Java SASL API: Class Sasl

Overview

Class

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: INNER | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

javax.security.sasl
Class Sasl

java.lang.Object
  |
  +--javax.security.sasl.Sasl

public class Sasl
extends Object

A static class for creating SASL clients and servers.

This class defines the policy of how to locate, load, and instantiate SASL clients and servers.

For example, an application or library gets a SASL client by doing something like:

 SaslClient sc = Sasl.createSaslClient(mechanisms,
     authorizationId, protocol, serverName, props, callbackHandler);

It can then proceed to use the instance to create an authentication connection.

Similarly, a server gets a SASL server by using code that looks as follows:

 SaslServer ss = Sasl.createSaslServer(mechanism,
     protocol, serverName, props, callbackHandler);

IMPLEMENTATION NOTE FOR THE JAVA 2 PLATFORM:
To use the create methods, the caller needs the following permissions:

java.util.PropertyPermission("javax.security.sasl.client.pkgs", "read");

java.util.PropertyPermission("javax.security.sasl.server.pkgs", "read");

To use the set factory methods, the caller needs the following permission:

java.lang.RuntimePermission("setFactory");

Field Summary

static String CLIENT_PKGS
          The name of the property that specifies the SaslClientFactorys to use.

static String MAX_BUFFER
          The name of a property that specifies the maximum size of the receive buffer in bytes of SaslClient/SaslServer.

static String POLICY_FORWARD_SECRECY
          The name of a property that specifies whether mechanisms that implement forward secrecy between sessions are required.

static String POLICY_NOACTIVE
          The name of a property that specifies whether mechanisms susceptible to active (non-dictionary) attacks are not permitted.

static String POLICY_NOANONYMOUS
          The name of a property that specifies whether mechanisms that accept anonymous login are not permitted.

static String POLICY_NODICTIONARY
          The name of a property that specifies whether mechanisms susceptible to passive dictionary attacks are not permitted.

static String POLICY_NOPLAINTEXT
          The name of a property that specifies whether mechanisms susceptible to simple plain passive attacks (e.g., "PLAIN") are not permitted.

static String POLICY_PASS_CREDENTIALS
          The name of a property that specifies whether mechanisms that pass client credentials are required.

static String QOP
          The name of a property that specifies the quality-of-protection to use.

static String RAW_SEND_SIZE
          The name of a property that specifies the maximum size of the raw send buffer in bytes of SaslClient/SaslServer.

static String SERVER_AUTH
          The name of a property that specifies whether the server must authenticate to the client.

static String SERVER_PKGS
          The name of the property that specifies the SaslServerFactorys to use.

static String STRENGTH
          The name of a property that specifies the cipher strength to use.

Method Summary

static SaslClient createSaslClient(String[] mechanisms, String authorizationId, String protocol, String serverName, Hashtable props, javax.security.auth.callback.CallbackHandler cbh)
          Creates a SaslClient using the parameters supplied.

static SaslServer createSaslServer(String mechanism, String protocol, String serverName, Hashtable props, javax.security.auth.callback.CallbackHandler cbh)
          Creates a SaslServer for the specified mechanism.

static Enumeration getSaslClientFactories(Hashtable props)
          Gets an enumeration of known factories for producing SaslClient.

static Enumeration getSaslServerFactories(Hashtable props)
          Gets an enumeration of known factories for producing SaslServer.

static void setSaslClientFactory(SaslClientFactory fac)
          Sets the default SaslClientFactory to use.

static void setSaslServerFactory(SaslServerFactory fac)
          Sets the default SaslServerFactory to use.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CLIENT_PKGS

public static final String CLIENT_PKGS

The name of the property that specifies the SaslClientFactorys to use. The property contains a list of client package names, separated by '|'. Each package must contain a class named ClientFactory that implements the SaslClientFactory interface. Its value is "javax.security.sasl.client.pkgs".

SERVER_PKGS

public static final String SERVER_PKGS

The name of the property that specifies the SaslServerFactorys to use. The property contains a list of server package names, separated by '|'. Each package must contain a class named ServerFactory that implements the SaslServerFactory interface. Its value is "javax.security.sasl.server.pkgs".

QOP

public static final String QOP

The name of a property that specifies the quality-of-protection to use. The property contains a comma-separated, ordered list of quality-of-protection values that the client or server is willing to support. A qop value is one of

"auth" - authentication only
"auth-int" - authentication plus integrity protection
"auth-conf" - authentication plus integrity and confidentiality protection

The order of the list specifies the preference order of the client or server. If this property is absent, the default qop is "auth". The value of this constant is "javax.security.sasl.qop".

STRENGTH

public static final String STRENGTH

The name of a property that specifies the cipher strength to use. The property contains a comma-separated, ordered list of cipher strength values that the client or server is willing to support. A strength value is one of

"low"
"medium"
"high"

The order of the list specifies the preference order of the client or server. An implementation should allow configuration of the meaning of these values. An application may use the Java Cryptography Extension (JCE) with JCE-aware mechanisms to control the selection of cipher suites that match the strength values.
If this property is absent, the default strength is "high,medium,low". The value of this constant is "javax.security.sasl.strength".

SERVER_AUTH

public static final String SERVER_AUTH

The name of a property that specifies whether the server must authenticate to the client. The property contains "true" if the server must authenticate the to client; "false" otherwise. The default is "false".
The value of this constant is "javax.security.sasl.server.authentication".

MAX_BUFFER

public static final String MAX_BUFFER

The name of a property that specifies the maximum size of the receive buffer in bytes of SaslClient/SaslServer. The property contains the string representation of an integer.
If this property is absent, the default size is defined by the mechanism.
The value of this constant is "javax.security.sasl.maxbuffer".

RAW_SEND_SIZE

public static final String RAW_SEND_SIZE

The name of a property that specifies the maximum size of the raw send buffer in bytes of SaslClient/SaslServer. The property contains the string representation of an integer. The value of this property is negotiated between the client and server during the authentication exchange.
The value of this constant is "javax.security.sasl.rawsendsize".

POLICY_NOPLAINTEXT

public static final String POLICY_NOPLAINTEXT

The name of a property that specifies whether mechanisms susceptible to simple plain passive attacks (e.g., "PLAIN") are not permitted. The property contains "true" if such mechanisms are not permitted; "false" if such mechanisms are permitted. The default is "false".
The value of this constant is "javax.security.sasl.policy.noplaintext".

POLICY_NOACTIVE

public static final String POLICY_NOACTIVE

The name of a property that specifies whether mechanisms susceptible to active (non-dictionary) attacks are not permitted. The property contains "true" if mechanisms susceptible to active attacks are not permitted; "false" if such mechanisms are permitted. The default is "false".
The value of this constant is "javax.security.sasl.policy.noactive".

POLICY_NODICTIONARY

public static final String POLICY_NODICTIONARY

The name of a property that specifies whether mechanisms susceptible to passive dictionary attacks are not permitted. The property contains "true" if mechanisms susceptible to dictionary attacks are not permitted; "false" if such mechanisms are permitted. The default is "false".
The value of this constant is "javax.security.sasl.policy.nodictionary".

POLICY_NOANONYMOUS

public static final String POLICY_NOANONYMOUS

The name of a property that specifies whether mechanisms that accept anonymous login are not permitted. The property contains "true" if mechanisms that accept anonymous login are not permitted; "false" if such mechanisms are permitted. The default is "false".
The value of this constant is "javax.security.sasl.policy.noanonymous".

POLICY_FORWARD_SECRECY

public static final String POLICY_FORWARD_SECRECY

The name of a property that specifies whether mechanisms that implement forward secrecy between sessions are required. Forward secrecy means that breaking into one session will not automatically provide information for breaking into future sessions. The property contains "true" if mechanisms that implement forward secrecy between sessions are required; "false" if such mechanisms are not required. The default is "false".
The value of this constant is "javax.security.sasl.policy.forward".

POLICY_PASS_CREDENTIALS

public static final String POLICY_PASS_CREDENTIALS

The name of a property that specifies whether mechanisms that pass client credentials are required. The property contains "true" if mechanisms that pass client credentials are required; "false" if such mechanisms are not required. The default is "false".
The value of this constant is "javax.security.sasl.policy.credentials".

Method Detail

createSaslClient

public static SaslClient createSaslClient(String[] mechanisms,
                                          String authorizationId,
                                          String protocol,
                                          String serverName,
                                          Hashtable props,
                                          javax.security.auth.callback.CallbackHandler cbh)
                                   throws SaslException

Creates a SaslClient using the parameters supplied. The algorithm for selecting a SaslClient is as follows.

If a factory has been installed via setSaslClientFactory(), invoke createSaslClient() on it. If the method invocation returns a non-null SaslClient instance, return the SaslClient instance; otherwise continue.
Create a list of fully qualified class names using the package names listed in the CLIENT_PKGS ("javax.security.sasl.client.pkgs") property in props and the class name, ClientFactory. Each class named on this list names a SaslClientFactory implementation. Starting with the first class on the list, create an instance of SaslClientFactory using the class's public no-argument constructor and invoke createSaslClient() on it. If the method invocation returns a non-null SaslClient instance, return it; otherwise repeat using the next class on the list until a non-null SaslClient is produced or the list exhausted.
Repeat previous step using the CLIENT_PKGS ("javax.security.sasl.client.pkgs") System property instead of the property in props.
As per the Java 2, Standard Edition, v 1.3 service provider guidelines, check for the existence of one of more files named META-INF/services/javax.security.sasl.SaslClientFactory in the classpath and installed JAR files. Each file lists the fully qualified class names of the factories (i.e., implementations of SaslClientFactory) found in the JAR or classpath. Construct a complete list of fully qualified class names using these files and repeat Step 2 using this list. If there are more than one of these files, the order in which they are processed is undefined.
If no non-null SaslClient instance is produced, return null.

Parameters:: mechanisms - The non-null list of mechanism names to try. Each is the IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").; authorizationId - The possibly null protocol-dependent identification to be used for authorization. If null or empty, the server derives an authorization ID from the client's authentication credentials. When the SASL authentication completes successfully, the specified entity is granted access.; protocol - The non-null string name of the protocol for which the authentication is being performed (e.g., "ldap").; serverName - The non-null fully-qualified host name of the server to to authenticate to.; props - The possibly null set of properties used to select the SASL mechanism and to configure the authentication exchange of the selected mechanism. For example, if props contains the Sasl.POLICY_NOPLAINTEXT property with the value "true", then the selected SASL mechanism must not be susceptible to simple plain passive attacks. In addition to the standard properties declared in this class, other, possibly mechanism-specific, properties can be included. Properties not relevant to the selected mechanism are ignored.; cbh - The possibly null callback handler to used by the SASL mechanisms to get further information from the application/library to complete the authentication. For example, a SASL mechanism might require the authentication ID, password and realm from the caller. The authentication ID is requested by using a NameCallback. The password is requested by using a PasswordCallback. The realm is requested by using a RealmChoiceCallback if there is a list of realms to choose from, and by using a RealmCallback if the realm must be entered.
Returns:: A possibly null SaslClient created using the parameters supplied. If null, cannot find a SaslClientFactory that will produce one.
Throws:: SaslException - If cannot create a SaslClient because of an error.
See Also:: CLIENT_PKGS

getSaslClientFactories

public static Enumeration getSaslClientFactories(Hashtable props)

Gets an enumeration of known factories for producing SaslClient. This method uses the same sources for locating factories as createSaslClient().

Parameters:: props - A possible null set of properties that may contain the Sasl.CLIENT_PKGS property.
Returns:: An enumeration of known factories for producing SaslClient.
See Also:: createSaslClient(java.lang.String[], java.lang.String, java.lang.String, java.lang.String, java.util.Hashtable, javax.security.auth.callback.CallbackHandler)

setSaslClientFactory

public static void setSaslClientFactory(SaslClientFactory fac)

Sets the default SaslClientFactory to use. This method sets fac to be the default factory. It can only be called with a non-null value once per VM. If a factory has been set already, this method throws IllegalStateException.

Parameters:: fac - The possibly null factory to set. If null, doesn't do anything.
Throws:: IllegalStateException - If factory already set.; SecurityException - If a security manager exists and the caller does not have permission to set a factory.

createSaslServer

public static SaslServer createSaslServer(String mechanism,
                                          String protocol,
                                          String serverName,
                                          Hashtable props,
                                          javax.security.auth.callback.CallbackHandler cbh)
                                   throws SaslException

Creates a SaslServer for the specified mechanism. It returns null if no SaslServer can be created for the specified mechanism.

The algorithm for selecting a SaslServer is as follows.

If a factory has been installed via setSaslServerFactory(), invoke createSaslServer() on it. If the method invocation returns a non-null SaslServer instance, return the SaslServer instance; otherwise continue.
Create a list of fully qualified class names using the package names listed in the SERVER_PKGS ("javax.security.sasl.server.pkgs") property in props and the class name, ServerFactory. Each class named on this list names a SaslServerFactory implementation. Starting with the first class on the list, create an instance of SaslServerFactory using the class's public no-argument constructor and invoke createSaslServer() on it. If the method invocation returns a non-null SaslServer instance, return it; otherwise repeat using the next class on the list until a non-null SaslServer is produced or the list exhausted.
Repeat previous step using the SERVER_PKGS ("javax.security.sasl.server.pkgs") System property instead of the property in props.
As per the Java 2, Standard Edition, v 1.3 service provider guidelines, check for the existence of one of more files named META-INF/services/javax.security.sasl.SaslServerFactory in the classpath and installed JAR files. Each file lists the fully qualified class names of the factories (i.e., implementations of SaslServerFactory). Construct a complete list of fully qualified class names using these files and repeat Step 2 using this list. If there are more than one of these files, the order in which they are processed is undefined.
If no non-null SaslServer instance is produced, return null.

Parameters:: mechanism - The non-null mechanism name. It must be an IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").; protocol - The non-null string name of the protocol for which the authentication is being performed (e.g., "ldap").; serverName - The non-null fully qualified host name of the server.; props - The possibly null set of properties used to select the SASL mechanism and to configure the authentication exchange of the selected mechanism. For example, if props contains the Sasl.POLICY_NOPLAINTEXT property with the value "true", then the selected SASL mechanism must not be susceptible to simple plain passive attacks. In addition to the standard properties declared in this class, other, possibly mechanism-specific, properties can be included. Properties not relevant to the selected mechanism are ignored.; cbh - The possibly null callback handler to used by the SASL mechanisms to get further information from the application/library to complete the authentication. For example, a SASL mechanism might require the authentication ID, password and realm from the caller. The authentication ID is requested by using a NameCallback. The password is requested by using a PasswordCallback. The realm is requested by using a RealmChoiceCallback if there is a list of realms to choose from, and by using a RealmCallback if the realm must be entered.
Returns:: A possibly null SaslServer created using the parameters supplied. If null, cannot find a SaslServerFactory that will produce one.
Throws:: SaslException - If cannot create a SaslServer because of an error.
See Also:: SERVER_PKGS

getSaslServerFactories

public static Enumeration getSaslServerFactories(Hashtable props)

Gets an enumeration of known factories for producing SaslServer. This method uses the same sources for locating factories as createSaslServer().

Parameters:: props - A possible null set of properties that may contain the Sasl.SERVER_PKGS property.
Returns:: An enumeration of known factories for producing SaslServer.
See Also:: createSaslServer(java.lang.String, java.lang.String, java.lang.String, java.util.Hashtable, javax.security.auth.callback.CallbackHandler)

setSaslServerFactory

public static void setSaslServerFactory(SaslServerFactory fac)

Sets the default SaslServerFactory to use. This method sets fac to be the default factory. It can only be called with a non-null value once per VM. If a factory has been set already, this method throws IllegalStateException.

Parameters:: fac - The possibly null factory to set. If null, doesn't do anything.
Throws:: IllegalStateException - If factory already set.; SecurityException - If a security manager exists and the caller does not have permission to set a factory.