Comparing Names
Why is such a function useful? Consider the case where a server has received a name from a client and wants to look up that name in an Access Control List. (An Access Control List, or ACL, is a list of principals with particular access permissions.) One way to do this would be as follows:
-
Import the client name into GSS-API internal format with gss_import_name(), if it hasn't already been imported.
In some cases, the server will receive a name in internal format, so this step will not be necessary — in particular, if the server is looking up the client's own name. (During context initiation, the client's own name is passed in internal format.)
-
Import each name in the ACL with gss_import_name().
-
Compare each imported ACL name with the imported client's name, using gss_compare_name().
Figure 1–4 Comparing Names (Slow)
That procedure is fine if you only need to compare the client's name with a few names. However, it is a very slow way to check a large list! Running gss_import_name() and gss_compare_name() for every name in the ACL might require a lot of CPU cycles. This is a better way:
-
Import the client's name with gss_import_name() (if it hasn't already been imported).
As with the previous method of comparing names, in some cases the server receives a name in internal format and so this step is not necessary.
-
Use gss_canonicalize_name() to produce an MN of the client's name.
-
Use gss_export_name() to produce an “exported name,” a contiguous-string version of the client's name.
-
Compare the exported client's name with each name in the ACL by using memcmp(), which is a fast, low-overhead function.
Figure 1–5 Comparing Names (Fast)
Because gss_export_name() expects a Mechanism Name (MN), you must run gss_canonicalize_name() on the client's name first.
See the gss_canonicalize_name(3GSS), gss_export_name(3GSS), and gss_import_name(3GSS) man pages for more information.
- © 2010, Oracle Corporation and/or its affiliates