Implementing the GSS with Initiators and Acceptors

Listings 17-1 and 17-2 contain the code for both the initiator and acceptor. There are two major differences between the initiator and acceptor in the listings: the credential set and the peer that is initiating the security context. The credential set is different simply because the initiator will use the credentials of the client or other initiating authentication such as JAAS. The acceptor credentials could be a delegation of the initiator's credentials, or the server's principal and credentials, depending on the resources' permissions. Server principals are normally needed when the client principals are restrictive , such as when accessing an organization's database.

As mentioned before, it is up to the application to use any additional functionality to transport the messages such as Java sockets. The GSS-API handles the following, but not the transport mechanisms other than byte arrays and Java streams:

• Establishing the authentication mechanism

• Establishing the principals and credentials in the form of the authentication mechanism

• Establishing the security context of peers through tokens transported in streams or transported in byte arrays, which establishes the security material

• Wrapping and unwrapping each message with the security material in the form of streams and byte arrays

• Supporting further checks and quality of protection with the message property ( MessageProp ) class

• Supporting the MIC for alternative message integrity other than the wrap and unwrap

• Finally disposing of any system resources when completed

The preceding is the basic functionality of the GSS-API, and the how the Java stream or byte array is transported is independent of the GSS-API itself. The GSS-API could be transported through files, sockets, or even JSSE.

The initiator starts the security context by establishing the user 's credential, the server's name for identification, and the authentication mechanism for creating the security context. After the security context is created, the context tokens must be passed between the initiator and the acceptor, which is normally accomplished in a context loop. The initiator creates an initialization token with the initSecContext method and writes the token to the acceptor. The acceptor, in turn , reads the token and checks to see if the token is acceptable with the acceptSecContext method.

If the token is not acceptable, a GSSException is thrown. If the token is acceptable from the acceptor, the acceptSecContext method modifies the token with the server's credentials and the acceptor sends the token back to the initiator to confirm initialization. After the token has been processed by the initiator and the acceptor methods for initializing and accepting the token, the isEstablished flag in both security contexts is set to true to state that the security context has authenticated and is ready to wrap and unwrap messages.

Once the security context has been authenticated, only the security context between the peers can wrap and unwrap the messages. In other words, only the security contexts that are authenticated can access, or unwrap, the encrypted message. Once a message is wrapped, the token with the message in it is passed to the peer. Part of the wrap is not only the message but also information about the message and the security's context passed between peers. Only the established peers can unwrap the message. By providing the confidentiality, the GSS-API provides authorization for authenticated security contexts to access the plaintext message after it is wrapped.