public interface SaslServer
A server such an LDAP server gets an instance of this
class in order to perform authentication defined by a specific SASL
mechanism. Invoking methods on the SaslServer
instance
generates challenges according to the SASL
mechanism implemented by the SaslServer
.
As the authentication proceeds, the instance
encapsulates the state of a SASL server's authentication exchange.
Here's an example of how an LDAP server might use a SaslServer
.
It first gets an instance of a SaslServer
for the SASL mechanism
requested by the client:
It can then proceed to use the server for authentication. For example, suppose the LDAP server received an LDAP BIND request containing the name of the SASL mechanism and an (optional) initial response. It then might use the server as follows:SaslServer ss = Sasl.createSaslServer(mechanism, "ldap", myFQDN, props, callbackHandler);
while (!ss.isComplete()) { try { byte[] challenge = ss.evaluateResponse(response); if (ss.isComplete()) { status = ldap.sendBindResponse(mechanism, challenge, SUCCESS); } else { status = ldap.sendBindResponse(mechanism, challenge, SASL_BIND_IN_PROGRESS); response = ldap.readBindRequest(); } } catch (SaslException e) { status = ldap.sendErrorResponse(e); break; } } if (ss.isComplete() && status == SUCCESS) { String qop = (String) sc.getNegotiatedProperty(Sasl.QOP); if (qop != null && (qop.equalsIgnoreCase("auth-int") || qop.equalsIgnoreCase("auth-conf"))) { // Use SaslServer.wrap() and SaslServer.unwrap() for future // communication with client ldap.in = new SecureInputStream(ss, ldap.in); ldap.out = new SecureOutputStream(ss, ldap.out); } }
Sasl
,
SaslServerFactory
Modifier and Type | Method and Description |
---|---|
void |
dispose()
Disposes of any system resources or security-sensitive information
the SaslServer might be using.
|
byte[] |
evaluateResponse(byte[] response)
Evaluates the response data and generates a challenge.
|
String |
getAuthorizationID()
Reports the authorization ID in effect for the client of this
session.
|
String |
getMechanismName()
Returns the IANA-registered mechanism name of this SASL server.
|
Object |
getNegotiatedProperty(String propName)
Retrieves the negotiated property.
|
boolean |
isComplete()
Determines whether the authentication exchange has completed.
|
byte[] |
unwrap(byte[] incoming,
int offset,
int len)
Unwraps a byte array received from the client.
|
byte[] |
wrap(byte[] outgoing,
int offset,
int len)
Wraps a byte array to be sent to the client.
|
String getMechanismName()
byte[] evaluateResponse(byte[] response) throws SaslException
isComplete()
should be called
after each call to evaluateResponse()
,to determine if any further
response is needed from the client.response
- The non-null (but possibly empty) response sent
by the client.SaslException
- If an error occurred while processing
the response or generating a challenge.boolean isComplete()
evaluateResponse()
to determine whether the
authentication has completed successfully or should be continued.String getAuthorizationID()
IllegalStateException
- if this authentication session has not completedbyte[] unwrap(byte[] incoming, int offset, int len) throws SaslException
isComplete()
returns true) and only if
the authentication exchange has negotiated integrity and/or privacy
as the quality of protection; otherwise,
an IllegalStateException
is thrown.
incoming
is the contents of the SASL buffer as defined in RFC 2222
without the leading four octet field that represents the length.
offset
and len
specify the portion of incoming
to use.
incoming
- A non-null byte array containing the encoded bytes
from the client.offset
- The starting position at incoming
of the bytes to use.len
- The number of bytes from incoming
to use.SaslException
- if incoming
cannot be successfully
unwrapped.IllegalStateException
- if the authentication exchange has
not completed, or if the negotiated quality of protection
has neither integrity nor privacybyte[] wrap(byte[] outgoing, int offset, int len) throws SaslException
isComplete()
returns true) and only if
the authentication exchange has negotiated integrity and/or privacy
as the quality of protection; otherwise, a SaslException
is thrown.
The result of this method
will make up the contents of the SASL buffer as defined in RFC 2222
without the leading four octet field that represents the length.
offset
and len
specify the portion of outgoing
to use.
outgoing
- A non-null byte array containing the bytes to encode.offset
- The starting position at outgoing
of the bytes to use.len
- The number of bytes from outgoing
to use.SaslException
- if outgoing
cannot be successfully
wrapped.IllegalStateException
- if the authentication exchange has
not completed, or if the negotiated quality of protection has
neither integrity nor privacy.Object getNegotiatedProperty(String propName)
isComplete()
returns true); otherwise, an
IllegalStateException
is thrown.propName
- the propertyIllegalStateException
- if this authentication exchange has not completedvoid dispose() throws SaslException
SaslException
- If a problem was encountered while disposing
the resources. Submit a bug or feature
For further API reference and developer documentation, see Java SE Documentation. That documentation contains more detailed, developer-targeted descriptions, with conceptual overviews, definitions of terms, workarounds, and working code examples.
Copyright © 1993, 2022, Oracle and/or its affiliates. All rights reserved. Use is subject to license terms. Also see the documentation redistribution policy.