JGSS concepts

JGSS operations consist of four distinct stages, as standardized by the Generic Security Service Application Programming Interface (GSS-API).

The stages are as follows:

1. Gathering of credentials for principals.
2. Creating and establishing a security context between the communicating peer principals.
3. Exchanging secure messages between the peers.
4. Cleaning up and releasing resources.

Additionally, JGSS leverages the Java™ Cryptographic Architecture to offer seamless pluggability of different security mechanisms.

Use the following links to read high-level descriptions of these important JGSS concepts.

• Principals and credentials
• Context establishment
• Message protection and exchange
• Resource cleanup and release
• Security mechanisms

• Principals and credentials
  The identity under which an application engages in JGSS secure communication with a peer is called a principal. A principal may be a real user or an unattended service. A principal acquires security mechanism-specific credentials as proof of identity under that mechanism.
• Context establishment
  Having acquired security credentials, the two communicating peers establish a security context using their credentials. Although the peers establish a single joint context, each peer maintains its own local copy of the context. Context establishment involves the initiating peer authenticating itself to the accepting peer. The initiator optionally may request mutual authentication, in which case the acceptor authenticates itself to the initiator.
• Message protection and exchange
  Following context establishment, the two peers are ready to engage in secure message exchanges. The originator of the message calls on its local GSS-API implementation to encode the message, which ensures message integrity and, optionally, message confidentiality. The application then transports the resulting token to the peer.
• Resource cleanup and release
  In order to free up resources, a JGSS application deletes a context that is no longer needed. Although a JGSS application can access a deleted context, any attempt to use it for message exchange results in an exception.
• Security mechanisms
  The GSS-API consists of an abstract framework over one or more underlying security mechanisms. How the framework interacts with the underlying security mechanisms is implementation specific.