45 * be either a ticket granting ticket, a service ticket or a secret 46 * key from a key table. 47 * <p> 48 * A ServicePermission contains a service principal name and 49 * a list of actions which specify the context the credential can be 50 * used within. 51 * <p> 52 * The service principal name is the canonical name of the 53 * {@code KereberosPrincipal} supplying the service, that is 54 * the KerberosPrincipal represents a Kerberos service 55 * principal. This name is treated in a case sensitive manner. 56 * An asterisk may appear by itself, to signify any service principal. 57 * <p> 58 * Granting this permission implies that the caller can use a cached 59 * credential (TGT, service ticket or secret key) within the context 60 * designated by the action. In the case of the TGT, granting this 61 * permission also implies that the TGT can be obtained by an 62 * Authentication Service exchange. 63 * <p> 64 * The possible actions are: 65 * <p> 66 * <pre> 67 * initiate - allow the caller to use the credential to 68 * initiate a security context with a service 69 * principal. 70 * 71 * accept - allow the caller to use the credential to 72 * accept security context as a particular 73 * principal. 74 * </pre> 75 * 76 * For example, to specify the permission to access to the TGT to 77 * initiate a security context the permission is constructed as follows: 78 * <p> 79 * <pre> 80 * ServicePermission("krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate"); 81 * </pre> 82 * <p> 83 * To obtain a service ticket to initiate a context with the "host" 84 * service the permission is constructed as follows: 85 * <pre> 86 * ServicePermission("host/foo.example.com@EXAMPLE.COM", "initiate"); 87 * </pre> 88 * <p> 89 * For a Kerberized server the action is "accept". 
For example, the permission 90 * necessary to access and use the secret key of the Kerberized "host" 91 * service (telnet and the likes) would be constructed as follows: 92 * <p> 93 * <pre> 94 * ServicePermission("host/foo.example.com@EXAMPLE.COM", "accept"); 95 * </pre> 96 * 97 * @since 1.4 98 */ 99 100 public final class ServicePermission extends Permission 101 implements java.io.Serializable { 102 103 private static final long serialVersionUID = -1227585031618624935L; 104 105 /** 106 * Initiate a security context to the specified service 107 */ 108 private final static int INITIATE = 0x1; 109 110 /** 111 * Accept a security context 112 */ | 45 * be either a ticket granting ticket, a service ticket or a secret 46 * key from a key table. 47 * <p> 48 * A ServicePermission contains a service principal name and 49 * a list of actions which specify the context the credential can be 50 * used within. 51 * <p> 52 * The service principal name is the canonical name of the 53 * {@code KereberosPrincipal} supplying the service, that is 54 * the KerberosPrincipal represents a Kerberos service 55 * principal. This name is treated in a case sensitive manner. 56 * An asterisk may appear by itself, to signify any service principal. 57 * <p> 58 * Granting this permission implies that the caller can use a cached 59 * credential (TGT, service ticket or secret key) within the context 60 * designated by the action. In the case of the TGT, granting this 61 * permission also implies that the TGT can be obtained by an 62 * Authentication Service exchange. 63 * <p> 64 * The possible actions are: 65 * 66 * <pre> 67 * initiate - allow the caller to use the credential to 68 * initiate a security context with a service 69 * principal. 70 * 71 * accept - allow the caller to use the credential to 72 * accept security context as a particular 73 * principal. 
74 * </pre> 75 * 76 * For example, to specify the permission to access to the TGT to 77 * initiate a security context the permission is constructed as follows: 78 * 79 * <pre> 80 * ServicePermission("krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate"); 81 * </pre> 82 * <p> 83 * To obtain a service ticket to initiate a context with the "host" 84 * service the permission is constructed as follows: 85 * <pre> 86 * ServicePermission("host/foo.example.com@EXAMPLE.COM", "initiate"); 87 * </pre> 88 * <p> 89 * For a Kerberized server the action is "accept". For example, the permission 90 * necessary to access and use the secret key of the Kerberized "host" 91 * service (telnet and the likes) would be constructed as follows: 92 * 93 * <pre> 94 * ServicePermission("host/foo.example.com@EXAMPLE.COM", "accept"); 95 * </pre> 96 * 97 * @since 1.4 98 */ 99 100 public final class ServicePermission extends Permission 101 implements java.io.Serializable { 102 103 private static final long serialVersionUID = -1227585031618624935L; 104 105 /** 106 * Initiate a security context to the specified service 107 */ 108 private final static int INITIATE = 0x1; 109 110 /** 111 * Accept a security context 112 */ |
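Review bot: line 53 of the class comment still reads `{@code KereberosPrincipal}` on both sides of this diff, while line 54 spells the class `KerberosPrincipal`. Since this change is already touching the comment to drop the `<p>` tags in front of `<pre>` (lines 65, 78 and 92), correct the spelling in the same pass, and consider `{@link KerberosPrincipal}` so the reference resolves in the generated docs. Two smaller wording points in the same comment: line 76 "the permission to access to the TGT" should read "the permission to access the TGT", and lines 71-72 "accept security context" is missing the article that the `initiate` entry has ("initiate a security context"). Separately, line 108 declares `private final static int INITIATE` whereas line 103 uses `private static final`; pick the `static final` order for consistency.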