kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/ad/AuthorizationType.java - directory-kerby - Git at Google

 /**
  *  Licensed to the Apache Software Foundation (ASF) under one
  *  or more contributor license agreements.  See the NOTICE file
  *  distributed with this work for additional information
  *  regarding copyright ownership.  The ASF licenses this file
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
  *
  *    http://www.apache.org/licenses/LICENSE-2.0
  *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
  *  under the License.
  *
  */
 package org.apache.kerby.kerberos.kerb.type.ad;

 import org.apache.kerby.asn1.EnumType;

 /**
  * The various AuthorizationType values, as defined in RFC 4120 and RFC 1510.
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
 public enum AuthorizationType implements EnumType {
     /**
      * Constant for the "null" authorization type.
      */
     NONE(0),

     /**
      * Constant for the "if relevant" authorization type.
      *
      * RFC 4120
      *
      * AD elements encapsulated within the if-relevant element are intended for
      * interpretation only by application servers that understand the particular
      * ad-type of the embedded element. Application servers that do not
      * understand the type of an element embedded within the if-relevant element
      * may ignore the uninterpretable element. This element promotes
      * interoperability across implementations which may have local extensions
      * for authorization.
      */
     AD_IF_RELEVANT(1),

     /**
      * Constant for the "intended for server" authorization type.
      *
      * RFC 4120
      *
      * AD-INTENDED-FOR-SERVER SEQUENCE { intended-server[0] SEQUENCE OF
      * PrincipalName elements[1] AuthorizationData }
      *
      * AD elements encapsulated within the intended-for-server element may be
      * ignored if the application server is not in the list of principal names
      * of intended servers. Further, a KDC issuing a ticket for an application
      * server can remove this element if the application server is not in the
      * list of intended servers.
      *
      * Application servers should check for their principal name in the
      * intended-server field of this element. If their principal name is not
      * found, this element should be ignored. If found, then the encapsulated
      * elements should be evaluated in the same manner as if they were present
      * in the top level authorization data field. Applications and application
      * servers that do not implement this element should reject tickets that
      * contain authorization data elements of this type.
      */
     AD_INTENDED_FOR_SERVER(2),

     /**
      * Constant for the  "intended for application class" authorization type.
      *
      * RFC 4120
      *
      * AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE {
      * intended-application-class[0] SEQUENCE OF GeneralString elements[1]
      * AuthorizationData } AD elements
      *
      * encapsulated within the intended-for-application-class element may be
      * ignored if the application server is not in one of the named classes of
      * application servers. Examples of application server classes include
      * "FILESYSTEM", and other kinds of servers.
      *
      * This element and the elements it encapsulates may be safely ignored by
      * applications, application servers, and KDCs that do not implement this
      * element.
      */
     AD_INTENDED_FOR_APPLICATION_CLASS(3),

     /**
      * Constant for the "kdc issued" authorization type.
      *
      * RFC 4120
      *
      * AD-KDCIssued SEQUENCE { ad-checksum[0] Checksum, i-realm[1] Realm
      * OPTIONAL, i-sname[2] PrincipalName OPTIONAL, elements[3]
      * AuthorizationData. }
      *
      * ad-checksum A checksum over the elements field using a cryptographic
      * checksum method that is identical to the checksum used to protect the
      * ticket itself (i.e. using the same hash function and the same encryption
      * algorithm used to encrypt the ticket) and using a key derived from the
      * same key used to protect the ticket. i-realm, i-sname The name of the
      * issuing principal if different from the KDC itself. This field would be
      * used when the KDC can verify the authenticity of elements signed by the
      * issuing principal and it allows this KDC to notify the application server
      * of the validity of those elements. elements A sequence of authorization
      * data elements issued by the KDC.
      *
      * The KDC-issued ad-data field is intended to provide a means for Kerberos
      * principal credentials to embed within themselves privilege attributes and
      * other mechanisms for positive authorization, amplifying the privileges of
      * the principal beyond what can be done using a credentials without such an
      * a-data element.
      *
      * This can not be provided without this element because the definition of
      * the authorization-data field allows elements to be added at will by the
      * bearer of a TGT at the time that they request service tickets and
      * elements may also be added to a delegated ticket by inclusion in the
      * authenticator.
      */
     AD_KDC_ISSUED(4),

     /**
      * Constant for the "and/or" authorization type.
      *
      * RFC 4120
      *
      * When restrictive AD elements encapsulated within the and-or element are
      * encountered, only the number specified in condition-count of the
      * encapsulated conditions must be met in order to satisfy this element.
      * This element may be used to implement an "or" operation by setting the
      * condition-count field to 1, and it may specify an "and" operation by
      * setting the condition count to the number of embedded elements.
      * Application servers that do not implement this element must reject
      * tickets that contain authorization data elements of this type.
      */
     AD_AND_OR(5),

     /**
      * Constant for the "mandatory ticket extensions" authorization type.
      *
      * RFC 4120
      *
      * AD-Mandatory-Ticket-Extensions Checksum
      *
      * An authorization data element of type mandatory-ticket-extensions
      * specifies a collision-proof checksum using the same hash algorithm used
      * to protect the integrity of the ticket itself. This checksum will be
      * calculated over the entire extensions field. If there are more than one
      * extension, all will be covered by the checksum. This restriction
      * indicates that the ticket should not be accepted if the checksum does not
      * match that calculated over the ticket extensions. Application servers
      * that do not implement this element must reject tickets that contain
      * authorization data elements of this type.
      */
     AD_MANDATORY_TICKET_EXTENSIONS(6),

     /**
      * Constant for the "in ticket extensions" authorization type.
      *
      * RFC 4120
      *
      * AD-IN-Ticket-Extensions Checksum
      *
      * An authorization data element of type in-ticket-extensions specifies a
      * collision-proof checksum using the same hash algorithm used to protect
      * the integrity of the ticket itself. This checksum is calculated over a
      * separate external AuthorizationData field carried in the ticket
      * extensions. Application servers that do not implement this element must
      * reject tickets that contain authorization data elements of this type.
      * Application servers that do implement this element will search the ticket
      * extensions for authorization data fields, calculate the specified
      * checksum over each authorization data field and look for one matching the
      * checksum in this in-ticket-extensions element. If not found, then the
      * ticket must be rejected. If found, the corresponding authorization data
      * elements will be interpreted in the same manner as if they were contained
      * in the top level authorization data field.
      */
     AD_IN_TICKET_EXTENSIONS(7),

     /**
      * Constant for the "mandatory-for-kdc" authorization type.
      *
      * RFC 4120
      *
      * AD-MANDATORY-FOR-KDC ::= AuthorizationData
      *
      * AD elements encapsulated within the mandatory-for-kdc element are to be
      * interpreted by the KDC. KDCs that do not understand the type of an
      * element embedded within the mandatory-for-kdc element MUST reject the
      * request.
      */
     AD_MANDATORY_FOR_KDC(8),

     /**
      * Constant for the "initial-verified-cas" authorization type.
      *
      * RFC 4556
      *
      * AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier --
      * Identifies the certification path with which -- the client certificate
      * was validated. -- Each ExternalPrincipalIdentifier identifies a CA -- or
      * a CA certificate (thereby its public key).
      *
      * The AD-INITIAL-VERIFIED-CAS structure identifies the certification path
      * with which the client certificate was validated. Each
      * ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
      * INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
      * (thereby its public key).
      *
      * Note that the syntax for the AD-INITIAL-VERIFIED-CAS authorization data
      * does permit empty SEQUENCEs to be encoded. Such empty sequences may only
      * be used if the KDC itself vouches for the user's certificate.
      *
      * The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT
      * containers if the list of CAs satisfies the AS' realm's local policy
      * (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag [RFC4120]).
      * Furthermore, any TGS MUST copy such authorization data from tickets used
      * within a PA-TGS-REQ of the TGS-REQ into the resulting ticket. If the list
      * of CAs satisfies the local KDC's realm's policy, the TGS MAY wrap the
      * data into the AD-IF-RELEVANT container; otherwise, it MAY unwrap the
      * authorization data out of the AD-IF-RELEVANT container.
      *
      * Application servers that understand this authorization data type SHOULD
      * apply local policy to determine whether a given ticket bearing such a
      * type *not* contained within an AD-IF-RELEVANT container is acceptable.
      * (This corresponds to the AP server's checking the transited field when
      * the TRANSITED-POLICY-CHECKED flag has not been set [RFC4120].) If such a
      * data type is contained within an AD-IF- RELEVANT container, AP servers
      * MAY apply local policy to determine whether the authorization data is
      * acceptable.
      *
      * ExternalPrincipalIdentifier ::= SEQUENCE { subjectName [0] IMPLICIT OCTET
      * STRING OPTIONAL, -- Contains a PKIX type Name encoded according to --
      * [RFC3280]. -- Identifies the certificate subject by the -- distinguished
      * subject name. -- REQUIRED when there is a distinguished subject -- name
      * present in the certificate. issuerAndSerialNumber [1] IMPLICIT OCTET
      * STRING OPTIONAL, -- Contains a CMS type IssuerAndSerialNumber encoded --
      * according to [RFC3852]. -- Identifies a certificate of the subject. --
      * REQUIRED for TD-INVALID-CERTIFICATES and -- TD-TRUSTED-CERTIFIERS.
      * subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, -- Identifies
      * the subject's public key by a key -- identifier. When an X.509
      * certificate is -- referenced, this key identifier matches the X.509 --
      * subjectKeyIdentifier extension value. When other -- certificate formats
      * are referenced, the documents -- that specify the certificate format and
      * their use -- with the CMS must include details on matching the -- key
      * identifier to the appropriate certificate -- field. -- RECOMMENDED for
      * TD-TRUSTED-CERTIFIERS. ... }
      */
     AD_INITIAL_VERIFIED_CAS(9),

     /**
      * Constant for the "OSF DCE" authorization type.
      *
      * RFC 1510
      */
     OSF_DCE(64),

     /**
      * Constant for the "sesame" authorization type.
      *
      * RFC 4120
      */
     SESAME(65),

     /**
      * Constant for the "OSF-DCE pki certid" authorization type.
      *
      * RFC 4120
      */
     AD_OSF_DCE_PKI_CERTID(66),

     /**
      * Constant for the "CAM-MAC" authorization type.
      *
      * RFC 7751 for details.
      */
     AD_CAMMAC(96),

     /**
      * Constant for the "Authentication-Indicator" authorization type.
      *
      * RFC 6711 An IANA Registry for Level of Assurance (LoA) Profiles provides
      * the syntax and semantics of LoA profiles.
      *
      * RFC-8129 "Authentication Indicator in Kerberos Tickets" for details.
      */
     AD_AUTHENTICATION_INDICATOR(97),

     /**
      * Constant for the "Windows 2K Privilege Attribute Certificate (PAC)"
      * authorization type.
      *
      * RFC 4120
      *
      * See: Microsoft standard documents MS-PAC and MS-KILE.
      */
     AD_WIN2K_PAC(128),

     /**
      * Constant for the "EncType-Negotiation" authorization type.
      *
      * RFC 4537 for details.
      */
     AD_ETYPE_NEGOTIATION(129),

     /**
      * Constant for the Authorization Data Type. Note that this is not a
      * standard Type as of yet.
      *
      * See the draft spec "Token Pre-Authentication for Kerberos".
      */
     AD_TOKEN(256);

     /** The internal value */
     private final int value;

     /**
      * Create a new enum
      */
     AuthorizationType(int value) {
         this.value = value;
     }

     /**
      * {@inheritDoc}
      */
     @Override
     public int getValue() {
         return value;
     }

     /**
      * {@inheritDoc}
      */
     @Override
     public String getName() {
         return name();
     }

     /**
      * Get the AuthorizationType associated with a value.
      *
      * @param value The integer value of the AuthorizationType we are looking for
      * @return The associated AuthorizationType, or NULL if not found or if value is null
      */
     public static AuthorizationType fromValue(Integer value) {
         if (value != null) {
             for (EnumType e : values()) {
                 if (e.getValue() == value) {
                     return (AuthorizationType) e;
                 }
             }
         }

         return NONE;
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*/
	package org.apache.kerby.kerberos.kerb.type.ad;

	import org.apache.kerby.asn1.EnumType;

	/**
	* The various AuthorizationType values, as defined in RFC 4120 and RFC 1510.
	*
	* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
	*/
	public enum AuthorizationType implements EnumType {
	/**
	* Constant for the "null" authorization type.
	*/
	NONE(0),

	/**
	* Constant for the "if relevant" authorization type.
	*
	* RFC 4120
	*
	* AD elements encapsulated within the if-relevant element are intended for
	* interpretation only by application servers that understand the particular
	* ad-type of the embedded element. Application servers that do not
	* understand the type of an element embedded within the if-relevant element
	* may ignore the uninterpretable element. This element promotes
	* interoperability across implementations which may have local extensions
	* for authorization.
	*/
	AD_IF_RELEVANT(1),

	/**
	* Constant for the "intended for server" authorization type.
	*
	* RFC 4120
	*
	* AD-INTENDED-FOR-SERVER SEQUENCE { intended-server[0] SEQUENCE OF
	* PrincipalName elements[1] AuthorizationData }
	*
	* AD elements encapsulated within the intended-for-server element may be
	* ignored if the application server is not in the list of principal names
	* of intended servers. Further, a KDC issuing a ticket for an application
	* server can remove this element if the application server is not in the
	* list of intended servers.
	*
	* Application servers should check for their principal name in the
	* intended-server field of this element. If their principal name is not
	* found, this element should be ignored. If found, then the encapsulated
	* elements should be evaluated in the same manner as if they were present
	* in the top level authorization data field. Applications and application
	* servers that do not implement this element should reject tickets that
	* contain authorization data elements of this type.
	*/
	AD_INTENDED_FOR_SERVER(2),

	/**
	* Constant for the "intended for application class" authorization type.
	*
	* RFC 4120
	*
	* AD-INTENDED-FOR-APPLICATION-CLASS SEQUENCE {
	* intended-application-class[0] SEQUENCE OF GeneralString elements[1]
	* AuthorizationData } AD elements
	*
	* encapsulated within the intended-for-application-class element may be
	* ignored if the application server is not in one of the named classes of
	* application servers. Examples of application server classes include
	* "FILESYSTEM", and other kinds of servers.
	*
	* This element and the elements it encapsulates may be safely ignored by
	* applications, application servers, and KDCs that do not implement this
	* element.
	*/
	AD_INTENDED_FOR_APPLICATION_CLASS(3),

	/**
	* Constant for the "kdc issued" authorization type.
	*
	* RFC 4120
	*
	* AD-KDCIssued SEQUENCE { ad-checksum[0] Checksum, i-realm[1] Realm
	* OPTIONAL, i-sname[2] PrincipalName OPTIONAL, elements[3]
	* AuthorizationData. }
	*
	* ad-checksum A checksum over the elements field using a cryptographic
	* checksum method that is identical to the checksum used to protect the
	* ticket itself (i.e. using the same hash function and the same encryption
	* algorithm used to encrypt the ticket) and using a key derived from the
	* same key used to protect the ticket. i-realm, i-sname The name of the
	* issuing principal if different from the KDC itself. This field would be
	* used when the KDC can verify the authenticity of elements signed by the
	* issuing principal and it allows this KDC to notify the application server
	* of the validity of those elements. elements A sequence of authorization
	* data elements issued by the KDC.
	*
	* The KDC-issued ad-data field is intended to provide a means for Kerberos
	* principal credentials to embed within themselves privilege attributes and
	* other mechanisms for positive authorization, amplifying the privileges of
	* the principal beyond what can be done using a credentials without such an
	* a-data element.
	*
	* This can not be provided without this element because the definition of
	* the authorization-data field allows elements to be added at will by the
	* bearer of a TGT at the time that they request service tickets and
	* elements may also be added to a delegated ticket by inclusion in the
	* authenticator.
	*/
	AD_KDC_ISSUED(4),

	/**
	* Constant for the "and/or" authorization type.
	*
	* RFC 4120
	*
	* When restrictive AD elements encapsulated within the and-or element are
	* encountered, only the number specified in condition-count of the
	* encapsulated conditions must be met in order to satisfy this element.
	* This element may be used to implement an "or" operation by setting the
	* condition-count field to 1, and it may specify an "and" operation by
	* setting the condition count to the number of embedded elements.
	* Application servers that do not implement this element must reject
	* tickets that contain authorization data elements of this type.
	*/
	AD_AND_OR(5),

	/**
	* Constant for the "mandatory ticket extensions" authorization type.
	*
	* RFC 4120
	*
	* AD-Mandatory-Ticket-Extensions Checksum
	*
	* An authorization data element of type mandatory-ticket-extensions
	* specifies a collision-proof checksum using the same hash algorithm used
	* to protect the integrity of the ticket itself. This checksum will be
	* calculated over the entire extensions field. If there are more than one
	* extension, all will be covered by the checksum. This restriction
	* indicates that the ticket should not be accepted if the checksum does not
	* match that calculated over the ticket extensions. Application servers
	* that do not implement this element must reject tickets that contain
	* authorization data elements of this type.
	*/
	AD_MANDATORY_TICKET_EXTENSIONS(6),

	/**
	* Constant for the "in ticket extensions" authorization type.
	*
	* RFC 4120
	*
	* AD-IN-Ticket-Extensions Checksum
	*
	* An authorization data element of type in-ticket-extensions specifies a
	* collision-proof checksum using the same hash algorithm used to protect
	* the integrity of the ticket itself. This checksum is calculated over a
	* separate external AuthorizationData field carried in the ticket
	* extensions. Application servers that do not implement this element must
	* reject tickets that contain authorization data elements of this type.
	* Application servers that do implement this element will search the ticket
	* extensions for authorization data fields, calculate the specified
	* checksum over each authorization data field and look for one matching the
	* checksum in this in-ticket-extensions element. If not found, then the
	* ticket must be rejected. If found, the corresponding authorization data
	* elements will be interpreted in the same manner as if they were contained
	* in the top level authorization data field.
	*/
	AD_IN_TICKET_EXTENSIONS(7),

	/**
	* Constant for the "mandatory-for-kdc" authorization type.
	*
	* RFC 4120
	*
	* AD-MANDATORY-FOR-KDC ::= AuthorizationData
	*
	* AD elements encapsulated within the mandatory-for-kdc element are to be
	* interpreted by the KDC. KDCs that do not understand the type of an
	* element embedded within the mandatory-for-kdc element MUST reject the
	* request.
	*/
	AD_MANDATORY_FOR_KDC(8),

	/**
	* Constant for the "initial-verified-cas" authorization type.
	*
	* RFC 4556
	*
	* AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier --
	* Identifies the certification path with which -- the client certificate
	* was validated. -- Each ExternalPrincipalIdentifier identifies a CA -- or
	* a CA certificate (thereby its public key).
	*
	* The AD-INITIAL-VERIFIED-CAS structure identifies the certification path
	* with which the client certificate was validated. Each
	* ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
	* INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
	* (thereby its public key).
	*
	* Note that the syntax for the AD-INITIAL-VERIFIED-CAS authorization data
	* does permit empty SEQUENCEs to be encoded. Such empty sequences may only
	* be used if the KDC itself vouches for the user's certificate.
	*
	* The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT
	* containers if the list of CAs satisfies the AS' realm's local policy
	* (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag [RFC4120]).
	* Furthermore, any TGS MUST copy such authorization data from tickets used
	* within a PA-TGS-REQ of the TGS-REQ into the resulting ticket. If the list
	* of CAs satisfies the local KDC's realm's policy, the TGS MAY wrap the
	* data into the AD-IF-RELEVANT container; otherwise, it MAY unwrap the
	* authorization data out of the AD-IF-RELEVANT container.
	*
	* Application servers that understand this authorization data type SHOULD
	* apply local policy to determine whether a given ticket bearing such a
	* type not contained within an AD-IF-RELEVANT container is acceptable.
	* (This corresponds to the AP server's checking the transited field when
	* the TRANSITED-POLICY-CHECKED flag has not been set [RFC4120].) If such a
	* data type is contained within an AD-IF- RELEVANT container, AP servers
	* MAY apply local policy to determine whether the authorization data is
	* acceptable.
	*
	* ExternalPrincipalIdentifier ::= SEQUENCE { subjectName [0] IMPLICIT OCTET
	* STRING OPTIONAL, -- Contains a PKIX type Name encoded according to --
	* [RFC3280]. -- Identifies the certificate subject by the -- distinguished
	* subject name. -- REQUIRED when there is a distinguished subject -- name
	* present in the certificate. issuerAndSerialNumber [1] IMPLICIT OCTET
	* STRING OPTIONAL, -- Contains a CMS type IssuerAndSerialNumber encoded --
	* according to [RFC3852]. -- Identifies a certificate of the subject. --
	* REQUIRED for TD-INVALID-CERTIFICATES and -- TD-TRUSTED-CERTIFIERS.
	* subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, -- Identifies
	* the subject's public key by a key -- identifier. When an X.509
	* certificate is -- referenced, this key identifier matches the X.509 --
	* subjectKeyIdentifier extension value. When other -- certificate formats
	* are referenced, the documents -- that specify the certificate format and
	* their use -- with the CMS must include details on matching the -- key
	* identifier to the appropriate certificate -- field. -- RECOMMENDED for
	* TD-TRUSTED-CERTIFIERS. ... }
	*/
	AD_INITIAL_VERIFIED_CAS(9),

	/**
	* Constant for the "OSF DCE" authorization type.
	*
	* RFC 1510
	*/
	OSF_DCE(64),

	/**
	* Constant for the "sesame" authorization type.
	*
	* RFC 4120
	*/
	SESAME(65),

	/**
	* Constant for the "OSF-DCE pki certid" authorization type.
	*
	* RFC 4120
	*/
	AD_OSF_DCE_PKI_CERTID(66),

	/**
	* Constant for the "CAM-MAC" authorization type.
	*
	* RFC 7751 for details.
	*/
	AD_CAMMAC(96),

	/**
	* Constant for the "Authentication-Indicator" authorization type.
	*
	* RFC 6711 An IANA Registry for Level of Assurance (LoA) Profiles provides
	* the syntax and semantics of LoA profiles.
	*
	* RFC-8129 "Authentication Indicator in Kerberos Tickets" for details.
	*/
	AD_AUTHENTICATION_INDICATOR(97),

	/**
	* Constant for the "Windows 2K Privilege Attribute Certificate (PAC)"
	* authorization type.
	*
	* RFC 4120
	*
	* See: Microsoft standard documents MS-PAC and MS-KILE.
	*/
	AD_WIN2K_PAC(128),

	/**
	* Constant for the "EncType-Negotiation" authorization type.
	*
	* RFC 4537 for details.
	*/
	AD_ETYPE_NEGOTIATION(129),

	/**
	* Constant for the Authorization Data Type. Note that this is not a
	* standard Type as of yet.
	*
	* See the draft spec "Token Pre-Authentication for Kerberos".
	*/
	AD_TOKEN(256);

	/** The internal value */
	private final int value;

	/**
	* Create a new enum
	*/
	AuthorizationType(int value) {
	this.value = value;
	}

	/**
	* {@inheritDoc}
	*/
	@Override
	public int getValue() {
	return value;
	}

	/**
	* {@inheritDoc}
	*/
	@Override
	public String getName() {
	return name();
	}

	/**
	* Get the AuthorizationType associated with a value.
	*
	* @param value The integer value of the AuthorizationType we are looking for
	* @return The associated AuthorizationType, or NULL if not found or if value is null
	*/
	public static AuthorizationType fromValue(Integer value) {
	if (value != null) {
	for (EnumType e : values()) {
	if (e.getValue() == value) {
	return (AuthorizationType) e;
	}
	}
	}

	return NONE;
	}
	}