Path: blob/master/src/java.security.jgss/share/classes/org/ietf/jgss/GSSManager.java
41155 views
/*1* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package org.ietf.jgss;2627import java.security.Provider;2829/**30* This class serves as a factory for other important31* GSS-API classes and also provides information about the mechanisms that32* are supported. It can create instances of classes33* implementing the following three GSS-API interfaces: {@link34* GSSName GSSName}, {@link GSSCredential GSSCredential}, and {@link35* GSSContext GSSContext}. It also has methods to query for the list36* of available mechanisms and the nametypes that each mechanism37* supports.<p>38*39* An instance of the default <code>GSSManager</code> subclass40* may be obtained through the static method {@link #getInstance()41* getInstance}, but applications are free to instantiate other subclasses42* of <code>GSSManager</code>. The default <code>GSSManager</code> instance43* will support the Kerberos v5 GSS-API mechanism in addition to any44* others. This mechanism is identified by the Oid "1.2.840.113554.1.2.2"45* and is defined in RFC 1964.<p>46*47* A subclass extending the <code>GSSManager</code> abstract class may be48* implemented as a modular provider based layer that utilizes some well49* known service provider specification. The <code>GSSManager</code> API50* allows the application to set provider preferences on51* such an implementation. These methods also allow the implementation to52* throw a well-defined exception in case provider based configuration is53* not supported. Applications that expect to be portable should be aware54* of this and recover cleanly by catching the exception.<p>55*56* It is envisioned that there will be three most common ways in which57* providers will be used:58* <ol>59* <li> The application does not care about what provider is used (the60* default case).61* <li> The application wants a particular provider to be used62* preferentially, either for a particular mechanism or all the63* time, irrespective of mechanism.64* <li> The application wants to use the locally configured providers65* as far as possible but if support is missing for one or more66* mechanisms then it wants to fall back on its own provider.67*</ol><p>68*69* The <code>GSSManager</code> class has two methods that enable these modes of70* usage: {@link #addProviderAtFront(Provider, Oid) addProviderAtFront} and71* {@link #addProviderAtEnd(Provider, Oid) addProviderAtEnd}. These methods72* have the effect of creating an ordered list of <i><provider,73* oid></i> pairs where each pair indicates a preference of provider74* for a given oid.<p>75*76* It is important to note that there are certain interactions77* between the different GSS-API objects that are created by a78* GSSManager, where the provider that is used for a particular mechanism79* might need to be consistent across all objects. For instance, if a80* GSSCredential contains elements from a provider <i>p</i> for a mechanism81* <i>m</i>, it should generally be passed in to a GSSContext that will use82* provider <i>p</i> for the mechanism <i>m</i>. A simple rule of thumb83* that will maximize portability is that objects created from different84* GSSManager's should not be mixed, and if possible, a different85* GSSManager instance should be created if the application wants to invoke86* the <code>addProviderAtFront</code> method on a GSSManager that has87* already created an object.<p>88*89* Here is some sample code showing how the GSSManager might be used:90* <pre>91* GSSManager manager = GSSManager.getInstance();92*93* Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");94* Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");95*96* // Identify who the client wishes to be97* GSSName userName = manager.createName("duke", GSSName.NT_USER_NAME);98*99* // Identify the name of the server. This uses a Kerberos specific100* // name format.101* GSSName serverName = manager.createName("nfs/foo.sun.com",102* krb5PrincipalNameType);103*104* // Acquire credentials for the user105* GSSCredential userCreds = manager.createCredential(userName,106* GSSCredential.DEFAULT_LIFETIME,107* krb5Mechanism,108* GSSCredential.INITIATE_ONLY);109*110* // Instantiate and initialize a security context that will be111* // established with the server112* GSSContext context = manager.createContext(serverName,113* krb5Mechanism,114* userCreds,115* GSSContext.DEFAULT_LIFETIME);116* </pre><p>117*118* The server side might use the following variation of this source:119*120* <pre>121* // Acquire credentials for the server122* GSSCredential serverCreds = manager.createCredential(serverName,123* GSSCredential.DEFAULT_LIFETIME,124* krb5Mechanism,125* GSSCredential.ACCEPT_ONLY);126*127* // Instantiate and initialize a security context that will128* // wait for an establishment request token from the client129* GSSContext context = manager.createContext(serverCreds);130* </pre>131*132* @author Mayank Upadhyay133* @see GSSName134* @see GSSCredential135* @see GSSContext136* @since 1.4137*/138public abstract class GSSManager {139140/**141* Constructor for subclasses to call.142*/143public GSSManager() {}144145/**146* Returns the default GSSManager implementation.147*148* @return a GSSManager implementation149*/150public static GSSManager getInstance() {151return new sun.security.jgss.GSSManagerImpl();152}153154/**155* Returns a list of mechanisms that are available to GSS-API callers156* through this GSSManager. The default GSSManager obtained from the157* {@link #getInstance() getInstance()} method includes the Oid158* "1.2.840.113554.1.2.2" in its list. This Oid identifies the Kerberos159* v5 GSS-API mechanism that is defined in RFC 1964.160*161* @return an array of Oid objects corresponding to the mechanisms that162* are available. A <code>null</code> value is returned when no163* mechanism are available (an example of this would be when mechanism164* are dynamically configured, and currently no mechanisms are165* installed).166*/167public abstract Oid[] getMechs();168169/**170* Returns then name types supported by the indicated mechanism.<p>171*172* The default GSSManager instance includes support for the Kerberos v5173* mechanism. When this mechanism ("1.2.840.113554.1.2.2") is indicated,174* the returned list will contain at least the following nametypes:175* {@link GSSName#NT_HOSTBASED_SERVICE GSSName.NT_HOSTBASED_SERVICE},176* {@link GSSName#NT_EXPORT_NAME GSSName.NT_EXPORT_NAME}, and the177* Kerberos v5 specific Oid "1.2.840.113554.1.2.2.1". The namespace for178* the Oid "1.2.840.113554.1.2.2.1" is defined in RFC 1964.179*180* @return an array of Oid objects corresponding to the name types that181* the mechanism supports.182* @param mech the Oid of the mechanism to query183*184* @see #getMechsForName(Oid)185*186* @throws GSSException containing the following187* major error codes:188* {@link GSSException#BAD_MECH GSSException.BAD_MECH}189* {@link GSSException#FAILURE GSSException.FAILURE}190*/191public abstract Oid[] getNamesForMech(Oid mech)192throws GSSException;193194/**195* Returns a list of mechanisms that support the indicated name type.<p>196*197* The Kerberos v5 mechanism ("1.2.840.113554.1.2.2") will always be198* returned in this list when the indicated nametype is one of199* {@link GSSName#NT_HOSTBASED_SERVICE GSSName.NT_HOSTBASED_SERVICE},200* {@link GSSName#NT_EXPORT_NAME GSSName.NT_EXPORT_NAME}, or201* "1.2.840.113554.1.2.2.1".202*203* @return an array of Oid objects corresponding to the mechanisms that204* support the specified name type. <code>null</code> is returned when no205* mechanisms are found to support the specified name type.206* @param nameType the Oid of the name type to look for207*208* @see #getNamesForMech(Oid)209*/210public abstract Oid[] getMechsForName(Oid nameType);211212/**213* Factory method to convert a string name from the214* specified namespace to a GSSName object. In general, the215* <code>GSSName</code> object created will contain multiple216* representations of the name, one for each mechanism that is217* supported; two examples that are exceptions to this are when218* the namespace type parameter indicates NT_EXPORT_NAME or when the219* GSS-API implementation is not multi-mechanism. It is220* not recommended to use this method with a NT_EXPORT_NAME type because221* representing a previously exported name consisting of arbitrary bytes222* as a String might cause problems with character encoding schemes. In223* such cases it is recommended that the bytes be passed in directly to224* the overloaded form of this method {@link #createName(byte[],225* Oid) createName}.226*227* @param nameStr the string representing a printable form of the name to228* create.229* @param nameType the Oid specifying the namespace of the printable name230* supplied. <code>null</code> can be used to specify231* that a mechanism specific default printable syntax should232* be assumed by each mechanism that examines nameStr.233* It is not advisable to use the nametype NT_EXPORT_NAME with this234* method.235* @return a GSSName representing the indicated principal236*237* @see GSSName238* @see GSSName#NT_EXPORT_NAME239*240* @throws GSSException containing the following241* major error codes:242* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},243* {@link GSSException#BAD_NAME GSSException.BAD_NAME},244* {@link GSSException#BAD_MECH GSSException.BAD_MECH},245* {@link GSSException#FAILURE GSSException.FAILURE}246*/247public abstract GSSName createName(String nameStr, Oid nameType)248throws GSSException;249250/**251* Factory method to convert a byte array containing a252* name from the specified namespace to a GSSName object. In general,253* the <code>GSSName</code> object created will contain multiple254* representations of the name, one for each mechanism that is255* supported; two examples that are exceptions to this are when the256* namespace type parameter indicates NT_EXPORT_NAME or when the257* GSS-API implementation is not multi-mechanism. The bytes that are258* passed in are interpreted by each underlying mechanism according to259* some encoding scheme of its choice for the given nametype.260*261* @param name the byte array containing the name to create262* @param nameType the Oid specifying the namespace of the name supplied263* in the byte array. <code>null</code> can be used to specify that a264* mechanism specific default syntax should be assumed by each mechanism265* that examines the byte array.266* @return a GSSName representing the indicated principal267*268* @see GSSName269* @see GSSName#NT_EXPORT_NAME270*271* @throws GSSException containing the following272* major error codes:273* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},274* {@link GSSException#BAD_NAME GSSException.BAD_NAME},275* {@link GSSException#BAD_MECH GSSException.BAD_MECH},276* {@link GSSException#FAILURE GSSException.FAILURE}277*/278public abstract GSSName createName(byte name[], Oid nameType)279throws GSSException;280281/**282* Factory method to convert a string name from the283* specified namespace to a GSSName object and canonicalize it at the284* same time for a mechanism. In other words, this method is285* a utility that does the equivalent of two steps: the {@link286* #createName(String, Oid) createName} and then also the {@link287* GSSName#canonicalize(Oid) GSSName.canonicalize}.288*289* @param nameStr the string representing a printable form of the name to290* create.291* @param nameType the Oid specifying the namespace of the printable name292* supplied. <code>null</code> can be used to specify293* that a mechanism specific default printable syntax should294* be assumed by each mechanism that examines nameStr.295* It is not advisable to use the nametype NT_EXPORT_NAME with this296* method.297* @param mech Oid specifying the mechanism for which the name should be298* canonicalized299* @return a GSSName representing the indicated principal300*301* @see GSSName#canonicalize(Oid)302* @see GSSName#NT_EXPORT_NAME303*304* @throws GSSException containing the following305* major error codes:306* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},307* {@link GSSException#BAD_NAME GSSException.BAD_NAME},308* {@link GSSException#BAD_MECH GSSException.BAD_MECH},309* {@link GSSException#FAILURE GSSException.FAILURE}310*/311public abstract GSSName createName(String nameStr, Oid nameType,312Oid mech) throws GSSException;313314/**315* Factory method to convert a byte array containing a316* name from the specified namespace to a GSSName object and canonicalize317* it at the same time for a mechanism. In other words, this method is a318* utility that does the equivalent of two steps: the {@link319* #createName(byte[], Oid) createName} and then also {@link320* GSSName#canonicalize(Oid) GSSName.canonicalize}.321*322* @param name the byte array containing the name to create323* @param nameType the Oid specifying the namespace of the name supplied324* in the byte array. <code>null</code> can be used to specify that a325* mechanism specific default syntax should be assumed by each mechanism326* that examines the byte array.327* @param mech Oid specifying the mechanism for which the name should be328* canonicalized329* @return a GSSName representing the indicated principal330*331* @see GSSName#canonicalize(Oid)332* @see GSSName#NT_EXPORT_NAME333*334* @throws GSSException containing the following335* major error codes:336* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},337* {@link GSSException#BAD_NAME GSSException.BAD_NAME},338* {@link GSSException#BAD_MECH GSSException.BAD_MECH},339* {@link GSSException#FAILURE GSSException.FAILURE}340*/341public abstract GSSName createName(byte name[], Oid nameType, Oid mech)342throws GSSException;343344/**345* Factory method for acquiring default credentials. This will cause346* the GSS-API to use system specific defaults for the set of mechanisms,347* name, and lifetime.<p>348*349* GSS-API mechanism providers must impose a local access-control350* policy on callers to prevent unauthorized callers from acquiring351* credentials to which they are not entitled. The kinds of permissions352* needed by different mechanism providers will be documented on a353* per-mechanism basis. A failed permission check might cause a {@link354* java.lang.SecurityException SecurityException} to be thrown from355* this method.356*357* @param usage The intended usage for this credential object. The value358* of this parameter must be one of:359* {@link GSSCredential#INITIATE_AND_ACCEPT360* GSSCredential.INITIATE_AND_ACCEPT},361* {@link GSSCredential#ACCEPT_ONLY GSSCredential.ACCEPT_ONLY}, and362* {@link GSSCredential#INITIATE_ONLY GSSCredential.INITIATE_ONLY}.363* @return a GSSCredential of the requested type.364*365* @see GSSCredential366*367* @throws GSSException containing the following368* major error codes:369* {@link GSSException#BAD_MECH GSSException.BAD_MECH},370* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},371* {@link GSSException#BAD_NAME GSSException.BAD_NAME},372* {@link GSSException#CREDENTIALS_EXPIRED373* GSSException.CREDENTIALS_EXPIRED},374* {@link GSSException#NO_CRED GSSException.NO_CRED},375* {@link GSSException#FAILURE GSSException.FAILURE}376*/377public abstract GSSCredential createCredential (int usage)378throws GSSException;379380/**381* Factory method for acquiring a single mechanism credential.<p>382*383* GSS-API mechanism providers must impose a local access-control384* policy on callers to prevent unauthorized callers from acquiring385* credentials to which they are not entitled. The kinds of permissions386* needed by different mechanism providers will be documented on a387* per-mechanism basis. A failed permission check might cause a {@link388* java.lang.SecurityException SecurityException} to be thrown from389* this method. <p>390*391* Non-default values for lifetime cannot always be honored by the392* underlying mechanisms, thus applications should be prepared to call393* {@link GSSCredential#getRemainingLifetime() getRemainingLifetime}394* on the returned credential.395*396* @param name the name of the principal for whom this credential is to be397* acquired. Use <code>null</code> to specify the default principal.398* @param lifetime The number of seconds that credentials should remain399* valid. Use {@link GSSCredential#INDEFINITE_LIFETIME400* GSSCredential.INDEFINITE_LIFETIME} to request that the credentials401* have the maximum permitted lifetime. Use {@link402* GSSCredential#DEFAULT_LIFETIME GSSCredential.DEFAULT_LIFETIME} to403* request default credential lifetime.404* @param mech the Oid of the desired mechanism. Use <code>(Oid) null405* </code> to request the default mechanism.406* @param usage The intended usage for this credential object. The value407* of this parameter must be one of:408* {@link GSSCredential#INITIATE_AND_ACCEPT409* GSSCredential.INITIATE_AND_ACCEPT},410* {@link GSSCredential#ACCEPT_ONLY GSSCredential.ACCEPT_ONLY}, and411* {@link GSSCredential#INITIATE_ONLY GSSCredential.INITIATE_ONLY}.412* @return a GSSCredential of the requested type.413*414* @see GSSCredential415*416* @throws GSSException containing the following417* major error codes:418* {@link GSSException#BAD_MECH GSSException.BAD_MECH},419* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},420* {@link GSSException#BAD_NAME GSSException.BAD_NAME},421* {@link GSSException#CREDENTIALS_EXPIRED422* GSSException.CREDENTIALS_EXPIRED},423* {@link GSSException#NO_CRED GSSException.NO_CRED},424* {@link GSSException#FAILURE GSSException.FAILURE}425*/426public abstract GSSCredential createCredential (GSSName name,427int lifetime, Oid mech, int usage)428throws GSSException;429430/**431* Factory method for acquiring credentials over a set of432* mechanisms. This method attempts to acquire credentials for433* each of the mechanisms specified in the array called mechs. To434* determine the list of mechanisms for which the acquisition of435* credentials succeeded, the caller should use the {@link436* GSSCredential#getMechs() GSSCredential.getMechs} method.<p>437*438* GSS-API mechanism providers must impose a local access-control439* policy on callers to prevent unauthorized callers from acquiring440* credentials to which they are not entitled. The kinds of permissions441* needed by different mechanism providers will be documented on a442* per-mechanism basis. A failed permission check might cause a {@link443* java.lang.SecurityException SecurityException} to be thrown from444* this method.<p>445*446* Non-default values for lifetime cannot always be honored by the447* underlying mechanisms, thus applications should be prepared to call448* {@link GSSCredential#getRemainingLifetime() getRemainingLifetime}449* on the returned credential.450*451* @param name the name of the principal for whom this credential is to452* be acquired. Use <code>null</code> to specify the default453* principal.454* @param lifetime The number of seconds that credentials should remain455* valid. Use {@link GSSCredential#INDEFINITE_LIFETIME456* GSSCredential.INDEFINITE_LIFETIME} to request that the credentials457* have the maximum permitted lifetime. Use {@link458* GSSCredential#DEFAULT_LIFETIME GSSCredential.DEFAULT_LIFETIME} to459* request default credential lifetime.460* @param mechs an array of Oid's indicating the mechanisms over which461* the credential is to be acquired. Use <code>(Oid[]) null</code> for462* requesting a system specific default set of mechanisms.463* @param usage The intended usage for this credential object. The value464* of this parameter must be one of:465* {@link GSSCredential#INITIATE_AND_ACCEPT466* GSSCredential.INITIATE_AND_ACCEPT},467* {@link GSSCredential#ACCEPT_ONLY GSSCredential.ACCEPT_ONLY}, and468* {@link GSSCredential#INITIATE_ONLY GSSCredential.INITIATE_ONLY}.469* @return a GSSCredential of the requested type.470*471* @see GSSCredential472*473* @throws GSSException containing the following474* major error codes:475* {@link GSSException#BAD_MECH GSSException.BAD_MECH},476* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE},477* {@link GSSException#BAD_NAME GSSException.BAD_NAME},478* {@link GSSException#CREDENTIALS_EXPIRED479* GSSException.CREDENTIALS_EXPIRED},480* {@link GSSException#NO_CRED GSSException.NO_CRED},481* {@link GSSException#FAILURE GSSException.FAILURE}482*/483public abstract GSSCredential createCredential(GSSName name,484int lifetime, Oid mechs[], int usage)485throws GSSException;486487/**488* Factory method for creating a context on the initiator's489* side.490*491* Some mechanism providers might require that the caller be granted492* permission to initiate a security context. A failed permission check493* might cause a {@link java.lang.SecurityException SecurityException}494* to be thrown from this method.<p>495*496* Non-default values for lifetime cannot always be honored by the497* underlying mechanism, thus applications should be prepared to call498* {@link GSSContext#getLifetime() getLifetime} on the returned499* context.500*501* @param peer the name of the target peer.502* @param mech the Oid of the desired mechanism. Use <code>null</code>503* to request the default mechanism.504* @param myCred the credentials of the initiator. Use505* <code>null</code> to act as the default initiator principal.506* @param lifetime the lifetime, in seconds, requested for the507* context. Use {@link GSSContext#INDEFINITE_LIFETIME508* GSSContext.INDEFINITE_LIFETIME} to request that the context have the509* maximum permitted lifetime. Use {@link GSSContext#DEFAULT_LIFETIME510* GSSContext.DEFAULT_LIFETIME} to request a default lifetime for the511* context.512* @return an unestablished GSSContext513*514* @see GSSContext515*516* @throws GSSException containing the following517* major error codes:518* {@link GSSException#NO_CRED GSSException.NO_CRED}519* {@link GSSException#CREDENTIALS_EXPIRED520* GSSException.CREDENTIALS_EXPIRED}521* {@link GSSException#BAD_NAMETYPE GSSException.BAD_NAMETYPE}522* {@link GSSException#BAD_MECH GSSException.BAD_MECH}523* {@link GSSException#FAILURE GSSException.FAILURE}524*/525public abstract GSSContext createContext(GSSName peer, Oid mech,526GSSCredential myCred, int lifetime)527throws GSSException;528529/**530* Factory method for creating a context on the acceptor' side. The531* context's properties will be determined from the input token supplied532* to the accept method.533*534* Some mechanism providers might require that the caller be granted535* permission to accept a security context. A failed permission check536* might cause a {@link java.lang.SecurityException SecurityException}537* to be thrown from this method.538*539* @param myCred the credentials for the acceptor. Use540* <code>null</code> to act as a default acceptor principal.541* @return an unestablished GSSContext542*543* @see GSSContext544*545* @throws GSSException containing the following546* major error codes:547* {@link GSSException#NO_CRED GSSException.NO_CRED}548* {@link GSSException#CREDENTIALS_EXPIRED549* GSSException.CREDENTIALS_EXPIRED}550* {@link GSSException#BAD_MECH GSSException.BAD_MECH}551* {@link GSSException#FAILURE GSSException.FAILURE}552*/553public abstract GSSContext createContext(GSSCredential myCred)554throws GSSException;555556/**557* Factory method for creating a previously exported context. The558* context properties will be determined from the input token and559* cannot be modified through the set methods.<p>560*561* Implementations are not required to support the inter-process562* transfer of security contexts. Before exporting a context, calling563* the {@link GSSContext#isTransferable() GSSContext.isTransferable}564* will indicate if the context is transferable. Calling this method in565* an implementation that does not support it will result in a566* <code>GSSException</code> with the error567* code {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE}.568*569* Some mechanism providers might require that the caller be granted570* permission to initiate or accept a security context. A failed571* permission check might cause a {@link java.lang.SecurityException572* SecurityException} to be thrown from this method.573*574* @param interProcessToken the token previously emitted from the575* export method.576* @return the previously established GSSContext577*578* @see GSSContext579*580* @throws GSSException containing the following581* major error codes:582* {@link GSSException#NO_CONTEXT GSSException.NO_CONTEXT},583* {@link GSSException#DEFECTIVE_TOKEN GSSException.DEFECTIVE_TOKEN},584* {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE},585* {@link GSSException#UNAUTHORIZED GSSException.UNAUTHORIZED},586* {@link GSSException#FAILURE GSSException.FAILURE}587*/588public abstract GSSContext createContext(byte [] interProcessToken)589throws GSSException;590591/**592* This method is used to indicate to the GSSManager that the593* application would like a particular provider to be used ahead of all594* others when support is desired for the given mechanism. When a value595* of null is used instead of an <code>Oid</code> for the mechanism,596* the GSSManager must use the indicated provider ahead of all others597* no matter what the mechanism is. Only when the indicated provider598* does not support the needed mechanism should the GSSManager move on599* to a different provider.<p>600*601* Calling this method repeatedly preserves the older settings but602* lowers them in preference thus forming an ordered list of provider603* and <code>Oid</code> pairs that grows at the top.<p>604*605* Calling addProviderAtFront with a null <code>Oid</code> will remove606* all previous preferences that were set for this provider in the607* GSSManager instance. Calling addProviderAtFront with a non-null608* <code>Oid</code> will remove any previous preference that was set609* using this mechanism and this provider together.<p>610*611* If the GSSManager implementation does not support an SPI with a612* pluggable provider architecture it should throw a GSSException with613* the status code GSSException.UNAVAILABLE to indicate that the614* operation is unavailable.<p>615*616* Suppose an application desired that the provider A always be checked617* first when any mechanism is needed, it would call:618* <pre>619* GSSManager mgr = GSSManager.getInstance();620* // mgr may at this point have its own pre-configured list621* // of provider preferences. The following will prepend to622* // any such list:623*624* mgr.addProviderAtFront(A, null);625* </pre>626* Now if it also desired that the mechanism of Oid m1 always be627* obtained from the provider B before the previously set A was checked,628* it would call:629* <pre>630* mgr.addProviderAtFront(B, m1);631* </pre>632* The GSSManager would then first check with B if m1 was needed. In633* case B did not provide support for m1, the GSSManager would continue634* on to check with A. If any mechanism m2 is needed where m2 is635* different from m1 then the GSSManager would skip B and check with A636* directly.<p>637*638* Suppose at a later time the following call is made to the same639* GSSManager instance:640* <pre>641* mgr.addProviderAtFront(B, null)642* </pre>643* then the previous setting with the pair (B, m1) is subsumed by this644* and should be removed. Effectively the list of preferences now645* becomes {(B, null), (A, null),646* ... //followed by the pre-configured list.<p>647*648* Please note, however, that the following call:649* <pre>650* mgr.addProviderAtFront(A, m3)651* </pre>652* does not subsume the previous setting of (A, null) and the list will653* effectively become {(A, m3), (B, null), (A, null), ...}654*655* @param p the provider instance that should be used whenever support656* is needed for mech.657* @param mech the mechanism for which the provider is being set658*659* @throws GSSException containing the following660* major error codes:661* {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE},662* {@link GSSException#FAILURE GSSException.FAILURE}663*/664public abstract void addProviderAtFront(Provider p, Oid mech)665throws GSSException;666667/**668* This method is used to indicate to the GSSManager that the669* application would like a particular provider to be used if no other670* provider can be found that supports the given mechanism. When a value671* of null is used instead of an Oid for the mechanism, the GSSManager672* must use the indicated provider for any mechanism.<p>673*674* Calling this method repeatedly preserves the older settings but675* raises them above newer ones in preference thus forming an ordered676* list of providers and Oid pairs that grows at the bottom. Thus the677* older provider settings will be utilized first before this one is.<p>678*679* If there are any previously existing preferences that conflict with680* the preference being set here, then the GSSManager should ignore this681* request.<p>682*683* If the GSSManager implementation does not support an SPI with a684* pluggable provider architecture it should throw a GSSException with685* the status code GSSException.UNAVAILABLE to indicate that the686* operation is unavailable.<p>687*688* Suppose an application desired that when a mechanism of Oid m1 is689* needed the system default providers always be checked first, and only690* when they do not support m1 should a provider A be checked. It would691* then make the call:692* <pre>693* GSSManager mgr = GSSManager.getInstance();694* mgr.addProviderAtEnd(A, m1);695* </pre>696* Now, if it also desired that for all mechanisms the provider B be697* checked after all configured providers have been checked, it would698* then call:699* <pre>700* mgr.addProviderAtEnd(B, null);701* </pre>702* Effectively the list of preferences now becomes {..., (A, m1), (B,703* null)}.<p>704*705* Suppose at a later time the following call is made to the same706* GSSManager instance:707* <pre>708* mgr.addProviderAtEnd(B, m2)709* </pre>710* then the previous setting with the pair (B, null) subsumes this and711* therefore this request should be ignored. The same would happen if a712* request is made for the already existing pairs of (A, m1) or (B,713* null).<p>714*715* Please note, however, that the following call:716* <pre>717* mgr.addProviderAtEnd(A, null)718* </pre>719* is not subsumed by the previous setting of (A, m1) and the list will720* effectively become {..., (A, m1), (B, null), (A, null)}721*722* @param p the provider instance that should be used whenever support723* is needed for mech.724* @param mech the mechanism for which the provider is being set725*726* @throws GSSException containing the following727* major error codes:728* {@link GSSException#UNAVAILABLE GSSException.UNAVAILABLE},729* {@link GSSException#FAILURE GSSException.FAILURE}730*/731public abstract void addProviderAtEnd(Provider p, Oid mech)732throws GSSException;733}734735736