Passing Input to the Mechanisms

Because the Java™ SASL API is a general framework, it must be able to accommodate many different types of mechanisms. Each mechanism needs to be initialized with input and may need input to make progress. The API provides three means by which an application gives input to a mechanism.
  1. Common input parameters. The application uses predefined parameters to supply information that is defined by the SASL specification and commonly required by mechanisms. For SASL client mechanisms, the input parameters are authorization id, protocol id, and server name. For SASL server mechanisms, the common input parameters are protocol id and (its own fully qualified) server name. See Sasl.createSaslClient and Sasl.createSaslServer for more information.
  2. Properties parameter. The application uses the properties parameter, a mapping of property names to (possibly non-string) property values, to supply configuration information. The Java SASL API defines some standard properties, such as quality-of-protection (Sasl.QOP), cipher strength (Sasl.STRENGTH), and maximum buffer size (Sasl.MAX_BUFFER). The parameter can also be used to pass in non-standard properties that are specific to particular mechanisms.
  3. Callback handler parameter. The application uses the callback handler parameter to supply input that cannot be predetermined or might not be common across mechanisms. When a mechanism requires input data, it uses the callback handler supplied by the application to collect the data, possibly from the end-user of the application. For example, a mechanism might require the end-user of the application to supply a name and password.

    Mechanisms can use the callbacks defined in the javax.security.auth.callback package; these are generic callbacks useful for building applications that perform authentication. Mechanisms might also need SASL-specific callbacks, such as those for collecting realm and authorization information, or even (non-standardized) mechanism-specific callbacks. The application should be able to accommodate a variety of mechanisms. Consequently, its callback handler must be able to service all of the callbacks that the mechanisms might request. This is not possible in general for arbitrary mechanisms, but is usually feasible due to the limited number of mechanisms that are typically deployed and used.

    For more information about the javax.security.auth.callback package, see the Java Authentication and Authorization Service (JAAS) section in Security API Reference for IBM SDK, Java Technology Edition.
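
The following added example (not part of the original documentation) shows all three kinds of input supplied to one Sasl.createSaslClient call, with a callback handler that rejects any callback it does not service. The mechanism name DIGEST-MD5, the user alice, the protocol ldap, the host ldap.example.com and the password are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

public class SaslInputExample {
    public static void main(String[] args) throws SaslException {
        char[] password = "constructed-secret".toCharArray(); // constructed sample value

        // 2. Properties parameter: standard properties defined by the Java SASL API.
        Map<String, Object> props = new HashMap<>();
        props.put(Sasl.QOP, "auth-conf");           // accept only integrity plus confidentiality
        props.put(Sasl.STRENGTH, "high");           // cipher strength preference
        props.put(Sasl.MAX_BUFFER, "65536");        // maximum receive buffer, in bytes
        props.put(Sasl.POLICY_NOPLAINTEXT, "true"); // exclude mechanisms that send the password in clear

        // 3. Callback handler parameter: service the callbacks the deployed
        //    mechanisms are expected to request and fail closed on anything else.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("alice");           // assumed user name
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);  // the callback stores a copy
                } else if (cb instanceof RealmCallback) {
                    RealmCallback rc = (RealmCallback) cb;          // SASL-specific callback
                    rc.setText(rc.getDefaultText());                // use the realm the mechanism proposes
                } else {
                    throw new UnsupportedCallbackException(cb, "callback not serviced");
                }
            }
        };

        // 1. Common input parameters: authorization id, protocol id, server name.
        SaslClient client = Sasl.createSaslClient(new String[] {"DIGEST-MD5"},
                "alice", "ldap", "ldap.example.com", props, handler);
        System.out.println(client == null
                ? "no installed mechanism satisfies the properties"
                : "selected " + client.getMechanismName());

        // No exchange is run here; in real use, clear the secret after the exchange completes.
        Arrays.fill(password, '\0');
        if (client != null) client.dispose();
    }
}
```

The handler is not invoked until the mechanism needs input, typically while it evaluates a server challenge, so the password array must stay populated until the exchange has finished.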