Using the Negotiated Security Layer
Some SASL mechanisms support only authentication while others support use of a negotiated security layer after authentication. The security layer feature is often not used when the application uses some other means, such as SSL/TLS, to communicate securely with the peer.
When a security layer has been negotiated, all subsequent communication with the peer must take place using the security layer. To determine whether a security layer has been negotiated, get the negotiated quality-of-protection (QOP) from the mechanism. Here is an example of how to determine whether a security layer has been negotiated.
// Ask the mechanism which quality of protection was negotiated; sc is the authenticated SaslClient
String qop = (String) sc.getNegotiatedProperty(Sasl.QOP);
// "auth" means authentication only; "auth-int" and "auth-conf" mean a security layer is in effect
boolean hasSecurityLayer = (qop != null && (qop.equals("auth-int") || qop.equals("auth-conf")));
A security layer has been negotiated if the Sasl.QOP property indicates that integrity ("auth-int") or confidentiality ("auth-conf") has been negotiated.
To communicate with the peer using the negotiated layer, the application first passes the data to be sent to the wrap method, which produces a wrapped buffer. It then transfers to the peer a length field giving the number of octets in the wrapped buffer, followed by the contents of the wrapped buffer. The receiving peer reads the length field, reads that many octets, and passes the buffer (without the length field) to the unwrap method to recover the decoded bytes. Details of this protocol are described in RFC 2222. Here is an example of how a client application sends and receives application data using a security layer.
// Send outgoing application data to peer
byte[] outgoing = ...;                                   // application data to protect
byte[] netOut = sc.wrap(outgoing, 0, outgoing.length);   // apply integrity/confidentiality
send(netOut.length, netOut);                             // application-defined: write length field, then wrapped bytes
// Receive incoming application data from peer
byte[] netIn = receive();                                // application-defined: read length field and ensuing bytes from peer
byte[] incoming = sc.unwrap(netIn, 0, netIn.length);     // verify/decrypt; throws SaslException if the buffer was tampered with
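The two fragments above leave the length-field framing and the application's send and receive helpers unspecified. The following class is an added example, not code from the Java SASL guide or the JDK, that implements both the QOP check and the framed wrap/unwrap exchange over ordinary Java streams. It assumes sc is a SaslClient whose authentication has already completed, encodes the length field as four octets in network byte order as RFC 2222 specifies, and bounds incoming frames by the mechanism's negotiated Sasl.MAX_BUFFER (a real property name, though whether a given mechanism populates it is mechanism-specific). The class name, the helper names, and the fallback sizes DEFAULT_MAX_BUFFER and DEFAULT_RAW_SEND_SIZE are this example's own choices.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

/**
 * Added example (not part of the Java SASL guide): framing application data over a
 * negotiated SASL security layer. Assumes sc is a SaslClient whose authentication
 * exchange has already completed.
 */
public final class SaslSecurityLayerIO {

    // Fallbacks used only when the mechanism reports no negotiated value.
    // 65536 matches the documented default of Sasl.MAX_BUFFER; the raw chunk
    // size is a conservative assumption made for this example.
    private static final int DEFAULT_MAX_BUFFER = 65536;
    private static final int DEFAULT_RAW_SEND_SIZE = 4096;

    private SaslSecurityLayerIO() {}

    /** True when integrity (auth-int) or confidentiality (auth-conf) was negotiated. */
    public static boolean hasSecurityLayer(SaslClient sc) {
        String qop = (String) sc.getNegotiatedProperty(Sasl.QOP);
        return qop != null && (qop.equals("auth-int") || qop.equals("auth-conf"));
    }

    /** Largest wrapped buffer this side will accept from the peer. */
    public static int negotiatedMaxBuffer(SaslClient sc) {
        return intProperty(sc, Sasl.MAX_BUFFER, DEFAULT_MAX_BUFFER);
    }

    /** Largest span of raw data to hand to a single wrap() call. */
    public static int negotiatedRawSendSize(SaslClient sc) {
        return intProperty(sc, Sasl.RAW_SEND_SIZE, DEFAULT_RAW_SEND_SIZE);
    }

    // Negotiated properties are exposed as Strings; parse defensively.
    private static int intProperty(SaslClient sc, String name, int fallback) {
        Object v = sc.getNegotiatedProperty(name);
        if (v == null) return fallback;
        try {
            int n = Integer.parseInt(v.toString().trim());
            return n > 0 ? n : fallback;
        } catch (NumberFormatException e) {
            return fallback;
        }
    }

    /**
     * Wraps data in chunks no larger than the negotiated raw send size and writes
     * each wrapped buffer as one frame: a 4-octet length in network byte order
     * followed by the wrapped octets.
     */
    public static void send(SaslClient sc, OutputStream out, byte[] data) throws IOException {
        if (!sc.isComplete() || !hasSecurityLayer(sc)) {
            throw new IllegalStateException("no security layer negotiated; wrap() is not applicable");
        }
        DataOutputStream dout = new DataOutputStream(out);
        int chunk = negotiatedRawSendSize(sc);
        for (int off = 0; off < data.length; off += chunk) {
            int len = Math.min(chunk, data.length - off);
            byte[] wrapped = sc.wrap(data, off, len);   // integrity/confidentiality applied here
            dout.writeInt(wrapped.length);             // DataOutputStream writes big-endian
            dout.write(wrapped);
        }
        dout.flush();
    }

    /**
     * Reads one frame from the peer and returns the unwrapped application data, or
     * null at a clean end of stream. The length field is validated against the
     * negotiated maximum before any buffer is allocated, so a misbehaving peer
     * cannot make this side allocate an arbitrarily large array.
     */
    public static byte[] receive(SaslClient sc, InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int len;
        try {
            len = din.readInt();
        } catch (EOFException e) {
            return null; // peer closed the stream between frames
        }
        int max = negotiatedMaxBuffer(sc);
        if (len < 0 || len > max) {
            throw new SaslException("wrapped buffer length " + len + " exceeds negotiated maximum " + max);
        }
        byte[] wrapped = new byte[len];
        din.readFully(wrapped);             // whole wrapped buffer, without the length field
        return sc.unwrap(wrapped, 0, len);  // mechanism verifies the MAC and/or decrypts
    }
}
```

Call hasSecurityLayer once after the authentication exchange completes; if it returns true, route every subsequent byte through send and receive rather than the raw socket streams, because the mechanism's unwrap can only process a complete wrapped buffer exactly as wrap produced it. The length check in receive is the part most often omitted in hand-written framing code: without it, a corrupted or hostile length field drives the allocation size directly.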