public abstract class GSSManager extends Object
GSSName, GSSCredential, and GSSContext. It also has methods to query for the list
 of available mechanisms and the nametypes that each mechanism
 supports.
 An instance of the default GSSManager subclass
 may be obtained through the static method getInstance, but applications are free to instantiate other subclasses
 of GSSManager. The default GSSManager instance
 will support the Kerberos v5 GSS-API mechanism in addition to any
 others. This mechanism is identified by the Oid "1.2.840.113554.1.2.2"
 and is defined in RFC 1964.
 A subclass extending the GSSManager abstract class may be
 implemented  as a modular provider based layer that utilizes some well
 known  service provider specification. The GSSManager API
 allows the application to set provider preferences on
 such an implementation. These methods also allow the implementation to
 throw a well-defined exception in case provider based configuration is
 not supported. Applications that expect to be portable should be aware
 of this and recover cleanly by catching the exception.
It is envisioned that there will be three most common ways in which providers will be used:
 The GSSManager class has two methods that enable these modes of
 usage:  addProviderAtFront and
 addProviderAtEnd. These methods
 have the effect of creating an ordered list of <provider,
 oid> pairs  where each pair indicates a preference of provider
 for a given oid.
 It is important to note that there are certain interactions
 between the different GSS-API objects that are created by a
 GSSManager, where the provider that is used for a particular mechanism
 might need to be consistent across all objects. For instance, if a
 GSSCredential contains elements from a provider p for a mechanism
 m, it should generally be passed in to a GSSContext that will use
 provider p for the mechanism m. A simple rule of thumb
 that will maximize portability is that objects created from different
 GSSManager's should not be mixed, and if possible, a different
 GSSManager instance should be created if the application wants to invoke
 the addProviderAtFront method on a GSSManager that has
 already created an object.
Here is some sample code showing how the GSSManager might be used:
     GSSManager manager = GSSManager.getInstance();
     Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
     Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
     // Identify who the client wishes to be
     GSSName userName = manager.createName("duke", GSSName.NT_USER_NAME);
     // Identify the name of the server. This uses a Kerberos specific
     // name format.
     GSSName serverName = manager.createName("nfs/foo.sun.com",
                                             krb5PrincipalNameType);
     // Acquire credentials for the user
     GSSCredential userCreds = manager.createCredential(userName,
                                             GSSCredential.DEFAULT_LIFETIME,
                                             krb5Mechanism,
                                             GSSCredential.INITIATE_ONLY);
     // Instantiate and initialize a security context that will be
     // established with the server
     GSSContext context = manager.createContext(serverName,
                                                krb5Mechanism,
                                                userCreds,
                                                GSSContext.DEFAULT_LIFETIME);
 The server side might use the following variation of this source:
     // Acquire credentials for the server
     GSSCredential serverCreds = manager.createCredential(serverName,
                                             GSSCredential.DEFAULT_LIFETIME,
                                             krb5Mechanism,
                                             GSSCredential.ACCEPT_ONLY);
     // Instantiate and initialize a security context that will
     // wait for an establishment request token from the client
     GSSContext context = manager.createContext(serverCreds);
 GSSName, 
GSSCredential, 
GSSContext| Constructor and Description | 
|---|
| GSSManager() | 
| Modifier and Type | Method and Description | 
|---|---|
| abstract void | addProviderAtEnd(Provider p,
                Oid mech)This method is used to indicate to the GSSManager that the
 application would like a particular provider to be used if no other
 provider can be found that supports the given mechanism. | 
| abstract void | addProviderAtFront(Provider p,
                  Oid mech)This method is used to indicate to the GSSManager that the
 application would like a particular provider to be used ahead of all
 others when support is desired for the given mechanism. | 
| abstract GSSContext | createContext(byte[] interProcessToken)Factory method for creating a previously exported context. | 
| abstract GSSContext | createContext(GSSCredential myCred)Factory method for creating a context on the acceptor' side. | 
| abstract GSSContext | createContext(GSSName peer,
             Oid mech,
             GSSCredential myCred,
             int lifetime)Factory method for creating a context on the initiator's
 side. | 
| abstract GSSCredential | createCredential(GSSName name,
                int lifetime,
                Oid[] mechs,
                int usage)Factory method for acquiring credentials over a set of
 mechanisms. | 
| abstract GSSCredential | createCredential(GSSName name,
                int lifetime,
                Oid mech,
                int usage)Factory method for acquiring a single mechanism credential. | 
| abstract GSSCredential | createCredential(int usage)Factory method for acquiring default credentials. | 
| abstract GSSName | createName(byte[] name,
          Oid nameType)Factory method to convert a byte array containing a
 name from the specified namespace to a GSSName object. | 
| abstract GSSName | createName(byte[] name,
          Oid nameType,
          Oid mech)Factory method to convert a byte array containing a
 name from the specified namespace to a GSSName object and canonicalize
 it at the same time for a mechanism. | 
| abstract GSSName | createName(String nameStr,
          Oid nameType)Factory method to convert a string name from the
 specified namespace to a GSSName object. | 
| abstract GSSName | createName(String nameStr,
          Oid nameType,
          Oid mech)Factory method to convert a string name from the
 specified namespace to a GSSName object and canonicalize it at the
 same time for a mechanism. | 
| static GSSManager | getInstance()Returns the default GSSManager implementation. | 
| abstract Oid[] | getMechs()Returns a list of mechanisms that are available to GSS-API callers
 through this GSSManager. | 
| abstract Oid[] | getMechsForName(Oid nameType)Returns a list of mechanisms that support the indicated name type. | 
| abstract Oid[] | getNamesForMech(Oid mech)Returns then name types supported by the indicated mechanism. | 
public static GSSManager getInstance()
public abstract Oid[] getMechs()
getInstance() method includes the Oid
 "1.2.840.113554.1.2.2" in its list. This Oid identifies the Kerberos
 v5 GSS-API mechanism that is defined in RFC 1964.null value is returned when no
 mechanism are available (an example of this would be when mechanism
 are dynamically configured, and currently no mechanisms are
 installed).public abstract Oid[] getNamesForMech(Oid mech) throws GSSException
 The default GSSManager instance includes support for the Kerberos v5
 mechanism. When this mechanism ("1.2.840.113554.1.2.2") is indicated,
 the returned list will contain at least the following nametypes:
 GSSName.NT_HOSTBASED_SERVICE,
 GSSName.NT_EXPORT_NAME, and the
 Kerberos v5 specific Oid "1.2.840.113554.1.2.2.1". The namespace for
 the Oid "1.2.840.113554.1.2.2.1" is defined in RFC 1964.
mech - the Oid of the mechanism to queryGSSException - containing the following
 major error codes:
    GSSException.BAD_MECH
    GSSException.FAILUREgetMechsForName(Oid)public abstract Oid[] getMechsForName(Oid nameType)
 The Kerberos v5 mechanism ("1.2.840.113554.1.2.2") will always be
 returned in this list when the indicated nametype is one of
 GSSName.NT_HOSTBASED_SERVICE,
 GSSName.NT_EXPORT_NAME, or
 "1.2.840.113554.1.2.2.1".
nameType - the Oid of the name type to look fornull is returned when no
 mechanisms are found to support the specified name type.getNamesForMech(Oid)public abstract GSSName createName(String nameStr, Oid nameType) throws GSSException
GSSName object created  will contain multiple
 representations of the name, one for each mechanism that is
 supported; two examples that are exceptions to this are when
 the namespace type parameter indicates NT_EXPORT_NAME or when the
 GSS-API implementation is not multi-mechanism. It is
 not recommended to use this method with a NT_EXPORT_NAME type because
 representing a previously exported name consisting of arbitrary bytes
 as a String might cause problems with character encoding schemes. In
 such cases it is recommended that the bytes be passed in directly to
 the overloaded form of this method createName.nameStr - the string representing a printable form of the name to
 create.nameType - the Oid specifying the namespace of the printable name
 supplied. null can be used to specify
 that a mechanism specific default printable syntax should
 be assumed by each mechanism that examines nameStr.
 It is not advisable to use the nametype NT_EXPORT_NAME with this
 method.GSSException - containing the following
 major error codes:
    GSSException.BAD_NAMETYPE,
    GSSException.BAD_NAME,
    GSSException.BAD_MECH,
    GSSException.FAILUREGSSName, 
GSSName.NT_EXPORT_NAMEpublic abstract GSSName createName(byte[] name, Oid nameType) throws GSSException
GSSName object created  will contain multiple
 representations of the name, one for each mechanism that is
 supported; two examples that are exceptions to this are when the
 namespace type parameter indicates NT_EXPORT_NAME or when the
 GSS-API implementation is not multi-mechanism. The bytes that are
 passed in are interpreted by each underlying mechanism according to
 some encoding scheme of its choice for the given nametype.name - the byte array containing the name to createnameType - the Oid specifying the namespace of the name supplied
 in the byte array. null can be used to specify that a
 mechanism specific default syntax should be assumed by each mechanism
 that examines the byte array.GSSException - containing the following
 major error codes:
    GSSException.BAD_NAMETYPE,
    GSSException.BAD_NAME,
    GSSException.BAD_MECH,
    GSSException.FAILUREGSSName, 
GSSName.NT_EXPORT_NAMEpublic abstract GSSName createName(String nameStr, Oid nameType, Oid mech) throws GSSException
createName and then also the GSSName.canonicalize.nameStr - the string representing a printable form of the name to
 create.nameType - the Oid specifying the namespace of the printable name
 supplied. null can be used to specify
 that a mechanism specific default printable syntax should
 be assumed by each mechanism that examines nameStr.
 It is not advisable to use the nametype NT_EXPORT_NAME with this
 method.mech - Oid specifying the mechanism for which the name should be
 canonicalizedGSSException - containing the following
 major error codes:
    GSSException.BAD_NAMETYPE,
    GSSException.BAD_NAME,
    GSSException.BAD_MECH,
    GSSException.FAILUREGSSName.canonicalize(Oid), 
GSSName.NT_EXPORT_NAMEpublic abstract GSSName createName(byte[] name, Oid nameType, Oid mech) throws GSSException
createName and then also GSSName.canonicalize.name - the byte array containing the name to createnameType - the Oid specifying the namespace of the name supplied
 in the byte array. null can be used to specify that a
 mechanism specific default syntax should be assumed by each mechanism
 that examines the byte array.mech - Oid specifying the mechanism for which the name should be
 canonicalizedGSSException - containing the following
 major error codes:
    GSSException.BAD_NAMETYPE,
    GSSException.BAD_NAME,
    GSSException.BAD_MECH,
    GSSException.FAILUREGSSName.canonicalize(Oid), 
GSSName.NT_EXPORT_NAMEpublic abstract GSSCredential createCredential(int usage) throws GSSException
 GSS-API mechanism providers must impose a local access-control
 policy on callers to prevent unauthorized callers from acquiring
 credentials to which they are not entitled. The kinds of permissions
 needed by different mechanism providers will be documented on a
 per-mechanism basis. A failed permission check might cause a SecurityException to be thrown from
 this method.
usage - The intended usage for this credential object. The value
 of this parameter must be one of:
 GSSCredential.INITIATE_AND_ACCEPT,
 GSSCredential.ACCEPT_ONLY, and
 GSSCredential.INITIATE_ONLY.GSSException - containing the following
 major error codes:
    GSSException.BAD_MECH,
    GSSException.BAD_NAMETYPE,
    GSSException.BAD_NAME,
    GSSException.CREDENTIALS_EXPIRED,
    GSSException.NO_CRED,
    GSSException.FAILUREGSSCredentialpublic abstract GSSCredential createCredential(GSSName name, int lifetime, Oid mech, int usage) throws GSSException
 GSS-API mechanism providers must impose a local access-control
 policy on callers to prevent unauthorized callers from acquiring
 credentials to which they are not entitled. The kinds of permissions
 needed by different mechanism providers will be documented on a
 per-mechanism basis. A failed permission check might cause a SecurityException to be thrown from
 this method. 
 Non-default values for lifetime cannot always be honored by the
 underlying mechanisms, thus applications should be prepared to call
 getRemainingLifetime
 on the returned credential.
name - the name of the principal for whom this credential is to be
 acquired.  Use null to specify the default principal.lifetime - The number of seconds that credentials should remain
 valid.  Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials
 have the maximum permitted lifetime.  Use GSSCredential.DEFAULT_LIFETIME to
 request default credential lifetime.mech - the Oid of the desired mechanism.  Use (Oid) null
  to request the default mechanism.usage - The intended usage for this credential object. The value
 of this parameter must be one of:
 GSSCredential.INITIATE_AND_ACCEPT,
 GSSCredential.ACCEPT_ONLY, and
 GSSCredential.INITIATE_ONLY.GSSException - containing the following
 major error codes:
    GSSException.BAD_MECH,
    GSSException.BAD_NAMETYPE,
    GSSException.BAD_NAME,
    GSSException.CREDENTIALS_EXPIRED,
    GSSException.NO_CRED,
    GSSException.FAILUREGSSCredentialpublic abstract GSSCredential createCredential(GSSName name, int lifetime, Oid[] mechs, int usage) throws GSSException
GSSCredential.getMechs method.
 GSS-API mechanism providers must impose a local access-control
 policy on callers to prevent unauthorized callers from acquiring
 credentials to which they are not entitled. The kinds of permissions
 needed by different mechanism providers will be documented on a
 per-mechanism basis. A failed permission check might cause a SecurityException to be thrown from
 this method.
 Non-default values for lifetime cannot always be honored by the
 underlying mechanisms, thus applications should be prepared to call
 getRemainingLifetime
 on the returned credential.
name - the name of the principal for whom this credential is to
 be acquired.  Use null to specify the default
 principal.lifetime - The number of seconds that credentials should remain
 valid.  Use GSSCredential.INDEFINITE_LIFETIME to request that the credentials
 have the maximum permitted lifetime.  Use GSSCredential.DEFAULT_LIFETIME to
 request default credential lifetime.mechs - an array of Oid's indicating the mechanisms over which
 the credential is to be acquired.  Use (Oid[]) null for
 requesting a system specific default set of mechanisms.usage - The intended usage for this credential object. The value
 of this parameter must be one of:
 GSSCredential.INITIATE_AND_ACCEPT,
 GSSCredential.ACCEPT_ONLY, and
 GSSCredential.INITIATE_ONLY.GSSException - containing the following
 major error codes:
    GSSException.BAD_MECH,
    GSSException.BAD_NAMETYPE,
    GSSException.BAD_NAME,
    GSSException.CREDENTIALS_EXPIRED,
    GSSException.NO_CRED,
    GSSException.FAILUREGSSCredentialpublic abstract GSSContext createContext(GSSName peer, Oid mech, GSSCredential myCred, int lifetime) throws GSSException
SecurityException
 to be thrown from this method.
 Non-default values for lifetime cannot always be honored by the
 underlying mechanism, thus applications should be prepared to call
 getLifetime on the returned
 context.
peer - the name of the target peer.mech - the Oid of the desired mechanism.  Use null
 to request the default mechanism.myCred - the credentials of the initiator.  Use
 null to act as the default initiator principal.lifetime - the lifetime, in seconds, requested for the
 context. Use GSSContext.INDEFINITE_LIFETIME to request that the context have the
 maximum permitted lifetime. Use GSSContext.DEFAULT_LIFETIME to request a default lifetime for the
 context.GSSException - containing the following
 major error codes:
    GSSException.NO_CRED
    GSSException.CREDENTIALS_EXPIRED
    GSSException.BAD_NAMETYPE
    GSSException.BAD_MECH
    GSSException.FAILUREGSSContextpublic abstract GSSContext createContext(GSSCredential myCred) throws GSSException
SecurityException
 to be thrown from this method.myCred - the credentials for the acceptor.  Use
 null to act as a default acceptor principal.GSSException - containing the following
 major error codes:
    GSSException.NO_CRED
    GSSException.CREDENTIALS_EXPIRED
    GSSException.BAD_MECH
    GSSException.FAILUREGSSContextpublic abstract GSSContext createContext(byte[] interProcessToken) throws GSSException
 Implementations are not required to support the inter-process
 transfer of security contexts.  Before exporting a context, calling
 the GSSContext.isTransferable
 will indicate if the context is transferable. Calling this method in
 an implementation that does not support it will result in a
 GSSException with the error
 code GSSException.UNAVAILABLE.
 Some mechanism providers might require that the caller be granted
 permission to initiate or accept a security context. A failed
 permission check might cause a SecurityException to be thrown from this method.
interProcessToken - the token previously emitted from the
 export method.GSSException - containing the following
 major error codes:
    GSSException.NO_CONTEXT,
    GSSException.DEFECTIVE_TOKEN,
    GSSException.UNAVAILABLE,
    GSSException.UNAUTHORIZED,
    GSSException.FAILUREGSSContextpublic abstract void addProviderAtFront(Provider p, Oid mech) throws GSSException
Oid for the mechanism,
 the GSSManager must use the indicated provider ahead of all others
 no matter what the mechanism is. Only when the indicated provider
 does not support the needed mechanism should the GSSManager move on
 to a different provider.
 Calling this method repeatedly preserves the older settings but
 lowers them in preference thus forming an ordered list of provider
 and Oid pairs that grows at the top.
 Calling addProviderAtFront with a null Oid will remove
 all previous preferences that were set for this provider in the
 GSSManager instance. Calling addProviderAtFront with a non-null
 Oid will remove any previous preference that was set
 using this mechanism and this provider together.
If the GSSManager implementation does not support an SPI with a pluggable provider architecture it should throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.
Suppose an application desired that the provider A always be checked first when any mechanism is needed, it would call:
         GSSManager mgr = GSSManager.getInstance();
         // mgr may at this point have its own pre-configured list
         // of provider preferences. The following will prepend to
         // any such list:
         mgr.addProviderAtFront(A, null);
 
 Now if it also desired that the mechanism of Oid m1 always be
 obtained from the provider B before the previously set A was checked,
 it would call:
         mgr.addProviderAtFront(B, m1);
 
 The GSSManager would then first check with B if m1 was needed. In
 case B did not provide support for m1, the GSSManager would continue
 on to check with A.  If any mechanism m2 is needed where m2 is
 different from m1 then the GSSManager would skip B and check with A
 directly.Suppose at a later time the following call is made to the same GSSManager instance:
         mgr.addProviderAtFront(B, null)
 
 then the previous setting with the pair (B, m1) is subsumed by this
 and should be removed. Effectively the list of preferences now
 becomes {(B, null), (A, null),
         ... //followed by the pre-configured list.Please note, however, that the following call:
         mgr.addProviderAtFront(A, m3)
 
 does not subsume the previous setting of (A, null) and the list will
 effectively become {(A, m3), (B, null), (A, null), ...}p - the provider instance that should be used whenever support
 is needed for mech.mech - the mechanism for which the provider is being setGSSException - containing the following
 major error codes:
    GSSException.UNAVAILABLE,
    GSSException.FAILUREpublic abstract void addProviderAtEnd(Provider p, Oid mech) throws GSSException
Calling this method repeatedly preserves the older settings but raises them above newer ones in preference thus forming an ordered list of providers and Oid pairs that grows at the bottom. Thus the older provider settings will be utilized first before this one is.
If there are any previously existing preferences that conflict with the preference being set here, then the GSSManager should ignore this request.
If the GSSManager implementation does not support an SPI with a pluggable provider architecture it should throw a GSSException with the status code GSSException.UNAVAILABLE to indicate that the operation is unavailable.
Suppose an application desired that when a mechanism of Oid m1 is needed the system default providers always be checked first, and only when they do not support m1 should a provider A be checked. It would then make the call:
         GSSManager mgr = GSSManager.getInstance();
         mgr.addProviderAtEnd(A, m1);
 
 Now, if it also desired that for all mechanisms the provider B be
 checked after all configured providers have been checked, it would
 then call:
         mgr.addProviderAtEnd(B, null);
 
 Effectively the list of preferences now becomes {..., (A, m1), (B,
 null)}.Suppose at a later time the following call is made to the same GSSManager instance:
         mgr.addProviderAtEnd(B, m2)
 
 then the previous setting with the pair (B, null) subsumes this and
 therefore this request should be ignored. The same would happen if a
 request is made for the already existing pairs of (A, m1) or (B,
 null).Please note, however, that the following call:
         mgr.addProviderAtEnd(A, null)
 
 is not subsumed by the previous setting of (A, m1) and the list will
 effectively become {..., (A, m1), (B, null), (A, null)}p - the provider instance that should be used whenever support
 is needed for mech.mech - the mechanism for which the provider is being setGSSException - containing the following
 major error codes:
    GSSException.UNAVAILABLE,
    GSSException.FAILURE Submit a bug or feature 
For further API reference and developer documentation, see Java SE Documentation. That documentation contains more detailed, developer-targeted descriptions, with conceptual overviews, definitions of terms, workarounds, and working code examples.
 Copyright © 1993, 2025, Oracle and/or its affiliates.  All rights reserved. Use is subject to license terms. Also see the documentation redistribution policy.