001/* 002 * Copyright 2011-2014 UnboundID Corp. 003 * All Rights Reserved. 004 */ 005/* 006 * Copyright (C) 2011-2014 UnboundID Corp. 007 * 008 * This program is free software; you can redistribute it and/or modify 009 * it under the terms of the GNU General Public License (GPLv2 only) 010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only) 011 * as published by the Free Software Foundation. 012 * 013 * This program is distributed in the hope that it will be useful, 014 * but WITHOUT ANY WARRANTY; without even the implied warranty of 015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 016 * GNU General Public License for more details. 017 * 018 * You should have received a copy of the GNU General Public License 019 * along with this program; if not, see <http://www.gnu.org/licenses>. 020 */ 021package com.unboundid.ldap.sdk; 022 023 024 025import java.io.Serializable; 026import java.util.ArrayList; 027import java.util.Arrays; 028import java.util.Collection; 029import java.util.Collections; 030import java.util.Iterator; 031import java.util.LinkedHashSet; 032import java.util.List; 033import java.util.Set; 034 035import com.unboundid.asn1.ASN1OctetString; 036import com.unboundid.util.Mutable; 037import com.unboundid.util.StaticUtils; 038import com.unboundid.util.ThreadSafety; 039import com.unboundid.util.ThreadSafetyLevel; 040import com.unboundid.util.Validator; 041 042 043 044/** 045 * This class provides a data structure that may be used to hold a number of 046 * properties that may be used during processing for a SASL GSSAPI bind 047 * operation. 048 */ 049@Mutable() 050@ThreadSafety(level=ThreadSafetyLevel.NOT_THREADSAFE) 051public final class GSSAPIBindRequestProperties 052 implements Serializable 053{ 054 /** 055 * The serial version UID for this serializable class. 056 */ 057 private static final long serialVersionUID = 6872295509330315713L; 058 059 060 061 // The password for the GSSAPI bind request. 062 private ASN1OctetString password; 063 064 // Indicates whether to enable JVM-level debugging for GSSAPI processing. 065 private boolean enableGSSAPIDebugging; 066 067 // Indicates whether to attempt to renew the client's existing ticket-granting 068 // ticket if authentication uses an existing Kerberos session. 069 private boolean renewTGT; 070 071 // Indicates whether to require that the credentials be obtained from the 072 // ticket cache such that authentication will fail if the client does not have 073 // an existing Kerberos session. 074 private boolean requireCachedCredentials; 075 076 // Indicates whether to allow the client to use credentials that are outside 077 // of the current subject. 078 private boolean useSubjectCredentialsOnly; 079 080 // Indicates whether to enable the use of a ticket cache. 081 private boolean useTicketCache; 082 083 // The SASL quality of protection value(s) allowed for the DIGEST-MD5 bind 084 // request. 085 private List<SASLQualityOfProtection> allowedQoP; 086 087 // The names of any system properties that should not be altered by GSSAPI 088 // processing. 089 private Set<String> suppressedSystemProperties; 090 091 // The authentication ID string for the GSSAPI bind request. 092 private String authenticationID; 093 094 // The authorization ID string for the GSSAPI bind request, if available. 095 private String authorizationID; 096 097 // The path to the JAAS configuration file to use for bind processing. 098 private String configFilePath; 099 100 // The name that will be used to identify this client in the JAAS framework. 101 private String jaasClientName; 102 103 // The KDC address for the GSSAPI bind request, if available. 104 private String kdcAddress; 105 106 // The realm for the GSSAPI bind request, if available. 107 private String realm; 108 109 // The server name to use when creating the SASL client. 110 private String saslClientServerName; 111 112 // The protocol that should be used in the Kerberos service principal for 113 // the server system. 114 private String servicePrincipalProtocol; 115 116 // The path to the Kerberos ticket cache to use. 117 private String ticketCachePath; 118 119 120 121 /** 122 * Creates a new set of GSSAPI bind request properties with the provided 123 * information. 124 * 125 * @param authenticationID The authentication ID for the GSSAPI bind 126 * request. It may be {@code null} if an existing 127 * Kerberos session should be used. 128 * @param password The password for the GSSAPI bind request. It may 129 * be {@code null} if an existing Kerberos session 130 * should be used. 131 */ 132 public GSSAPIBindRequestProperties(final String authenticationID, 133 final String password) 134 { 135 this(authenticationID, null, 136 (password == null ? null : new ASN1OctetString(password)), null, null, 137 null); 138 } 139 140 141 142 /** 143 * Creates a new set of GSSAPI bind request properties with the provided 144 * information. 145 * 146 * @param authenticationID The authentication ID for the GSSAPI bind 147 * request. It may be {@code null} if an existing 148 * Kerberos session should be used. 149 * @param password The password for the GSSAPI bind request. It may 150 * be {@code null} if an existing Kerberos session 151 * should be used. 152 */ 153 public GSSAPIBindRequestProperties(final String authenticationID, 154 final byte[] password) 155 { 156 this(authenticationID, null, 157 (password == null ? null : new ASN1OctetString(password)), null, null, 158 null); 159 } 160 161 162 163 /** 164 * Creates a new set of GSSAPI bind request properties with the provided 165 * information. 166 * 167 * @param authenticationID The authentication ID for the GSSAPI bind 168 * request. It may be {@code null} if an existing 169 * Kerberos session should be used. 170 * @param authorizationID The authorization ID for the GSSAPI bind request. 171 * It may be {@code null} if the authorization ID 172 * should be the same as the authentication ID. 173 * @param password The password for the GSSAPI bind request. It may 174 * be {@code null} if an existing Kerberos session 175 * should be used. 176 * @param realm The realm to use for the authentication. It may 177 * be {@code null} to attempt to use the default 178 * realm from the system configuration. 179 * @param kdcAddress The address of the Kerberos key distribution 180 * center. It may be {@code null} to attempt to use 181 * the default KDC from the system configuration. 182 * @param configFilePath The path to the JAAS configuration file to use 183 * for the authentication processing. It may be 184 * {@code null} to use the default JAAS 185 * configuration. 186 */ 187 GSSAPIBindRequestProperties(final String authenticationID, 188 final String authorizationID, 189 final ASN1OctetString password, 190 final String realm, 191 final String kdcAddress, 192 final String configFilePath) 193 { 194 this.authenticationID = authenticationID; 195 this.authorizationID = authorizationID; 196 this.password = password; 197 this.realm = realm; 198 this.kdcAddress = kdcAddress; 199 this.configFilePath = configFilePath; 200 201 servicePrincipalProtocol = "ldap"; 202 enableGSSAPIDebugging = false; 203 jaasClientName = "GSSAPIBindRequest"; 204 renewTGT = false; 205 useSubjectCredentialsOnly = true; 206 useTicketCache = true; 207 requireCachedCredentials = false; 208 saslClientServerName = null; 209 ticketCachePath = null; 210 suppressedSystemProperties = Collections.emptySet(); 211 allowedQoP = Collections.unmodifiableList(Arrays.asList( 212 SASLQualityOfProtection.AUTH)); 213 } 214 215 216 217 /** 218 * Retrieves the authentication ID for the GSSAPI bind request, if defined. 219 * 220 * @return The authentication ID for the GSSAPI bind request, or {@code null} 221 * if an existing Kerberos session should be used. 222 */ 223 public String getAuthenticationID() 224 { 225 return authenticationID; 226 } 227 228 229 230 /** 231 * Sets the authentication ID for the GSSAPI bind request. 232 * 233 * @param authenticationID The authentication ID for the GSSAPI bind 234 * request. It may be {@code null} if an existing 235 * Kerberos session should be used. 236 */ 237 public void setAuthenticationID(final String authenticationID) 238 { 239 this.authenticationID = authenticationID; 240 } 241 242 243 244 /** 245 * Retrieves the authorization ID for the GSSAPI bind request, if defined. 246 * 247 * @return The authorizationID for the GSSAPI bind request, or {@code null} 248 * if the authorization ID should be the same as the authentication 249 * ID. 250 */ 251 public String getAuthorizationID() 252 { 253 return authorizationID; 254 } 255 256 257 258 /** 259 * Specifies the authorization ID for the GSSAPI bind request. 260 * 261 * @param authorizationID The authorization ID for the GSSAPI bind request. 262 * It may be {@code null} if the authorization ID 263 * should be the same as the authentication ID. 264 */ 265 public void setAuthorizationID(final String authorizationID) 266 { 267 this.authorizationID = authorizationID; 268 } 269 270 271 272 /** 273 * Retrieves the password that should be used for the GSSAPI bind request, if 274 * defined. 275 * 276 * @return The password that should be used for the GSSAPI bind request, or 277 * {@code null} if an existing Kerberos session should be used. 278 */ 279 public ASN1OctetString getPassword() 280 { 281 return password; 282 } 283 284 285 286 /** 287 * Specifies the password that should be used for the GSSAPI bind request. 288 * 289 * @param password The password that should be used for the GSSAPI bind 290 * request. It may be {@code null} if an existing 291 * Kerberos session should be used. 292 */ 293 public void setPassword(final String password) 294 { 295 if (password == null) 296 { 297 this.password = null; 298 } 299 else 300 { 301 this.password = new ASN1OctetString(password); 302 } 303 } 304 305 306 307 /** 308 * Specifies the password that should be used for the GSSAPI bind request. 309 * 310 * @param password The password that should be used for the GSSAPI bind 311 * request. It may be {@code null} if an existing 312 * Kerberos session should be used. 313 */ 314 public void setPassword(final byte[] password) 315 { 316 if (password == null) 317 { 318 this.password = null; 319 } 320 else 321 { 322 this.password = new ASN1OctetString(password); 323 } 324 } 325 326 327 328 /** 329 * Specifies the password that should be used for the GSSAPI bind request. 330 * 331 * @param password The password that should be used for the GSSAPI bind 332 * request. It may be {@code null} if an existing 333 * Kerberos session should be used. 334 */ 335 public void setPassword(final ASN1OctetString password) 336 { 337 this.password = password; 338 } 339 340 341 342 /** 343 * Retrieves the realm to use for the GSSAPI bind request, if defined. 344 * 345 * @return The realm to use for the GSSAPI bind request, or {@code null} if 346 * the request should attempt to use the default realm from the 347 * system configuration. 348 */ 349 public String getRealm() 350 { 351 return realm; 352 } 353 354 355 356 /** 357 * Specifies the realm to use for the GSSAPI bind request. 358 * 359 * @param realm The realm to use for the GSSAPI bind request. It may be 360 * {@code null} if the request should attempt to use the 361 * default realm from the system configuration. 362 */ 363 public void setRealm(final String realm) 364 { 365 this.realm = realm; 366 } 367 368 369 370 /** 371 * Retrieves the list of allowed qualities of protection that may be used for 372 * communication that occurs on the connection after the authentication has 373 * completed, in order from most preferred to least preferred. 374 * 375 * @return The list of allowed qualities of protection that may be used for 376 * communication that occurs on the connection after the 377 * authentication has completed, in order from most preferred to 378 * least preferred. 379 */ 380 public List<SASLQualityOfProtection> getAllowedQoP() 381 { 382 return allowedQoP; 383 } 384 385 386 387 /** 388 * Specifies the list of allowed qualities of protection that may be used for 389 * communication that occurs on the connection after the authentication has 390 * completed, in order from most preferred to least preferred. 391 * 392 * @param allowedQoP The list of allowed qualities of protection that may be 393 * used for communication that occurs on the connection 394 * after the authentication has completed, in order from 395 * most preferred to least preferred. If this is 396 * {@code null} or empty, then a list containing only the 397 * {@link SASLQualityOfProtection#AUTH} quality of 398 * protection value will be used. 399 */ 400 public void setAllowedQoP(final List<SASLQualityOfProtection> allowedQoP) 401 { 402 if ((allowedQoP == null) || allowedQoP.isEmpty()) 403 { 404 this.allowedQoP = Collections.unmodifiableList(Arrays.asList( 405 SASLQualityOfProtection.AUTH)); 406 } 407 else 408 { 409 this.allowedQoP = Collections.unmodifiableList( 410 new ArrayList<SASLQualityOfProtection>(allowedQoP)); 411 } 412 } 413 414 415 416 /** 417 * Specifies the list of allowed qualities of protection that may be used for 418 * communication that occurs on the connection after the authentication has 419 * completed, in order from most preferred to least preferred. 420 * 421 * @param allowedQoP The list of allowed qualities of protection that may be 422 * used for communication that occurs on the connection 423 * after the authentication has completed, in order from 424 * most preferred to least preferred. If this is 425 * {@code null} or empty, then a list containing only the 426 * {@link SASLQualityOfProtection#AUTH} quality of 427 * protection value will be used. 428 */ 429 public void setAllowedQoP(final SASLQualityOfProtection... allowedQoP) 430 { 431 setAllowedQoP(StaticUtils.toList(allowedQoP)); 432 } 433 434 435 436 /** 437 * Retrieves the address to use for the Kerberos key distribution center, 438 * if defined. 439 * 440 * @return The address to use for the Kerberos key distribution center, or 441 * {@code null} if request should attempt to determine the KDC 442 * address from the system configuration. 443 */ 444 public String getKDCAddress() 445 { 446 return kdcAddress; 447 } 448 449 450 451 /** 452 * Specifies the address to use for the Kerberos key distribution center. 453 * 454 * @param kdcAddress The address to use for the Kerberos key distribution 455 * center. It may be {@code null} if the request should 456 * attempt to determine the KDC address from the system 457 * configuration. 458 */ 459 public void setKDCAddress(final String kdcAddress) 460 { 461 this.kdcAddress = kdcAddress; 462 } 463 464 465 466 /** 467 * Retrieves the name that will be used to identify this client in the JAAS 468 * framework. 469 * 470 * @return The name that will be used to identify this client in the JAAS 471 * framework. 472 */ 473 public String getJAASClientName() 474 { 475 return jaasClientName; 476 } 477 478 479 480 /** 481 * Specifies the name that will be used to identify this client in the JAAS 482 * framework. 483 * 484 * @param jaasClientName The name that will be used to identify this client 485 * in the JAAS framework. It must not be 486 * {@code null} or empty. 487 */ 488 public void setJAASClientName(final String jaasClientName) 489 { 490 Validator.ensureNotNull(jaasClientName); 491 492 this.jaasClientName = jaasClientName; 493 } 494 495 496 497 /** 498 * Retrieves the path to a JAAS configuration file that should be used when 499 * processing the GSSAPI bind request, if defined. 500 * 501 * @return The path to a JAAS configuration file that should be used when 502 * processing the GSSAPI bind request, or {@code null} if a JAAS 503 * configuration file should be automatically constructed for the 504 * bind request. 505 */ 506 public String getConfigFilePath() 507 { 508 return configFilePath; 509 } 510 511 512 513 /** 514 * Specifies the path to a JAAS configuration file that should be used when 515 * processing the GSSAPI bind request. 516 * 517 * @param configFilePath The path to a JAAS configuration file that should 518 * be used when processing the GSSAPI bind request. 519 * It may be {@code null} if a configuration file 520 * should be automatically constructed for the bind 521 * request. 522 */ 523 public void setConfigFilePath(final String configFilePath) 524 { 525 this.configFilePath = configFilePath; 526 } 527 528 529 530 /** 531 * Retrieves the server name that should be used when creating the Java 532 * {@code SaslClient}, if one is defined. 533 * 534 * @return The server name that should be used when creating the Java 535 * {@code SaslClient}, or {@code null} if none is defined and the 536 * {@code SaslClient} should use the address specified when 537 * establishing the connection. 538 */ 539 public String getSASLClientServerName() 540 { 541 return saslClientServerName; 542 } 543 544 545 546 /** 547 * Specifies the server name that should be used when creating the Java 548 * {@code SaslClient}. 549 * 550 * @param saslClientServerName The server name that should be used when 551 * creating the Java {@code SaslClient}. It may 552 * be {@code null} to indicate that the 553 * {@code SaslClient} should be created with the 554 * 555 */ 556 public void setSASLClientServerName(final String saslClientServerName) 557 { 558 this.saslClientServerName = saslClientServerName; 559 } 560 561 562 563 /** 564 * Retrieves the protocol specified in the service principal that the 565 * directory server uses for its communication with the KDC. The service 566 * principal is usually something like "ldap/directory.example.com", where 567 * "ldap" is the protocol and "directory.example.com" is the fully-qualified 568 * address of the directory server system, but some servers may allow 569 * authentication with a service principal with a protocol other than "ldap". 570 * 571 * @return The protocol specified in the service principal that the directory 572 * server uses for its communication with the KDC. 573 */ 574 public String getServicePrincipalProtocol() 575 { 576 return servicePrincipalProtocol; 577 } 578 579 580 581 /** 582 * Specifies the protocol specified in the service principal that the 583 * directory server uses for its communication with the KDC. This should 584 * generally be "ldap", but some servers may allow a service principal with a 585 * protocol other than "ldap". 586 * 587 * @param servicePrincipalProtocol The protocol specified in the service 588 * principal that the directory server uses 589 * for its communication with the KDC. 590 */ 591 public void setServicePrincipalProtocol(final String servicePrincipalProtocol) 592 { 593 Validator.ensureNotNull(servicePrincipalProtocol); 594 595 this.servicePrincipalProtocol = servicePrincipalProtocol; 596 } 597 598 599 600 /** 601 * Indicates whether to allow the client to use credentials that are outside 602 * of the current subject, obtained via some system-specific mechanism. 603 * 604 * @return {@code true} if the client will only be allowed to use credentials 605 * that are within the current subject, or {@code false} if the 606 * client will be allowed to use credentials outside the current 607 * subject. 608 */ 609 public boolean useSubjectCredentialsOnly() 610 { 611 return useSubjectCredentialsOnly; 612 } 613 614 615 616 /** 617 * Specifies whether to allow the client to use credentials that are outside 618 * the current subject. If this is {@code false}, then a system-specific 619 * mechanism may be used in an attempt to obtain credentials from an 620 * existing session. 621 * 622 * @param useSubjectCredentialsOnly Indicates whether to allow the client to 623 * use credentials that are outside of the 624 * current subject. 625 */ 626 public void setUseSubjectCredentialsOnly( 627 final boolean useSubjectCredentialsOnly) 628 { 629 this.useSubjectCredentialsOnly = useSubjectCredentialsOnly; 630 } 631 632 633 634 /** 635 * Indicates whether to enable the use of a ticket cache to to avoid the need 636 * to supply credentials if the client already has an existing Kerberos 637 * session. 638 * 639 * @return {@code true} if a ticket cache may be used to take advantage of an 640 * existing Kerberos session, or {@code false} if Kerberos 641 * credentials should always be provided. 642 */ 643 public boolean useTicketCache() 644 { 645 return useTicketCache; 646 } 647 648 649 650 /** 651 * Specifies whether to enable the use of a ticket cache to to avoid the need 652 * to supply credentials if the client already has an existing Kerberos 653 * session. 654 * 655 * @param useTicketCache Indicates whether to enable the use of a ticket 656 * cache to to avoid the need to supply credentials if 657 * the client already has an existing Kerberos 658 * session. 659 */ 660 public void setUseTicketCache(final boolean useTicketCache) 661 { 662 this.useTicketCache = useTicketCache; 663 } 664 665 666 667 /** 668 * Indicates whether GSSAPI authentication should only occur using an existing 669 * Kerberos session. 670 * 671 * @return {@code true} if GSSAPI authentication should only use an existing 672 * Kerberos session and should fail if the client does not have an 673 * existing session, or {@code false} if the client will be allowed 674 * to create a new session if one does not already exist. 675 */ 676 public boolean requireCachedCredentials() 677 { 678 return requireCachedCredentials; 679 } 680 681 682 683 /** 684 * Specifies whether an GSSAPI authentication should only occur using an 685 * existing Kerberos session. 686 * 687 * @param requireCachedCredentials Indicates whether an existing Kerberos 688 * session will be required for 689 * authentication. If {@code true}, then 690 * authentication will fail if the client 691 * does not already have an existing 692 * Kerberos session. This will be ignored 693 * if {@code useTicketCache} is false. 694 */ 695 public void setRequireCachedCredentials( 696 final boolean requireCachedCredentials) 697 { 698 this.requireCachedCredentials = requireCachedCredentials; 699 } 700 701 702 703 /** 704 * Retrieves the path to the Kerberos ticket cache file that should be used 705 * during authentication, if defined. 706 * 707 * @return The path to the Kerberos ticket cache file that should be used 708 * during authentication, or {@code null} if the default ticket cache 709 * file should be used. 710 */ 711 public String getTicketCachePath() 712 { 713 return ticketCachePath; 714 } 715 716 717 718 /** 719 * Specifies the path to the Kerberos ticket cache file that should be used 720 * during authentication. 721 * 722 * @param ticketCachePath The path to the Kerberos ticket cache file that 723 * should be used during authentication. It may be 724 * {@code null} if the default ticket cache file 725 * should be used. 726 */ 727 public void setTicketCachePath(final String ticketCachePath) 728 { 729 this.ticketCachePath = ticketCachePath; 730 } 731 732 733 734 /** 735 * Indicates whether to attempt to renew the client's ticket-granting ticket 736 * (TGT) if an existing Kerberos session is used to authenticate. 737 * 738 * @return {@code true} if the client should attempt to renew its 739 * ticket-granting ticket if the authentication is processed using an 740 * existing Kerberos session, or {@code false} if not. 741 */ 742 public boolean renewTGT() 743 { 744 return renewTGT; 745 } 746 747 748 749 /** 750 * Specifies whether to attempt to renew the client's ticket-granting ticket 751 * (TGT) if an existing Kerberos session is used to authenticate. 752 * 753 * @param renewTGT Indicates whether to attempt to renew the client's 754 * ticket-granting ticket if an existing Kerberos session is 755 * used to authenticate. 756 */ 757 public void setRenewTGT(final boolean renewTGT) 758 { 759 this.renewTGT = renewTGT; 760 } 761 762 763 764 /** 765 * Retrieves a set of system properties that will not be altered by GSSAPI 766 * processing. 767 * 768 * @return A set of system properties that will not be altered by GSSAPI 769 * processing. 770 */ 771 public Set<String> getSuppressedSystemProperties() 772 { 773 return suppressedSystemProperties; 774 } 775 776 777 778 /** 779 * Specifies a set of system properties that will not be altered by GSSAPI 780 * processing. This should generally only be used in cases in which the 781 * specified system properties are known to already be set correctly for the 782 * desired authentication processing. 783 * 784 * @param suppressedSystemProperties A set of system properties that will 785 * not be altered by GSSAPI processing. 786 * It may be {@code null} or empty to 787 * indicate that no properties should be 788 * suppressed. 789 */ 790 public void setSuppressedSystemProperties( 791 final Collection<String> suppressedSystemProperties) 792 { 793 if (suppressedSystemProperties == null) 794 { 795 this.suppressedSystemProperties = Collections.emptySet(); 796 } 797 else 798 { 799 this.suppressedSystemProperties = Collections.unmodifiableSet( 800 new LinkedHashSet<String>(suppressedSystemProperties)); 801 } 802 } 803 804 805 806 /** 807 * Indicates whether JVM-level debugging should be enabled for GSSAPI bind 808 * processing. If this is enabled, then debug information may be written to 809 * standard error when performing GSSAPI processing that could be useful for 810 * debugging authentication problems. 811 * 812 * @return {@code true} if JVM-level debugging should be enabled for GSSAPI 813 * bind processing, or {@code false} if not. 814 */ 815 public boolean enableGSSAPIDebugging() 816 { 817 return enableGSSAPIDebugging; 818 } 819 820 821 822 /** 823 * Specifies whether JVM-level debugging should be enabled for GSSAPI bind 824 * processing. If this is enabled, then debug information may be written to 825 * standard error when performing GSSAPI processing that could be useful for 826 * debugging authentication problems. 827 * 828 * @param enableGSSAPIDebugging Specifies whether JVM-level debugging should 829 * be enabled for GSSAPI bind processing. 830 */ 831 public void setEnableGSSAPIDebugging(final boolean enableGSSAPIDebugging) 832 { 833 this.enableGSSAPIDebugging = enableGSSAPIDebugging; 834 } 835 836 837 838 /** 839 * Retrieves a string representation of the GSSAPI bind request properties. 840 * 841 * @return A string representation of the GSSAPI bind request properties. 842 */ 843 @Override() 844 public String toString() 845 { 846 final StringBuilder buffer = new StringBuilder(); 847 toString(buffer); 848 return buffer.toString(); 849 } 850 851 852 853 /** 854 * Appends a string representation of the GSSAPI bind request properties to 855 * the provided buffer. 856 * 857 * @param buffer The buffer to which the information should be appended. 858 */ 859 public void toString(final StringBuilder buffer) 860 { 861 buffer.append("GSSAPIBindRequestProperties("); 862 if (authenticationID != null) 863 { 864 buffer.append("authenticationID='"); 865 buffer.append(authenticationID); 866 buffer.append("', "); 867 } 868 869 if (authorizationID != null) 870 { 871 buffer.append("authorizationID='"); 872 buffer.append(authorizationID); 873 buffer.append("', "); 874 } 875 876 if (realm != null) 877 { 878 buffer.append("realm='"); 879 buffer.append(realm); 880 buffer.append("', "); 881 } 882 883 buffer.append("qop='"); 884 buffer.append(SASLQualityOfProtection.toString(allowedQoP)); 885 buffer.append("', "); 886 887 if (kdcAddress != null) 888 { 889 buffer.append("kdcAddress='"); 890 buffer.append(kdcAddress); 891 buffer.append("', "); 892 } 893 894 buffer.append("useSubjectCredentialsOnly="); 895 buffer.append(useSubjectCredentialsOnly); 896 buffer.append(", "); 897 898 if (useTicketCache) 899 { 900 buffer.append("useTicketCache=true, requireCachedCredentials="); 901 buffer.append(requireCachedCredentials); 902 buffer.append(", renewTGT="); 903 buffer.append(renewTGT); 904 buffer.append(", "); 905 906 if (ticketCachePath != null) 907 { 908 buffer.append("ticketCachePath='"); 909 buffer.append(ticketCachePath); 910 buffer.append("', "); 911 } 912 } 913 else 914 { 915 buffer.append("useTicketCache=false, "); 916 } 917 918 buffer.append("jaasClientName='"); 919 buffer.append(jaasClientName); 920 buffer.append("', "); 921 922 if (configFilePath != null) 923 { 924 buffer.append("configFilePath='"); 925 buffer.append(configFilePath); 926 buffer.append("', "); 927 } 928 929 if (saslClientServerName != null) 930 { 931 buffer.append("saslClientServerName='"); 932 buffer.append(saslClientServerName); 933 buffer.append("', "); 934 } 935 936 buffer.append("servicePrincipalProtocol='"); 937 buffer.append(servicePrincipalProtocol); 938 buffer.append("', suppressedSystemProperties={"); 939 940 final Iterator<String> propIterator = suppressedSystemProperties.iterator(); 941 while (propIterator.hasNext()) 942 { 943 buffer.append('\''); 944 buffer.append(propIterator.next()); 945 buffer.append('\''); 946 947 if (propIterator.hasNext()) 948 { 949 buffer.append(", "); 950 } 951 } 952 953 buffer.append("}, enableGSSAPIDebugging="); 954 buffer.append(enableGSSAPIDebugging); 955 buffer.append(')'); 956 } 957}