FileDocCategorySizeDatePackage
ServicePermission.javaAPI DocJava SE 6 API16452Tue Jun 10 00:26:28 BST 2008javax.security.auth.kerberos

ServicePermission

public final class ServicePermission extends Permission implements Serializable
This class is used to protect Kerberos services and the credentials necessary to access those services. There is a one to one mapping of a service principal and the credentials necessary to access the service. Therefore granting access to a service principal implicitly grants access to the credential necessary to establish a security context with the service principal. This applies regardless of whether the credentials are in a cache or acquired via an exchange with the KDC. The credential can be either a ticket granting ticket, a service ticket or a secret key from a key table.

A ServicePermission contains a service principal name and a list of actions which specify the context the credential can be used within.

The service principal name is the canonical name of the KereberosPrincipal supplying the service, that is the KerberosPrincipal represents a Kerberos service principal. This name is treated in a case sensitive manner. An asterisk may appear by itself, to signify any service principal.

Granting this permission implies that the caller can use a cached credential (TGT, service ticket or secret key) within the context designated by the action. In the case of the TGT, granting this permission also implies that the TGT can be obtained by an Authentication Service exchange.

The possible actions are:

initiate - allow the caller to use the credential to
initiate a security context with a service
principal.

accept - allow the caller to use the credential to
accept security context as a particular
principal.
For example, to specify the permission to access to the TGT to initiate a security context the permission is constructed as follows:

ServicePermission("krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate");

To obtain a service ticket to initiate a context with the "host" service the permission is constructed as follows:

ServicePermission("host/foo.example.com@EXAMPLE.COM", "initiate");

For a Kerberized server the action is "accept". For example, the permission necessary to access and use the secret key of the Kerberized "host" service (telnet and the likes) would be constructed as follows:

ServicePermission("host/foo.example.com@EXAMPLE.COM", "accept");
since
1.4

Fields Summary
private static final long
serialVersionUID
private static final int
INITIATE
Initiate a security context to the specified service
private static final int
ACCEPT
Accept a security context
private static final int
ALL
All actions
private static final int
NONE
No actions.
private transient int
mask
private String
actions
the actions string.
Constructors Summary
public ServicePermission(String servicePrincipal, String action)
Create a new ServicePermission with the specified servicePrincipal and action.

param
servicePrincipal the name of the service principal. An asterisk may appear by itself, to signify any service principal.

param
action the action string

 // Left null as long as possible, then
                            // created and re-used in the getAction function.

                                            
         
	super(servicePrincipal);
	init(servicePrincipal, getMask(action));
    
Methods Summary
public booleanequals(java.lang.Object obj)
Checks two ServicePermission objects for equality.

param
obj the object to test for equality with this object.
return
true if obj is a ServicePermission, and has the same service principal, and actions as this ServicePermission object.

	if (obj == this)
	    return true;

	if (! (obj instanceof ServicePermission))
	    return false;

	ServicePermission that = (ServicePermission) obj;
	return ((this.mask & that.mask) == that.mask) && 
	    this.getName().equals(that.getName());
		

    
private static java.lang.StringgetActions(int mask)
Returns the "canonical string representation" of the actions in the specified mask. Always returns present actions in the following order: initiate, accept.

param
mask a specific integer action mask to translate into a string
return
the canonical string representation of the actions

	StringBuilder sb = new StringBuilder();
        boolean comma = false;

	if ((mask & INITIATE) == INITIATE) {
	    if (comma) sb.append(',");
    	    else comma = true;
	    sb.append("initiate");
	}

	if ((mask & ACCEPT) == ACCEPT) {
	    if (comma) sb.append(',");
    	    else comma = true;
	    sb.append("accept");
	}

	return sb.toString();
    
public java.lang.StringgetActions()
Returns the canonical string representation of the actions. Always returns present actions in the following order: initiate, accept.

	if (actions == null)
	    actions = getActions(this.mask);

	return actions;
    
intgetMask()
Return the current action mask.

return
the actions mask.

	return mask;
    
private static intgetMask(java.lang.String action)
Convert an action string to an integer actions mask.

param
action the action string
return
the action mask


	if (action == null) {
	    throw new NullPointerException("action can't be null");
	}

	if (action.equals("")) {
	    throw new IllegalArgumentException("action can't be empty");
	}

	int mask = NONE;

	char[] a = action.toCharArray();

	int i = a.length - 1;
	if (i < 0)
	    return mask;

	while (i != -1) {
	    char c;

	    // skip whitespace
	    while ((i!=-1) && ((c = a[i]) == ' " ||
			       c == '\r" ||
			       c == '\n" ||
			       c == '\f" ||
			       c == '\t"))
		i--;

	    // check for the known strings
	    int matchlen;

	    if (i >= 7 && (a[i-7] == 'i" || a[i-7] == 'I") &&
			  (a[i-6] == 'n" || a[i-6] == 'N") &&
			  (a[i-5] == 'i" || a[i-5] == 'I") &&
			  (a[i-4] == 't" || a[i-4] == 'T") &&
			  (a[i-3] == 'i" || a[i-3] == 'I") &&
			  (a[i-2] == 'a" || a[i-2] == 'A") &&
			  (a[i-1] == 't" || a[i-1] == 'T") &&
			  (a[i] == 'e" || a[i] == 'E"))
	    {
		matchlen = 8;
		mask |= INITIATE;

	    } else if (i >= 5 && (a[i-5] == 'a" || a[i-5] == 'A") &&
				 (a[i-4] == 'c" || a[i-4] == 'C") &&
				 (a[i-3] == 'c" || a[i-3] == 'C") &&
				 (a[i-2] == 'e" || a[i-2] == 'E") &&
				 (a[i-1] == 'p" || a[i-1] == 'P") &&
				 (a[i] == 't" || a[i] == 'T"))
	    {
		matchlen = 6;
		mask |= ACCEPT;

	    } else {
		// parse error
		throw new IllegalArgumentException(
			"invalid permission: " + action);
	    }

	    // make sure we didn't just match the tail of a word
	    // like "ackbarfaccept".  Also, skip to the comma.
	    boolean seencomma = false;
	    while (i >= matchlen && !seencomma) {
		switch(a[i-matchlen]) {
		case ',":
		    seencomma = true;
		    /*FALLTHROUGH*/
		case ' ": case '\r": case '\n":
		case '\f": case '\t":
		    break;
		default:
		    throw new IllegalArgumentException(
			    "invalid permission: " + action);
		}
		i--;
	    }

	    // point i at the location of the comma minus one (or -1).
	    i -= matchlen;
	}

	return mask;
    
public inthashCode()
Returns the hash code value for this object.

return
a hash code value for this object.

	return (getName().hashCode() ^ mask);
    
public booleanimplies(java.security.Permission p)
Checks if this Kerberos service permission object "implies" the specified permission.

If none of the above are true, implies returns false.

param
p the permission to check against.
return
true if the specified permission is implied by this object, false if not.

	if (!(p instanceof ServicePermission))
	    return false;

	ServicePermission that = (ServicePermission) p;

	return ((this.mask & that.mask) == that.mask) &&
	    impliesIgnoreMask(that);
    
booleanimpliesIgnoreMask(javax.security.auth.kerberos.ServicePermission p)

	return ((this.getName().equals("*")) ||
		this.getName().equals(p.getName()));
    
private voidinit(java.lang.String servicePrincipal, int mask)
Initialize the ServicePermission object.


	if (servicePrincipal == null) 
		throw new NullPointerException("service principal can't be null");

	if ((mask & ALL) != mask) 
	    throw new IllegalArgumentException("invalid actions mask");

	this.mask = mask;
    
public java.security.PermissionCollectionnewPermissionCollection()
Returns a PermissionCollection object for storing ServicePermission objects.
ServicePermission objects must be stored in a manner that allows them to be inserted into the collection in any order, but that also enables the PermissionCollection implies method to be implemented in an efficient (and consistent) manner.

return
a new PermissionCollection object suitable for storing ServicePermissions.

	return new KrbServicePermissionCollection();
    
private voidreadObject(java.io.ObjectInputStream s)
readObject is called to restore the state of the ServicePermission from a stream.

	// Read in the action, then initialize the rest
	s.defaultReadObject();
	init(getName(),getMask(actions));
    
private voidwriteObject(java.io.ObjectOutputStream s)
WriteObject is called to save the state of the ServicePermission to a stream. The actions are serialized, and the superclass takes care of the name.

	// Write out the actions. The superclass takes care of the name
	// call getActions to make sure actions field is initialized
	if (actions == null)
	    getActions();
	s.defaultWriteObject();