This class encapsulates a long-term secret key for a Kerberos principal. A KerberosKey object includes an EncryptionKey, a KerberosPrincipal as its owner, and the version number of the key.

An EncryptionKey is defined in Section 4.2.9 of the Kerberos Protocol Specification (RFC 4120) as:

    EncryptionKey ::= SEQUENCE {
        keytype  [0] Int32 -- actually encryption type --,
        keyvalue [1] OCTET STRING
    }
The key material of a KerberosKey is defined as the value of the keyvalue field above.
All Kerberos JAAS login modules that obtain a principal's password and generate the secret key from it should use this class. Sometimes, such as when authenticating a server in the absence of user-to-user authentication, the login module will store an instance of this class in the private credential set of a Subject during the commit phase of the authentication process.
A Kerberos service using a keytab to read secret keys should use the KeyTab class, from which the latest keys can be read when needed.
It might be necessary for the application to be granted a PrivateCredentialPermission if it needs to access the KerberosKey instance from a Subject. This permission is not needed when the application depends on the default JGSS Kerberos mechanism to access the KerberosKey. In that case, however, the application will need an appropriate ServicePermission.
When creating a KerberosKey using the KerberosKey(KerberosPrincipal, char[], String) constructor, an implementation may accept non-IANA algorithm names (for example, "ArcFourMac" for "rc4-hmac"), but the getAlgorithm() method must always return the IANA algorithm name.
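The commit-phase storage, the later lookup from the Subject, and the getAlgorithm() contract described above, as an added example written for this page (it is not JDK or login-module code). It assumes the JDK accepts the IANA name "aes128-cts-hmac-sha1-96" in the password constructor, and uses a constructed principal and password.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import java.util.Arrays;

// Hypothetical sketch of a login module's commit/logout handling of a
// KerberosKey, plus a consumer reading it back. Not the JDK's own code.
public class KerberosKeyStorageExample {

    // Commit phase: derive the long-term key from the password, park it in
    // the Subject's private credentials, then wipe the password itself.
    static KerberosKey commit(Subject subject, String principalName, char[] password) {
        KerberosPrincipal principal = new KerberosPrincipal(principalName);
        // Assumption: the IANA name is accepted here. Whatever alias is passed,
        // getAlgorithm() must return the IANA name.
        KerberosKey key = new KerberosKey(principal, password, "aes128-cts-hmac-sha1-96");
        Arrays.fill(password, '\0'); // password is no longer needed once the key exists
        subject.getPrivateCredentials().add(key);
        return key;
    }

    // Consumer side. Under a security manager this lookup needs a
    // PrivateCredentialPermission for KerberosKey (see the text above).
    static KerberosKey lookup(Subject subject, KerberosPrincipal principal) {
        for (KerberosKey k : subject.getPrivateCredentials(KerberosKey.class)) {
            if (k.getPrincipal().equals(principal) && !k.isDestroyed()) {
                return k;
            }
        }
        return null;
    }

    // Logout phase: zero the key material and drop the credential.
    static void logout(Subject subject) throws Exception {
        for (KerberosKey k : subject.getPrivateCredentials(KerberosKey.class)) {
            k.destroy(); // zeroes the EncryptionKey bytes; getEncoded() now throws
        }
        subject.getPrivateCredentials().removeIf(c -> c instanceof KerberosKey);
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        // Constructed sample principal and password, not real credentials.
        KerberosKey key = commit(subject, "alice@EXAMPLE.COM", "hunter2".toCharArray());
        System.out.println("etype " + key.getKeyType() + " = " + key.getAlgorithm()
                + ", kvno " + key.getVersionNumber());
        KerberosPrincipal alice = new KerberosPrincipal("alice@EXAMPLE.COM");
        System.out.println("found in subject: " + (lookup(subject, alice) != null));
        logout(subject);
        System.out.println("destroyed: " + key.isDestroyed()
                + ", still stored: " + (lookup(subject, alice) != null));
    }
}
```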