- java.lang.Object
-
- javax.security.auth.kerberos.KeyTab
-
public final class KeyTab extends Object
This class encapsulates a keytab file.A Kerberos JAAS login module that obtains long term secret keys from a keytab file should use this class. The login module will store an instance of this class in the private credential set of a
Subjectduring the commit phase of the authentication process.If a
KeyTabobject is obtained fromgetUnboundInstance()orgetUnboundInstance(java.io.File), it is unbound and thus can be used by any service principal. Otherwise, if it's obtained fromgetInstance(KerberosPrincipal)orgetInstance(KerberosPrincipal, java.io.File), it is bound to the specific service principal and can only be used by it.Please note the constructors
getInstance()andgetInstance(java.io.File)were created when there was no support for unbound keytabs. These methods should not be used anymore. An object created with either of these methods are considered to be bound to an unknown principal, which means, itsisBound()returns true andgetPrincipal()returns null.It might be necessary for the application to be granted a
PrivateCredentialPermissionif it needs to access theKeyTabinstance from aSubject. This permission is not needed when the application depends on the default JGSS Kerberos mechanism to access theKeyTab. In that case, however, the application will need an appropriateServicePermission.The keytab file format is described at http://www.ioplex.com/utilities/keytab.txt.
- Since:
- 1.7
-
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description booleanequals(Object other)Compares the specified object with thisKeyTabfor equality.booleanexists()Checks if the keytab file exists.static KeyTabgetInstance()Returns the defaultKeyTabinstance that is bound to an unknown service principal.static KeyTabgetInstance(File file)Returns aKeyTabinstance from aFileobject that is bound to an unknown service principal.static KeyTabgetInstance(KerberosPrincipal princ)Returns the defaultKeyTabinstance that is bound to the specified service principal.static KeyTabgetInstance(KerberosPrincipal princ, File file)Returns aKeyTabinstance from aFileobject that is bound to the specified service principal.KerberosKey[]getKeys(KerberosPrincipal principal)Returns fresh keys for the given Kerberos principal.KerberosPrincipalgetPrincipal()Returns the service principal thisKeyTabobject is bound to.static KeyTabgetUnboundInstance()Returns the default unboundKeyTabinstance.static KeyTabgetUnboundInstance(File file)Returns an unboundKeyTabinstance from aFileobject.inthashCode()Returns a hash code for thisKeyTab.booleanisBound()Returns if the keytab is bound to a principalStringtoString()Returns an informative textual representation of thisKeyTab.
-
-
-
Method Detail
-
getInstance
public static KeyTab getInstance(File file)
Returns aKeyTabinstance from aFileobject that is bound to an unknown service principal.The result of this method is never null. This method only associates the returned
KeyTabobject with the file and does not read it.Developers should call
getInstance(KerberosPrincipal,File)when the bound service principal is known.- Parameters:
file- the keytabFileobject, must not be null- Returns:
- the keytab instance
- Throws:
NullPointerException- if thefileargument is null
-
getUnboundInstance
public static KeyTab getUnboundInstance(File file)
Returns an unboundKeyTabinstance from aFileobject.The result of this method is never null. This method only associates the returned
KeyTabobject with the file and does not read it.- Parameters:
file- the keytabFileobject, must not be null- Returns:
- the keytab instance
- Throws:
NullPointerException- if the file argument is null- Since:
- 1.8
-
getInstance
public static KeyTab getInstance(KerberosPrincipal princ, File file)
Returns aKeyTabinstance from aFileobject that is bound to the specified service principal.The result of this method is never null. This method only associates the returned
KeyTabobject with the file and does not read it.- Parameters:
princ- the bound service principal, must not be nullfile- the keytabFileobject, must not be null- Returns:
- the keytab instance
- Throws:
NullPointerException- if either of the arguments is null- Since:
- 1.8
-
getInstance
public static KeyTab getInstance()
Returns the defaultKeyTabinstance that is bound to an unknown service principal.The result of this method is never null. This method only associates the returned
KeyTabobject with the default keytab file and does not read it.Developers should call
getInstance(KerberosPrincipal)when the bound service principal is known.- Returns:
- the default keytab instance.
-
getUnboundInstance
public static KeyTab getUnboundInstance()
Returns the default unboundKeyTabinstance.The result of this method is never null. This method only associates the returned
KeyTabobject with the default keytab file and does not read it.- Returns:
- the default keytab instance
- Since:
- 1.8
-
getInstance
public static KeyTab getInstance(KerberosPrincipal princ)
Returns the defaultKeyTabinstance that is bound to the specified service principal.The result of this method is never null. This method only associates the returned
KeyTabobject with the default keytab file and does not read it.- Parameters:
princ- the bound service principal, must not be null- Returns:
- the default keytab instance
- Throws:
NullPointerException- ifprincis null- Since:
- 1.8
-
getKeys
public KerberosKey[] getKeys(KerberosPrincipal principal)
Returns fresh keys for the given Kerberos principal.Implementation of this method should make sure the returned keys match the latest content of the keytab file. The result is a newly created copy that can be modified by the caller without modifying the keytab object. The caller should
destroythe result keys after they are used.Please note that the keytab file can be created after the
KeyTabobject is instantiated and its content may change over time. Therefore, an application should call this method only when it needs to use the keys. Any previous result from an earlier invocation could potentially be expired.If there is any error (say, I/O error or format error) during the reading process of the keytab file, a saved result should be returned. If there is no saved result (say, this is the first time this method is called, or, all previous read attempts failed), an empty array should be returned. This can make sure the result is not drastically changed during the (probably slow) update of the keytab file.
Each time this method is called and the reading of the file succeeds with no exception (say, I/O error or file format error), the result should be saved for
principal. The implementation can also save keys for other principals having keys in the same keytab object if convenient.Any unsupported key read from the keytab is ignored and not included in the result.
If this keytab is bound to a specific principal, calling this method on another principal will return an empty array.
- Parameters:
principal- the Kerberos principal, must not be null.- Returns:
- the keys (never null, may be empty)
- Throws:
NullPointerException- if theprincipalargument is nullSecurityException- if a security manager exists and the read access to the keytab file is not permitted
-
exists
public boolean exists()
Checks if the keytab file exists. Implementation of this method should make sure that the result matches the latest status of the keytab file.The caller can use the result to determine if it should fallback to another mechanism to read the keys.
- Returns:
- true if the keytab file exists; false otherwise.
- Throws:
SecurityException- if a security manager exists and the read access to the keytab file is not permitted
-
toString
public String toString()
Returns an informative textual representation of thisKeyTab.
-
hashCode
public int hashCode()
Returns a hash code for thisKeyTab.- Overrides:
hashCodein classObject- Returns:
- a hash code for this
KeyTab. - See Also:
Object.equals(java.lang.Object)
-
equals
public boolean equals(Object other)
Compares the specified object with thisKeyTabfor equality. Returns true if the given object is also aKeyTaband the twoKeyTabinstances are equivalent.- Overrides:
equalsin classObject- Parameters:
other- the object to compare to- Returns:
- true if the specified object is equal to this
KeyTab - See Also:
Object.hashCode()
-
getPrincipal
public KerberosPrincipal getPrincipal()
Returns the service principal thisKeyTabobject is bound to. Returnsnullif it's not bound.Please note the deprecated constructors create a
KeyTabobject bound for some unknown principal. In this case, this method also returns null. User can callisBound()to verify this case.- Returns:
- the service principal
- Since:
- 1.8
-
isBound
public boolean isBound()
Returns if the keytab is bound to a principal- Returns:
- if the keytab is bound to a principal
- Since:
- 1.8
-
-