001/*
002 * Copyright 2011-2016 UnboundID Corp.
003 * All Rights Reserved.
004 */
005/*
006 * Copyright (C) 2011-2016 UnboundID Corp.
007 *
008 * This program is free software; you can redistribute it and/or modify
009 * it under the terms of the GNU General Public License (GPLv2 only)
010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
011 * as published by the Free Software Foundation.
012 *
013 * This program is distributed in the hope that it will be useful,
014 * but WITHOUT ANY WARRANTY; without even the implied warranty of
015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
016 * GNU General Public License for more details.
017 *
018 * You should have received a copy of the GNU General Public License
019 * along with this program; if not, see <http://www.gnu.org/licenses>.
020 */
021package com.unboundid.ldap.sdk;
022
023
024
025import java.io.Serializable;
026import java.util.ArrayList;
027import java.util.Arrays;
028import java.util.Collection;
029import java.util.Collections;
030import java.util.Iterator;
031import java.util.LinkedHashSet;
032import java.util.List;
033import java.util.Set;
034
035import com.unboundid.asn1.ASN1OctetString;
036import com.unboundid.util.Mutable;
037import com.unboundid.util.StaticUtils;
038import com.unboundid.util.ThreadSafety;
039import com.unboundid.util.ThreadSafetyLevel;
040import com.unboundid.util.Validator;
041
042
043
044/**
045 * This class provides a data structure that may be used to hold a number of
046 * properties that may be used during processing for a SASL GSSAPI bind
047 * operation.
048 */
049@Mutable()
050@ThreadSafety(level=ThreadSafetyLevel.NOT_THREADSAFE)
051public final class GSSAPIBindRequestProperties
052       implements Serializable
053{
054  /**
055   * The serial version UID for this serializable class.
056   */
057  private static final long serialVersionUID = 6872295509330315713L;
058
059
060
061  // The password for the GSSAPI bind request.
062  private ASN1OctetString password;
063
064  // Indicates whether to enable JVM-level debugging for GSSAPI processing.
065  private boolean enableGSSAPIDebugging;
066
067  // Indicates whether to attempt to refresh the configuration before the JAAS
068  // login method is called.
069  private boolean refreshKrb5Config;
070
071  // Indicates whether to attempt to renew the client's existing ticket-granting
072  // ticket if authentication uses an existing Kerberos session.
073  private boolean renewTGT;
074
075  // Indicates whether to require that the credentials be obtained from the
076  // ticket cache such that authentication will fail if the client does not have
077  // an existing Kerberos session.
078  private boolean requireCachedCredentials;
079
080  // Indicates whether to allow the to obtain the credentials to be obtained
081  // from a keytab.
082  private boolean useKeyTab;
083
084  // Indicates whether to allow the client to use credentials that are outside
085  // of the current subject.
086  private boolean useSubjectCredentialsOnly;
087
088  // Indicates whether to enable the use of a ticket cache.
089  private boolean useTicketCache;
090
091  // The SASL quality of protection value(s) allowed for the DIGEST-MD5 bind
092  // request.
093  private List<SASLQualityOfProtection> allowedQoP;
094
095  // The names of any system properties that should not be altered by GSSAPI
096  // processing.
097  private Set<String> suppressedSystemProperties;
098
099  // The authentication ID string for the GSSAPI bind request.
100  private String authenticationID;
101
102  // The authorization ID string for the GSSAPI bind request, if available.
103  private String authorizationID;
104
105  // The path to the JAAS configuration file to use for bind processing.
106  private String configFilePath;
107
108  // The name that will be used to identify this client in the JAAS framework.
109  private String jaasClientName;
110
111  // The KDC address for the GSSAPI bind request, if available.
112  private String kdcAddress;
113
114  // The path to the keytab file to use if useKeyTab is true.
115  private String keyTabPath;
116
117  // The realm for the GSSAPI bind request, if available.
118  private String realm;
119
120  // The server name to use when creating the SASL client.
121  private String saslClientServerName;
122
123  // The protocol that should be used in the Kerberos service principal for
124  // the server system.
125  private String servicePrincipalProtocol;
126
127  // The path to the Kerberos ticket cache to use.
128  private String ticketCachePath;
129
130
131
132  /**
133   * Creates a new set of GSSAPI bind request properties with the provided
134   * information.
135   *
136   * @param  authenticationID  The authentication ID for the GSSAPI bind
137   *                           request.  It may be {@code null} if an existing
138   *                           Kerberos session should be used.
139   * @param  password          The password for the GSSAPI bind request.  It may
140   *                           be {@code null} if an existing Kerberos session
141   *                           should be used.
142   */
143  public GSSAPIBindRequestProperties(final String authenticationID,
144                                     final String password)
145  {
146    this(authenticationID, null,
147         (password == null ? null : new ASN1OctetString(password)), null, null,
148         null);
149  }
150
151
152
153  /**
154   * Creates a new set of GSSAPI bind request properties with the provided
155   * information.
156   *
157   * @param  authenticationID  The authentication ID for the GSSAPI bind
158   *                           request.  It may be {@code null} if an existing
159   *                           Kerberos session should be used.
160   * @param  password          The password for the GSSAPI bind request.  It may
161   *                           be {@code null} if an existing Kerberos session
162   *                           should be used.
163   */
164  public GSSAPIBindRequestProperties(final String authenticationID,
165                                     final byte[] password)
166  {
167    this(authenticationID, null,
168         (password == null ? null : new ASN1OctetString(password)), null, null,
169         null);
170  }
171
172
173
174  /**
175   * Creates a new set of GSSAPI bind request properties with the provided
176   * information.
177   *
178   * @param  authenticationID  The authentication ID for the GSSAPI bind
179   *                           request.  It may be {@code null} if an existing
180   *                           Kerberos session should be used.
181   * @param  authorizationID   The authorization ID for the GSSAPI bind request.
182   *                           It may be {@code null} if the authorization ID
183   *                           should be the same as the authentication ID.
184   * @param  password          The password for the GSSAPI bind request.  It may
185   *                           be {@code null} if an existing Kerberos session
186   *                           should be used.
187   * @param  realm             The realm to use for the authentication.  It may
188   *                           be {@code null} to attempt to use the default
189   *                           realm from the system configuration.
190   * @param  kdcAddress        The address of the Kerberos key distribution
191   *                           center.  It may be {@code null} to attempt to use
192   *                           the default KDC from the system configuration.
193   * @param  configFilePath    The path to the JAAS configuration file to use
194   *                           for the authentication processing.  It may be
195   *                           {@code null} to use the default JAAS
196   *                           configuration.
197   */
198  GSSAPIBindRequestProperties(final String authenticationID,
199                              final String authorizationID,
200                              final ASN1OctetString password,
201                              final String realm,
202                              final String kdcAddress,
203                              final String configFilePath)
204  {
205    this.authenticationID = authenticationID;
206    this.authorizationID  = authorizationID;
207    this.password         = password;
208    this.realm            = realm;
209    this.kdcAddress       = kdcAddress;
210    this.configFilePath   = configFilePath;
211
212    servicePrincipalProtocol   = "ldap";
213    enableGSSAPIDebugging      = false;
214    jaasClientName             = "GSSAPIBindRequest";
215    refreshKrb5Config          = false;
216    renewTGT                   = false;
217    useKeyTab                  = false;
218    useSubjectCredentialsOnly  = true;
219    useTicketCache             = true;
220    requireCachedCredentials   = false;
221    saslClientServerName       = null;
222    keyTabPath                 = null;
223    ticketCachePath            = null;
224    suppressedSystemProperties = Collections.emptySet();
225    allowedQoP                 = Collections.unmodifiableList(Arrays.asList(
226         SASLQualityOfProtection.AUTH));
227  }
228
229
230
231  /**
232   * Retrieves the authentication ID for the GSSAPI bind request, if defined.
233   *
234   * @return  The authentication ID for the GSSAPI bind request, or {@code null}
235   *          if an existing Kerberos session should be used.
236   */
237  public String getAuthenticationID()
238  {
239    return authenticationID;
240  }
241
242
243
244  /**
245   * Sets the authentication ID for the GSSAPI bind request.
246   *
247   * @param  authenticationID  The authentication ID for the GSSAPI bind
248   *                           request.  It may be {@code null} if an existing
249   *                           Kerberos session should be used.
250   */
251  public void setAuthenticationID(final String authenticationID)
252  {
253    this.authenticationID = authenticationID;
254  }
255
256
257
258  /**
259   * Retrieves the authorization ID for the GSSAPI bind request, if defined.
260   *
261   * @return  The authorizationID for the GSSAPI bind request, or {@code null}
262   *          if the authorization ID should be the same as the authentication
263   *          ID.
264   */
265  public String getAuthorizationID()
266  {
267    return authorizationID;
268  }
269
270
271
272  /**
273   * Specifies the authorization ID for the GSSAPI bind request.
274   *
275   * @param  authorizationID  The authorization ID for the GSSAPI bind request.
276   *                          It may be {@code null} if the authorization ID
277   *                          should be the same as the authentication ID.
278   */
279  public void setAuthorizationID(final String authorizationID)
280  {
281    this.authorizationID = authorizationID;
282  }
283
284
285
286  /**
287   * Retrieves the password that should be used for the GSSAPI bind request, if
288   * defined.
289   *
290   * @return  The password that should be used for the GSSAPI bind request, or
291   *          {@code null} if an existing Kerberos session should be used.
292   */
293  public ASN1OctetString getPassword()
294  {
295    return password;
296  }
297
298
299
300  /**
301   * Specifies the password that should be used for the GSSAPI bind request.
302   *
303   * @param  password  The password that should be used for the GSSAPI bind
304   *                   request.  It may be {@code null} if an existing
305   *                   Kerberos session should be used.
306   */
307  public void setPassword(final String password)
308  {
309    if (password == null)
310    {
311      this.password = null;
312    }
313    else
314    {
315      this.password = new ASN1OctetString(password);
316    }
317  }
318
319
320
321  /**
322   * Specifies the password that should be used for the GSSAPI bind request.
323   *
324   * @param  password  The password that should be used for the GSSAPI bind
325   *                   request.  It may be {@code null} if an existing
326   *                   Kerberos session should be used.
327   */
328  public void setPassword(final byte[] password)
329  {
330    if (password == null)
331    {
332      this.password = null;
333    }
334    else
335    {
336      this.password = new ASN1OctetString(password);
337    }
338  }
339
340
341
342  /**
343   * Specifies the password that should be used for the GSSAPI bind request.
344   *
345   * @param  password  The password that should be used for the GSSAPI bind
346   *                   request.  It may be {@code null} if an existing
347   *                   Kerberos session should be used.
348   */
349  public void setPassword(final ASN1OctetString password)
350  {
351    this.password = password;
352  }
353
354
355
356  /**
357   * Retrieves the realm to use for the GSSAPI bind request, if defined.
358   *
359   * @return  The realm to use for the GSSAPI bind request, or {@code null} if
360   *          the request should attempt to use the default realm from the
361   *          system configuration.
362   */
363  public String getRealm()
364  {
365    return realm;
366  }
367
368
369
370  /**
371   * Specifies the realm to use for the GSSAPI bind request.
372   *
373   * @param  realm  The realm to use for the GSSAPI bind request.  It may be
374   *                {@code null} if the request should attempt to use the
375   *                default realm from the system configuration.
376   */
377  public void setRealm(final String realm)
378  {
379    this.realm = realm;
380  }
381
382
383
384  /**
385   * Retrieves the list of allowed qualities of protection that may be used for
386   * communication that occurs on the connection after the authentication has
387   * completed, in order from most preferred to least preferred.
388   *
389   * @return  The list of allowed qualities of protection that may be used for
390   *          communication that occurs on the connection after the
391   *          authentication has completed, in order from most preferred to
392   *          least preferred.
393   */
394  public List<SASLQualityOfProtection> getAllowedQoP()
395  {
396    return allowedQoP;
397  }
398
399
400
401  /**
402   * Specifies the list of allowed qualities of protection that may be used for
403   * communication that occurs on the connection after the authentication has
404   * completed, in order from most preferred to least preferred.
405   *
406   * @param  allowedQoP  The list of allowed qualities of protection that may be
407   *                     used for communication that occurs on the connection
408   *                     after the authentication has completed, in order from
409   *                     most preferred to least preferred.  If this is
410   *                     {@code null} or empty, then a list containing only the
411   *                     {@link SASLQualityOfProtection#AUTH} quality of
412   *                     protection value will be used.
413   */
414  public void setAllowedQoP(final List<SASLQualityOfProtection> allowedQoP)
415  {
416    if ((allowedQoP == null) || allowedQoP.isEmpty())
417    {
418      this.allowedQoP = Collections.unmodifiableList(Arrays.asList(
419           SASLQualityOfProtection.AUTH));
420    }
421    else
422    {
423      this.allowedQoP = Collections.unmodifiableList(
424           new ArrayList<SASLQualityOfProtection>(allowedQoP));
425    }
426  }
427
428
429
430  /**
431   * Specifies the list of allowed qualities of protection that may be used for
432   * communication that occurs on the connection after the authentication has
433   * completed, in order from most preferred to least preferred.
434   *
435   * @param  allowedQoP  The list of allowed qualities of protection that may be
436   *                     used for communication that occurs on the connection
437   *                     after the authentication has completed, in order from
438   *                     most preferred to least preferred.  If this is
439   *                     {@code null} or empty, then a list containing only the
440   *                     {@link SASLQualityOfProtection#AUTH} quality of
441   *                     protection value will be used.
442   */
443  public void setAllowedQoP(final SASLQualityOfProtection... allowedQoP)
444  {
445    setAllowedQoP(StaticUtils.toList(allowedQoP));
446  }
447
448
449
450  /**
451   * Retrieves the address to use for the Kerberos key distribution center,
452   * if defined.
453   *
454   * @return  The address to use for the Kerberos key distribution center, or
455   *          {@code null} if request should attempt to determine the KDC
456   *          address from the system configuration.
457   */
458  public String getKDCAddress()
459  {
460    return kdcAddress;
461  }
462
463
464
465  /**
466   * Specifies the address to use for the Kerberos key distribution center.
467   *
468   * @param  kdcAddress  The address to use for the Kerberos key distribution
469   *                     center.  It may be {@code null} if the request should
470   *                     attempt to determine the KDC address from the system
471   *                     configuration.
472   */
473  public void setKDCAddress(final String kdcAddress)
474  {
475    this.kdcAddress = kdcAddress;
476  }
477
478
479
480  /**
481   * Retrieves the name that will be used to identify this client in the JAAS
482   * framework.
483   *
484   * @return  The name that will be used to identify this client in the JAAS
485   *          framework.
486   */
487  public String getJAASClientName()
488  {
489    return jaasClientName;
490  }
491
492
493
494  /**
495   * Specifies the name that will be used to identify this client in the JAAS
496   * framework.
497   *
498   * @param  jaasClientName  The name that will be used to identify this client
499   *                         in the JAAS framework.  It must not be
500   *                         {@code null} or empty.
501   */
502  public void setJAASClientName(final String jaasClientName)
503  {
504    Validator.ensureNotNull(jaasClientName);
505
506    this.jaasClientName = jaasClientName;
507  }
508
509
510
511  /**
512   * Retrieves the path to a JAAS configuration file that should be used when
513   * processing the GSSAPI bind request, if defined.
514   *
515   * @return  The path to a JAAS configuration file that should be used when
516   *          processing the GSSAPI bind request, or {@code null} if a JAAS
517   *          configuration file should be automatically constructed for the
518   *          bind request.
519   */
520  public String getConfigFilePath()
521  {
522    return configFilePath;
523  }
524
525
526
527  /**
528   * Specifies the path to a JAAS configuration file that should be used when
529   * processing the GSSAPI bind request.
530   *
531   * @param  configFilePath  The path to a JAAS configuration file that should
532   *                         be used when processing the GSSAPI bind request.
533   *                         It may be {@code null} if a configuration file
534   *                         should be automatically constructed for the bind
535   *                         request.
536   */
537  public void setConfigFilePath(final String configFilePath)
538  {
539    this.configFilePath = configFilePath;
540  }
541
542
543
544  /**
545   * Retrieves the server name that should be used when creating the Java
546   * {@code SaslClient}, if one is defined.
547   *
548   * @return  The server name that should be used when creating the Java
549   *          {@code SaslClient}, or {@code null} if none is defined and the
550   *          {@code SaslClient} should use the address specified when
551   *          establishing the connection.
552   */
553  public String getSASLClientServerName()
554  {
555    return saslClientServerName;
556  }
557
558
559
560  /**
561   * Specifies the server name that should be used when creating the Java
562   * {@code SaslClient}.
563   *
564   * @param  saslClientServerName  The server name that should be used when
565   *                               creating the Java {@code SaslClient}.  It may
566   *                               be {@code null} to indicate that the
567   *                               {@code SaslClient} should use the address
568   *                               specified when establishing the connection.
569   */
570  public void setSASLClientServerName(final String saslClientServerName)
571  {
572    this.saslClientServerName = saslClientServerName;
573  }
574
575
576
577  /**
578   * Retrieves the protocol specified in the service principal that the
579   * directory server uses for its communication with the KDC.  The service
580   * principal is usually something like "ldap/directory.example.com", where
581   * "ldap" is the protocol and "directory.example.com" is the fully-qualified
582   * address of the directory server system, but some servers may allow
583   * authentication with a service principal with a protocol other than "ldap".
584   *
585   * @return  The protocol specified in the service principal that the directory
586   *          server uses for its communication with the KDC.
587   */
588  public String getServicePrincipalProtocol()
589  {
590    return servicePrincipalProtocol;
591  }
592
593
594
595  /**
596   * Specifies the protocol specified in the service principal that the
597   * directory server uses for its communication with the KDC.  This should
598   * generally be "ldap", but some servers may allow a service principal with a
599   * protocol other than "ldap".
600   *
601   * @param  servicePrincipalProtocol  The protocol specified in the service
602   *                                   principal that the directory server uses
603   *                                   for its communication with the KDC.
604   */
605  public void setServicePrincipalProtocol(final String servicePrincipalProtocol)
606  {
607    Validator.ensureNotNull(servicePrincipalProtocol);
608
609    this.servicePrincipalProtocol = servicePrincipalProtocol;
610  }
611
612
613
614  /**
615   * Indicates whether to refresh the configuration before the JAAS
616   * {@code login} method is called.
617   *
618   * @return  {@code true} if the GSSAPI implementation should refresh the
619   *          configuration before the JAAS {@code login} method is called, or
620   *          {@code false} if not.
621   */
622  public boolean refreshKrb5Config()
623  {
624    return refreshKrb5Config;
625  }
626
627
628
629  /**
630   * Specifies whether to refresh the configuration before the JAAS
631   * {@code login} method is called.
632   *
633   * @param  refreshKrb5Config  Indicates whether to refresh the configuration
634   *                            before the JAAS {@code login} method is called.
635   */
636  public void setRefreshKrb5Config(final boolean refreshKrb5Config)
637  {
638    this.refreshKrb5Config = refreshKrb5Config;
639  }
640
641
642
643  /**
644   * Indicates whether to allow the client to use credentials that are outside
645   * of the current subject, obtained via some system-specific mechanism.
646   *
647   * @return  {@code true} if the client will only be allowed to use credentials
648   *          that are within the current subject, or {@code false} if the
649   *          client will be allowed to use credentials outside the current
650   *          subject.
651   */
652  public boolean useSubjectCredentialsOnly()
653  {
654    return useSubjectCredentialsOnly;
655  }
656
657
658
659  /**
660   * Specifies whether to allow the client to use credentials that are outside
661   * the current subject.  If this is {@code false}, then a system-specific
662   * mechanism may be used in an attempt to obtain credentials from an
663   * existing session.
664   *
665   * @param  useSubjectCredentialsOnly  Indicates whether to allow the client to
666   *                                    use credentials that are outside of the
667   *                                    current subject.
668   */
669  public void setUseSubjectCredentialsOnly(
670                   final boolean useSubjectCredentialsOnly)
671  {
672    this.useSubjectCredentialsOnly = useSubjectCredentialsOnly;
673  }
674
675
676
677  /**
678   * Indicates whether to use a keytab to obtain the user credentials.
679   *
680   * @return  {@code true} if the GSSAPI login attempt should use a keytab to
681   *          obtain the user credentials, or {@code false} if not.
682   */
683  public boolean useKeyTab()
684  {
685    return useKeyTab;
686  }
687
688
689
690  /**
691   * Specifies whether to use a keytab to obtain the user credentials.
692   *
693   * @param  useKeyTab  Indicates whether to use a keytab to obtain the user
694   *                    credentials.
695   */
696  public void setUseKeyTab(final boolean useKeyTab)
697  {
698    this.useKeyTab = useKeyTab;
699  }
700
701
702
703  /**
704   * Retrieves the path to the keytab file from which to obtain the user
705   * credentials.  This will only be used if {@link #useKeyTab} returns
706   * {@code true}.
707   *
708   * @return  The path to the keytab file from which to obtain the user
709   *          credentials, or {@code null} if the default keytab location should
710   *          be used.
711   */
712  public String getKeyTabPath()
713  {
714    return keyTabPath;
715  }
716
717
718
719  /**
720   * Specifies the path to the keytab file from which to obtain the user
721   * credentials.
722   *
723   * @param  keyTabPath  The path to the keytab file from which to obtain the
724   *                     user credentials.  It may be {@code null} if the
725   *                     default keytab location should be used.
726   */
727  public void setKeyTabPath(final String keyTabPath)
728  {
729    this.keyTabPath = keyTabPath;
730  }
731
732
733
734  /**
735   * Indicates whether to enable the use of a ticket cache to to avoid the need
736   * to supply credentials if the client already has an existing Kerberos
737   * session.
738   *
739   * @return  {@code true} if a ticket cache may be used to take advantage of an
740   *          existing Kerberos session, or {@code false} if Kerberos
741   *          credentials should always be provided.
742   */
743  public boolean useTicketCache()
744  {
745    return useTicketCache;
746  }
747
748
749
750  /**
751   * Specifies whether to enable the use of a ticket cache to to avoid the need
752   * to supply credentials if the client already has an existing Kerberos
753   * session.
754   *
755   * @param  useTicketCache  Indicates whether to enable the use of a ticket
756   *                         cache to to avoid the need to supply credentials if
757   *                         the client already has an existing Kerberos
758   *                         session.
759   */
760  public void setUseTicketCache(final boolean useTicketCache)
761  {
762    this.useTicketCache = useTicketCache;
763  }
764
765
766
767  /**
768   * Indicates whether GSSAPI authentication should only occur using an existing
769   * Kerberos session.
770   *
771   * @return  {@code true} if GSSAPI authentication should only use an existing
772   *          Kerberos session and should fail if the client does not have an
773   *          existing session, or {@code false} if the client will be allowed
774   *          to create a new session if one does not already exist.
775   */
776  public boolean requireCachedCredentials()
777  {
778    return requireCachedCredentials;
779  }
780
781
782
783  /**
784   * Specifies whether an GSSAPI authentication should only occur using an
785   * existing Kerberos session.
786   *
787   * @param  requireCachedCredentials  Indicates whether an existing Kerberos
788   *                                   session will be required for
789   *                                   authentication.  If {@code true}, then
790   *                                   authentication will fail if the client
791   *                                   does not already have an existing
792   *                                   Kerberos session.  This will be ignored
793   *                                   if {@code useTicketCache} is false.
794   */
795  public void setRequireCachedCredentials(
796                   final boolean requireCachedCredentials)
797  {
798    this.requireCachedCredentials = requireCachedCredentials;
799  }
800
801
802
803  /**
804   * Retrieves the path to the Kerberos ticket cache file that should be used
805   * during authentication, if defined.
806   *
807   * @return  The path to the Kerberos ticket cache file that should be used
808   *          during authentication, or {@code null} if the default ticket cache
809   *          file should be used.
810   */
811  public String getTicketCachePath()
812  {
813    return ticketCachePath;
814  }
815
816
817
818  /**
819   * Specifies the path to the Kerberos ticket cache file that should be used
820   * during authentication.
821   *
822   * @param  ticketCachePath  The path to the Kerberos ticket cache file that
823   *                          should be used during authentication.  It may be
824   *                          {@code null} if the default ticket cache file
825   *                          should be used.
826   */
827  public void setTicketCachePath(final String ticketCachePath)
828  {
829    this.ticketCachePath = ticketCachePath;
830  }
831
832
833
834  /**
835   * Indicates whether to attempt to renew the client's ticket-granting ticket
836   * (TGT) if an existing Kerberos session is used to authenticate.
837   *
838   * @return  {@code true} if the client should attempt to renew its
839   *          ticket-granting ticket if the authentication is processed using an
840   *          existing Kerberos session, or {@code false} if not.
841   */
842  public boolean renewTGT()
843  {
844    return renewTGT;
845  }
846
847
848
849  /**
850   * Specifies whether to attempt to renew the client's ticket-granting ticket
851   * (TGT) if an existing Kerberos session is used to authenticate.
852   *
853   * @param  renewTGT  Indicates whether to attempt to renew the client's
854   *                   ticket-granting ticket if an existing Kerberos session is
855   *                   used to authenticate.
856   */
857  public void setRenewTGT(final boolean renewTGT)
858  {
859    this.renewTGT = renewTGT;
860  }
861
862
863
864  /**
865   * Retrieves a set of system properties that will not be altered by GSSAPI
866   * processing.
867   *
868   * @return  A set of system properties that will not be altered by GSSAPI
869   *          processing.
870   */
871  public Set<String> getSuppressedSystemProperties()
872  {
873    return suppressedSystemProperties;
874  }
875
876
877
878  /**
879   * Specifies a set of system properties that will not be altered by GSSAPI
880   * processing.  This should generally only be used in cases in which the
881   * specified system properties are known to already be set correctly for the
882   * desired authentication processing.
883   *
884   * @param  suppressedSystemProperties  A set of system properties that will
885   *                                     not be altered by GSSAPI processing.
886   *                                     It may be {@code null} or empty to
887   *                                     indicate that no properties should be
888   *                                     suppressed.
889   */
890  public void setSuppressedSystemProperties(
891                   final Collection<String> suppressedSystemProperties)
892  {
893    if (suppressedSystemProperties == null)
894    {
895      this.suppressedSystemProperties = Collections.emptySet();
896    }
897    else
898    {
899      this.suppressedSystemProperties = Collections.unmodifiableSet(
900           new LinkedHashSet<String>(suppressedSystemProperties));
901    }
902  }
903
904
905
906  /**
907   * Indicates whether JVM-level debugging should be enabled for GSSAPI bind
908   * processing.  If this is enabled, then debug information may be written to
909   * standard error when performing GSSAPI processing that could be useful for
910   * debugging authentication problems.
911   *
912   * @return  {@code true} if JVM-level debugging should be enabled for GSSAPI
913   *          bind processing, or {@code false} if not.
914   */
915  public boolean enableGSSAPIDebugging()
916  {
917    return enableGSSAPIDebugging;
918  }
919
920
921
922  /**
923   * Specifies whether JVM-level debugging should be enabled for GSSAPI bind
924   * processing.  If this is enabled, then debug information may be written to
925   * standard error when performing GSSAPI processing that could be useful for
926   * debugging authentication problems.
927   *
928   * @param  enableGSSAPIDebugging  Specifies whether JVM-level debugging should
929   *                                be enabled for GSSAPI bind processing.
930   */
931  public void setEnableGSSAPIDebugging(final boolean enableGSSAPIDebugging)
932  {
933    this.enableGSSAPIDebugging = enableGSSAPIDebugging;
934  }
935
936
937
938  /**
939   * Retrieves a string representation of the GSSAPI bind request properties.
940   *
941   * @return  A string representation of the GSSAPI bind request properties.
942   */
943  @Override()
944  public String toString()
945  {
946    final StringBuilder buffer = new StringBuilder();
947    toString(buffer);
948    return buffer.toString();
949  }
950
951
952
953  /**
954   * Appends a string representation of the GSSAPI bind request properties to
955   * the provided buffer.
956   *
957   * @param  buffer  The buffer to which the information should be appended.
958   */
959  public void toString(final StringBuilder buffer)
960  {
961    buffer.append("GSSAPIBindRequestProperties(");
962    if (authenticationID != null)
963    {
964      buffer.append("authenticationID='");
965      buffer.append(authenticationID);
966      buffer.append("', ");
967    }
968
969    if (authorizationID != null)
970    {
971      buffer.append("authorizationID='");
972      buffer.append(authorizationID);
973      buffer.append("', ");
974    }
975
976    if (realm != null)
977    {
978      buffer.append("realm='");
979      buffer.append(realm);
980      buffer.append("', ");
981    }
982
983    buffer.append("qop='");
984    buffer.append(SASLQualityOfProtection.toString(allowedQoP));
985    buffer.append("', ");
986
987    if (kdcAddress != null)
988    {
989      buffer.append("kdcAddress='");
990      buffer.append(kdcAddress);
991      buffer.append("', ");
992    }
993
994    buffer.append(", refreshKrb5Config=");
995    buffer.append(refreshKrb5Config);
996    buffer.append(", useSubjectCredentialsOnly=");
997    buffer.append(useSubjectCredentialsOnly);
998    buffer.append(", useKeyTab=");
999    buffer.append(useKeyTab);
1000    buffer.append(", ");
1001
1002    if (keyTabPath != null)
1003    {
1004      buffer.append("keyTabPath='");
1005      buffer.append(keyTabPath);
1006      buffer.append("', ");
1007    }
1008
1009    if (useTicketCache)
1010    {
1011      buffer.append("useTicketCache=true, requireCachedCredentials=");
1012      buffer.append(requireCachedCredentials);
1013      buffer.append(", renewTGT=");
1014      buffer.append(renewTGT);
1015      buffer.append(", ");
1016
1017      if (ticketCachePath != null)
1018      {
1019        buffer.append("ticketCachePath='");
1020        buffer.append(ticketCachePath);
1021        buffer.append("', ");
1022      }
1023    }
1024    else
1025    {
1026      buffer.append("useTicketCache=false, ");
1027    }
1028
1029    buffer.append("jaasClientName='");
1030    buffer.append(jaasClientName);
1031    buffer.append("', ");
1032
1033    if (configFilePath != null)
1034    {
1035      buffer.append("configFilePath='");
1036      buffer.append(configFilePath);
1037      buffer.append("', ");
1038    }
1039
1040    if (saslClientServerName != null)
1041    {
1042      buffer.append("saslClientServerName='");
1043      buffer.append(saslClientServerName);
1044      buffer.append("', ");
1045    }
1046
1047    buffer.append("servicePrincipalProtocol='");
1048    buffer.append(servicePrincipalProtocol);
1049    buffer.append("', suppressedSystemProperties={");
1050
1051    final Iterator<String> propIterator = suppressedSystemProperties.iterator();
1052    while (propIterator.hasNext())
1053    {
1054      buffer.append('\'');
1055      buffer.append(propIterator.next());
1056      buffer.append('\'');
1057
1058      if (propIterator.hasNext())
1059      {
1060        buffer.append(", ");
1061      }
1062    }
1063
1064    buffer.append("}, enableGSSAPIDebugging=");
1065    buffer.append(enableGSSAPIDebugging);
1066    buffer.append(')');
1067  }
1068}