2 Internet Draft Rob Weltman
6 Netscape Communications Corp.
10 The Java SASL Application Program Interface
11 <draft-weltman-java-sasl-01.txt>
16 This document is an Internet Draft. Internet Drafts are working
17 documents of the Internet Engineering Task Force (IETF), its Areas,
18 and its Working Groups. Note that other groups may also distribute
19 working documents as Internet Drafts.
21 Internet Drafts are draft documents valid for a maximum of six
22 months. Internet Drafts may be updated, replaced, or obsoleted by
23 other documents at any time. It is not appropriate to use Internet
24 Drafts as reference material or to cite them other than as a
25 "working draft" or "work in progress".
27 To learn the current status of any Internet-Draft, please check the
28 1id-abstracts.txt listing contained in the Internet-Drafts Shadow
29 Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
30 ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
32 Copyright (C) The Internet Society (1998). All Rights Reserved.
34 Please see the Copyright section near the end of this document for
41 This document defines a client-side java language interface for
42 using the Simple Authentication and Security Layer (SASL) mechanisms
43 for adding authentication support to connection-based protocols. The
44 interface promotes sharing of SASL mechanism drivers and security
45 layers between applications using different protocols. It
46 complements but does not replace [1], which defines and exemplifies
47 use of the SASL protocol in a language-independent way.
61 JAVA SASL API October 1998
65 1 Overview of the SASL classes........................................4
67 1.1 Interfaces......................................................4
69 1.2 Classes.........................................................6
71 2 Overview of SASL API Use............................................6
73 3 The java SASL classes...............................................6
75 3.1 public interface SASLClientMechanismDriver......................6
77 3.1.1 startAuthentication..........................................6
79 3.1.2 evaluateResponse.............................................8
81 3.1.3 isComplete...................................................8
83 3.1.4 getSecurityLayer.............................................8
85 3.1.5 getMechanismName.............................................8
87 3.2 public interface SASLClientCB...................................9
89 3.3 public interface SASLNamePasswordClientCB.......................9
91 3.3.1 promptNamePassword...........................................9
93 3.3.2 getID........................................................9
95 3.3.3 getPassword..................................................9
97 3.4 public interface SASLPasswordClientCB..........................10
99 3.4.1 promptPassword..............................................10
101 3.4.2 getPassword.................................................10
103 3.5 public interface SASLInfoClientCB..............................10
105 3.5.1 promptInfo..................................................11
107 3.6 public interface SASLWarningClientCB...........................11
109 3.6.1 promptWarning...............................................11
111 3.7 public interface SASLOkayCancelClientCB........................11
113 3.7.1 promptOkayCancel............................................11
115 3.8 public interface SASLGetLanguageClientCB.......................12
117 3.8.1 getLanguage.................................................12
119 3.9 public interface SASLSecurityLayer.............................12
121 3.9.1 encode......................................................12
123 3.9.2 decode......................................................13
125 3.10 public class SASLMechanismFactory..............................13
127 3.10.1 getMechanismDriver........................................13
129 3.10.2 getMechanisms.............................................13
131 3.11 public class SASLException.....................................14
133 3.11.1 Constructors..............................................14
135 4 Security Considerations............................................14
137 5 Appendix A - Sample java LDAP program using SASL...................16
151 Expires 4/99 [Page 2]
153 JAVA SASL API October 1998
158 See [1], section 3, for an introduction to and overview of the SASL
159 framework for authentication and negotiation of a security layer.
160 The following presents an outline of the concepts.
164 --------------- ------------------- -----------------
165 | Application |-----| Protocol Driver |------| MD5 |
166 --------------- ------------------- | -----------------
182 An application chooses a Protocol Driver specific to the protocol it
183 wants to use, and specifies one or more acceptable mechanisms. The
184 Protocol Driver controls the socket, and knows the format/packaging
185 of bytes sent down and received from the socket, but does not know
186 how to authenticate or to encrypt/ decrypt the bytes. It uses one of
187 the Mechanism Drivers to help it perform authentication. The
188 Protocol Driver examines each byte string received from the server
189 during the authentication in a protocol-specific way to determine if
190 the authentication process has been completed. If not, the byte
191 string is passed to the Mechanism Driver to be interpreted as a
192 server challenge; the Mechanism Driver returns an appropriate
193 response, which the Protocol Driver can encode in a protocol-
194 specific way and return to the server.
196 If the Protocol Driver concludes from the byte string received from
197 the server that authentication is complete, it may query the
198 Mechanism Driver if it considers the authentication process
199 complete, in order to thwart early completion messages inserted by
202 On completed authentication, the Protocol Driver receives from the
203 Mechanism Driver a Security Layer Driver object. From this point on,
204 the Protocol Driver passes byte arrays received from its socket to
205 the Security Layer Driver object for decoding before returning them
206 to the application, and passes application byte arrays to the
207 Security Layer Driver object for encryption before passing them down
211 Expires 4/99 [Page 3]
213 JAVA SASL API October 1998
216 A complication here is that some authentication methods may require
217 additional user/application input. That means that a Mechanism
218 Driver may need to call up to an application during the
219 authentication process.
221 In the following, a number of callback interfaces have been defined,
222 allowing an application to (if necessary) provide a user with
223 prompts and obtain additional information required to continue the
226 Additional callback interfaces may be defined in the future.
227 Typically, a client will construct an object that implements all of
230 Protocol Drivers are protocol-dependent, and may be built in to a
231 protocol package or an application. However, there should be a
232 generalized framework for registering and finding Mechanism Drivers.
233 This can be handled in a way similar to content and protocol
234 handlers in java: look for them in a predefined place in the general
235 class hierarchy, e.g. javax.security.mechanisms. So if a Protocol
236 Driver is asked to use "GSSAPI", it would attempt to instantiate
237 javax.security.mechanisms.gssapi.class. A non-standard place can
238 also be specified, e.g. "myclasses.mechanisms.GSSAPI". This
239 functionality is provided by a mechanism driver factory, which knows
240 where to find candidate classes for instantiation.
242 The Mechanism Drivers are protocol-independent, and don't deal
243 directly with network connections, just byte arrays, so they can be
244 implemented in a generalizable way for all protocols.
246 A Security Layer Driver typically inherits a State object from the
247 Mechanism Driver, where parameters and resolutions reached during
248 authentication have been stored.
250 Different Mechanism Drivers may require different parameters to
251 carry out the authentication process. This is handled in the
252 following with a java.util.Properties object.
255 1 Overview of the SASL classes
261 SASLClientMechanismDriver Interface for all SASL Mechanism
265 SASLSecurityLayer An object implementing this interface
266 translates buffers back and forth
267 during a session, after the
271 Expires 4/99 [Page 4]
273 JAVA SASL API October 1998
275 authentication process has completed, to
276 provide a security layer.
280 SASLClientCB Base interface for classes which can be
281 used by a Mechanism Driver to obtain
282 additional client information during
283 negotiation of authentication with a
287 SASLNamePasswordClientCB An interface to provide a Mechanism
288 Driver with a user name and during
289 negotiation of authentication with a
293 SASLPasswordClientCB An interface to provide a Mechanism
294 Driver with a password or other single
295 textual credential item during
296 negotiation of authentication with a
300 SASLInfoClientCB An interface that can be used by a
301 Mechanism Driver to present the user
302 with arbitrary textual information
303 during negotiation of authentication
307 SASLWarningClientCB An interface that can be used by a
308 Mechanism Driver to present the user
309 with arbitrary textual information
310 during negotiation of authentication
311 with a server, and wait for user
315 SASLOkayCancelClientCB An interface that can be used by a
316 Mechanism Driver to present the user
317 with a choice of continuing or
318 cancelling during negotiation of
319 authentication with a server.
322 SASLGetLanguageCB An interface that can be used by a
323 Mechanism Driver to query for a language
324 to use in localization of client-visible
331 Expires 4/99 [Page 5]
333 JAVA SASL API October 1998
339 SASLMechanismFactory A class capable of instantiating a
343 SASLException Exception thrown on errors and
344 failures in the authentication
348 2 Overview of SASL API Use
350 An application generally uses the SASL API as follows:
352 - Pass a list of acceptable or known Mechanism Drivers to a
353 SASLMechanismFactory. The factory returns an object
354 implementing SASLClientMechanismDriver on success.
356 - Create an object implementing the client authentication
357 callback interfaces, which can provide credentials when
358 required by the Mechanism Driver.
360 - Have the SASLClientMechanismDriver object begin the
361 authentication process by providing an initial server request.
363 - Requests/responses are exchanged with the server. If a response
364 indicates authentication has completed, the Mechanism Driver is
365 queried for validation, and a SASLSecurityLayer object is
366 obtained from it. If not, the Mechanism Driver is queried for
367 an appropriate next request to the server. This continues until
368 authentication has completed.
370 - For the rest of the session, requests to the server are encoded
371 first by the Security Layer, and responses from the server are
372 decoded by it before processing in the application.
374 The following sections describe the SASL classes in more detail.
377 3 The java SASL classes
380 3.1 public interface SASLClientMechanismDriver
382 An object implementing this interface can negotiate authentication
383 using one or more authentication methods.
386 3.1.1 startAuthentication
391 Expires 4/99 [Page 6]
393 JAVA SASL API October 1998
395 startAuthentication(String id,
398 java.util.Properties props,
402 This method prepares a byte array to use for the initial request to
403 authenticate. A SASLException is thrown if the driver cannot
404 initiate authentication with the supplied parameters. The return
405 value may be null, indicating there is no initial response to send
410 id Protocol-dependent identification, e.g. user name
411 or distinguished name.
413 protocol A protocol supported by the mechanism driver, e.g
416 serverName Fully qualified name of server to authenticate
419 props Additional configuration for the session, e.g.
421 security.policy.encryption.minimum Minimum key length;
428 security.policy.encryption.maximum Maximum key length;
431 security.policy.server_
432 authentication True if server must
437 security.ip.local For kerberos v4; no
444 security.maxbuffer Maximum size of
452 Expires 4/99 [Page 7]
454 JAVA SASL API October 1998
457 authCB An optional object which can be invoked by the
458 mechanism driver to acquire additional
459 authentication information, such as user name and
463 3.1.2 evaluateResponse
466 evaluateResponse(byte[] challenge)
469 If a challenge is received from the server during the authentication
470 process, this method is called by the Protocol Driver to prepare an
471 appropriate next request to submit to the server. A SASLException is
472 thrown if no response can be generated for the challenge.
476 challenge Received server challenge.
484 This method may be called at any time to determine if the
485 authentication process is finished. Typically, the protocol driver
486 will not do this until it has received something from the server
487 which indicates (in a protocol-specific manner) that the process has
490 3.1.4 getSecurityLayer
492 public SASLSecurityLayer
493 getSecurityLayer() throws SASLException
495 Once authentication is complete, the Protocol Driver calls this
496 method to obtain an object capable of encoding/decoding data content
497 for the rest of the session (or until there is a new round of
498 authentication). An exception is thrown if authentication is not yet
502 3.1.5 getMechanismName
507 Report the name of this driver, e.g. "GSSAPI".
512 Expires 4/99 [Page 8]
514 JAVA SASL API October 1998
516 3.2 public interface SASLClientCB
518 Base interface for objects which can be called by a Mechanism
519 Driver to provide more information for authentication.
522 3.3 public interface SASLNamePasswordClientCB
525 An object implementing this interface can be called by a Mechanism
526 Driver to provide more information for authentication. Typically
527 what is provided by the object is an ID and a password.
530 3.3.1 promptNamePassword
533 promptNamePassword (String defaultID,
538 Method to be implemented by client of the mechanism driver. It may
539 or may not pop up a UI and allow a user to enter the information. It
540 returns true unless the operation was cancelled.
544 defaultID A default which may be used in selecting
547 serverFQDN The fully qualified domain name of the host to
548 which authentication is being attempted. Used
551 protocol "IMAP", "POP", etc. Used with kerberos.
553 prompt Textual information to be provided to the client
554 for obtaining an ID and password. It may be
563 Called by a mechanism driver to retrieve the ID (e.g. user name)
564 obtained by the object during promptNamePassword.
572 Expires 4/99 [Page 9]
574 JAVA SASL API October 1998
578 Called by a mechanism driver to retrieve the password obtained by
579 the object during promptNamePassword.
582 3.4 public interface SASLPasswordClientCB
585 An object implementing this interface can be called by a Mechanism
586 Driver to provide more information for authentication. Typically
587 what is provided by the object is a password.
593 promptPassword (String defaultID,
598 Method to be implemented by client of the mechanism driver. It may
599 or may not pop up a UI and allow a user to enter the information. It
600 returns true unless the operation was cancelled.
604 defaultID A default which may be used in selecting
607 serverFQDN The fully qualified domain name of the host to
608 which authentication is being attempted. Used
611 protocol "IMAP", "POP", etc. Used with kerberos.
613 prompt Textual information to be provided to the client
614 for obtaining a password. It may be localized.
622 Called by a mechanism driver to retrieve the password obtained by
623 the object during promptPassword.
626 3.5 public interface SASLInfoClientCB
629 An object implementing this interface can be called by a Mechanism
632 Expires 4/99 [Page 10]
634 JAVA SASL API October 1998
636 Driver to present information to a user. No confirmation is
643 promptInfo (String prompt)
645 Method to be implemented by client of the mechanism driver. It
646 presents the user with the supplied textual information.
650 prompt Textual information to be provided to the client.
654 3.6 public interface SASLWarningClientCB
657 An object implementing this interface can be called by a Mechanism
658 Driver to present information to a user. The user must take some
666 promptWarning (String prompt)
668 Method to be implemented by client of the mechanism driver. It
669 presents the user with the supplied textual information and waits
670 for the user to take some action to proceed.
674 prompt Textual information to be provided to the client.
678 3.7 public interface SASLOkayCancelClientCB
681 An object implementing this interface can be called by a Mechanism
682 Driver to present information to a user and return an indication
683 that an operation is to proceed or to be cancelled.
686 3.7.1 promptOkayCancel
692 Expires 4/99 [Page 11]
694 JAVA SASL API October 1998
696 promptOkayCancel (String prompt,
700 Method to be implemented by client of the mechanism driver. It
701 presents the user with the supplied textual information. The return
702 value is true to continue operations, false to abort. This may be
703 implemented with OK and CANCEL buttons in a dialog. If okText and/or
704 cancelText are non-null and not empty, they may be used to label
709 prompt Textual information to be provided to the client. It
712 okText Optional label for OK button or selection.
714 cancelText Optional label for Cancel button or selection.
717 3.8 public interface SASLGetLanguageClientCB
720 An object implementing this interface can be called by a Mechanism
721 Driver to obtain a language to use for localization of user-visible
730 Method to be implemented by client of the mechanism driver. It
731 returns a language to use in localizing user-visible text.
734 3.9 public interface SASLSecurityLayer
736 An object implementing this interface translates buffers back and
737 forth during a session, after the authentication process has
738 completed, to provide a security layer.
744 encode(byte[] outVals) throws SASLException
746 Take a protocol-dependent byte array and encode it (encrypt, for
747 example) for sending to the server.
752 Expires 4/99 [Page 12]
754 JAVA SASL API October 1998
759 decode(byte[] inVals) throws SASLException
761 Take an encoded byte array received from the server and decode it.
765 outVals A request to be encoded before sending to the
768 inVals A response received from the server, to be
772 3.10 public class SASLMechanismFactory
774 This class can provide a SASLClientMechanismDriver, or a list of
778 3.10.1 getMechanismDriver
780 public static SASLClientMechanismDriver
781 getMechanismDriver(String mechanism,
786 public static SASLClientMechanismDriver
787 getMechanismDriver(String[] mechanisms,
791 Returns an object implementing a requested Mechanism Driver. A
792 SASLException is thrown if no corresponding Mechanism Driver can be
797 mechanism A single mechanism name, e.g. "GSSAPI".
799 mechanisms A list of acceptable mechanisms. The first one
800 for which a Mechanism Driver can be instantiated
803 packageName A package from which to instantiate the Mechanism
804 Driver, e.g. "myclasses.SASL.mechanisms". If
805 null, a system default is used.
809 public static String[]
812 Expires 4/99 [Page 13]
814 JAVA SASL API October 1998
819 public static String[]
820 getMechanisms(String packageName)
822 Returns a list of available mechanisms.
826 packageName A package from which to instantiate the Mechanism
827 Driver, e.g. "myclasses.SASL.mechanisms". If
828 null, a system default is used.
831 3.11 public class SASLException
834 Exception thrown on errors and failures in authentication.
839 public SASLException()
841 Constructs a default exception with no specific error information.
844 public SASLException(String message, int resultCode)
847 Constructs a default exception with a specified string as additional
848 information, and a result code.
853 message Additional error information.
855 resultCode The result code to return.
859 4 Security Considerations
861 When SASL authentication is performed over unsecured connections, it
862 is possible for an active attacker to spoof the server's protocol-
863 specific indication that authentication is complete. Clients should
864 protect against this attack by verifying the completion of
865 authentication with the mechanism driver by calling the driver's
868 Additional security considerations are discussed in [1].
872 Expires 4/99 [Page 14]
874 JAVA SASL API October 1998
879 [1] J. Myers, "Simple Authentication and Security Layer (SASL)",
880 Internet Draft draft-myers-auth-sasl-12.txt, September 1997
886 Netscape Communications Corp.
887 501 E. Middlefield Rd.
889 Mountain View, CA 94043-4042
891 Email: rweltman@netscape.com
894 Netscape Communications Corp.
895 501 E. Middlefield Rd.
897 Mountain View, CA 94043-4042
899 Email: jgmyers@netscape.com
902 Netscape Communications Corp.
903 501 E. Middlefield Rd.
905 Mountain View, CA 94043-4042
907 Email: prasad@netscape.com
910 Netscape Communications Corp.
911 501 E. Middlefield Rd.
913 Mountain View, CA 94043-4042
915 Email: chrisho@netscape.com
932 Expires 4/99 [Page 15]
934 JAVA SASL API October 1998
936 5 Appendix A - Sample java LDAP program using SASL
938 /****************************************************************
939 It might look like this in LDAP. The Protocol Driver is
940 implemented as part of the authenticate method of
942 ****************************************************************/
944 public class LDAPConnection {
945 public void authenticate( String dn,
949 SASLClientCB getter )
950 throws LDAPException {
951 SASLClientMechanismDriver driver;
953 // Get a mechanism driver
955 SASLMechanismFactory.getMechanismDriver( mechanism,
957 // Get the initial request to start authentication
958 byte[] outVals = driver.startAuthentication( dn,
963 getSocketOutput().writeRequest( outVals );
964 // Get the server response
965 byte[] inVals = getSocketInput().readResponse();
966 // Authentication done?
967 while ( !checkForCompletion( inVals ) ) {
968 // No, get an appropriate next request and send it off
969 outVals = driver.evaluateResponse( inVals );
970 getSocketOutput().writeRequest( outVals );
971 inVals = getSocketInput().readResponse();
973 // Make sure authentication REALLY is complete
974 if ( !driver.isComplete() ) {
975 /* Authentication session hijacked! */
976 throw new LDAPException();
978 security = driver.getSecurityLayer();
979 } catch ( SASLException e ) {
980 throw new LDAPException();
981 } catch ( IOException e ) {
982 throw new LDAPException();
986 private SASLSecurityLayer security = null;
992 Expires 4/99 [Page 16]
994 JAVA SASL API October 1998
996 /****************************************************************
997 This might be in an application
998 ****************************************************************/
1000 // Object to supply credentials when needed
1001 class RequestedInfoGetter implements SASLNamePasswordClientCB,
1002 SASLPasswordClientCB,
1004 SASLWarningClientCB,
1005 SASLGetLanguageClientCB,
1006 SASLOkayCancelClientCB {
1007 public RequestedInfoGetter() {}
1009 public boolean promptNamePassword ( String defaultID,
1013 // Put up a dialog box, get user's selected ID and password
1014 UserIDDialog dlg = new UserIDDialog();
1015 if ( dlg.doDialog( defaultID, prompt ) == OK ) {
1017 _password = dlg.getPassword();
1023 public boolean promptPassword ( String defaultID,
1027 // Put up a dialog box, get user's selected password
1028 PasswordDialog dlg = new PasswordDialog();
1029 if ( dlg.doDialog( defaultID, prompt ) == OK ) {
1030 _password = dlg.getPassword();
1036 public void promptWarning ( String prompt ) {
1037 // Put up a dialog box, wait for confirmation
1038 WarningDialog dlg = new WarningDialog();
1039 dlg.doDialog( prompt );
1041 public void promptInfo ( String prompt ) {
1042 // Put the text in the status box
1043 statusWin.addText( prompt );
1045 public boolean promptOkayCancel ( String prompt,
1046 String ok, String cancel ) {
1047 // Put up a dialog box, wait for OK or Cancel
1048 OkayCancelDialog dlg = new OkayCancelDialog();
1049 return dlg.doDialog( prompt );
1052 Expires 4/99 [Page 17]
1054 JAVA SASL API October 1998
1058 public String getLanguage () {
1059 // Get the language from the locale
1060 String lang = locale.getLanguage();
1061 if ( (locale.getCountry() != null) &&
1062 (locale.getCountry().length() > 0) ) {
1063 lang += "-" + locale.getCountry();
1064 if ( (locale.getVariant() != null) &&
1065 (locale.getVariant().length() > 0) ) {
1066 lang += "-" + locale.getVariant();
1072 public String getID() { return _id; }
1073 public String getPassword() { return _password; }
1076 private String _password;
1112 Expires 4/99 [Page 18]
1114 JAVA SASL API October 1998
1116 /***************************************************************
1117 And so the application code to do authentication
1118 ***************************************************************/
1120 // Set up all SASL parameters; some may have reasonable defaults
1121 Properties props = new Properties();
1122 props.add( "security.policy.encryption.minimum", "40");
1123 props.add( "security.policy.encryption.maximum", "128");
1124 props.add( "security.policy.server_authentication", "true");
1125 props.add( "security.maxbuffer", "4096");
1126 // The following two for kerberos v4, only
1127 //props.add( "security.ip.local", "192.68.1.10");
1128 //props.add( "security.ip.remote", "192.68.1.50");
1130 // What we want to authenticate as
1131 String dn = "cn=Directory Manager";
1133 // Create an object for possible use by the authentication
1135 RequestedInfoGetter getter = new RequestedInfoGetter();
1138 // Note: getter methods may be called during authentication
1139 // Note: "connection" includes the SASL Protocol Driver
1140 // functionality, and it will internally manage a Mechanism
1141 // Driver for GSSAPI, and then a Security Layer object for
1143 connection.authenticate( dn, "GSSAPI", props, getter );
1144 } catch ( LDAPException e ) {
1145 // Abort, return, maybe try some other authentication
1148 // Okay. From here on, everything goes through security, but the
1149 // methods have the same signatures as if we were not using SASL
1172 Expires 4/99 [Page 19]