RFC 5653
Generic Security Service API Version 2: Java Bindings Update
7. Detailed GSS-API Class Description
This section lists a detailed description of all the public methods that each of the GSS-API classes and interfaces must provide.7.1. public abstract class GSSManager
The GSSManager class is an abstract class that serves as a factory for three GSS interfaces: GSSName, GSSCredential, and GSSContext. It also provides methods for applications to determine what mechanisms are available from the GSS implementation and what name types these mechanisms support. An instance of the default GSSManager subclass may be obtained through the static method getInstance(), but applications are free to instantiate other subclasses of GSSManager. All but one method in this class are declared abstract. This means that subclasses have to provide the complete implementation for those methods. The only exception to this is the static method getInstance(), which will have platform-specific code to return an instance of the default subclass. Platform providers of GSS are required not to add any constructors to this class, private, public, or protected. This will ensure that all subclasses invoke only the default constructor provided to the base class by the compiler. A subclass extending the GSSManager abstract class may be implemented as a modular provider-based layer that utilizes some well-known service provider specification. The GSSManager API provides the application with methods to set provider preferences on such an implementation. These methods also allow the implementation to throw a well-defined exception in case provider-based configuration is not supported. Applications that expect to be portable should be aware of this and recover cleanly by catching the exception. It is envisioned that there will be three most common ways in which providers will be used: 1) The application does not care about what provider is used (the default case). 2) The application wants a particular provider to be used preferentially, either for a particular mechanism or all the time, irrespective of the mechanism. 3) The application wants to use the locally configured providers as far as possible, but if support is missing for one or more mechanisms, then it wants to fall back on its own provider.
The GSSManager class has two methods that enable these modes of usage: addProviderAtFront() and addProviderAtEnd(). These methods have the effect of creating an ordered list of <provider, oid> pairs where each pair indicates a preference of provider for a given oid. The use of these methods does not require any knowledge of whatever service provider specification the GSSManager subclass follows. It is hoped that these methods will serve the needs of most applications. Additional methods may be added to an extended GSSManager that could be part of a service provider specification that is standardized later.7.1.1. Example Code
GSSManager mgr = GSSManager.getInstance(); // What mechs are available to us? Oid[] supportedMechs = mgr.getMechs(); // Set a preference for the provider to be used when support // is needed for the mechanisms: // "1.2.840.113554.1.2.2" and "1.3.6.1.5.5.1.1". Oid krb = new Oid("1.2.840.113554.1.2.2"); Oid spkm1 = new Oid("1.3.6.1.5.5.1.1"); Provider p = (Provider) (new com.foo.security.Provider()); mgr.addProviderAtFront(p, krb); mgr.addProviderAtFront(p, spkm1); // What name types does this spkm implementation support? Oid[] nameTypes = mgr.getNamesForMech(spkm1);7.1.2. getInstance
public static GSSManager getInstance() Returns the default GSSManager implementation.
7.1.3. getMechs
public abstract Oid[] getMechs() Returns an array of Oid objects indicating the mechanisms available to GSS-API callers. A "null" value is returned when no mechanism are available (an example of this would be when mechanism are dynamically configured, and currently no mechanisms are installed).7.1.4. getNamesForMech
public abstract Oid[] getNamesForMech(Oid mech) throws GSSException Returns name type Oid's supported by the specified mechanism. Parameters: mech: The Oid object for the mechanism to query.7.1.5. getMechsForName
public abstract Oid[] getMechsForName(Oid nameType) Returns an array of Oid objects corresponding to the mechanisms that support the specific name type. "null" is returned when no mechanisms are found to support the specified name type. Parameters: nameType: The Oid object for the name type.7.1.6. createName
public abstract GSSName createName(String nameStr, Oid nameType) throws GSSException Factory method to convert a contiguous string name from the specified namespace to a GSSName object. In general, the GSSName object created will not be an MN; two examples that are exceptions to this are when the namespace type parameter indicates NT_EXPORT_NAME or when the GSS-API implementation is not multi-mechanism. Parameters: nameStr: The string representing a printable form of the name to create.
nameType: The Oid specifying the namespace of the printable
name is supplied. Note that nameType serves to
describe and qualify the interpretation of the input
nameStr, it does not necessarily imply a type for
the output GSSName implementation. The "null" value
can be used to specify that a mechanism-specific
default printable syntax should be assumed by each
mechanism that examines nameStr.
7.1.7. createName
public abstract GSSName createName(byte[] name, Oid nameType)
throws GSSException
Factory method to convert a contiguous byte array containing a name
from the specified namespace to a GSSName object. In general, the
GSSName object created will not be an MN; two examples that are
exceptions to this are when the namespace type parameter indicates
NT_EXPORT_NAME or when the GSS-API implementation is not multi-
mechanism.
Parameters:
name: The byte array containing the name to create.
nameType: The Oid specifying the namespace of the name
supplied in the byte array. Note that nameType
serves to describe and qualify the interpretation of
the input name byte array; it does not necessarily
imply a type for the output GSSName implementation.
The "null" value can be used to specify that a
mechanism-specific default syntax should be assumed
by each mechanism that examines the byte array.
7.1.8. createName
public abstract GSSName createName(String nameStr, Oid nameType,
Oid mech) throws GSSException
Factory method to convert a contiguous string name from the specified
namespace to a GSSName object that is a mechanism name (MN). In
other words, this method is a utility that does the equivalent of two
steps: the createName described in section 7.1.6, and then also the
GSSName.canonicalize() described in section 7.2.5.
Parameters:
nameStr: The string representing a printable form of the name
to create.
nameType: The Oid specifying the namespace of the printable
name supplied. Note that nameType serves to
describe and qualify the interpretation of the input
nameStr; it does not necessarily imply a type for
the output GSSName implementation. The "null" value
can be used to specify that a mechanism-specific
default printable syntax should be assumed when the
mechanism examines nameStr.
mech: Oid specifying the mechanism for which this name
should be created.
7.1.9. createName
public abstract GSSName createName(byte[] name, Oid nameType,
Oid mech) throws GSSException
Factory method to convert a contiguous byte array containing a name
from the specified namespace to a GSSName object that is an MN. In
other words, this method is a utility that does the equivalent of two
steps: the createName described in section 7.1.7, and then also the
GSSName.canonicalize() described in section 7.2.5.
Parameters:
name: The byte array representing the name to create.
nameType: The Oid specifying the namespace of the name
supplied in the byte array. Note that nameType
serves to describe and qualify the interpretation of
the input name byte array, it does not necessarily
imply a type for the output GSSName implementation.
The "null" value can be used to specify that a
mechanism-specific default syntax should be assumed
by each mechanism that examines the byte array.
mech: Oid specifying the mechanism for which this name
should be created.
7.1.10. createCredential
public abstract GSSCredential createCredential(int usage) throws GSSException Factory method for acquiring default credentials. This will cause the GSS-API to use system-specific defaults for the set of mechanisms, name, and a DEFAULT lifetime. Parameters: usage: The intended usage for this credential object. The value of this parameter must be one of: GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2)7.1.11. createCredential
public abstract GSSCredential createCredential(GSSName aName, int lifetime, Oid mech, int usage) throws GSSException Factory method for acquiring a single mechanism credential. Parameters: aName: Name of the principal for whom this credential is to be acquired. Use "null" to specify the default principal. lifetime: The number of seconds that credentials should remain valid. Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials have the maximum permitted lifetime. Use GSSCredential.DEFAULT_LIFETIME to request default credential lifetime. mech: The oid of the desired mechanism. Use "(Oid) null" to request the default mechanism(s).
usage: The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2)
7.1.12. createCredential
public abstract GSSCredential createCredential(GSSName aName,
int lifetime, Oid[] mechs, int usage)
throws GSSException
Factory method for acquiring credentials over a set of mechanisms.
Acquires credentials for each of the mechanisms specified in the
array called mechs. To determine the list of mechanisms' for which
the acquisition of credentials succeeded, the caller should use the
GSSCredential.getMechs() method.
Parameters:
aName: Name of the principal for whom this credential is to
be acquired. Use "null" to specify the default
principal.
lifetime: The number of seconds that credentials should remain
valid. Use GSSCredential.INDEFINITE_LIFETIME to
request that the credentials have the maximum
permitted lifetime. Use
GSSCredential.DEFAULT_LIFETIME to request default
credential lifetime.
mechs: The array of mechanisms over which the credential is
to be acquired. Use "(Oid[]) null" for requesting a
system-specific default set of mechanisms.
usage: The intended usage for this credential object. The
value of this parameter must be one of:
GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2)
7.1.13. createContext
public abstract GSSContext createContext(GSSName peer, Oid mech,
GSSCredential myCred, int lifetime)
throws GSSException
Factory method for creating a context on the initiator's side.
Context flags may be modified through the mutator methods prior to
calling GSSContext.initSecContext().
Parameters:
peer: Name of the target peer.
mech: Oid of the desired mechanism. Use "(Oid) null" to
request the default mechanism.
myCred: Credentials of the initiator. Use "null" to act as
a default initiator principal.
lifetime: The request lifetime, in seconds, for the context.
Use GSSContext.INDEFINITE_LIFETIME and
GSSContext.DEFAULT_LIFETIME to request indefinite or
default context lifetime.
7.1.14. createContext
public abstract GSSContext createContext(GSSCredential myCred)
throws GSSException
Factory method for creating a context on the acceptor' side. The
context's properties will be determined from the input token supplied
to the accept method.
Parameters:
myCred: Credentials for the acceptor. Use "null" to act as
a default acceptor principal.
7.1.15. createContext
public abstract GSSContext createContext(byte[] interProcessToken)
throws GSSException
Factory method for creating a previously exported context. The
context properties will be determined from the input token and can't
be modified through the set methods.
Parameters:
interProcessToken: The token previously emitted from the export
method.
7.1.16. addProviderAtFront
public abstract void addProviderAtFront(Provider p, Oid mech) throws GSSException This method is used to indicate to the GSSManager that the application would like a particular provider to be used ahead of all others when support is desired for the given mechanism. When a value of "null" is used instead of an Oid for the mechanism, the GSSManager must use the indicated provider ahead of all others no matter what the mechanism is. Only when the indicated provider does not support the needed mechanism should the GSSManager move on to a different provider. Calling this method repeatedly preserves the older settings but lowers them in preference thus forming an ordered list of provider and Oid pairs that grows at the top. Calling addProviderAtFront with a null Oid will remove all previous preferences that were set for this provider in the GSSManager instance. Calling addProviderAtFront with a non-null Oid will remove any previous preference that was set using this mechanism and this provider together. If the GSSManager implementation does not support an SPI with a pluggable provider architecture, it should throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable. Parameters: p: The provider instance that should be used whenever support is needed for mech. mech: The mechanism for which the provider is being set.7.1.17. Example Code
Suppose an application desired that the provider A always be checked first when any mechanism is needed, it would call: GSSManager mgr = GSSManager.getInstance(); // mgr may at this point have its own pre-configured list // of provider preferences. The following will prepend to // any such list: mgr.addProviderAtFront(A, null);
Now if it also desired that the mechanism of Oid m1 always be
obtained from the provider B before the previously set A was checked,
it would call:
mgr.addProviderAtFront(B, m1);
The GSSManager would then first check with B if m1 was needed. In
case B did not provide support for m1, the GSSManager would continue
on to check with A. If any mechanism m2 is needed where m2 is
different from m1, then the GSSManager would skip B and check with A
directly.
Suppose, at a later time, the following call is made to the same
GSSManager instance:
mgr.addProviderAtFront(B, null)
then the previous setting with the pair (B, m1) is subsumed by this
and should be removed. Effectively, the list of preferences now
becomes {(B, null), (A, null), ... //followed by the pre-configured
list.
Please note, however, that the following call:
mgr.addProviderAtFront(A, m3)
does not subsume the previous setting of (A, null), and the list will
effectively become {(A, m3), (B, null), (A, null), ...}
7.1.18. addProviderAtEnd
public abstract void addProviderAtEnd(Provider p, Oid mech)
throws GSSException
This method is used to indicate to the GSSManager that the
application would like a particular provider to be used if no other
provider can be found that supports the given mechanism. When a
value of "null" is used instead of an Oid for the mechanism, the
GSSManager must use the indicated provider for any mechanism.
Calling this method repeatedly preserves the older settings, but
raises them above newer ones in preference thus forming an ordered
list of providers and Oid pairs that grows at the bottom. Thus, the
older provider settings will be utilized first before this one is.
If there are any previously existing preferences that conflict with
the preference being set here, then the GSSManager should ignore this
request.
If the GSSManager implementation does not support an SPI with a
pluggable provider architecture, it should throw a GSSException with
the status code GSSException.UNAVAILABLE to indicate that the
operation is unavailable.
Parameters:
p: The provider instance that should be used whenever
support is needed for mech.
mech: The mechanism for which the provider is being set.
7.1.19. Example Code
Suppose an application desired that when a mechanism of Oid m1 is
needed, the system default providers always be checked first, and
only when they do not support m1 should a provider A be checked. It
would then make the call:
GSSManager mgr = GSSManager.getInstance();
mgr.addProviderAtEnd(A, m1);
Now, if it also desired that for all mechanisms the provider B be
checked after all configured providers have been checked, it would
then call:
mgr.addProviderAtEnd(B, null);
Effectively, the list of preferences now becomes {..., (A, m1), (B,
null)}.
Suppose, at a later time, the following call is made to the same
GSSManager instance:
mgr.addProviderAtEnd(B, m2)
then the previous setting with the pair (B, null) subsumes this;
therefore, this request should be ignored. The same would happen if
a request is made for the already existing pairs of (A, m1) or (B,
null).
Please note, however, that the following call:
mgr.addProviderAtEnd(A, null)
is not subsumed by the previous setting of (A, m1) and the list will
effectively become {..., (A, m1), (B, null), (A, null)}.
7.2. public interface GSSName
This interface encapsulates a single GSS-API principal entity. Different name formats and their definitions are identified with Universal Object Identifiers (Oids). The format of the names can be derived based on the unique oid of its namespace type.7.2.1. Example Code
Included below are code examples utilizing the GSSName interface. The code below creates a GSSName, converts it to a mechanism name (MN), performs a comparison, obtains a printable representation of the name, exports it and then re-imports to obtain a new GSSName. GSSManager mgr = GSSManager.getInstance(); // create a host-based service name GSSName name = mgr.createName("service@host", GSSName.NT_HOSTBASED_SERVICE); Oid krb5 = new Oid("1.2.840.113554.1.2.2"); GSSName mechName = name.canonicalize(krb5); // the above two steps are equivalent to the following GSSName mechName = mgr.createName("service@host", GSSName.NT_HOSTBASED_SERVICE, krb5); // perform name comparison if (name.equals(mechName)) print("Names are equals."); // obtain textual representation of name and its printable // name type print(mechName.toString() + mechName.getStringNameType().toString()); // export and re-import the name byte[] exportName = mechName.export(); // create a new name object from the exported buffer GSSName newName = mgr.createName(exportName, GSSName.NT_EXPORT_NAME);
7.2.2. Static Constants
public static final Oid NT_HOSTBASED_SERVICE Oid indicating a host-based service name form. It is used to represent services associated with host computers. This name form is constructed using two elements, "service" and "hostname", as follows: service@hostname Values for the "service" element are registered with the IANA. It represents the following value: { iso(1) member-body(2) Unites States(840) mit(113554) infosys(1) gssapi(2) generic(1) service_name(4) } public static final Oid NT_USER_NAME Name type to indicate a named user on a local system. It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) user_name(1) } public static final Oid NT_MACHINE_UID_NAME Name type to indicate a numeric user identifier corresponding to a user on a local system (e.g., Uid). It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) machine_uid_name(2) } public static final Oid NT_STRING_UID_NAME Name type to indicate a string of digits representing the numeric user identifier of a user on a local system. It represents the following value: { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) generic(1) string_uid_name(3) } public static final Oid NT_ANONYMOUS Name type for representing an anonymous entity. It represents the following value: { iso(1), org(3), dod(6), internet(1), security(5), nametypes(6), gss-anonymous-name(3) } public static final Oid NT_EXPORT_NAME Name type used to indicate an exported name produced by the export method. It represents the following value: { iso(1), org(3), dod(6), internet(1), security(5), nametypes(6), gss-api-exported-name(4) }
7.2.3. equals
public boolean equals(GSSName another) throws GSSException Compares two GSSName objects to determine whether they refer to the same entity. This method may throw a GSSException when the names cannot be compared. If either of the names represents an anonymous entity, the method will return "false". Parameters: another: GSSName object with which to compare.7.2.4. equals
public boolean equals(Object another) A variation of the equals method, described in section 7.2.3, that is provided to override the Object.equals() method that the implementing class will inherit. The behavior is exactly the same as that in section 7.2.3 except that no GSSException is thrown; instead, "false" will be returned in the situation where an error occurs. (Note that the Java language specification requires that two objects that are equal according to the equals(Object) method must return the same integer result when the hashCode() method is called on them.) Parameters: another: GSSName object with which to compare.7.2.5. canonicalize
public GSSName canonicalize(Oid mech) throws GSSException Creates a mechanism name (MN) from an arbitrary internal name. This is equivalent to using the factory methods described in sections 7.1.8 or 7.1.9 that take the mechanism name as one of their parameters. Parameters: mech: The oid for the mechanism for which the canonical form of the name is requested.
7.2.6. export
public byte[] export() throws GSSException Returns a canonical contiguous byte representation of a mechanism name (MN), suitable for direct, byte-by-byte comparison by authorization functions. If the name is not an MN, implementations may throw a GSSException with the NAME_NOT_MN status code. If an implementation chooses not to throw an exception, it should use some system-specific default mechanism to canonicalize the name and then export it. The format of the header of the output buffer is specified in RFC 2743 [GSSAPIv2-UPDATE].7.2.7. toString
public String toString() Returns a textual representation of the GSSName object. To retrieve the printed name format, which determines the syntax of the returned string, the getStringNameType method can be used.7.2.8. getStringNameType
public Oid getStringNameType() throws GSSException Returns the oid representing the type of name returned through the toString method. Using this oid, the syntax of the printable name can be determined.7.2.9. isAnonymous
public boolean isAnonymous() Tests if this name object represents an anonymous entity. Returns "true" if this is an anonymous name.7.2.10. isMN
public boolean isMN() Tests if this name object contains only one mechanism element and is thus a mechanism name as defined by RFC 2743 [GSSAPIv2-UPDATE].7.3. public interface GSSCredential implements Cloneable
This interface encapsulates the GSS-API credentials for an entity. A credential contains all the necessary cryptographic information to enable the creation of a context on behalf of the entity that it
represents. It may contain multiple, distinct, mechanism-specific credential elements, each containing information for a specific security mechanism, but all referring to the same entity. A credential may be used to perform context initiation, acceptance, or both. GSS-API implementations must impose a local access-control policy on callers to prevent unauthorized callers from acquiring credentials to which they are not entitled. GSS-API credential creation is not intended to provide a "login to the network" function, as such a function would involve the creation of new credentials rather than merely acquiring a handle to existing credentials. Such functions, if required, should be defined in implementation-specific extensions to the API. If credential acquisition is time-consuming for a mechanism, the mechanism may choose to delay the actual acquisition until the credential is required (e.g., by GSSContext). Such mechanism- specific implementation decisions should be invisible to the calling application; thus, the query methods immediately following the creation of a credential object must return valid credential data, and may therefore incur the overhead of a deferred credential acquisition. Applications will create a credential object passing the desired parameters. The application can then use the query methods to obtain specific information about the instantiated credential object (equivalent to the gss_inquire routines). When the credential is no longer needed, the application should call the dispose (equivalent to gss_release_cred) method to release any resources held by the credential object and to destroy any cryptographically sensitive information. Classes implementing this interface also implement the Cloneable interface. This indicates that the class will support the clone() method that will allow the creation of duplicate credentials. This is useful when called just before the add() call to retain a copy of the original credential.
7.3.1. Example Code
This example code demonstrates the creation of a GSSCredential implementation for a specific entity, querying of its fields, and its release when it is no longer needed. GSSManager mgr = GSSManager.getInstance(); // start by creating a name object for the entity GSSName name = mgr.createName("userName", GSSName.NT_USER_NAME); // now acquire credentials for the entity GSSCredential cred = mgr.createCredential(name, GSSCredential.ACCEPT_ONLY); // display credential information - name, remaining lifetime, // and the mechanisms it has been acquired over print(cred.getName().toString()); print(cred.getRemainingLifetime()); Oid[] mechs = cred.getMechs(); if (mechs != null) { for (int i = 0; i < mechs.length; i++) print(mechs[i].toString()); } // release system resources held by the credential cred.dispose();7.3.2. Static Constants
public static final int INITIATE_AND_ACCEPT Credential usage flag requesting that it be able to be used for both context initiation and acceptance. The value of this constant is 0. public static final int INITIATE_ONLY Credential usage flag requesting that it be able to be used for context initiation only. The value of this constant is 1. public static final int ACCEPT_ONLY Credential usage flag requesting that it be able to be used for context acceptance only. The value of this constant is 2. public static final int DEFAULT_LIFETIME A lifetime constant representing the default credential lifetime.
The value of this constant is 0. public static final int INDEFINITE_LIFETIME A lifetime constant representing indefinite credential lifetime. The value of this constant is the maximum integer value in Java - Integer.MAX_VALUE.7.3.3. dispose
public void dispose() throws GSSException Releases any sensitive information that the GSSCredential object may be containing. Applications should call this method as soon as the credential is no longer needed to minimize the time any sensitive information is maintained.7.3.4. getName
public GSSName getName() throws GSSException Retrieves the name of the entity that the credential asserts.7.3.5. getName
public GSSName getName(Oid mechOID) throws GSSException Retrieves a mechanism name of the entity that the credential asserts. Equivalent to calling canonicalize() on the name returned by section 7.3.4. Parameters: mechOID: The mechanism for which information should be returned.7.3.6. getRemainingLifetime
public int getRemainingLifetime() throws GSSException Returns the remaining lifetime in seconds for a credential. The remaining lifetime is the minimum lifetime for any of the underlying credential mechanisms. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire. A return value of 0 indicates that the credential is already expired.
7.3.7. getRemainingInitLifetime
public int getRemainingInitLifetime(Oid mech) throws GSSException Returns the remaining lifetime in seconds for the credential to remain capable of initiating security contexts under the specified mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire for context initiation. A return value of 0 indicates that the credential is already expired. Parameters: mechOID: The mechanism for which information should be returned.7.3.8. getRemainingAcceptLifetime
public int getRemainingAcceptLifetime(Oid mech) throws GSSException Returns the remaining lifetime in seconds for the credential to remain capable of accepting security contexts under the specified mechanism. A return value of GSSCredential.INDEFINITE_LIFETIME indicates that the credential does not expire for context acceptance. A return value of 0 indicates that the credential is already expired. Parameters: mechOID: The mechanism for which information should be returned.7.3.9. getUsage
public int getUsage() throws GSSException Returns the credential usage flag as a union over all mechanisms. The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).7.3.10. getUsage
public int getUsage(Oid mechOID) throws GSSException Returns the credential usage flag for the specified mechanism only. The return value will be one of GSSCredential.INITIATE_AND_ACCEPT(0), GSSCredential.INITIATE_ONLY(1), or GSSCredential.ACCEPT_ONLY(2).
Parameters:
mechOID: The mechanism for which information should be
returned.
7.3.11. getMechs
public Oid[] getMechs() throws GSSException
Returns an array of mechanisms supported by this credential.
7.3.12. add
public void add(GSSName aName, int initLifetime, int acceptLifetime,
Oid mech, int usage) throws GSSException
Adds a mechanism-specific credential-element to an existing
credential. This method allows the construction of credentials one
mechanism at a time.
This routine is envisioned to be used mainly by context acceptors
during the creation of acceptance credentials, which are to be used
with a variety of clients using different security mechanisms.
This routine adds the new credential element "in-place". To add the
element in a new credential, first call clone() to obtain a copy of
this credential, then call its add() method.
Parameters:
aName: Name of the principal for whom this credential
is to be acquired. Use "null" to specify the
default principal.
initLifetime: The number of seconds that credentials should
remain valid for initiating of security
contexts. Use
GSSCredential.INDEFINITE_LIFETIME to request
that the credentials have the maximum permitted
lifetime. Use GSSCredential.DEFAULT_LIFETIME
to request default credential lifetime.
acceptLifetime: The number of seconds that credentials should
remain valid for accepting of security
contexts.
Use GSSCredential.INDEFINITE_LIFETIME to
request that the credentials have the maximum
permitted lifetime. Use
GSSCredential.DEFAULT_LIFETIME to request
default credential lifetime.
mech: The mechanisms over which the credential is to
be acquired.
usage: The intended usage for this credential object.
The value of this parameter must be one of:
GSSCredential.INITIATE_AND_ACCEPT(0),
GSSCredential.INITIATE_ONLY(1), or
GSSCredential.ACCEPT_ONLY(2)
7.3.13. equals
public boolean equals(Object another)
Tests if this GSSCredential refers to the same entity as the supplied
object. The two credentials must be acquired over the same
mechanisms and must refer to the same principal. Returns "true" if
the two GSSCredentials refer to the same entity; "false" otherwise.
(Note that the Java language specification [JLS] requires that two
objects that are equal according to the equals(Object) method must
return the same integer result when the hashCode() method is called
on them.)
Parameters:
another: Another GSSCredential object for comparison.
(page 53 continued on part 4)
