/* 
 * @(#)GssExample.java	1.1 01/05/24
 * 
 * Copyright 2001 Microsystems, Inc. All Rights
 * Reserved.
 * 
 * Sun grants you ("Licensee") a non-exclusive, royalty free,
 * license to use, modify and redistribute this software in source and
 * binary code form, provided that i) this copyright notice and license
 * appear on all copies of the software; and ii) Licensee does not 
 * utilize the software in a manner which is disparaging to Sun.
 *
 * This software is provided "AS IS," without a warranty of any
 * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
 * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, 
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE 
 * HEREBY EXCLUDED.  SUN AND ITS LICENSORS SHALL NOT BE LIABLE 
 * FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, 
 * MODIFYING OR DISTRIBUTING THE SOFTWARE OR ITS DERIVATIVES. IN 
 * NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST 
 * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,
 * CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER 
 * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT 
 * OF THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS 
 * BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
 * 
 * This software is not designed or intended for use in on-line
 * control of aircraft, air traffic, aircraft navigation or aircraft
 * communications; or in the design, construction, operation or
 * maintenance of any nuclear facility. Licensee represents and warrants
 * that it will not use or redistribute the Software for such purposes.  
 */

import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;

import java.util.Hashtable;

/**
 * Demonstrates how to create an initial context to an LDAP server
 * using "GSSAPI" SASL authentication (Kerberos v5).
 * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
 * compliant implementation of J-GSS and a Kerberos v5 implementation.
 * Uses SampleCallbackHandler.
 *
 * usage: java 
 *    -Djava.security.auth.login.config=gssapi_jaas.conf \
 *    -Djava.security.krb5.conf=krb5.conf \
 *      GssExample [qop [dn]]
 * 
 * The first property indicates which JAAS login module the application needs
 * to use; the second property is for configuration of the Kerberos subsystem.
 *
 * 'qop' is a comma separated list of tokens, each of which is one of
 * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
 */
class GssExample {

    public static void main(String[] args) {

	// 1. Log in (to Kerberos)
	LoginContext lc = null;
	try {
	    lc = new LoginContext(GssExample.class.getName(),
		new SampleCallbackHandler());

	    // Attempt authentication
	    // You might want to do this in a "for" loop to give
	    // user more than one chance to enter correct username/password
	    lc.login();

	} catch (LoginException le) {
	    System.err.println("Authentication attempt failed" + le);
	    System.exit(-1);
	}

	// 2. Perform JNDI work as logged in subject
	Subject.doAs(lc.getSubject(), new JndiAction(args));
    }
}


/**
 * The application must supply a PrivilegedAction that is to be run
 * inside a Subject.doAs() or Subject.doAsPrivileged().
 */
class JndiAction implements java.security.PrivilegedAction {
    private String[] args;

    public JndiAction(String[] origArgs) {
	this.args = (String[])origArgs.clone();
    }

    public Object run() {
	performJndiOperation(args);
	return null;
    }

    private static void performJndiOperation(String[] args) {
	String dn;

	// Set up environment for creating initial context
	Hashtable env = new Hashtable(11);

	env.put(Context.INITIAL_CONTEXT_FACTORY, 
	    "com.sun.jndi.ldap.LdapCtxFactory");

	// Must use fully qualified hostname
	env.put(Context.PROVIDER_URL, 
	    "ldap://ldap.jnditutorial.org:389/o=JndiTutorial");
    
	// Request the use of the "GSSAPI" SASL mechanism
	// Authenticate by using already established Kerberos credentials
	env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

	// Optional first argument is comma-separated list of auth, auth-int, 
	// auth-conf
	if (args.length > 0) {
	    env.put("javax.security.sasl.qop", args[0]);
	    dn = args[1];
	} else {
	    dn = "";
	}
    
	try {
	    /* Create initial context */
	    DirContext ctx = new InitialDirContext(env);

	    System.out.println(ctx.getAttributes(dn));

	    // do something useful with ctx

	    // Close the context when we're done
	    ctx.close();
	} catch (NamingException e) {
	    e.printStackTrace();
	}
    }
}