com.sun.enterprise.iiop.security.SecurityMechanismSelector Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of payara-embedded-web Show documentation
Show all versions of payara-embedded-web Show documentation
Embedded-Web Distribution of the Payara Project
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 1997-2013 Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
* and Distribution License("CDDL") (collectively, the "License"). You
* may not use this file except in compliance with the License. You can
* obtain a copy of the License at
* https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
* or packager/legal/LICENSE.txt. See the License for the specific
* language governing permissions and limitations under the License.
*
* When distributing the software, include this License Header Notice in each
* file and include the License file at packager/legal/LICENSE.txt.
*
* GPL Classpath Exception:
* Oracle designates this particular file as subject to the "Classpath"
* exception as provided by Oracle in the GPL Version 2 section of the License
* file that accompanied this code.
*
* Modifications:
* If applicable, add the following below the License Header, with the fields
* enclosed by brackets [] replaced by your own identifying information:
* "Portions Copyright [year] [name of copyright owner]"
*
* Contributor(s):
* If you wish your version of this file to be governed by only the CDDL or
* only the GPL Version 2, indicate your decision by adding "[Contributor]
* elects to include this software in this distribution under the [CDDL or GPL
* Version 2] license." If you don't indicate a single choice of license, a
* recipient has the option to distribute your version of this file under
* either the CDDL, the GPL Version 2 or to extend the choice of license to
* its licensees as provided above. However, if you add GPL Version 2 code
* and therefore, elected the GPL Version 2 license, then the option applies
* only if the new code is made subject to such option by the copyright
* holder.
*/
// Portions Copyright 2018-2021 Payara Foundation and/or its affiliates
package com.sun.enterprise.iiop.security;
import com.sun.corba.ee.org.omg.CSI.ITTAnonymous;
import com.sun.corba.ee.org.omg.CSI.ITTDistinguishedName;
import com.sun.corba.ee.org.omg.CSI.ITTPrincipalName;
import com.sun.corba.ee.org.omg.CSI.ITTX509CertChain;
import com.sun.corba.ee.org.omg.CSIIOP.*;
import com.sun.corba.ee.spi.ior.IOR;
import com.sun.corba.ee.spi.ior.iiop.IIOPAddress;
import com.sun.corba.ee.spi.ior.iiop.IIOPProfileTemplate;
import com.sun.corba.ee.spi.transport.SocketInfo;
import com.sun.enterprise.common.iiop.security.AnonCredential;
import com.sun.enterprise.common.iiop.security.GSSUPName;
import com.sun.enterprise.common.iiop.security.SecurityContext;
import com.sun.enterprise.deployment.EjbDescriptor;
import com.sun.enterprise.deployment.EjbIORConfigurationDescriptor;
import com.sun.enterprise.security.SecurityServicesUtil;
import com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential;
import com.sun.enterprise.security.auth.login.LoginContextDriver;
import com.sun.enterprise.security.auth.login.common.LoginException;
import com.sun.enterprise.security.auth.login.common.PasswordCredential;
import com.sun.enterprise.security.auth.login.common.X509CertificateCredential;
import com.sun.enterprise.security.auth.realm.Realm;
import com.sun.enterprise.security.common.ClientSecurityContext;
import com.sun.enterprise.security.ssl.SSLUtils;
import com.sun.enterprise.util.LocalStringManagerImpl;
import com.sun.enterprise.util.Utility;
import com.sun.logging.LogDomains;
import org.glassfish.api.admin.ProcessEnvironment;
import org.glassfish.api.admin.ProcessEnvironment.ProcessType;
import org.glassfish.api.invocation.ComponentInvocation;
import org.glassfish.enterprise.iiop.api.GlassFishORBHelper;
import org.glassfish.enterprise.iiop.api.ProtocolManager;
import org.glassfish.enterprise.iiop.impl.GlassFishORBManager;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.internal.api.ORBLocator;
import org.ietf.jgss.Oid;
import org.jvnet.hk2.annotations.Service;
import org.omg.CORBA.ORB;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.logging.Level;
import java.util.logging.Logger;
import static com.sun.enterprise.security.common.SecurityConstants.USERNAME_PASSWORD;
import static com.sun.logging.LogDomains.SECURITY_LOGGER;
import static java.util.logging.Level.FINE;
// GSS Related Functionality
/**
* This class is responsible for making various decisions for selecting security information to be
* sent in the IIOP message based on target configuration and client policies. Note: This class can
* be called concurrently by multiple client threads. However, none of its methods need to be
* synchronized because the methods either do not modify state or are idempotent.
*
* @author Nithya Subramanian
*
*/
@Service
@Singleton
public final class SecurityMechanismSelector implements PostConstruct {
private static final Logger _logger = LogDomains.getLogger(SecurityMechanismSelector.class, SECURITY_LOGGER);
public static final String CLIENT_CONNECTION_CONTEXT = "ClientConnContext";
private Set corbaIORDescSet;
private boolean sslRequired;
private static final LocalStringManagerImpl localStrings = new LocalStringManagerImpl(SecServerRequestInterceptor.class);
// A reference to POAProtocolMgr will be obtained dynamically
// and set if not null. So set it to null here.
private ProtocolManager protocolMgr;
@Inject
private SSLUtils sslUtils;
private GlassFishORBHelper orbHelper;
// private CompoundSecMech mechanism = null;
private ORB orb;
private CSIV2TaggedComponentInfo ctc;
@Inject
private ProcessEnvironment processEnv;
/**
* Read the client and server preferences from the config files.
*/
public SecurityMechanismSelector() {
}
@Override
public void postConstruct() {
try {
orbHelper = Lookups.getGlassFishORBHelper();
// Initialize client security config
String s = (orbHelper.getCSIv2Props()).getProperty(ORBLocator.ORB_SSL_CLIENT_REQUIRED);
if (s != null && s.equals("true")) {
sslRequired = true;
}
// initialize corbaIORDescSet with security config for CORBA objects
corbaIORDescSet = new HashSet();
EjbIORConfigurationDescriptor iorDesc = new EjbIORConfigurationDescriptor();
EjbIORConfigurationDescriptor iorDesc2 = new EjbIORConfigurationDescriptor();
String serverSslReqd = (orbHelper.getCSIv2Props()).getProperty(ORBLocator.ORB_SSL_SERVER_REQUIRED);
if (serverSslReqd != null && serverSslReqd.equals("true")) {
iorDesc.setIntegrity(EjbIORConfigurationDescriptor.REQUIRED);
iorDesc.setConfidentiality(EjbIORConfigurationDescriptor.REQUIRED);
iorDesc2.setIntegrity(EjbIORConfigurationDescriptor.REQUIRED);
iorDesc2.setConfidentiality(EjbIORConfigurationDescriptor.REQUIRED);
}
String clientAuthReq = (orbHelper.getCSIv2Props()).getProperty(ORBLocator.ORB_CLIENT_AUTH_REQUIRED);
if (clientAuthReq != null && clientAuthReq.equals("true")) {
// Need auth either by SSL or username-password.
// This sets SSL clientauth to required.
iorDesc.setEstablishTrustInClient(EjbIORConfigurationDescriptor.REQUIRED);
// This sets username-password auth to required.
iorDesc2.setAuthMethodRequired(true);
getCorbaIORDescSet().add(iorDesc2);
}
getCorbaIORDescSet().add(iorDesc);
} catch (Exception e) {
_logger.log(Level.SEVERE, "iiop.Exception", e);
}
}
public ConnectionContext getClientConnectionContext() {
Hashtable h = ConnectionExecutionContext.getContext();
ConnectionContext scc = (ConnectionContext) h.get(CLIENT_CONNECTION_CONTEXT);
return scc;
}
public void setClientConnectionContext(ConnectionContext scc) {
Hashtable h = ConnectionExecutionContext.getContext();
h.put(CLIENT_CONNECTION_CONTEXT, scc);
}
/**
* This method determines if SSL should be used to connect to the target based on client and target
* policies. It will return null if SSL should not be used or an SocketInfo containing the SSL port
* if SSL should be used.
*/
public SocketInfo getSSLPort(IOR ior, ConnectionContext ctx) {
SocketInfo info = null;
CompoundSecMech mechanism = null;
try {
mechanism = selectSecurityMechanism(ior);
} catch (SecurityMechanismException sme) {
throw new RuntimeException(sme.getMessage());
}
ctx.setIOR(ior);
ctx.setMechanism(mechanism);
TLS_SEC_TRANS ssl = null;
if (mechanism != null) {
ssl = getCtc().getSSLInformation(mechanism);
}
if (ssl == null) {
if (isSslRequired()) {
// Attempt to create SSL connection to host, ORBInitialPort
IIOPProfileTemplate templ = (IIOPProfileTemplate) ior.getProfile().getTaggedProfileTemplate();
IIOPAddress addr = templ.getPrimaryAddress();
info = IORToSocketInfoImpl.createSocketInfo("SecurityMechanismSelector1", "SSL", addr.getHost(),
orbHelper.getORBPort(orbHelper.getORB()));
return info;
} else {
return null;
}
}
int targetRequires = ssl.target_requires;
int targetSupports = ssl.target_supports;
/*
* If target requires any of Integrity, Confidentiality or EstablishTrustInClient, then SSL is used.
*/
if (isSet(targetRequires, Integrity.value) || isSet(targetRequires, Confidentiality.value)
|| isSet(targetRequires, EstablishTrustInClient.value)) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Target requires SSL");
}
ctx.setSSLUsed(true);
String type = "SSL";
if (isSet(targetRequires, EstablishTrustInClient.value)) {
type = "SSL_MUTUALAUTH";
ctx.setSSLClientAuthenticationOccurred(true);
}
if (ssl.addresses.length == 0 && GlassFishORBManager.disableSSLCheck()) {
return null;
}
short sslport = ssl.addresses[0].port;
int ssl_port = Utility.shortToInt(sslport);
String host_name = ssl.addresses[0].host_name;
info = IORToSocketInfoImpl.createSocketInfo("SecurityMechanismSelector2", type, host_name, ssl_port);
return info;
} else if (isSet(targetSupports, Integrity.value) || isSet(targetSupports, Confidentiality.value)
|| isSet(targetSupports, EstablishTrustInClient.value)) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Target supports SSL");
}
if (isSslRequired()) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Client is configured to require SSL for the target");
}
ctx.setSSLUsed(true);
if (ssl.addresses.length == 0 && GlassFishORBManager.disableSSLCheck()) {
return null;
}
short sslport = ssl.addresses[0].port;
String host_name = ssl.addresses[0].host_name;
int ssl_port = Utility.shortToInt(sslport);
info = IORToSocketInfoImpl.createSocketInfo("SecurityMechanismSelector3", "SSL", host_name, ssl_port);
return info;
} else {
return null;
}
} else if (isSslRequired()) {
throw new RuntimeException("SSL required by client but not supported by server.");
} else {
return null;
}
}
/*
* public String[] getServerTrustedHosts() { return serverTrustedHosts; } public void
* setServerTrustedHosts(String[] val) { this.serverTrustedHosts = val; }
*/
public ORB getOrb() {
return orb;
}
public void setOrb(ORB val) {
this.orb = val;
}
public synchronized CSIV2TaggedComponentInfo getCtc() {
if (ctc == null) {
ctc = new CSIV2TaggedComponentInfo(orbHelper.getORB());
}
return ctc;
}
public java.util.List getSSLPorts(IOR ior, ConnectionContext ctx) {
CompoundSecMech mechanism = null;
try {
mechanism = selectSecurityMechanism(ior);
} catch (SecurityMechanismException sme) {
throw new RuntimeException(sme.getMessage());
}
ctx.setIOR(ior);
ctx.setMechanism(mechanism);
TLS_SEC_TRANS ssl = null;
if (mechanism != null) {
ssl = getCtc().getSSLInformation(mechanism);
}
if (ssl == null) {
if (isSslRequired()) {
// Attempt to create SSL connection to host, ORBInitialPort
IIOPProfileTemplate templ = (IIOPProfileTemplate) ior.getProfile().getTaggedProfileTemplate();
IIOPAddress addr = templ.getPrimaryAddress();
SocketInfo info = IORToSocketInfoImpl.createSocketInfo("SecurityMechanismSelector1", "SSL", addr.getHost(),
orbHelper.getORBPort(orbHelper.getORB()));
// SocketInfo[] sInfos = new SocketInfo[]{info};
List sInfos = new ArrayList();
sInfos.add(info);
return sInfos;
} else {
return null;
}
}
int targetRequires = ssl.target_requires;
int targetSupports = ssl.target_supports;
/*
* If target requires any of Integrity, Confidentiality or EstablishTrustInClient, then SSL is used.
*/
if (isSet(targetRequires, Integrity.value) || isSet(targetRequires, Confidentiality.value)
|| isSet(targetRequires, EstablishTrustInClient.value)) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Target requires SSL");
}
ctx.setSSLUsed(true);
String type = "SSL";
if (isSet(targetRequires, EstablishTrustInClient.value)) {
type = "SSL_MUTUALAUTH";
ctx.setSSLClientAuthenticationOccurred(true);
}
// SocketInfo[] socketInfos = new SocketInfo[ssl.addresses.size];
List socketInfos = new ArrayList();
for (int addressIndex = 0; addressIndex < ssl.addresses.length; addressIndex++) {
short sslport = ssl.addresses[addressIndex].port;
int ssl_port = Utility.shortToInt(sslport);
String host_name = ssl.addresses[addressIndex].host_name;
SocketInfo sInfo = IORToSocketInfoImpl.createSocketInfo("SecurityMechanismSelector2", type, host_name, ssl_port);
socketInfos.add(sInfo);
}
if (GlassFishORBManager.disableSSLCheck() && socketInfos.isEmpty()) {
return null;
}
return socketInfos;
} else if (isSet(targetSupports, Integrity.value) || isSet(targetSupports, Confidentiality.value)
|| isSet(targetSupports, EstablishTrustInClient.value)) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Target supports SSL");
}
if (isSslRequired()) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Client is configured to require SSL for the target");
}
ctx.setSSLUsed(true);
// SocketInfo[] socketInfos = new SocketInfo[ssl.addresses.size];
List socketInfos = new ArrayList();
for (int addressIndex = 0; addressIndex < ssl.addresses.length; addressIndex++) {
short sslport = ssl.addresses[addressIndex].port;
int ssl_port = Utility.shortToInt(sslport);
String host_name = ssl.addresses[addressIndex].host_name;
SocketInfo sInfo = IORToSocketInfoImpl.createSocketInfo("SecurityMechanismSelector3", "SSL", host_name,
ssl_port);
socketInfos.add(sInfo);
}
if (GlassFishORBManager.disableSSLCheck() && socketInfos.isEmpty()) {
return null;
}
return socketInfos;
} else {
return null;
}
} else if (isSslRequired()) {
throw new RuntimeException("SSL required by client but not supported by server.");
} else {
return null;
}
}
/**
* Select the security context to be used by the CSIV2 layer based on whether the current component
* is an application client or a web/EJB component.
*/
public SecurityContext selectSecurityContext(IOR ior)
throws InvalidIdentityTokenException, InvalidMechanismException, SecurityMechanismException {
SecurityContext context = null;
ConnectionContext cc = new ConnectionContext();
// print CSIv2 mechanism definition in IOR
if (traceIORs()) {
_logger.info("\nCSIv2 Mechanism List:" + getSecurityMechanismString(ctc, ior));
}
getSSLPort(ior, cc);
setClientConnectionContext(cc);
CompoundSecMech mechanism = cc.getMechanism();
if (mechanism == null) {
return null;
}
boolean sslUsed = cc.getSSLUsed();
boolean clientAuthOccurred = cc.getSSLClientAuthenticationOccurred();
// Standalone client
if (isNotServerOrACC()) {
context = getSecurityContextForAppClient(null, sslUsed, clientAuthOccurred, mechanism);
return context;
}
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "SSL used:" + sslUsed + " SSL Mutual auth:" + clientAuthOccurred);
}
ComponentInvocation ci = null;
if (isACC()) {
context = getSecurityContextForAppClient(ci, sslUsed, clientAuthOccurred, mechanism);
} else {
context = getSecurityContextForWebOrEJB(ci, sslUsed, clientAuthOccurred, mechanism);
}
return context;
}
/**
* Create the security context to be used by the CSIV2 layer to marshal in the service context of
* the IIOP message from an appclient or standalone client.
*
* @return the security context.
*/
public SecurityContext getSecurityContextForAppClient(ComponentInvocation ci, boolean sslUsed, boolean clientAuthOccurred,
CompoundSecMech mechanism)
throws InvalidMechanismException, InvalidIdentityTokenException, SecurityMechanismException {
return sendUsernameAndPassword(ci, sslUsed, clientAuthOccurred, mechanism);
}
/**
* Create the security context to be used by the CSIV2 layer to marshal in the service context of
* the IIOP message from an web component or EJB invoking another EJB.
*
* @return the security context.
*/
public SecurityContext getSecurityContextForWebOrEJB(ComponentInvocation ci, boolean sslUsed, boolean clientAuthOccurred,
CompoundSecMech mechanism) throws InvalidMechanismException, InvalidIdentityTokenException, SecurityMechanismException {
SecurityContext ctx = null;
if (!sslUsed) {
ctx = propagateIdentity(false, ci, mechanism);
} else {
ctx = propagateIdentity(clientAuthOccurred, ci, mechanism);
}
return ctx;
}
Object getSSLSocketInfo(Object ior) {
ConnectionContext ctx = new ConnectionContext();
List socketInfo = getSSLPorts((com.sun.corba.ee.spi.ior.IOR) ior, ctx);
setClientConnectionContext(ctx);
return socketInfo;
}
private boolean isMechanismSupported(SAS_ContextSec sas) {
byte[][] mechanisms = sas.supported_naming_mechanisms;
byte[] mechSupported = GSSUtils.getMechanism();
if (mechanisms == null) {
return false;
}
for (int i = 0; i < mechanisms.length; i++) {
if (Arrays.equals(mechSupported, mechanisms[i])) {
return true;
}
}
return false;
}
public boolean isIdentityTypeSupported(SAS_ContextSec sas) {
int ident_token = sas.supported_identity_types;
// the identity token matches atleast one of the types we support
int value = ident_token & CSIV2TaggedComponentInfo.SUPPORTED_IDENTITY_TOKEN_TYPES;
if (value != 0)
return true;
else
return false;
}
/**
* Get the security context to send username and password in the service context.
*
* @param whether username/password will be sent over plain IIOP or over IIOP/SSL.
* @return the security context.
* @exception SecurityMechanismException if there was an error.
*/
private SecurityContext sendUsernameAndPassword(ComponentInvocation ci, boolean sslUsed, boolean clientAuthOccurred,
CompoundSecMech mechanism) throws SecurityMechanismException {
SecurityContext ctx = null;
if (mechanism == null) {
return null;
}
AS_ContextSec asContext = mechanism.as_context_mech;
if (isSet(asContext.target_requires, EstablishTrustInClient.value)
|| (isSet(mechanism.target_requires, EstablishTrustInClient.value) && !clientAuthOccurred)) {
ctx = getUsernameAndPassword(ci, mechanism);
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Sending Username/Password");
}
} else {
return null;
}
return ctx;
}
/**
* Get the security context to propagate principal/distinguished name in the service context.
*
* @param clientAuth whether SSL client authentication has happened.
* @return the security context.
* @exception SecurityMechanismException if there was an error.
*/
private SecurityContext propagateIdentity(boolean clientAuth, ComponentInvocation ci, CompoundSecMech mechanism)
throws InvalidIdentityTokenException, InvalidMechanismException, SecurityMechanismException {
SecurityContext ctx = null;
if (mechanism == null) {
return null;
}
AS_ContextSec asContext = mechanism.as_context_mech;
SAS_ContextSec sasContext = mechanism.sas_context_mech;
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "SAS CONTEXT's target_requires=" + sasContext.target_requires);
_logger.log(Level.FINE, "SAS CONTEXT's target_supports=" + sasContext.target_supports);
}
if (isSet(asContext.target_requires, EstablishTrustInClient.value)) {
ctx = getUsernameAndPassword(ci, mechanism);
if (ctx.authcls == null) { // run as mode cannot send password
String errmsg = localStrings.getLocalString("securitymechansimselector.runas_cannot_propagate_username_password",
"Cannot propagate username/password required by target when using run as identity");
_logger.log(Level.SEVERE, "iiop.runas_error", errmsg);
throw new SecurityMechanismException(errmsg);
}
} else if (isSet(sasContext.target_supports, IdentityAssertion.value)
|| isSet(sasContext.target_requires, IdentityAssertion.value)) {
// called from the client side. thus before getting the identity. check the
// mechanisms and the identity token supported
if (!isIdentityTypeSupported(sasContext)) {
String errmsg = localStrings.getLocalString("securitymechanismselector.invalid_identity_type",
"The given identity token is unsupported.");
throw new InvalidIdentityTokenException(errmsg);
}
if (sasContext.target_supports == IdentityAssertion.value) {
if (!isMechanismSupported(sasContext)) {
String errmsg = localStrings.getLocalString("securitymechanismselector.invalid_mechanism",
"The given mechanism type is unsupported.");
_logger.log(Level.SEVERE, "iiop.unsupported_type_error", errmsg);
throw new InvalidMechanismException(errmsg);
}
}
// propagate principal/certificate/distinguished name
ctx = getIdentity();
} else if (isSet(asContext.target_supports, EstablishTrustInClient.value)) {
if (clientAuth) { // client auth done we can send password
ctx = getUsernameAndPassword(ci, mechanism);
if (ctx.authcls == null) {
return null; // runas mode dont have username/password
// dont really need to send it too
}
} else { // not sending anything for unauthenticated client
return null;
}
} else {
return null; // will never come here
}
return ctx;
}
/**
* Get the username and password either from the JAAS subject or from thread local storage. For
* appclients if login has'nt happened this method would trigger login and popup a user interface to
* gather authentication information.
*
* @return the security context.
*/
private SecurityContext getUsernameAndPassword(ComponentInvocation ci, CompoundSecMech mechanism)
throws SecurityMechanismException {
try {
Subject s = null;
if (isNotServerOrACC()) {
// Standalone client ... Changed the security context
// from which to fetch the subject
ClientSecurityContext sc = ClientSecurityContext.getCurrent();
if (sc == null) {
return null;
}
s = sc.getSubject();
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "SUBJECT:" + s);
}
} else {
if (isACC()) {
// get the subject
ClientSecurityContext sc = ClientSecurityContext.getCurrent();
if (sc == null) {
s = LoginContextDriver.doClientLogin(USERNAME_PASSWORD,
SecurityServicesUtil.getInstance().getCallbackHandler());
} else {
s = sc.getSubject();
}
} else {
// web/ejb
s = getSubjectFromSecurityCurrent();
// TODO check if username/password is available
// if not throw exception
}
}
SecurityContext ctx = new SecurityContext();
final Subject sub = s;
ctx.subject = s;
// determining if run-as has been used
Set privateCredSet = AccessController.doPrivileged(new PrivilegedAction() {
@Override
public Set run() {
return sub.getPrivateCredentials(PasswordCredential.class);
}
});
if (privateCredSet.isEmpty()) { // this is runas case dont set
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "no private credential run as mode");
}
ctx.authcls = null; // the auth class
ctx.identcls = GSSUPName.class;
} else {
/**
* lookup the realm name that is required by the server and set it up in the PasswordCredential
* class.
*/
AS_ContextSec asContext = mechanism.as_context_mech;
final byte[] target_name = asContext.target_name;
byte[] _realm = null;
if (target_name == null || target_name.length == 0) {
_realm = Realm.getDefaultRealm().getBytes();
} else {
_realm = GSSUtils.importName(GSSUtils.GSSUP_MECH_OID, target_name);
}
final String realm_name = new String(_realm);
final Iterator it = privateCredSet.iterator();
for (; it.hasNext();) {
AccessController.doPrivileged(new PrivilegedAction