public class Sasl extends Object
This class defines the policy of how to locate, load, and instantiate SASL clients and servers.
For example, an application or library gets a SASL client by doing something like:
 SaslClient sc = Sasl.createSaslClient(mechanisms,
     authorizationId, protocol, serverName, props, callbackHandler);
Similarly, a server gets a SASL server by using code that looks as follows:
 SaslServer ss = Sasl.createSaslServer(mechanism,
     protocol, serverName, props, callbackHandler);
| Modifier and Type | Field and Description | 
|---|---|
| static String | BOUND_SERVER_NAMEThe name of a property that specifies the bound server name for
 an unbound server. | 
| static String | CREDENTIALSThe name of a property that specifies the credentials to use. | 
| static String | MAX_BUFFERThe name of a property that specifies the maximum size of the receive
 buffer in bytes of  SaslClient/SaslServer. | 
| static String | POLICY_FORWARD_SECRECYThe name of a property that specifies whether mechanisms that implement
 forward secrecy between sessions are required. | 
| static String | POLICY_NOACTIVEThe name of a property that specifies whether
 mechanisms susceptible to active (non-dictionary) attacks
 are not permitted. | 
| static String | POLICY_NOANONYMOUSThe name of a property that specifies whether mechanisms that accept
 anonymous login are not permitted. | 
| static String | POLICY_NODICTIONARYThe name of a property that specifies whether
 mechanisms susceptible to passive dictionary attacks are not permitted. | 
| static String | POLICY_NOPLAINTEXTThe name of a property that specifies
 whether mechanisms susceptible to simple plain passive attacks (e.g.,
 "PLAIN") are not permitted. | 
| static String | POLICY_PASS_CREDENTIALSThe name of a property that specifies whether
 mechanisms that pass client credentials are required. | 
| static String | QOPThe name of a property that specifies the quality-of-protection to use. | 
| static String | RAW_SEND_SIZEThe name of a property that specifies the maximum size of the raw send
 buffer in bytes of  SaslClient/SaslServer. | 
| static String | REUSEThe name of a property that specifies whether to reuse previously
 authenticated session information. | 
| static String | SERVER_AUTHThe name of a property that specifies whether the
 server must authenticate to the client. | 
| static String | STRENGTHThe name of a property that specifies the cipher strength to use. | 
| Modifier and Type | Method and Description | 
|---|---|
| static SaslClient | createSaslClient(String[] mechanisms,
                String authorizationId,
                String protocol,
                String serverName,
                Map<String,?> props,
                CallbackHandler cbh)Creates a  SaslClientusing the parameters supplied. | 
| static SaslServer | createSaslServer(String mechanism,
                String protocol,
                String serverName,
                Map<String,?> props,
                CallbackHandler cbh)Creates a  SaslServerfor the specified mechanism. | 
| static Enumeration<SaslClientFactory> | getSaslClientFactories()Gets an enumeration of known factories for producing  SaslClient. | 
| static Enumeration<SaslServerFactory> | getSaslServerFactories()Gets an enumeration of known factories for producing  SaslServer. | 
public static final String QOP
"auth" - authentication only"auth-int" - authentication plus integrity protection"auth-conf" - authentication plus integrity and confidentiality
 protection"auth".
 The value of this constant is "javax.security.sasl.qop".public static final String STRENGTH
"low""medium""high""high,medium,low".
 The value of this constant is "javax.security.sasl.strength".public static final String SERVER_AUTH
"true" if the server must
 authenticate the to client; "false" otherwise.
 The default is "false".
 "javax.security.sasl.server.authentication".public static final String BOUND_SERVER_NAME
serverName argument in createSaslServer(java.lang.String, java.lang.String, java.lang.String, java.util.Map<java.lang.String, ?>, javax.security.auth.callback.CallbackHandler) as null.
 The property contains the bound host name after the authentication
 exchange has completed. It is only available on the server side.
 "javax.security.sasl.bound.server.name".public static final String MAX_BUFFER
SaslClient/SaslServer.
 The property contains the string representation of an integer.
 "javax.security.sasl.maxbuffer".public static final String RAW_SEND_SIZE
SaslClient/SaslServer.
 The property contains the string representation of an integer.
 The value of this property is negotiated between the client and server
 during the authentication exchange.
 "javax.security.sasl.rawsendsize".public static final String REUSE
public static final String POLICY_NOPLAINTEXT
"true" if such mechanisms are not permitted;
 "false" if such mechanisms are permitted.
 The default is "false".
 "javax.security.sasl.policy.noplaintext".public static final String POLICY_NOACTIVE
"true"
 if mechanisms susceptible to active attacks
 are not permitted; "false" if such mechanisms are permitted.
 The default is "false".
 "javax.security.sasl.policy.noactive".public static final String POLICY_NODICTIONARY
"true"
 if mechanisms susceptible to dictionary attacks are not permitted;
 "false" if such mechanisms are permitted.
 The default is "false".
"javax.security.sasl.policy.nodictionary".public static final String POLICY_NOANONYMOUS
"true"
 if mechanisms that accept anonymous login are not permitted;
 "false"
 if such mechanisms are permitted. The default is "false".
"javax.security.sasl.policy.noanonymous".public static final String POLICY_FORWARD_SECRECY
"true" if mechanisms that implement forward secrecy
 between sessions are required; "false" if such mechanisms
 are not required. The default is "false".
"javax.security.sasl.policy.forward".public static final String POLICY_PASS_CREDENTIALS
"true" if mechanisms that pass
 client credentials are required; "false"
 if such mechanisms are not required. The default is "false".
"javax.security.sasl.policy.credentials".public static final String CREDENTIALS
"javax.security.sasl.credentials".public static SaslClient createSaslClient(String[] mechanisms, String authorizationId, String protocol, String serverName, Map<String,?> props, CallbackHandler cbh) throws SaslException
SaslClient using the parameters supplied.
 This method uses the
JCA Security Provider Framework, described in the
 "Java Cryptography Architecture API Specification & Reference", for
 locating and selecting a SaslClient implementation.
 First, it
 obtains an ordered list of SaslClientFactory instances from
 the registered security providers for the "SaslClientFactory" service
 and the specified SASL mechanism(s). It then invokes
 createSaslClient() on each factory instance on the list
 until one produces a non-null SaslClient instance. It returns
 the non-null SaslClient instance, or null if the search fails
 to produce a non-null SaslClient instance.
 A security provider for SaslClientFactory registers with the
 JCA Security Provider Framework keys of the form 
 SaslClientFactory.mechanism_name
 
 and values that are class names of implementations of
 javax.security.sasl.SaslClientFactory.
 For example, a provider that contains a factory class,
 com.wiz.sasl.digest.ClientFactory, that supports the
 "DIGEST-MD5" mechanism would register the following entry with the JCA:
 SaslClientFactory.DIGEST-MD5 com.wiz.sasl.digest.ClientFactory
See the "Java Cryptography Architecture API Specification & Reference" for information about how to install and configure security service providers.
 If a mechanism is listed in the jdk.sasl.disabledMechanisms
 security property, it will be ignored and won't be negotiated.
mechanisms - The non-null list of mechanism names to try. Each is the
 IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").authorizationId - The possibly null protocol-dependent
 identification to be used for authorization.
 If null or empty, the server derives an authorization
 ID from the client's authentication credentials.
 When the SASL authentication completes successfully,
 the specified entity is granted access.protocol - The non-null string name of the protocol for which
 the authentication is being performed (e.g., "ldap").serverName - The non-null fully-qualified host name of the server
 to authenticate to.props - The possibly null set of properties used to
 select the SASL mechanism and to configure the authentication
 exchange of the selected mechanism.
 For example, if props contains the
 Sasl.POLICY_NOPLAINTEXT property with the value
 "true", then the selected
 SASL mechanism must not be susceptible to simple plain passive attacks.
 In addition to the standard properties declared in this class,
 other, possibly mechanism-specific, properties can be included.
 Properties not relevant to the selected mechanism are ignored,
 including any map entries with non-String keys.cbh - The possibly null callback handler to used by the SASL
 mechanisms to get further information from the application/library
 to complete the authentication. For example, a SASL mechanism might
 require the authentication ID, password and realm from the caller.
 The authentication ID is requested by using a NameCallback.
 The password is requested by using a PasswordCallback.
 The realm is requested by using a RealmChoiceCallback if there is a list
 of realms to choose from, and by using a RealmCallback if
 the realm must be entered.SaslClient created using the parameters
 supplied. If null, cannot find a SaslClientFactory
 that will produce one.SaslException - If cannot create a SaslClient because
 of an error.public static SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String,?> props, CallbackHandler cbh) throws SaslException
SaslServer for the specified mechanism.
 This method uses the
JCA Security Provider Framework,
 described in the
 "Java Cryptography Architecture API Specification & Reference", for
 locating and selecting a SaslServer implementation.
 First, it
 obtains an ordered list of SaslServerFactory instances from
 the registered security providers for the "SaslServerFactory" service
 and the specified mechanism. It then invokes
 createSaslServer() on each factory instance on the list
 until one produces a non-null SaslServer instance. It returns
 the non-null SaslServer instance, or null if the search fails
 to produce a non-null SaslServer instance.
 A security provider for SaslServerFactory registers with the
 JCA Security Provider Framework keys of the form 
 SaslServerFactory.mechanism_name
 
 and values that are class names of implementations of
 javax.security.sasl.SaslServerFactory.
 For example, a provider that contains a factory class,
 com.wiz.sasl.digest.ServerFactory, that supports the
 "DIGEST-MD5" mechanism would register the following entry with the JCA:
 SaslServerFactory.DIGEST-MD5  com.wiz.sasl.digest.ServerFactory
See the "Java Cryptography Architecture API Specification & Reference" for information about how to install and configure security service providers.
 If mechanism is listed in the jdk.sasl.disabledMechanisms
 security property, it will be ignored and this method returns null.
mechanism - The non-null mechanism name. It must be an
 IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").protocol - The non-null string name of the protocol for which
 the authentication is being performed (e.g., "ldap").serverName - The fully qualified host name of the server, or null
 if the server is not bound to any specific host name. If the mechanism
 does not allow an unbound server, a SaslException will
 be thrown.props - The possibly null set of properties used to
 select the SASL mechanism and to configure the authentication
 exchange of the selected mechanism.
 For example, if props contains the
 Sasl.POLICY_NOPLAINTEXT property with the value
 "true", then the selected
 SASL mechanism must not be susceptible to simple plain passive attacks.
 In addition to the standard properties declared in this class,
 other, possibly mechanism-specific, properties can be included.
 Properties not relevant to the selected mechanism are ignored,
 including any map entries with non-String keys.cbh - The possibly null callback handler to used by the SASL
 mechanisms to get further information from the application/library
 to complete the authentication. For example, a SASL mechanism might
 require the authentication ID, password and realm from the caller.
 The authentication ID is requested by using a NameCallback.
 The password is requested by using a PasswordCallback.
 The realm is requested by using a RealmChoiceCallback if there is a list
 of realms to choose from, and by using a RealmCallback if
 the realm must be entered.SaslServer created using the parameters
 supplied. If null, cannot find a SaslServerFactory
 that will produce one.SaslException - If cannot create a SaslServer because
 of an error.public static Enumeration<SaslClientFactory> getSaslClientFactories()
SaslClient.
 This method uses the same algorithm for locating factories as
 createSaslClient().SaslClient.createSaslClient(java.lang.String[], java.lang.String, java.lang.String, java.lang.String, java.util.Map<java.lang.String, ?>, javax.security.auth.callback.CallbackHandler)public static Enumeration<SaslServerFactory> getSaslServerFactories()
SaslServer.
 This method uses the same algorithm for locating factories as
 createSaslServer().SaslServer.createSaslServer(java.lang.String, java.lang.String, java.lang.String, java.util.Map<java.lang.String, ?>, javax.security.auth.callback.CallbackHandler) Submit a bug or feature 
For further API reference and developer documentation, see Java SE Documentation. That documentation contains more detailed, developer-targeted descriptions, with conceptual overviews, definitions of terms, workarounds, and working code examples.
 Copyright © 1993, 2025, Oracle and/or its affiliates.  All rights reserved. Use is subject to license terms. Also see the documentation redistribution policy.