Class KerberosServiceRequestToken

java.lang.Object
org.springframework.security.authentication.AbstractAuthenticationToken
org.springframework.security.kerberos.authentication.KerberosServiceRequestToken
All Implemented Interfaces:
Serializable, Principal, Authentication, CredentialsContainer, KerberosAuthentication

public class KerberosServiceRequestToken extends AbstractAuthenticationToken implements KerberosAuthentication

Holds the Kerberos/SPNEGO token for requesting a kerberized service and is also the output of KerberosServiceAuthenticationProvider.

Will mostly be created in SpnegoAuthenticationProcessingFilter and authenticated in KerberosServiceAuthenticationProvider.

This token cannot be re-authenticated, as you will get a Kerberos replay error.
Since:
1.0
  • Constructor Details

    • KerberosServiceRequestToken

      public KerberosServiceRequestToken(Object principal, KerberosTicketValidation ticketValidation, Collection<? extends GrantedAuthority> authorities, byte[] token)
      Creates an authenticated token, normally used as an output of an authentication provider.
      Parameters:
      principal - the user principal (mostly of instance UserDetails)
      ticketValidation - result of ticket validation
      authorities - the authorities which are granted to the user
      token - the Kerberos/SPNEGO token
    • KerberosServiceRequestToken

      public KerberosServiceRequestToken(byte[] token)
      Creates an unauthenticated instance which should then be authenticated by KerberosServiceAuthenticationProvider.
      Parameters:
      token - Kerberos/SPNEGO token
  • Method Details

    • equals

      public boolean equals(Object obj)
      equals() is based only on the Kerberos token
      Specified by:
      equals in interface Principal
      Overrides:
      equals in class AbstractAuthenticationToken
    • hashCode

      public int hashCode()
      Calculates hashcode based on the Kerberos token
      Specified by:
      hashCode in interface Principal
      Overrides:
      hashCode in class AbstractAuthenticationToken
    • getCredentials

      public Object getCredentials()
      Description copied from interface: Authentication
      The credentials that prove the principal is correct. This is usually a password, but could be anything relevant to the AuthenticationManager. Callers are expected to populate the credentials.
      Specified by:
      getCredentials in interface Authentication
      Returns:
      the credentials that prove the identity of the Principal
    • getPrincipal

      public Object getPrincipal()
      Description copied from interface: Authentication
      The identity of the principal being authenticated. In the case of an authentication request with username and password, this would be the username. Callers are expected to populate the principal for an authentication request.

      The AuthenticationManager implementation will often return an Authentication containing richer information as the principal for use by the application. Many of the authentication providers will create a UserDetails object as the principal.

      Specified by:
      getPrincipal in interface Authentication
      Returns:
      the Principal being authenticated or the authenticated principal after authentication.
    • getToken

      public byte[] getToken()
      Returns the Kerberos token
      Returns:
      the token data
    • getTicketValidation

      public KerberosTicketValidation getTicketValidation()
      Gets the ticket validation
      Returns:
      the ticket validation (which will be null if the token is unauthenticated)
    • hasResponseToken

      public boolean hasResponseToken()
      Determines whether an authenticated token has a response token
      Returns:
      whether a response token is available
    • getEncodedResponseToken

      public String getEncodedResponseToken()
      Gets the (Base64) encoded response token assuming one is available.
      Returns:
      encoded response token
    • decrypt

      public byte[] decrypt(byte[] data, int offset, int length) throws PrivilegedActionException
      Unwraps an encrypted message using the GSS context
      Parameters:
      data - the data
      offset - data offset
      length - data length
      Returns:
      the decrypted message
      Throws:
      PrivilegedActionException - if JAAS throws an error
    • decrypt

      public byte[] decrypt(byte[] data) throws PrivilegedActionException
      Unwraps an encrypted message using the GSS context
      Parameters:
      data - the data
      Returns:
      the decrypted message
      Throws:
      PrivilegedActionException - if JAAS throws an error
    • encrypt

      public byte[] encrypt(byte[] data, int offset, int length) throws PrivilegedActionException
      Wraps a message using the GSS context
      Parameters:
      data - the data
      offset - data offset
      length - data length
      Returns:
      the encrypted message
      Throws:
      PrivilegedActionException - if JAAS throws an error
    • encrypt

      public byte[] encrypt(byte[] data) throws PrivilegedActionException
      Wraps a message using the GSS context
      Parameters:
      data - the data
      Returns:
      the encrypted message
      Throws:
      PrivilegedActionException - if JAAS throws an error
    • getJaasSubjectHolder

      public JaasSubjectHolder getJaasSubjectHolder()
      Specified by:
      getJaasSubjectHolder in interface KerberosAuthentication
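
Added example (not code from Spring Security Kerberos): a helper that uses only the methods listed on this page to build the SPNEGO mutual-authentication response header and to unwrap a message, refusing tokens that were never authenticated. The class name KerberosTokenSupport and its method names are hypothetical; the "Negotiate" scheme is the standard value for the WWW-Authenticate header in SPNEGO over HTTP.

```java
import java.security.PrivilegedActionException;
import java.util.Optional;

import org.springframework.security.core.Authentication;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;

/** Hypothetical helper; not part of Spring Security Kerberos. */
public final class KerberosTokenSupport {

    private KerberosTokenSupport() {
    }

    /**
     * Value for a "WWW-Authenticate" response header that completes SPNEGO
     * mutual authentication, or empty when there is nothing to send.
     */
    public static Optional<String> negotiateHeader(Authentication authentication) {
        if (!(authentication instanceof KerberosServiceRequestToken)) {
            return Optional.empty();
        }
        KerberosServiceRequestToken token = (KerberosServiceRequestToken) authentication;
        // A token built with the byte[]-only constructor is unauthenticated:
        // it has no ticket validation and therefore no response token.
        if (!token.isAuthenticated() || !token.hasResponseToken()) {
            return Optional.empty();
        }
        // getEncodedResponseToken() assumes a response token is available,
        // so it is only called after hasResponseToken() returned true.
        return Optional.of("Negotiate " + token.getEncodedResponseToken());
    }

    /**
     * Unwraps a GSS-wrapped message with the context established for this token.
     * Tokens that were never authenticated are rejected up front instead of
     * being passed on to decrypt().
     */
    public static byte[] unwrap(KerberosServiceRequestToken token, byte[] wrapped)
            throws PrivilegedActionException {
        if (!token.isAuthenticated() || token.getTicketValidation() == null) {
            throw new IllegalStateException("token has not been authenticated");
        }
        return token.decrypt(wrapped);
    }
}
```

Both methods read the already-authenticated token from the security context; neither passes it back to an AuthenticationManager, because this token cannot be re-authenticated.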