Examples of net.jini.io.UnsupportedConstraintException

• net.jini.io.UnsupportedConstraintException
  Typically used as the nested exception of a {@link java.rmi.ConnectIOException} if the constraints for a remote callcannot be satisfied. Such an exception can be thrown at the point a remote method is invoked for a variety of reasons, including:

  • A client requirement is not supported by the server.
  • A client or server requirement conflicts with some other client or server requirement.
  • A client or server requirement cannot be satisfied by the proxy implementation.
  • The local subject that would be used for authentication does not contain sufficient credentials to satisfy a client or server requirement.
  • For a client or server requirement, the proxy implementation does not implement any algorithm in common with the server (for example, because the proxy implementation only uses algorithms that are available in the client environment rather than downloading algorithm implementations).
  • A delegated remote call is being attempted, and the current time is either earlier than the granted delegation start time or later than the granted delegation stop time.

  @author Sun Microsystems, Inc. @since 2.0 @see net.jini.core.constraint.RemoteMethodControl

   *         determined by the requirements of the constraints.
   */
        List getConfigs() throws UnsupportedConstraintException {

      if (errorCode != NO_ERROR) {
    throw new UnsupportedConstraintException(
        detailedExceptionMsg);
      }

      KerberosTicket[] tickets =
    (KerberosTicket[]) AccessController.doPrivileged(
        new PrivilegedAction() {
          public Object run() {
        return getTickets();
          }
      });

      ArrayList configList = new ArrayList(configs.length);

      /* This illustrates how a detailed failure msg is derived:
       *
       *               |<-- stepsFromSuccess -->|
       *
       *                               TGT.forwardable
       *                      TGT.yes
       *            perm.yes           TGT.unforwardable
       *                      TGT.no
       * deleg.yes
       *            perm.no
       *
       *-------------------------------------------------------
       *
       *                      TGT.yes
       *            perm.yes
       *                      TGT.no
       * deleg.no
       *            perm.no
       *
       */
      int delegYesStepsFromSuccess = 3;
      KerberosPrincipal delegYesCp = null;

      int delegNoStepsFromSuccess = 2;
      KerberosPrincipal delegNoCp = null;

      HashMap hasPermMap = new HashMap();
      for (int i = 0; i < configs.length; i++) {
    AuthenticationPermission perm = getAuthenticationPermission(
        configs[i].clientPrincipal, configs[i].deleg);
    Boolean hasPerm = (Boolean) hasPermMap.get(perm);
    if (hasPerm == null) {
        try {
      KerberosUtil.checkAuthPermission(perm);
      hasPermMap.put(perm, Boolean.TRUE); // check succeed
        } catch (SecurityException e) {
      hasPermMap.put(perm, Boolean.FALSE); // check failed
      continue;
        }
    } else if (hasPerm == Boolean.FALSE) {
        continue;
    } // else: permission check has been done and succeeded

    if (configs[i].deleg) {
        if (delegYesStepsFromSuccess > 2) {
      delegYesStepsFromSuccess = 2; // record the 1st
      delegYesCp = configs[i].clientPrincipal;
        }
        KerberosTicket t = findTicket(
      tickets, configs[i].clientPrincipal);
        if (t != null) {
      if (delegYesStepsFromSuccess > 1) {
          delegYesStepsFromSuccess = 1; // record the 1st
          delegYesCp = configs[i].clientPrincipal;
      }
      if (t.isForwardable())
          configList.add(configs[i]);
        }
    } else {
        if (delegNoStepsFromSuccess > 1) {
      delegNoStepsFromSuccess = 1; // record the 1st
      delegNoCp = configs[i].clientPrincipal;
        }
        if (findTicket(tickets, configs[i].clientPrincipal) !=
      null)
        {
      configList.add(configs[i]);
        }
    }
      }

      if (configList.size() == 0) { // no valid config found
    if (delegNoStepsFromSuccess < delegYesStepsFromSuccess) {
        switch (delegNoStepsFromSuccess) {
        case 1:
      throw new UnsupportedConstraintException(
          "JAAS login has not been done properly, the " +
          "subject associated with the current " +
          "AccessControlContext does not contain a valid " +
          "TGT for " + delegNoCp.getName());
        case 2:
      throw new SecurityException(
          "Caller does not have any of the following " +
          "acceptable permissions: " +
          hasPermMap.keySet());
        default:
      throw new AssertionError("should not reach here");
        }
    } else {
        switch (delegYesStepsFromSuccess) {
        case 1:
      throw new UnsupportedConstraintException(
          "JAAS login has not been done properly, the " +
          "subject associated with the current " +
          "AccessControlContext contains a valid TGT for " +
          delegYesCp.getName() + ", but the TGT is not " +
          "forwardable.");
        case 2:
      throw new UnsupportedConstraintException(
          "JAAS login has not been done properly, the " +
          "subject associated with the current " +
          "AccessControlContext does not contain a valid " +
          "TGT for " + delegYesCp.getName());
        default:

      "connection configuration for the request", null,
      exceptionCaught);
    }
    if (rh.errorCode == UNSUPPORTABLE_CONSTRAINT_REQUIRED)
        throw (UnsupportedConstraintException) exceptionCaught;
    UnsupportedConstraintException genericException =
        new UnsupportedConstraintException(
                        "Either there are conflicting or unsatisfiable " +
      "constraint requirements, " +
      "or the JAAS login has not been " +
      "done (Subject.getSubject(AccessController." +
      "getContext()) returns null), or no appropriate " +

  }

  Exception detailedException = null;
  if (usePrincipalInSubject) {
      if (serverSubject == null) {
    detailedException = new UnsupportedConstraintException(
        "Forgot JAAS login?  Using default " +
        "serverSubject but no subject is associated " +
        "with the current access control context.");
      } else {
    try {
        serverPrincipal = findServerPrincipal(serverSubject);
    } catch (Exception e) {
        detailedException = e;
    }
      }
  } else if (useCurrentSubject) {
      try {
                /* caller provided principal, but want to use the
                   current subject, should only proceed if caller has
                   the listen AuthenticationPermission */
    KerberosUtil.checkAuthPermission(
        serverPrincipal, null, "listen");
    if (serverSubject == null) {
        detailedException = new UnsupportedConstraintException(
      "Forgot JAAS login?  Using default " +
      "serverSubject but no subject is associated " +
      "with the current access control context.");
    }
      } catch (SecurityException e) {
    serverSubject = null;
    // will throw a SecurityException in enumerateListenEndpoints
      }
  }

  if (detailedException != null) {
      if (logger.isLoggable(Levels.FAILED)) {
    KerberosUtil.logThrow(
        logger, Levels.FAILED, this.getClass(),
        "constructor", "construction failed", null,
        detailedException);
      }
      KerberosUtil.secureThrow(
    detailedException, new UnsupportedConstraintException(
        "Either the caller has not been granted the right " +
        "AuthenticationPermission, or there is no default " +
        "server subject (<code>Subject.getSubject(" +
        "AccessController.getContext())</code> returns " +
        "<code>null</code>), or no appropriate Kerberos " +

      for (Iterator iter = constraints.requirements().iterator();
     iter.hasNext(); )
      {
    InvocationConstraint c = (InvocationConstraint)iter.next();
    if (!KerberosUtil.isSupportableConstraint(c)) {
        throw new UnsupportedConstraintException(
      "A constraint unsupportable by this endpoint " +
      "has been required: " + c);
    }
      }

      if (getKey(serverSubject, serverPrincipal) == null) {
    throw new UnsupportedConstraintException(
        "Failed to find a valid Kerberos key " +
        "corresponding to serverPrincipal (" + serverPrincipal +
        ") in serverSubject.");
      }

      // now check whether the constraints are satisfiable

      // first find all client principal candidates in constraints
      HashSet cpCandidates = new HashSet();
      for (Iterator iter = constraints.requirements().iterator();
     iter.hasNext(); )
      {
    if (!KerberosUtil.collectCpCandidates(
        (InvocationConstraint) iter.next(), cpCandidates))
    {
        throw new UnsupportedConstraintException(
      "Client principal constraint related conflicts " +
      "found in the given set of constraints: " +
      constraints);
    }
      }

      if (cpCandidates.size() == 0) {
    /* no client principal constraints is required, anyone
       will pass */
    cpCandidates.add(new KerberosPrincipal("anyone"));
      }

      // look for a satisfiable config
      boolean doable = false;
      ConfigIter citer =
    new ConfigIter(cpCandidates, serverPrincipal, true);
    outer:
      while (citer.hasNext()) {
    Config config = citer.next();
    for (Iterator iter = constraints.requirements().iterator();
         iter.hasNext(); )
    {
        InvocationConstraint c =
      (InvocationConstraint) iter.next();
        if (!KerberosUtil.isSatisfiable(config, c))
      continue outer;
    }
    doable = true;
    break;
      }

      if (!doable) {
    throw new UnsupportedConstraintException(
        "Conflicts found in the given set of constraints: " +
        constraints);
      }

      unfulfilledConstraints = InvocationConstraints.EMPTY;

        kpset.add(p);
      }
  }

  if (kpset.isEmpty()) {
      throw new UnsupportedConstraintException(
    "No KerberosPrincipal found in the serverSubject.");
  }

  boolean hasAuthPerm = false;
  for (Iterator iter = kpset.iterator(); iter.hasNext();) {
      KerberosPrincipal kp = (KerberosPrincipal) iter.next();
      try {
    if (getKey(subject, kp) != null) {
        return kp;
    } else {
        // if reach here, has auth perm, but no key
        hasAuthPerm = true;
    }
      } catch (SecurityException e) {}
  }

  // note that exceptions throw here are logged in the constructor
  if (hasAuthPerm) {
      throw new UnsupportedConstraintException(
    "Cannot find any Kerberos key in the serverSubject " +
    "corresponding to one of its principals.");
  } else {
      throw new SecurityException(
    "Caller does not have AuthenticationPermission " +

      try {
    // make sure that serverPrincipal is in serverSubject
    if (serverSubject != null &&
        !serverSubject.getPrincipals().contains(serverPrincipal))
    {
        throw new UnsupportedConstraintException(
      "Failed to find serverPrincipal " + serverPrincipal +
      "in serverSubject's principal set, cannot listen.");
    }

    // getKey checks AuthenticationPermission "listen"
    serverKey = getKey(serverSubject, serverPrincipal);

    if (serverKey == null) {
        throw new UnsupportedConstraintException(
      "No valid Kerberos key in the server subject for " +
      serverPrincipal + ", cannot listen.");
    }

    synchronized (classLock) {
        if (gssManager == null) {
      gssManager = GSSManager.getInstance();
        }
    }

    try {
        serverCred = (GSSCredential) Security.doPrivileged(
      new PrivilegedExceptionAction() {
        public Object run() throws GSSException {
            return KerberosUtil.getGSSCredential(
          serverSubject, serverPrincipal,
          gssManager, GSSCredential.ACCEPT_ONLY);
        }
          });
    } catch (PrivilegedActionException pe) {
        GSSException ge = (GSSException) pe.getException();
        throw new UnsupportedConstraintException(
      "Failed to get GSSCredential for server principal: " +
      serverPrincipal, ge);
    }
      } catch (UnsupportedConstraintException uce) {
    if (logger.isLoggable(Levels.FAILED)) {

      {
    try {
        InvocationConstraint c =
      (InvocationConstraint) iter.next();
        if (!KerberosUtil.isSupportableConstraint(c)) {
      UnsupportedConstraintException e =
          new UnsupportedConstraintException(
        "A constraint unsupportable by this " +
        "endpoint has been required: " + c);
      softCache.put(key, e);
      throw e;
        }

        if (!KerberosUtil.isSatisfiable(rh.config, c)) {
      UnsupportedConstraintException e =
          new UnsupportedConstraintException(
        "A required constraint (" + c + ") is not " +
        "satisfied by this connection: " + this);
      softCache.put(key, e);
      throw e;
        }

    throw new NullPointerException("Constraints cannot be null");
      }
      InvocationConstraints result = getUnfulfilledConstraints(
    cipherSuite, clientPrincipal, serverPrincipal, constraints);
      if (result == null) {
    UnsupportedConstraintException uce =
        new UnsupportedConstraintException(
      "Constraints are not supported: " + constraints);
    if (logger.isLoggable(Levels.FAILED)) {
        logThrow(logger, Levels.FAILED,
           SslServerConnection.class, "checkConstraints",
           "check constraints for {0}\nwith {1}\n" +

     */
    synchronized void checkAuthentication()
  throws UnsupportedConstraintException
    {
  if (clientCredential == null) {
      throw new UnsupportedConstraintException(
    "Client is not authenticated");
  } else if (clientCredential.isDestroyed()) {
      throw new UnsupportedConstraintException(
    "Private credentials are destroyed");
  } else if (System.currentTimeMillis() > credentialsValidUntil) {
      throw new UnsupportedConstraintException(
    "Certificates are no longer valid");
  }
  if (subjectIsReadOnly) {
      SecurityManager sm = System.getSecurityManager();
      if (sm != null) {
    sm.checkPermission(authenticationPermission);
      }
  } else {
      Subject subject = getSubject();
      X509Certificate cert = clientCredential.getCertificate();
      if (SubjectCredentials.getPrincipal(subject, cert) == null) {
    throw new UnsupportedConstraintException("Missing principal");
      }
      CertPath chain =
    SubjectCredentials.getCertificateChain(subject, cert);
      if (chain == null) {
    throw new UnsupportedConstraintException(
        "Missing public credentials");
      }
      X500PrivateCredential pc = getPrivateCredential(
    cert, authenticationPermission);
      if (pc == null) {
    throw new UnsupportedConstraintException(
        "Missing private credentials");
      } else if (!equalPrivateCredentials(clientCredential, pc)) {
    throw new UnsupportedConstraintException(
        "Wrong private credentials");
      }
  }
    }

      }

      if ((clientConstraints != null) &&
    !(currProxy instanceof RemoteMethodControl))
      {
    throw new UnsupportedConstraintException(
         "underlying proxy does not implement RemoteMethodControl");
      }

      /*
       * Set constraints on target proxy only if relative constraints