Internet Draft                                             Rob Weltman
                                                    John Gardiner Myers
                                                        Prasad Yendluri
                                                           Christine Ho
                                          Netscape Communications Corp.
                                                       October 24, 1998

             The Java SASL Application Program Interface

Status of this Memo

   This document is an Internet Draft. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups. Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months. Internet Drafts may be updated, replaced, or obsoleted by
   other documents at any time. It is not appropriate to use Internet
   Drafts as reference material or to cite them other than as a
   "working draft" or "work in progress".

   To learn the current status of any Internet-Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

   Copyright (C) The Internet Society (1998). All Rights Reserved.

   Please see the Copyright section near the end of this document for
   more information.

Abstract

   This document defines a client-side Java language interface for
   using the Simple Authentication and Security Layer (SASL) mechanisms
   for adding authentication support to connection-based protocols.
   The interface promotes sharing of SASL mechanism drivers and
   security layers between applications using different protocols. It
   complements but does not replace [1], which defines and exemplifies
   use of the SASL protocol in a language-independent way.

JAVA SASL API                                              October 1998

   1      Overview of the SASL classes
   1.1    Interfaces
   1.2    Classes
   2      Overview of SASL API Use
   3      The Java SASL classes
   3.1    public interface SASLClientMechanismDriver
   3.1.1  startAuthentication
   3.1.2  evaluateResponse
   3.1.3  isComplete
   3.1.4  getSecurityLayer
   3.1.5  getMechanismName
   3.2    public interface SASLClientCB
   3.3    public interface SASLNamePasswordClientCB
   3.3.1  promptNamePassword
   3.3.2  getID
   3.3.3  getPassword
   3.4    public interface SASLPasswordClientCB
   3.4.1  promptPassword
   3.4.2  getPassword
   3.5    public interface SASLInfoClientCB
   3.5.1  promptInfo
   3.6    public interface SASLWarningClientCB
   3.6.1  promptWarning
   3.7    public interface SASLOkayCancelClientCB
   3.7.1  promptOkayCancel
   3.8    public interface SASLGetLanguageClientCB
   3.8.1  getLanguage
   3.9    public interface SASLSecurityLayer
   3.9.1  encode
   3.9.2  decode
   3.10   public class SASLMechanismFactory
   3.10.1 getMechanismDriver
   3.10.2 getMechanisms
   3.11   public class SASLException
   3.11.1 Constructors
   4      Security Considerations
   5      Appendix A - Sample Java LDAP program using SASL

Introduction

   See [1], section 3, for an introduction to and overview of the SASL
   framework for authentication and negotiation of a security layer.
   The following presents an outline of the concepts.

                                                  Mechanism Drivers

   ---------------     -------------------      -----------------
   | Application |-----| Protocol Driver |------|      MD5      |
   ---------------     -------------------   |  -----------------
                                             |
                                             |  -----------------
                                             |--|  Kerberos v5  |
                                             |  -----------------
                                             |
                                             |  -----------------
                                             |--|    PKCS-11    |
                                             |  -----------------
                                             |
                                             |
                                             |
                                             |  - - - - - - - - -
                                             |--|   xxxYYYxxx   |
                                                - - - - - - - - -

   An application chooses a Protocol Driver specific to the protocol it
   wants to use, and specifies one or more acceptable mechanisms.
   The Protocol Driver controls the socket, and knows the
   format/packaging of bytes sent down and received from the socket,
   but does not know how to authenticate or to encrypt/decrypt the
   bytes. It uses one of the Mechanism Drivers to help it perform
   authentication. The Protocol Driver examines each byte string
   received from the server during the authentication in a
   protocol-specific way to determine if the authentication process
   has been completed. If not, the byte string is passed to the
   Mechanism Driver to be interpreted as a server challenge; the
   Mechanism Driver returns an appropriate response, which the Protocol
   Driver can encode in a protocol-specific way and return to the
   server.

   If the Protocol Driver concludes from the byte string received from
   the server that authentication is complete, it should also ask the
   Mechanism Driver whether it considers the authentication process
   complete, in order to thwart early completion messages inserted by
   an intruder.

   On completed authentication, the Protocol Driver receives from the
   Mechanism Driver a Security Layer Driver object. From this point on,
   the Protocol Driver passes byte arrays received from its socket to
   the Security Layer Driver object for decoding before returning them
   to the application, and passes application byte arrays to the
   Security Layer Driver object for encryption before passing them down
   the socket.

   A complication here is that some authentication methods may require
   additional user/application input. That means that a Mechanism
   Driver may need to call up to an application during the
   authentication process.

   In the following, a number of callback interfaces have been defined,
   allowing an application to (if necessary) provide a user with
   prompts and obtain additional information required to continue the
   process.
   Additional callback interfaces may be defined in the future.
   Typically, a client will construct an object that implements all of
   these interfaces.

   Protocol Drivers are protocol-dependent, and may be built in to a
   protocol package or an application. However, there should be a
   generalized framework for registering and finding Mechanism Drivers.
   This can be handled in a way similar to content and protocol
   handlers in Java: look for them in a predefined place in the general
   class hierarchy, e.g. javax.security.mechanisms. So if a Protocol
   Driver is asked to use "GSSAPI", it would attempt to instantiate
   javax.security.mechanisms.gssapi.class. A non-standard place can
   also be specified, e.g. "myclasses.mechanisms.GSSAPI". This
   functionality is provided by a mechanism driver factory, which knows
   where to find candidate classes for instantiation.

   The Mechanism Drivers are protocol-independent, and don't deal
   directly with network connections, just byte arrays, so they can be
   implemented in a generalizable way for all protocols.

   A Security Layer Driver typically inherits a State object from the
   Mechanism Driver, where parameters and resolutions reached during
   authentication have been stored.

   Different Mechanism Drivers may require different parameters to
   carry out the authentication process. This is handled in the
   following with a java.util.Properties object.

1 Overview of the SASL classes

1.1 Interfaces

   SASLClientMechanismDriver   Interface for all SASL Mechanism
                               Drivers.

   SASLSecurityLayer           An object implementing this interface
                               translates buffers back and forth
                               during a session, after the
                               authentication process has completed,
                               to provide a security layer.
   SASLClientCB                Base interface for classes which can be
                               used by a Mechanism Driver to obtain
                               additional client information during
                               negotiation of authentication with a
                               server.

   SASLNamePasswordClientCB    An interface to provide a Mechanism
                               Driver with a user name and password
                               during negotiation of authentication
                               with a server.

   SASLPasswordClientCB        An interface to provide a Mechanism
                               Driver with a password or other single
                               textual credential item during
                               negotiation of authentication with a
                               server.

   SASLInfoClientCB            An interface that can be used by a
                               Mechanism Driver to present the user
                               with arbitrary textual information
                               during negotiation of authentication
                               with a server.

   SASLWarningClientCB         An interface that can be used by a
                               Mechanism Driver to present the user
                               with arbitrary textual information
                               during negotiation of authentication
                               with a server, and wait for user
                               confirmation.

   SASLOkayCancelClientCB      An interface that can be used by a
                               Mechanism Driver to present the user
                               with a choice of continuing or
                               cancelling during negotiation of
                               authentication with a server.

   SASLGetLanguageClientCB     An interface that can be used by a
                               Mechanism Driver to query for a language
                               to use in localization of client-visible
                               text.

1.2 Classes

   SASLMechanismFactory        A class capable of instantiating a
                               Mechanism Driver.

   SASLException               Exception thrown on errors and
                               failures in the authentication
                               process.

2 Overview of SASL API Use

   An application generally uses the SASL API as follows:

   - Pass a list of acceptable or known Mechanism Drivers to a
     SASLMechanismFactory. The factory returns an object
     implementing SASLClientMechanismDriver on success.

   - Create an object implementing the client authentication
     callback interfaces, which can provide credentials when
     required by the Mechanism Driver.
   - Have the SASLClientMechanismDriver object begin the
     authentication process by providing an initial server request.

   - Requests/responses are exchanged with the server. If a response
     indicates authentication has completed, the Mechanism Driver is
     queried for validation, and a SASLSecurityLayer object is
     obtained from it. If not, the Mechanism Driver is queried for
     an appropriate next request to the server. This continues until
     authentication has completed.

   - For the rest of the session, requests to the server are encoded
     first by the Security Layer, and responses from the server are
     decoded by it before processing in the application.

   The following sections describe the SASL classes in more detail.

3 The Java SASL classes

3.1 public interface SASLClientMechanismDriver

   An object implementing this interface can negotiate authentication
   using one or more authentication methods.

3.1.1 startAuthentication

   public byte[]
   startAuthentication(String id,
                       String protocol,
                       String serverName,
                       java.util.Properties props,
                       SASLClientCB authCB)
                       throws SASLException

   This method prepares a byte array to use for the initial request to
   authenticate. A SASLException is thrown if the driver cannot
   initiate authentication with the supplied parameters. The return
   value may be null, indicating there is no initial response to send
   to the server.

   Parameters are:

   id           Protocol-dependent identification, e.g. user name
                or distinguished name.

   protocol     A protocol supported by the mechanism driver, e.g.
                "POP", "LDAP".

   serverName   Fully qualified name of the server to authenticate
                to.

   props        Additional configuration for the session, e.g.

                security.policy.encryption.minimum   Minimum key length;
                                                     default 0 (no
                                                     session
                                                     protection). 1
                                                     means integrity
                                                     protection only.

                security.policy.encryption.maximum   Maximum key length;
                                                     default 256.

                security.policy.server_authentication
                                                     True if server must
                                                     authenticate to
                                                     client; default
                                                     false.

                security.ip.local                    For Kerberos v4; no
                                                     default.

                security.ip.remote                   For Kerberos v4; no
                                                     default.

                security.maxbuffer                   Maximum size of
                                                     security layer
                                                     frames; default 0
                                                     (client will not
                                                     use the security
                                                     layer).

   authCB       An optional object which can be invoked by the
                mechanism driver to acquire additional
                authentication information, such as user name and
                password.

3.1.2 evaluateResponse

   public byte[]
   evaluateResponse(byte[] challenge)
                    throws SASLException

   If a challenge is received from the server during the authentication
   process, this method is called by the Protocol Driver to prepare an
   appropriate next request to submit to the server. A SASLException is
   thrown if no response can be generated for the challenge.

   Parameters are:

   challenge    Received server challenge.

3.1.3 isComplete

   public boolean
   isComplete()

   This method may be called at any time to determine if the
   authentication process is finished. Typically, the Protocol Driver
   will not do this until it has received something from the server
   which indicates (in a protocol-specific manner) that the process has
   completed.

3.1.4 getSecurityLayer

   public SASLSecurityLayer
   getSecurityLayer() throws SASLException

   Once authentication is complete, the Protocol Driver calls this
   method to obtain an object capable of encoding/decoding data content
   for the rest of the session (or until there is a new round of
   authentication). An exception is thrown if authentication is not yet
   complete.

3.1.5 getMechanismName

   public String
   getMechanismName()

   Report the name of this driver, e.g. "GSSAPI".
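   The following is an added example and not part of this draft: it
   shows how a Protocol Driver would drive the interface above and
   apply the completion check that section 4 asks for. The
   SASLClientMechanismDriver signatures are restated from section 3.1.
   Everything else is constructed for the example: the two-round
   mutual-authentication mechanism ToyMutualDriver (not a registered
   SASL mechanism), the ServerMsg/Server model of the peer, the
   HonestServer and EarlySuccessAttacker classes, and the server name
   ldap.example.com. The loop goes one step beyond the draft's text by
   handing the payload that arrives together with the protocol's
   completion indication to the Mechanism Driver before asking
   isComplete(), so a mechanism that verifies server-final data can
   actually reach the complete state.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;

// Added example (not part of the draft): a Protocol Driver loop that trusts the
// protocol's "authentication finished" indication only once isComplete() agrees.
public class CompletionCheckDemo {
    interface SASLClientCB {}
    static class SASLException extends Exception {
        SASLException(String message) { super(message); }
    }
    // Signatures restated from section 3.1 of the draft.
    interface SASLClientMechanismDriver {
        byte[] startAuthentication(String id, String protocol, String serverName,
                                   Properties props, SASLClientCB authCB) throws SASLException;
        byte[] evaluateResponse(byte[] challenge) throws SASLException;
        boolean isComplete();
        String getMechanismName();
    }

    // Hypothetical two-round mechanism with mutual authentication: the client
    // answers a server nonce with a proof of the shared secret and is complete
    // only once it has verified the server's own proof.
    static class ToyMutualDriver implements SASLClientMechanismDriver {
        private final byte[] secret;
        private byte[] nonce;
        private boolean complete;
        ToyMutualDriver(byte[] secret) { this.secret = secret; }
        public byte[] startAuthentication(String id, String protocol, String serverName,
                                          Properties props, SASLClientCB authCB) {
            return null;                                  // no initial response
        }
        public byte[] evaluateResponse(byte[] challenge) throws SASLException {
            if (nonce == null) {                          // round 1: nonce in, client proof out
                nonce = challenge.clone();
                return proof("client", nonce, secret);
            }
            if (!MessageDigest.isEqual(proof("server", nonce, secret), challenge))
                throw new SASLException("server proof does not verify");
            complete = true;                              // round 2: server proof verified
            return null;
        }
        public boolean isComplete() { return complete; }
        public String getMechanismName() { return "X-TOY-MUTUAL"; }
    }

    static byte[] proof(String label, byte[] nonce, byte[] secret) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(label.getBytes(StandardCharsets.US_ASCII));
            md.update(nonce);
            return md.digest(secret);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    // A server message as the Protocol Driver sees it: mechanism payload plus
    // the protocol-specific "authentication finished" indication.
    static final class ServerMsg {
        final boolean finished; final byte[] payload;
        ServerMsg(boolean finished, byte[] payload) { this.finished = finished; this.payload = payload; }
    }
    interface Server { ServerMsg next(byte[] clientResponse); }

    static class HonestServer implements Server {
        private final byte[] secret, nonce = "nonce-0001".getBytes(StandardCharsets.US_ASCII);
        private int round;
        HonestServer(byte[] secret) { this.secret = secret; }
        public ServerMsg next(byte[] resp) {
            if (round++ == 0) return new ServerMsg(false, nonce);
            boolean ok = resp != null && MessageDigest.isEqual(proof("client", nonce, secret), resp);
            return new ServerMsg(true, ok ? proof("server", nonce, secret) : new byte[0]);
        }
    }
    // Active attacker on an unprotected connection: injects the protocol-level
    // success before the mechanism has exchanged anything (section 4).
    static class EarlySuccessAttacker implements Server {
        public ServerMsg next(byte[] resp) { return new ServerMsg(true, new byte[0]); }
    }

    // Every payload goes to the mechanism, including the one carried by the
    // completion message, so mechanisms with server-final data can finish.
    static void authenticate(SASLClientMechanismDriver driver, Server server) throws SASLException {
        byte[] out = driver.startAuthentication("user", "LDAP", "ldap.example.com", new Properties(), null);
        ServerMsg in = server.next(out);
        while (true) {
            if (in.payload.length > 0) out = driver.evaluateResponse(in.payload);
            if (in.finished) break;
            in = server.next(out);
        }
        if (!driver.isComplete())                         // the check from section 4
            throw new SASLException("protocol signalled completion but " + driver.getMechanismName()
                    + " is not complete (spoofed success or failed mutual authentication)");
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "correct horse".getBytes(StandardCharsets.UTF_8);
        authenticate(new ToyMutualDriver(secret), new HonestServer(secret));
        System.out.println("honest server: authenticated");
        try {
            authenticate(new ToyMutualDriver(secret), new EarlySuccessAttacker());
        } catch (SASLException e) {
            System.out.println("attacker: rejected: " + e.getMessage());
        }
    }
}
```

   With the honest server the loop runs two rounds and isComplete()
   returns true. The attacker's injected completion message is accepted
   by the protocol layer, but the mechanism never saw a valid server
   proof, so isComplete() is false and the Protocol Driver refuses to
   hand the session to the application.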
3.2 public interface SASLClientCB

   Base interface for objects which can be called by a Mechanism
   Driver to provide more information for authentication.

3.3 public interface SASLNamePasswordClientCB
    extends SASLClientCB

   An object implementing this interface can be called by a Mechanism
   Driver to provide more information for authentication. Typically
   what is provided by the object is an ID and a password.

3.3.1 promptNamePassword

   public boolean
   promptNamePassword (String defaultID,
                       String serverFQDN,
                       String protocol,
                       String prompt)

   Method to be implemented by client of the mechanism driver. It may
   or may not pop up a UI and allow a user to enter the information. It
   returns true unless the operation was cancelled.

   Parameters are:

   defaultID    A default which may be used in selecting
                credentials.

   serverFQDN   The fully qualified domain name of the host to
                which authentication is being attempted. Used
                with Kerberos.

   protocol     "IMAP", "POP", etc. Used with Kerberos.

   prompt       Textual information to be provided to the client
                for obtaining an ID and password. It may be
                localized.

3.3.2 getID

   public String
   getID ()

   Called by a mechanism driver to retrieve the ID (e.g. user name)
   obtained by the object during promptNamePassword.

3.3.3 getPassword

   public String
   getPassword ()

   Called by a mechanism driver to retrieve the password obtained by
   the object during promptNamePassword.

3.4 public interface SASLPasswordClientCB
    extends SASLClientCB

   An object implementing this interface can be called by a Mechanism
   Driver to provide more information for authentication. Typically
   what is provided by the object is a password.
3.4.1 promptPassword

   public boolean
   promptPassword (String defaultID,
                   String serverFQDN,
                   String protocol,
                   String prompt)

   Method to be implemented by client of the mechanism driver. It may
   or may not pop up a UI and allow a user to enter the information. It
   returns true unless the operation was cancelled.

   Parameters are:

   defaultID    A default which may be used in selecting
                credentials.

   serverFQDN   The fully qualified domain name of the host to
                which authentication is being attempted. Used
                with Kerberos.

   protocol     "IMAP", "POP", etc. Used with Kerberos.

   prompt       Textual information to be provided to the client
                for obtaining a password. It may be localized.

3.4.2 getPassword

   public String
   getPassword ()

   Called by a mechanism driver to retrieve the password obtained by
   the object during promptPassword.

3.5 public interface SASLInfoClientCB
    extends SASLClientCB

   An object implementing this interface can be called by a Mechanism
   Driver to present information to a user. No confirmation is
   expected.

3.5.1 promptInfo

   public void
   promptInfo (String prompt)

   Method to be implemented by client of the mechanism driver. It
   presents the user with the supplied textual information.

   Parameters are:

   prompt       Textual information to be provided to the client.
                It may be localized.

3.6 public interface SASLWarningClientCB
    extends SASLClientCB

   An object implementing this interface can be called by a Mechanism
   Driver to present information to a user. The user must take some
   action to proceed.

3.6.1 promptWarning

   public void
   promptWarning (String prompt)

   Method to be implemented by client of the mechanism driver. It
   presents the user with the supplied textual information and waits
   for the user to take some action to proceed.

   Parameters are:

   prompt       Textual information to be provided to the client.
                It may be localized.

3.7 public interface SASLOkayCancelClientCB
    extends SASLClientCB

   An object implementing this interface can be called by a Mechanism
   Driver to present information to a user and return an indication
   that an operation is to proceed or to be cancelled.

3.7.1 promptOkayCancel

   public boolean
   promptOkayCancel (String prompt,
                     String okText,
                     String cancelText)

   Method to be implemented by client of the mechanism driver. It
   presents the user with the supplied textual information. The return
   value is true to continue operations, false to abort. This may be
   implemented with OK and CANCEL buttons in a dialog. If okText and/or
   cancelText are non-null and not empty, they may be used to label
   buttons.

   Parameters are:

   prompt       Textual information to be provided to the client. It
                may be localized.

   okText       Optional label for OK button or selection.

   cancelText   Optional label for Cancel button or selection.

3.8 public interface SASLGetLanguageClientCB
    extends SASLClientCB

   An object implementing this interface can be called by a Mechanism
   Driver to obtain a language to use for localization of user-visible
   text.

3.8.1 getLanguage

   public String
   getLanguage ()

   Method to be implemented by client of the mechanism driver. It
   returns a language to use in localizing user-visible text.

3.9 public interface SASLSecurityLayer

   An object implementing this interface translates buffers back and
   forth during a session, after the authentication process has
   completed, to provide a security layer.

3.9.1 encode

   public byte[]
   encode(byte[] outVals) throws SASLException

   Take a protocol-dependent byte array and encode it (encrypt, for
   example) for sending to the server.
3.9.2 decode

   public byte[]
   decode(byte[] inVals) throws SASLException

   Take an encoded byte array received from the server and decode it.

   Parameters are:

   outVals      A request to be encoded before sending to the
                server.

   inVals       A response received from the server, to be
                decoded.

3.10 public class SASLMechanismFactory

   This class can provide a SASLClientMechanismDriver, or a list of
   mechanisms.

3.10.1 getMechanismDriver

   public static SASLClientMechanismDriver
   getMechanismDriver(String mechanism,
                      String packageName)
                      throws SASLException

   public static SASLClientMechanismDriver
   getMechanismDriver(String[] mechanisms,
                      String packageName)
                      throws SASLException

   Returns an object implementing a requested Mechanism Driver. A
   SASLException is thrown if no corresponding Mechanism Driver can be
   instantiated.

   Parameters are:

   mechanism    A single mechanism name, e.g. "GSSAPI".

   mechanisms   A list of acceptable mechanisms. The first one
                for which a Mechanism Driver can be instantiated
                is returned.

   packageName  A package from which to instantiate the Mechanism
                Driver, e.g. "myclasses.SASL.mechanisms". If
                null, a system default is used.

3.10.2 getMechanisms

   public static String[]
   getMechanisms()

   public static String[]
   getMechanisms(String packageName)

   Returns a list of available mechanisms.

   Parameters are:

   packageName  A package from which to instantiate the Mechanism
                Driver, e.g. "myclasses.SASL.mechanisms". If
                null, a system default is used.

3.11 public class SASLException
     extends Exception

   Exception thrown on errors and failures in authentication.

3.11.1 Constructors

   public SASLException()

   Constructs a default exception with no specific error information.
   public SASLException(String message, int resultCode)

   Constructs an exception with a specified string as additional
   information, and a result code.

   Parameters are:

   message      Additional error information.

   resultCode   The result code to return.

4 Security Considerations

   When SASL authentication is performed over unsecured connections, it
   is possible for an active attacker to spoof the server's protocol-
   specific indication that authentication is complete. Clients should
   protect against this attack by verifying the completion of
   authentication with the mechanism driver by calling the driver's
   isComplete() method.

   Additional security considerations are discussed in [1].

Bibliography

   [1] J. Myers, "Simple Authentication and Security Layer (SASL)",

Authors' Addresses

   Rob Weltman
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mail Stop MV-029
   Mountain View, CA 94043-4042
   USA
   Email: rweltman@netscape.com

   John Gardiner Myers
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mail Stop MV-029
   Mountain View, CA 94043-4042
   USA
   Email: jgmyers@netscape.com

   Prasad Yendluri
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mail Stop MV-029
   Mountain View, CA 94043-4042
   USA
   Email: prasad@netscape.com

   Christine Ho
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mail Stop MV-029
   Mountain View, CA 94043-4042
   USA
   Email: chrisho@netscape.com

5 Appendix A - Sample Java LDAP program using SASL

   /****************************************************************
    It might look like this in LDAP. The Protocol Driver is
    implemented as part of the authenticate method of
    LDAPConnection.
   ****************************************************************/

   import java.io.IOException;
   import java.util.Locale;
   import java.util.Properties;

   // getHost(), getSocketOutput(), getSocketInput() and
   // checkForCompletion() are LDAP-specific internals of this Protocol
   // Driver and are not shown.
   public class LDAPConnection {
       public void authenticate( String dn,
                                 String mechanism,
                                 String packageName,
                                 Properties props,
                                 SASLClientCB getter )
           throws LDAPException {
           SASLClientMechanismDriver driver;
           try {
               // Get a mechanism driver
               driver =
                   SASLMechanismFactory.getMechanismDriver( mechanism,
                                                            packageName );
               // Get the initial request to start authentication
               byte[] outVals = driver.startAuthentication( dn,
                                                            "LDAP",
                                                            getHost(),
                                                            props,
                                                            getter );
               getSocketOutput().writeRequest( outVals );
               // Get the server response
               byte[] inVals = getSocketInput().readResponse();
               // Authentication done?
               while ( !checkForCompletion( inVals ) ) {
                   // No, get an appropriate next request and send it off
                   outVals = driver.evaluateResponse( inVals );
                   getSocketOutput().writeRequest( outVals );
                   inVals = getSocketInput().readResponse();
               }
               // Make sure authentication REALLY is complete
               if ( !driver.isComplete() ) {
                   /* Authentication session hijacked! */
                   throw new LDAPException();
               }
               security = driver.getSecurityLayer();
           } catch ( SASLException e ) {
               throw new LDAPException();
           } catch ( IOException e ) {
               throw new LDAPException();
           }
       }

       private SASLSecurityLayer security = null;
   }

   /****************************************************************
    This might be in an application
   ****************************************************************/

   // Object to supply credentials when needed. UserIDDialog,
   // PasswordDialog, WarningDialog, OkayCancelDialog, statusWin and
   // the OK constant are application-supplied UI pieces, not part of
   // the SASL API.
   class RequestedInfoGetter implements SASLNamePasswordClientCB,
                                        SASLPasswordClientCB,
                                        SASLInfoClientCB,
                                        SASLWarningClientCB,
                                        SASLGetLanguageClientCB,
                                        SASLOkayCancelClientCB {
       public RequestedInfoGetter() {}

       public boolean promptNamePassword ( String defaultID,
                                           String serverFQDN,
                                           String protocol,
                                           String prompt ) {
           // Put up a dialog box, get user's selected ID and password
           UserIDDialog dlg = new UserIDDialog();
           if ( dlg.doDialog( defaultID, prompt ) == OK ) {
               _id = dlg.getID();
               _password = dlg.getPassword();
               return true;
           }
           return false;
       }

       public boolean promptPassword ( String defaultID,
                                       String serverFQDN,
                                       String protocol,
                                       String prompt ) {
           // Put up a dialog box, get user's selected password
           PasswordDialog dlg = new PasswordDialog();
           if ( dlg.doDialog( defaultID, prompt ) == OK ) {
               _password = dlg.getPassword();
               return true;
           }
           return false;
       }

       public void promptWarning ( String prompt ) {
           // Put up a dialog box, wait for confirmation
           WarningDialog dlg = new WarningDialog();
           dlg.doDialog( prompt );
       }

       public void promptInfo ( String prompt ) {
           // Put the text in the status box
           statusWin.addText( prompt );
       }

       public boolean promptOkayCancel ( String prompt,
                                         String ok, String cancel ) {
           // Put up a dialog box, wait for OK or Cancel
           OkayCancelDialog dlg = new OkayCancelDialog();
           return dlg.doDialog( prompt );
       }

       public String getLanguage () {
           // Build a language tag such as "en-US" from the locale
           String lang = locale.getLanguage();
           if ( (locale.getCountry() != null) &&
                (locale.getCountry().length() > 0) ) {
               lang += "-" + locale.getCountry();
               if ( (locale.getVariant() != null) &&
                    (locale.getVariant().length() > 0) ) {
                   lang += "-" + locale.getVariant();
               }
           }
           return lang;
       }

       public String getID() { return _id; }
       public String getPassword() { return _password; }

       private String _id;
       private String _password;
       private Locale locale = Locale.getDefault();
   }

   /***************************************************************
    And so the application code to do authentication
   ***************************************************************/

   // Set up all SASL parameters; some may have reasonable defaults
   Properties props = new Properties();
   props.put( "security.policy.encryption.minimum", "40" );
   props.put( "security.policy.encryption.maximum", "128" );
   props.put( "security.policy.server_authentication", "true" );
   props.put( "security.maxbuffer", "4096" );
   // The following two for Kerberos v4 only
   //props.put( "security.ip.local", "192.68.1.10" );
   //props.put( "security.ip.remote", "192.68.1.50" );

   // What we want to authenticate as
   String dn = "cn=Directory Manager";

   // Create an object for possible use by the authentication
   // process
   RequestedInfoGetter getter = new RequestedInfoGetter();

   try {
       // Note: getter methods may be called during authentication
       // Note: "connection" is an LDAPConnection (above) that includes
       // the SASL Protocol Driver functionality; it will internally
       // manage a Mechanism Driver for GSSAPI, and then a Security
       // Layer object for data translation. A null packageName selects
       // the system default mechanism package (section 3.10.1).
       connection.authenticate( dn, "GSSAPI", null, props, getter );
   } catch ( LDAPException e ) {
       // Abort, return, maybe try some other authentication
   }

   // Okay. From here on, everything goes through security, but the
   // methods have the same signatures as if we were not using SASL
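   As a further added example that is not part of this draft, the
   class below implements the SASLSecurityLayer interface of section
   3.9 as an integrity-only layer, the level selected by
   security.policy.encryption.minimum=1 in section 3.1.1, and enforces
   security.maxbuffer as the maximum frame size. The interface and the
   exception are restated from the draft. The frame layout (length,
   sequence number, payload, HMAC-SHA256 tag), the per-direction key
   derivation from a session key, and the names HmacIntegrityLayer,
   IntegrityLayerDemo and deriveKey are this example's own choices; a
   real Mechanism Driver would supply the session key from the
   negotiation and a real mechanism specification would fix the frame
   format.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not part of the draft): an integrity-only SASLSecurityLayer.
public class IntegrityLayerDemo {
    static class SASLException extends Exception {
        SASLException(String message) { super(message); }
    }
    // Restated from section 3.9 of the draft.
    interface SASLSecurityLayer {
        byte[] encode(byte[] outVals) throws SASLException;
        byte[] decode(byte[] inVals) throws SASLException;
    }

    // Frame: length(4) | seqno(4) | payload | HMAC-SHA256(seqno | payload)(32).
    // Each direction has its own key and sequence counter, so a frame can be
    // neither reflected back to its sender nor replayed.
    static class HmacIntegrityLayer implements SASLSecurityLayer {
        private static final int MAC_LEN = 32, HDR_LEN = 8;
        private final byte[] sendKey, recvKey;
        private final int maxBuffer;                  // security.maxbuffer
        private int sendSeq, recvSeq;

        HmacIntegrityLayer(byte[] sendKey, byte[] recvKey, int maxBuffer) {
            this.sendKey = sendKey; this.recvKey = recvKey; this.maxBuffer = maxBuffer;
        }

        public byte[] encode(byte[] outVals) throws SASLException {
            int frameLen = HDR_LEN + outVals.length + MAC_LEN;
            if (frameLen > maxBuffer)
                throw new SASLException("payload exceeds security.maxbuffer; caller must split it");
            ByteBuffer f = ByteBuffer.allocate(frameLen);
            f.putInt(frameLen - 4).putInt(sendSeq).put(outVals);
            f.put(mac(sendKey, sendSeq, outVals));
            sendSeq++;
            return f.array();
        }

        public byte[] decode(byte[] inVals) throws SASLException {
            if (inVals.length < HDR_LEN + MAC_LEN || inVals.length > maxBuffer)
                throw new SASLException("bad frame size");
            ByteBuffer f = ByteBuffer.wrap(inVals);
            if (f.getInt() != inVals.length - 4) throw new SASLException("length field mismatch");
            int seq = f.getInt();
            byte[] payload = new byte[inVals.length - HDR_LEN - MAC_LEN];
            f.get(payload);
            byte[] tag = new byte[MAC_LEN];
            f.get(tag);
            // Verify the tag (constant-time compare) before trusting anything else.
            if (!MessageDigest.isEqual(mac(recvKey, seq, payload), tag))
                throw new SASLException("integrity check failed");
            if (seq != recvSeq) throw new SASLException("frame out of sequence (replay or drop)");
            recvSeq++;
            return payload;
        }

        private static byte[] mac(byte[] key, int seq, byte[] data) throws SASLException {
            try {
                Mac m = Mac.getInstance("HmacSHA256");
                m.init(new SecretKeySpec(key, "HmacSHA256"));
                m.update(ByteBuffer.allocate(4).putInt(seq).array());
                return m.doFinal(data);
            } catch (GeneralSecurityException e) {
                throw new SASLException("HMAC unavailable: " + e.getMessage());
            }
        }
    }

    // Directional keys derived from the session key the mechanism negotiated
    // (hypothetical derivation for this example).
    static byte[] deriveKey(byte[] sessionKey, String label) throws SASLException {
        return HmacIntegrityLayer.mac(sessionKey, 0, label.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        byte[] sessionKey = "session key from the mechanism".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] c2s = deriveKey(sessionKey, "client-to-server");
        byte[] s2c = deriveKey(sessionKey, "server-to-client");
        SASLSecurityLayer client = new HmacIntegrityLayer(c2s, s2c, 4096);
        SASLSecurityLayer server = new HmacIntegrityLayer(s2c, c2s, 4096);

        byte[] frame = client.encode("bind request".getBytes(StandardCharsets.UTF_8));
        System.out.println("server decoded: " + new String(server.decode(frame), StandardCharsets.UTF_8));

        byte[] tampered = frame.clone();
        tampered[HmacIntegrityLayer.HDR_LEN] ^= 0x01;     // flip one payload bit
        try { server.decode(tampered); } catch (SASLException e) { System.out.println("tampered: " + e.getMessage()); }
        try { server.decode(frame); } catch (SASLException e) { System.out.println("replayed: " + e.getMessage()); }
    }
}
```

   The Protocol Driver would call encode() on each application request
   before writing it to the socket and decode() on each frame read
   from the socket, as described in section 2. A decode() failure is
   reported as a SASLException rather than returning partial data, so
   the Protocol Driver can tear the connection down instead of passing
   a forged or replayed buffer up to the application.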