Examples of net.jini.io.UnsupportedConstraintException

• net.jini.io.UnsupportedConstraintException
  Typically used as the nested exception of a {@link java.rmi.ConnectIOException} if the constraints for a remote callcannot be satisfied. Such an exception can be thrown at the point a remote method is invoked for a variety of reasons, including:

  • A client requirement is not supported by the server.
  • A client or server requirement conflicts with some other client or server requirement.
  • A client or server requirement cannot be satisfied by the proxy implementation.
  • The local subject that would be used for authentication does not contain sufficient credentials to satisfy a client or server requirement.
  • For a client or server requirement, the proxy implementation does not implement any algorithm in common with the server (for example, because the proxy implementation only uses algorithms that are available in the client environment rather than downloading algorithm implementations).
  • A delegated remote call is being attempted, and the current time is either earlier than the granted delegation start time or later than the granted delegation stop time.

  @author Sun Microsystems, Inc. @since 2.0 @see net.jini.core.constraint.RemoteMethodControl

  public void checkConstraints() throws IOException {
      try {
    X500Constraints cons = X500Constraints.process(constraints,
                     false);
    if (cons.checkServerPrincipal(p) < 0) {
        throw new UnsupportedConstraintException(
      "principal not allowed: " + p);
    }
    Certificate cert = getCertificate(p);
    if (cert == null) {
        throw new DiscoveryProtocolException(

      {
    InvocationConstraint c = (InvocationConstraint) i.next();
    if (c instanceof ServerMinPrincipal) {
        Set s = ((ServerMinPrincipal) c).elements();
        if (s.size() > 1) {
      throw new UnsupportedConstraintException(
          "multiple server principals");
        }
        Principal p = (Principal) s.iterator().next();
        if (!(p instanceof KerberosPrincipal)) {
      throw new UnsupportedConstraintException(
          "non-kerberos server principal");
        }
        if (principal == null) {
      principal = (KerberosPrincipal) p;
        } else if (!principal.equals(p)) {
      throw new UnsupportedConstraintException(
          "multiple server principals");
        }
    }
    // NYI: support ConstraintAlternatives with ServerMinPrincipals
      }
      if (principal != null) {
    return principal;
      }
      for (Iterator i = constraints.preferences().iterator(); i.hasNext(); )
      {
    InvocationConstraint c = (InvocationConstraint) i.next();
    if (c instanceof ServerMinPrincipal) {
        Set s = ((ServerMinPrincipal) c).elements();
        for (Iterator j = s.iterator(); j.hasNext(); ) {
      Principal p = (Principal) j.next();
      if (p instanceof KerberosPrincipal) {
          return (KerberosPrincipal) p;
      }
        }
    }
    // NYI: support ConstraintAlternatives with ServerMinPrincipals
      }
      throw new UnsupportedConstraintException("no kerberos principal");
  }

   *         determined by the requirements of the constraints.
   */
        List getConfigs() throws UnsupportedConstraintException {

      if (errorCode != NO_ERROR) {
    throw new UnsupportedConstraintException(
        detailedExceptionMsg);
      }

      KerberosTicket[] tickets =
    (KerberosTicket[]) AccessController.doPrivileged(
        new PrivilegedAction() {
          public Object run() {
        return getTickets();
          }
      });

      ArrayList configList = new ArrayList(configs.length);

      /* This illustrates how a detailed failure msg is derived:
       *
       *               |<-- stepsFromSuccess -->|
       *
       *                               TGT.forwardable
       *                      TGT.yes
       *            perm.yes           TGT.unforwardable
       *                      TGT.no
       * deleg.yes
       *            perm.no
       *
       *-------------------------------------------------------
       *
       *                      TGT.yes
       *            perm.yes
       *                      TGT.no
       * deleg.no
       *            perm.no
       *
       */
      int delegYesStepsFromSuccess = 3;
      KerberosPrincipal delegYesCp = null;

      int delegNoStepsFromSuccess = 2;
      KerberosPrincipal delegNoCp = null;

      HashMap hasPermMap = new HashMap();
      for (int i = 0; i < configs.length; i++) {
    AuthenticationPermission perm = getAuthenticationPermission(
        configs[i].clientPrincipal, configs[i].deleg);
    Boolean hasPerm = (Boolean) hasPermMap.get(perm);
    if (hasPerm == null) {
        try {
      KerberosUtil.checkAuthPermission(perm);
      hasPermMap.put(perm, Boolean.TRUE); // check succeed
        } catch (SecurityException e) {
      hasPermMap.put(perm, Boolean.FALSE); // check failed
      continue;
        }
    } else if (hasPerm == Boolean.FALSE) {
        continue;
    } // else: permission check has been done and succeeded

    if (configs[i].deleg) {
        if (delegYesStepsFromSuccess > 2) {
      delegYesStepsFromSuccess = 2; // record the 1st
      delegYesCp = configs[i].clientPrincipal;
        }
        KerberosTicket t = findTicket(
      tickets, configs[i].clientPrincipal);
        if (t != null) {
      if (delegYesStepsFromSuccess > 1) {
          delegYesStepsFromSuccess = 1; // record the 1st
          delegYesCp = configs[i].clientPrincipal;
      }
      if (t.isForwardable())
          configList.add(configs[i]);
        }
    } else {
        if (delegNoStepsFromSuccess > 1) {
      delegNoStepsFromSuccess = 1; // record the 1st
      delegNoCp = configs[i].clientPrincipal;
        }
        if (findTicket(tickets, configs[i].clientPrincipal) !=
      null)
        {
      configList.add(configs[i]);
        }
    }
      }

      if (configList.size() == 0) { // no valid config found
    if (delegNoStepsFromSuccess < delegYesStepsFromSuccess) {
        switch (delegNoStepsFromSuccess) {
        case 1:
      throw new UnsupportedConstraintException(
          "JAAS login has not been done properly, the " +
          "subject associated with the current " +
          "AccessControlContext does not contain a valid " +
          "TGT for " + delegNoCp.getName());
        case 2:
      throw new SecurityException(
          "Caller does not have any of the following " +
          "acceptable permissions: " +
          hasPermMap.keySet());
        default:
      throw new AssertionError("should not reach here");
        }
    } else {
        switch (delegYesStepsFromSuccess) {
        case 1:
      throw new UnsupportedConstraintException(
          "JAAS login has not been done properly, the " +
          "subject associated with the current " +
          "AccessControlContext contains a valid TGT for " +
          delegYesCp.getName() + ", but the TGT is not " +
          "forwardable.");
        case 2:
      throw new UnsupportedConstraintException(
          "JAAS login has not been done properly, the " +
          "subject associated with the current " +
          "AccessControlContext does not contain a valid " +
          "TGT for " + delegYesCp.getName());
        default:

        }
    }
    if (credExcept instanceof SecurityException) {
        exception = (SecurityException) credExcept;
    } else {
        exception = new UnsupportedConstraintException(
      "Client not authenticated", credExcept);
    }
      } else {
    if (logger.isLoggable(Level.FINE)) {
        logger.log(Level.FINE,
             "new connection for {0}\ncreates {1}",
             new Object[] { callContext, this });
    }
    return;
      }
  } catch (SSLProtocolException e) {
      /*
       * Don't throw an UnsupportedConstraintException -- this is a
       * problem within the SSL implementation.
       */
      exception = e;
  } catch (SSLException e) {
      exception = new UnsupportedConstraintException(e.getMessage(), e);
  } catch (IOException e) {
      exception = e;
  } catch (SecurityException e) {
      exception = e;
  }

        }
        return result;
    }
      }
  }
  UnsupportedConstraintException unsupported = null;
  if (contexts.isEmpty()) {
      unsupported = new UnsupportedConstraintException(
    "Constraints not supported: " + constraints);
  } else {
      boolean checkSubject;
      if (constrainedServer) {
    checkSubject = true;

      }
  }
  if (!contexts.isEmpty()) {
      return contexts;
  } else {
      throw new UnsupportedConstraintException(
    "Constraints not supported: " + constraints + ";" +
    (missingPublic.isEmpty() ? ""
     : ("\nmissing principals or public credentials: " +
        missingPublic)) +
    (missingPrivate.isEmpty() ? ""

        Collection<InvocationConstraint> required = new ArrayList<InvocationConstraint>(4);
        InvocationConstraint clientAuth = ClientAuthentication.YES;
        required.add(clientAuth);
        Collection preferred = null;
        InvocationConstraints constraints = new InvocationConstraints(required, preferred);
        UnsupportedConstraintException ex = null;
        try {
            instance.checkUnicastDiscoveryConstraints(constraints);
        } catch (UnsupportedConstraintException e) {
            ex = e;
        }

  protocolVersions = cr.reduce(
      new InvocationConstraints(constraints.requirements(), null));
  if (!protocolVersions.isEmpty() &&
      intersect(protocolVersions, supportedProtocols).isEmpty())
  {
      throw new UnsupportedConstraintException(
    "no supported protocols: " + protocolVersions);
  }
  preferredProtocolVersion = chooseProtocolVersion(
      protocolVersions, cr.reduce(constraints), unfulfilled);

    {
  if (!(protocolVersions.isEmpty() ||
        protocolVersions.contains(
      DiscoveryProtocolVersion.getInstance(version))))
  {
      throw new UnsupportedConstraintException(
    "disallowed protocol: " + version);
  }
    }

    if (!toReduce.isEmpty()) {
        Set s = reduce0(reduced, toReduce);
        if (!s.isEmpty()) {
      reduced = s;
        } else if (required) {
      throw new UnsupportedConstraintException(
          "constraints conflict: " + constraints);
        }
    }
      }
      return reduced;