src/share/classes/javax/security/auth/kerberos/ServicePermission.java





  45  * be either a ticket granting ticket, a service ticket or a secret
  46  * key from a key table.
  47  * <p>
  48  * A ServicePermission contains a service principal name and
  49  * a list of actions which specify the context the credential can be
  50  * used within.
  51  * <p>
  52  * The service principal name is the canonical name of the
  53  * {@code KereberosPrincipal} supplying the service, that is
  54  * the KerberosPrincipal represents a Kerberos service
  55  * principal. This name is treated in a case sensitive manner.
  56  * An asterisk may appear by itself, to signify any service principal.
  57  * <p>
  58  * Granting this permission implies that the caller can use a cached
  59  * credential (TGT, service ticket or secret key) within the context
  60  * designated by the action. In the case of the TGT, granting this
  61  * permission also implies that the TGT can be obtained by an
  62  * Authentication Service exchange.
  63  * <p>
  64  * The possible actions are:
  65  * <p>
  66  * <pre>
  67  *    initiate -              allow the caller to use the credential to
  68  *                            initiate a security context with a service
  69  *                            principal.
  70  *
  71  *    accept -                allow the caller to use the credential to
  72  *                            accept security context as a particular
  73  *                            principal.
  74  * </pre>
  75  *
  76  * For example, to specify the permission to access to the TGT to
  77  * initiate a security context the permission is constructed as follows:
  78  * <p>
  79  * <pre>
  80  *     ServicePermission("krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate");
  81  * </pre>
  82  * <p>
  83  * To obtain a service ticket to initiate a context with the "host"
  84  * service the permission is constructed as follows:
  85  * <pre>
  86  *     ServicePermission("host/foo.example.com@EXAMPLE.COM", "initiate");
  87  * </pre>
  88  * <p>
  89  * For a Kerberized server the action is "accept". For example, the permission
  90  * necessary to access and use the secret key of the  Kerberized "host"
  91  * service (telnet and the likes)  would be constructed as follows:
  92  * <p>
  93  * <pre>
  94  *     ServicePermission("host/foo.example.com@EXAMPLE.COM", "accept");
  95  * </pre>
  96  *
  97  * @since 1.4
  98  */
  99 
 100 public final class ServicePermission extends Permission
 101     implements java.io.Serializable {
 102 
 103     private static final long serialVersionUID = -1227585031618624935L;
 104 
 105     /**
 106      * Initiate a security context to the specified service
 107      */
 108     private final static int INITIATE   = 0x1;
 109 
 110     /**
 111      * Accept a security context
 112      */




  45  * be either a ticket granting ticket, a service ticket or a secret
  46  * key from a key table.
  47  * <p>
  48  * A ServicePermission contains a service principal name and
  49  * a list of actions which specify the context the credential can be
  50  * used within.
  51  * <p>
  52  * The service principal name is the canonical name of the
  53  * {@code KereberosPrincipal} supplying the service, that is
  54  * the KerberosPrincipal represents a Kerberos service
  55  * principal. This name is treated in a case sensitive manner.
  56  * An asterisk may appear by itself, to signify any service principal.
  57  * <p>
  58  * Granting this permission implies that the caller can use a cached
  59  * credential (TGT, service ticket or secret key) within the context
  60  * designated by the action. In the case of the TGT, granting this
  61  * permission also implies that the TGT can be obtained by an
  62  * Authentication Service exchange.
  63  * <p>
  64  * The possible actions are:
  65  *
  66  * <pre>
  67  *    initiate -              allow the caller to use the credential to
  68  *                            initiate a security context with a service
  69  *                            principal.
  70  *
  71  *    accept -                allow the caller to use the credential to
  72  *                            accept security context as a particular
  73  *                            principal.
  74  * </pre>
  75  *
  76  * For example, to specify the permission to access to the TGT to
  77  * initiate a security context the permission is constructed as follows:
  78  *
  79  * <pre>
  80  *     ServicePermission("krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate");
  81  * </pre>
  82  * <p>
  83  * To obtain a service ticket to initiate a context with the "host"
  84  * service the permission is constructed as follows:
  85  * <pre>
  86  *     ServicePermission("host/foo.example.com@EXAMPLE.COM", "initiate");
  87  * </pre>
  88  * <p>
  89  * For a Kerberized server the action is "accept". For example, the permission
  90  * necessary to access and use the secret key of the  Kerberized "host"
  91  * service (telnet and the likes)  would be constructed as follows:
  92  *
  93  * <pre>
  94  *     ServicePermission("host/foo.example.com@EXAMPLE.COM", "accept");
  95  * </pre>
  96  *
  97  * @since 1.4
  98  */
  99 
 100 public final class ServicePermission extends Permission
 101     implements java.io.Serializable {
 102 
 103     private static final long serialVersionUID = -1227585031618624935L;
 104 
 105     /**
 106      * Initiate a security context to the specified service
 107      */
 108     private final static int INITIATE   = 0x1;
 109 
 110     /**
 111      * Accept a security context
 112      */
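Review bot: The class Javadoc on the new side still spells the type as `{@code KereberosPrincipal}` (new line 53), so this markup cleanup leaves a wrong name in the text; it should read `{@code KerberosPrincipal}`, or `{@link KerberosPrincipal}` so the reference is checked by the doc tool. Since this comment is already being edited, the sentence at new line 56 about a lone asterisk could also state its consequence: by the description above it, a `*` grant with "accept" covers every secret key in the key table, and with "initiate" every TGT and service ticket. A proposed addition after that sentence is `Policy files should name the specific service principal wherever possible.` The class body continues beyond the lines shown, so the rest of the Javadoc in the file was not reviewed.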