATE_ELEMENT
公共静态final int DUPLICATE_元素
Duplicate credential element requested error.
重复凭证元素请求错误。
public static final int NAME_NOT_MN
公共静态最终整型名称\u NOT \u MN
Name contains multi-mechanism elements error.
名称包含多个机制元素错误。
public static final int DUPLICATE_TOKEN
公共静态最终整数重复\u令牌
The token was a duplicate of an earlier token. This is a fatal error code that may occur during context establishment. It is not used to indicate supplementary status values. The MessageProp object is used for that purpose.
该令牌是早期令牌的副本。这是在建立上下文期间可能发生的致命错误代码。它不用于指示补充状态值。MessageProp对象用于此目的。
public static final int OLD_TOKEN
公共静态final int OLD_令牌
The token's validity period has expired. This is a fatal error code that may occur during context establishment. It is not used to indicate supplementary status values. The MessageProp object is used for that purpose.
令牌的有效期已过期。这是在建立上下文期间可能发生的致命错误代码。它不用于指示补充状态值。MessageProp对象用于此目的。
public static final int UNSEQ_TOKEN
公共静态最终int UNSEQ_令牌
A later token has already been processed. This is a fatal error code that may occur during context establishment. It is not used to indicate supplementary status values. The MessageProp object is used for that purpose.
稍后的令牌已被处理。这是在建立上下文期间可能发生的致命错误代码。它不用于指示补充状态值。MessageProp对象用于此目的。
public static final int GAP_TOKEN
公共静态最终整数间隔\u令牌
An expected per-message token was not received. This is a fatal error code that may occur during context establishment. It is not used to indicate supplementary status values. The MessageProp object is used for that purpose.
未收到预期的每消息令牌。这是在建立上下文期间可能发生的致命错误代码。它不用于指示补充状态值。MessageProp对象用于此目的。
public GSSException(int majorCode)
公共GSSException(国际主要代码)
Creates a GSSException object with a specified major code.
使用指定的主代码创建GSSException对象。
Parameters:
参数:
majorCode The GSS error code causing this exception to be thrown.
majorCode导致引发此异常的GSS错误代码。
public GSSException(int majorCode, int minorCode, String minorString)
公共GSSExException(int majorCode、int minorCode、String minorString)
Creates a GSSException object with the specified major code, minor code, and minor code textual explanation. This constructor is to be used when the exception is originating from the security mechanism. It allows to specify the GSS code and the mechanism code.
使用指定的主要代码、次要代码和次要代码文本解释创建GSSException对象。当异常源于安全机制时,将使用此构造函数。它允许指定GSS代码和机构代码。
Parameters:
参数:
majorCode The GSS error code causing this exception to be thrown.
majorCode导致引发此异常的GSS错误代码。
minorCode The mechanism error code causing this exception to be thrown.
minorCode导致引发此异常的机制错误代码。
minorString The textual explanation of the mechanism error code.
minorString机制错误代码的文本解释。
public int getMajor()
公共int getMajor()
Returns the major code representing the GSS error code that caused this exception to be thrown.
返回表示引发此异常的GSS错误代码的主代码。
public int getMinor()
公共int getMinor()
Returns the mechanism error code that caused this exception. The minor code is set by the underlying mechanism. Value of 0 indicates that mechanism error code is not set.
返回导致此异常的机制错误代码。次要代码由底层机制设置。值0表示未设置机构错误代码。
public String getMajorString()
公共字符串getMajorString()
Returns a string explaining the GSS major error code causing this exception to be thrown.
返回一个字符串,解释导致引发此异常的GSS主要错误代码。
public String getMinorString()
公共字符串getMinorString()
Returns a string explaining the mechanism specific error code. null will be returned when no mechanism error code has been set.
返回解释特定于机制的错误代码的字符串。未设置任何机制错误代码时,将返回null。
public void setMinor(int minorCode, String message)
公共void setMinor(int minorCode,字符串消息)
Used internally by the GSS-API implementation and the underlying mechanisms to set the minor code and its textual representation.
GSS-API实现和底层机制在内部用于设置次要代码及其文本表示。
Parameters:
参数:
minorCode The mechanism specific error code.
minorCode机制特定的错误代码。
message A textual explanation of the mechanism error code.
消息机制错误代码的文本解释。
public String toString()
公共字符串toString()
Returns a textual representation of both the major and minor status codes.
返回主要和次要状态代码的文本表示形式。
public String getMessage()
公共字符串getMessage()
Returns a detailed message of this exception. Overrides Throwable.getMessage. It is customary in Java to use this method to obtain exception information.
返回此异常的详细消息。覆盖Throwable.getMessage。Java中习惯使用此方法来获取异常信息。
import org.ietf.jgss.*;
导入org.ietf.jgss.*;
/** * This is a partial sketch for a simple client program that acts * as a GSS context initiator. It illustrates how to use the Java * bindings for the GSS-API specified in * Generic Security Service API Version 2 : Java bindings * * * This code sketch assumes the existence of a GSS-API * implementation that supports the mechanism that it will need and * is present as a library package (org.ietf.jgss) either as part of * the standard JRE or in the CLASSPATH the application specifies. */
/** * This is a partial sketch for a simple client program that acts * as a GSS context initiator. It illustrates how to use the Java * bindings for the GSS-API specified in * Generic Security Service API Version 2 : Java bindings * * * This code sketch assumes the existence of a GSS-API * implementation that supports the mechanism that it will need and * is present as a library package (org.ietf.jgss) either as part of * the standard JRE or in the CLASSPATH the application specifies. */
public class SimpleClient {
公共类SimpleClient{
private String serviceName; // name of peer (ie. server) private GSSCredential clientCred = null; private GSSContext context = null; private Oid mech; // underlying mechanism to use
private String serviceName; // name of peer (ie. server) private GSSCredential clientCred = null; private GSSContext context = null; private Oid mech; // underlying mechanism to use
private GSSManager mgr = GSSManager.getInstance();
private GSSManager mgr = GSSManager.getInstance();
... ...
... ...
private void clientActions() { initializeGSS(); establishContext(); doCommunication(); }
private void clientActions() { initializeGSS(); establishContext(); doCommunication(); }
/** * Acquire credentials for the client. */ private void initializeGSS() {
/** * Acquire credentials for the client. */ private void initializeGSS() {
try {
试一试{
clientCred = mgr.createCredential(null /*default princ*/, GSSCredential.INDEFINITE_LIFETIME /* max lifetime */, mech /* mechanism to use */, GSSCredential.INITIATE_ONLY /* init context */);
clientCred = mgr.createCredential(null /*default princ*/, GSSCredential.INDEFINITE_LIFETIME /* max lifetime */, mech /* mechanism to use */, GSSCredential.INITIATE_ONLY /* init context */);
print("GSSCredential created for " + cred.getName().toString()); print("Credential lifetime (sec)=" + cred.getRemainingLifetime()); } catch (GSSException e) { print("GSS-API error in credential acquisition: " + e.getMessage()); ... ... }
print("GSSCredential created for " + cred.getName().toString()); print("Credential lifetime (sec)=" + cred.getRemainingLifetime()); } catch (GSSException e) { print("GSS-API error in credential acquisition: " + e.getMessage()); ... ... }
... ... }
... ... }
/** * Does the security context establishment with the * server. */ private void establishContext() {
/** * Does the security context establishment with the * server. */ private void establishContext() {
byte[] inToken = new byte[0]; byte[] outToken = null;
byte[] inToken = new byte[0]; byte[] outToken = null;
try {
试一试{
GSSName peer = mgr.createName(serviceName,
GSSName peer=mgr.createName(serviceName,
GSSName.NT_HOSTBASED_SERVICE);
GSSName.NT_基于主机的服务);
context = mgr.createContext(peer, mech, gssCred, GSSContext.INDEFINITE_LIFETIME/*lifetime*/);
context = mgr.createContext(peer, mech, gssCred, GSSContext.INDEFINITE_LIFETIME/*lifetime*/);
// Will need to support confidentiality context.requestConf(true);
// Will need to support confidentiality context.requestConf(true);
while (!context.isEstablished()) {
while (!context.isEstablished()) {
outToken = context.initSecContext(inToken, 0, inToken.length);
outToken=context.initSecContext(inToken,0,inToken.length);
if (outToken != null) writeGSSToken(outToken);
if (outToken != null) writeGSSToken(outToken);
if (!context.isEstablished()) inToken = readGSSToken(); }
if (!context.isEstablished()) inToken = readGSSToken(); }
GSSName peer = context.getSrcName(); print("Security context established with " + peer + " using underlying mechanism " + mech.toString()); } catch (GSSException e) { print("GSS-API error during context establishment: " + e.getMessage()); ... ... }
GSSName peer = context.getSrcName(); print("Security context established with " + peer + " using underlying mechanism " + mech.toString()); } catch (GSSException e) { print("GSS-API error during context establishment: " + e.getMessage()); ... ... }
... ... }
... ... }
/** * Sends some data to the server and reads back the * response. */ private void doCommunication() { byte[] inToken = null; byte[] outToken = null; byte[] buffer;
/** * Sends some data to the server and reads back the * response. */ private void doCommunication() { byte[] inToken = null; byte[] outToken = null; byte[] buffer;
// Container for multiple input-output arguments to and // from the per-message routines (e.g., wrap/unwrap). MessageProp messgInfo = new MessageProp();
// Container for multiple input-output arguments to and // from the per-message routines (e.g., wrap/unwrap). MessageProp messgInfo = new MessageProp();
try {
试一试{
/* * Now send some bytes to the server to be * processed. They will be integrity protected but * not encrypted for privacy. */
/* * Now send some bytes to the server to be * processed. They will be integrity protected but * not encrypted for privacy. */
buffer = readFromFile();
buffer = readFromFile();
// Set privacy to false and use the default QOP messgInfo.setPrivacy(false);
// Set privacy to false and use the default QOP messgInfo.setPrivacy(false);
outToken = context.wrap(buffer, 0, buffer.length, messgInfo);
outToken=context.wrap(buffer,0,buffer.length,messgInfo);
writeGSSToken(outToken);
writeGSSToken(outToken);
/* * Now read the response from the server. */
/* * Now read the response from the server. */
inToken = readGSSToken(); buffer = context.unwrap(inToken, 0, inToken.length, messgInfo); // All ok if no exception was thrown!
inToken = readGSSToken(); buffer = context.unwrap(inToken, 0, inToken.length, messgInfo); // All ok if no exception was thrown!
GSSName peer = context.getSrcName();
GSSName peer = context.getSrcName();
print("Message from " + peer.toString() + " arrived."); print("Was it encrypted? " + messgInfo.getPrivacy()); print("Duplicate Token? " + messgInfo.isDuplicateToken()); print("Old Token? " + messgInfo.isOldToken()); print("Unsequenced Token? " + messgInfo.isUnseqToken()); print("Gap Token? " + messgInfo.isGapToken());
print("Message from " + peer.toString() + " arrived."); print("Was it encrypted? " + messgInfo.getPrivacy()); print("Duplicate Token? " + messgInfo.isDuplicateToken()); print("Old Token? " + messgInfo.isOldToken()); print("Unsequenced Token? " + messgInfo.isUnseqToken()); print("Gap Token? " + messgInfo.isGapToken());
... ...
... ...
} catch (GSSException e) { print("GSS-API error in per-message calls: " + e.getMessage()); ... ...
} catch (GSSException e) { print("GSS-API error in per-message calls: " + e.getMessage()); ... ...
}
}
...
...
...
...
} // end of doCommunication method
} // end of doCommunication method
... ...
... ...
} // end of class SimpleClient
} // end of class SimpleClient
import org.ietf.jgss.*;
导入org.ietf.jgss.*;
/** * This is a partial sketch for a simple server program that acts * as a GSS context acceptor. It illustrates how to use the Java * bindings for the GSS-API specified in * Generic Security Service API Version 2 : Java bindings * * This code sketch assumes the existence of a GSS-API * implementation that supports the mechanisms that it will need and * is present as a library package (org.ietf.jgss) either as part of * the standard JRE or in the CLASSPATH the application specifies. */
/** * This is a partial sketch for a simple server program that acts * as a GSS context acceptor. It illustrates how to use the Java * bindings for the GSS-API specified in * Generic Security Service API Version 2 : Java bindings * * This code sketch assumes the existence of a GSS-API * implementation that supports the mechanisms that it will need and * is present as a library package (org.ietf.jgss) either as part of * the standard JRE or in the CLASSPATH the application specifies. */
import org.ietf.jgss.*;
导入org.ietf.jgss.*;
public class SimpleServer {
公共类SimpleServer{
private String serviceName; private GSSName name; private GSSCredential cred;
private String serviceName; private GSSName name; private GSSCredential cred;
private GSSManager mgr;
私人物料供应经理;;
... ...
... ...
/** * Wait for client connections, establish security contexts and * provide service. */ private void loop() {
/** * Wait for client connections, establish security contexts and * provide service. */ private void loop() {
... ...
... ...
mgr = GSSManager.getInstance();
mgr = GSSManager.getInstance();
name = mgr.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
name=mgr.createName(serviceName,GSSName.NT\u基于主机的\u服务);
cred = mgr.createCredential(name, GSSCredential.INDEFINITE_LIFETIME, null, GSSCredential.ACCEPT_ONLY);
cred=mgr.createCredential(名称,GSSCredential.unfinite_生存期,null,仅GSSCredential.ACCEPT_);
// Loop infinitely while (true) {
//无限循环(true){
Socket s = serverSock.accept();
Socket s = serverSock.accept();
// Start a new thread to serve this connection Thread serverThread = new ServerThread(s); serverThread.start();
// Start a new thread to serve this connection Thread serverThread = new ServerThread(s); serverThread.start();
} }
} }
/** * Inner class ServerThread whose run() method provides the * secure service to a connection. */
/** * Inner class ServerThread whose run() method provides the * secure service to a connection. */
private class ServerThread extends Thread {
私有类ServerThread扩展线程{
... ...
... ...
/** * Deals with the connection from one client. It also * handles all GSSException's thrown while talking to * this client. */ public void run() {
/** * Deals with the connection from one client. It also * handles all GSSException's thrown while talking to * this client. */ public void run() {
byte[] inToken = null; byte[] outToken = null; byte[] buffer;
byte[] inToken = null; byte[] outToken = null; byte[] buffer;
GSSName peer;
GSSName对等体;
// Container for multiple input-output arguments to and // from the per-message routines (ie. wrap/unwrap). MessageProp supplInfo = new MessageProp();
// Container for multiple input-output arguments to and // from the per-message routines (ie. wrap/unwrap). MessageProp supplInfo = new MessageProp();
GSSContext secContext = null;
GSSContext secContext=null;
try {
试一试{
// Now do the context establishment loop
//现在执行上下文建立循环
GSSContext context = mgr.createContext(cred);
GSSContext context = mgr.createContext(cred);
while (!context.isEstablished()) {
while (!context.isEstablished()) {
inToken = readGSSToken();
inToken = readGSSToken();
outToken = context.acceptSecContext(inToken, 0, inToken.length);
outToken=context.acceptSecContext(inToken,0,inToken.length);
if (outToken != null) writeGSSToken(outToken);
if (outToken != null) writeGSSToken(outToken);
}
}
// SimpleServer wants confidentiality to be // available. Check for it. if (!context.getConfState()){ ... ... }
// SimpleServer wants confidentiality to be // available. Check for it. if (!context.getConfState()){ ... ... }
GSSName peer = context.getSrcName(); Oid mech = context.getMech(); print("Security context established with " + peer.toString() + " using underlying mechanism " + mech.toString() + " from Provider " + context.getProvider().getName());
GSSName peer = context.getSrcName(); Oid mech = context.getMech(); print("Security context established with " + peer.toString() + " using underlying mechanism " + mech.toString() + " from Provider " + context.getProvider().getName());
// Now read the bytes sent by the client to be // processed. inToken = readGSSToken();
// Now read the bytes sent by the client to be // processed. inToken = readGSSToken();
// Unwrap the message
//打开邮件
buffer = context.unwrap(inToken, 0, inToken.length, supplInfo); // All ok if no exception was thrown!
buffer = context.unwrap(inToken, 0, inToken.length, supplInfo); // All ok if no exception was thrown!
// Print other supplementary per-message status // information
// Print other supplementary per-message status // information
print("Message from " + peer.toString() + " arrived."); print("Was it encrypted? " + supplInfo.getPrivacy()); print("Duplicate Token? " + supplInfo.isDuplicateToken()); print("Old Token? " + supplInfo.isOldToken()); print("Unsequenced Token? " + supplInfo.isUnseqToken()); print("Gap Token? " + supplInfo.isGapToken());
print("Message from " + peer.toString() + " arrived."); print("Was it encrypted? " + supplInfo.getPrivacy()); print("Duplicate Token? " + supplInfo.isDuplicateToken()); print("Old Token? " + supplInfo.isOldToken()); print("Unsequenced Token? " + supplInfo.isUnseqToken()); print("Gap Token? " + supplInfo.isGapToken());
/* * Now process the bytes and send back an encrypted * response. */
/* * Now process the bytes and send back an encrypted * response. */
buffer = serverProcess(buffer);
buffer = serverProcess(buffer);
// Encipher it and send it across
//对它进行加密并发送出去
supplInfo.setPrivacy(true); // privacy requested supplInfo.setQOP(0); // default QOP outToken = context.wrap(buffer, 0, buffer.length, supplInfo); writeGSSToken(outToken);
supplInfo.setPrivacy(true); // privacy requested supplInfo.setQOP(0); // default QOP outToken = context.wrap(buffer, 0, buffer.length, supplInfo); writeGSSToken(outToken);
} catch (GSSException e) { print("GSS-API Error: " + e.getMessage()); // Alternatively, could call e.getMajorMessage() // and e.getMinorMessage() print("Abandoning security context.");
} catch (GSSException e) { print("GSS-API Error: " + e.getMessage()); // Alternatively, could call e.getMajorMessage() // and e.getMinorMessage() print("Abandoning security context.");
... ...
... ...
}
}
... ...
... ...
} // end of run method in ServerThread
} // end of run method in ServerThread
} // end of inner class ServerThread
} // end of inner class ServerThread
... ...
... ...
} // end of class SimpleServer
} // end of class SimpleServer
The Java language security model allows platform providers to have policy based fine-grained access control over any resource that an application wants. When using a Java security manager (such as, but not limited to, the case of applets running in browsers) the application code is in a sandbox by default.
Java语言安全模型允许平台提供者对应用程序需要的任何资源进行基于策略的细粒度访问控制。使用Java安全管理器时(例如但不限于浏览器中运行的小程序),默认情况下应用程序代码位于沙箱中。
Administrators of the platform JRE determine what permissions, if any, are to be given to source from different codebases. Thus the administrator has to be aware of any special requirements that the GSS provider might have for system resources. For instance, a Kerberos provider might wish to make a network connection to the KDC to obtain initial credentials. This would not be allowed under the sandbox unless the administrator had granted permissions for this. Also note that this granting and checking of permissions happens transparently to the application and is outside the scope of this document.
平台JRE的管理员决定从不同的代码库向源代码授予哪些权限(若有)。因此,管理员必须了解GSS提供商可能对系统资源的任何特殊要求。例如,Kerberos提供程序可能希望与KDC建立网络连接以获取初始凭据。除非管理员授予此权限,否则沙箱下不允许此操作。还要注意,这种权限的授予和检查对应用程序是透明的,不在本文档的范围之内。
The Java language allows administrators to pre-configure a list of security service providers in the <JRE>/lib/security/java.security file. At runtime, the system approaches these providers in order of preference when looking for security related services. Applications have a means to modify this list through methods in the "Security" class in the "java.security" package. However, since these modifications would be visible in the entire JVM and thus affect all code executing in it, this operation is not available in the sandbox and requires special permissions to perform. Thus when a GSS application has special needs that are met by a particular security provider, it has two choices:
Java语言允许管理员在<JRE>/lib/security/Java.security文件中预先配置安全服务提供商列表。在运行时,系统在查找与安全相关的服务时,会按优先顺序接近这些提供者。应用程序可以通过“java.Security”包中“Security”类中的方法修改此列表。但是,由于这些修改将在整个JVM中可见,从而影响在其中执行的所有代码,因此此操作在沙箱中不可用,需要特殊权限才能执行。因此,当GSS应用程序具有特定安全提供商满足的特殊需求时,它有两种选择:
1) To install the provider on a JVM wide basis using the java.security.Security class and then depend on the system to find the right provider automatically when the need arises. (This would require the application to be granted a "insertProvider SecurityPermission".)
1) 使用java.security.security类在JVM范围内安装提供程序,然后在需要时依靠系统自动找到正确的提供程序。(这将要求向应用程序授予“insertProvider SecurityPermission”。)
2) To pass an instance of the provider to the local instance of GSSManager so that only factory calls going through that GSSManager use the desired provider. (This would not require any permissions.)
2) 将提供程序的实例传递给GSSManager的本地实例,以便只有通过该GSSManager的工厂调用才能使用所需的提供程序。(这不需要任何权限。)
This proposed API leverages earlier work performed by the IETF's CAT WG as outlined in both RFC 2743 and RFC 2744. Many conceptual definitions, implementation directions, and explanations have been included from these documents.
该提议的API利用了IETF的CAT WG在RFC 2743和RFC 2744中概述的早期工作。这些文档中包含了许多概念定义、实施方向和解释。
We would like to thank Mike Eisler, Lin Ling, Ram Marti, Michael Saltz and other members of Sun's development team for their helpful input, comments and suggestions.
我们要感谢Mike Eisler、Lin Ling、Ram Marti、Michael Saltz和Sun开发团队的其他成员,感谢他们提供的有用的输入、意见和建议。
We would also like to thank Joe Salowey, and Michael Smith for many insightful ideas and suggestions that have contributed to this document.
我们还要感谢Joe Salowey和Michael Smith为本文件提供了许多有见地的想法和建议。
[GSSAPIv2] Linn, J., "Generic Security Service Application Program Interface, Version 2", RFC 2078, January 1997.
[GSSAPIv2]Linn,J.,“通用安全服务应用程序接口,第2版”,RFC 2078,1997年1月。
[GSSAPIv2-UPDATE] Linn, J., "Generic Security Service Application Program Interface, Version 2, Update 1", RFC 2743, January 2000.
[GSSAPIv2更新]Linn,J.,“通用安全服务应用程序接口,第2版,更新1”,RFC 2743,2000年1月。
[GSSAPI-Cbind] Wray, J., "Generic Security Service API Version 2 : C-bindings", RFC 2744, January 2000.
[GSSAPI Cbind]Wray,J.,“通用安全服务API第2版:C-绑定”,RFC 2744,2000年1月。
[KERBV5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, June 1996.
[KERBV5]Linn,J.,“Kerberos版本5 GSS-API机制”,RFC 1964,1996年6月。
[SPKM] Adams, C., "The Simple Public-Key GSS-API Mechanism", RFC 2025, October 1996.
[SPKM]Adams,C.,“简单公钥GSS-API机制”,RFC 20251996年10月。
Address comments related to this memorandum to:
将与本备忘录相关的意见发送至:
<cat-ietf@mit.edu>
<cat-ietf@mit.edu>
Jack Kabat ValiCert, Inc. 339 N. Bernardo Avenue Mountain View, CA 94043, USA
杰克·卡巴特·瓦利塞特公司,美国加利福尼亚州伯纳多大道北侧山景城339号,邮编94043
Phone: +1-650-567-5496 EMail: jackk@valicert.com
Phone: +1-650-567-5496 EMail: jackk@valicert.com
Mayank Upadhyay Sun Microsystems, Inc. 901 San Antonio Road, MS CUP02-102 Palo Alto, CA 94303
Mayank Upadhyay Sun Microsystems,Inc.加利福尼亚州帕洛阿尔托市圣安东尼奥路901号CUP02-102邮编94303
Phone: +1-408-517-5956 EMail: mdu@eng.sun.com
Phone: +1-408-517-5956 EMail: mdu@eng.sun.com
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。