ws-security-common/src/main/java/org/apache/wss4j/common/spnego/SpnegoTokenContext.java - ws-wss4j - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements. See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership. The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.wss4j.common.spnego;

 import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.util.Set;

 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;

 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.ext.WSSecurityException.ErrorCode;
 import org.apache.wss4j.common.kerberos.KerberosClientExceptionAction;
 import org.apache.wss4j.common.kerberos.KerberosContext;
 import org.apache.wss4j.common.kerberos.KerberosServiceContext;
 import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.MessageProp;

 /**
  * This class wraps a GSSContext and provides some functionality to obtain and validate spnego tokens.
  */
 public class SpnegoTokenContext {

     private static final org.slf4j.Logger LOG =
         org.slf4j.LoggerFactory.getLogger(SpnegoTokenContext.class);

     private GSSContext secContext;
     private byte[] token;
     private boolean mutualAuth;
     private SpnegoClientAction clientAction;
     private SpnegoServiceAction serviceAction;
     private GSSCredential delegationCredential;
     private Principal spnegoPrincipal;

     /**
      * Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
      * BinarySecurityToken.
      * @param jaasLoginModuleName the JAAS Login Module name to use
      * @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
      * @param serviceName the desired Kerberized service
      * @throws WSSecurityException
      */
     public void retrieveServiceTicket(
         String jaasLoginModuleName,
         CallbackHandler callbackHandler,
         String serviceName
     ) throws WSSecurityException {
         retrieveServiceTicket(jaasLoginModuleName, callbackHandler, serviceName, false);
     }


     /**
      * Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
      * BinarySecurityToken.
      * @param jaasLoginModuleName the JAAS Login Module name to use
      * @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
      * @param serviceName the desired Kerberized service
      * @param isUsernameServiceNameForm
      * @throws WSSecurityException
      */
     public void retrieveServiceTicket(
         String jaasLoginModuleName,
         CallbackHandler callbackHandler,
         String serviceName,
         boolean isUsernameServiceNameForm
     ) throws WSSecurityException {
         retrieveServiceTicket(jaasLoginModuleName, callbackHandler, serviceName,
                               isUsernameServiceNameForm, false, null);
     }

     /**
      * Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
      * BinarySecurityToken.
      * @param jaasLoginModuleName the JAAS Login Module name to use
      * @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
      * @param serviceName the desired Kerberized service
      * @param isUsernameServiceNameForm
      * @param requestCredDeleg Whether to request credential delegation or not
      * @param delegationCredential The delegation credential to use
      * @throws WSSecurityException
      */
     public void retrieveServiceTicket(
         String jaasLoginModuleName,
         CallbackHandler callbackHandler,
         String serviceName,
         boolean isUsernameServiceNameForm,
         boolean requestCredDeleg,
         GSSCredential delegationCredential
     ) throws WSSecurityException {

         // Get a TGT from the KDC using JAAS
         LoginContext loginContext = null;
         try {
             if (callbackHandler == null) {
                 loginContext = new LoginContext(jaasLoginModuleName);
             } else {
                 loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
             }
             loginContext.login();
         } catch (LoginException ex) {
             LOG.debug(ex.getMessage(), ex);
             throw new WSSecurityException(
                 WSSecurityException.ErrorCode.FAILURE, ex, "kerberosLoginError",
                 new Object[] {ex.getMessage()});
         }
         LOG.debug("Successfully authenticated to the TGT");

         Subject clientSubject = loginContext.getSubject();
         Set<Principal> clientPrincipals = clientSubject.getPrincipals();
         if (clientPrincipals.isEmpty()) {
             throw new WSSecurityException(
                 WSSecurityException.ErrorCode.FAILURE,
                 "kerberosLoginError",
                 new Object[] {"No Client principals found after login"});
         }

         // Get the service ticket
         if (clientAction != null) {
             clientAction.setServiceName(serviceName);
             clientAction.setMutualAuth(mutualAuth);
             clientAction.setUserNameServiceForm(isUsernameServiceNameForm);
             token = Subject.doAs(clientSubject, clientAction);
             if (token == null) {
                 throw new WSSecurityException(
                     WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
                 );
             }

             secContext = clientAction.getContext();
         } else {
             KerberosClientExceptionAction action =
                 new KerberosClientExceptionAction(null, serviceName,
                                                   isUsernameServiceNameForm,
                                                   requestCredDeleg,
                                                   delegationCredential,
                                                   true,
                                                   mutualAuth);
             KerberosContext krbCtx = null;
             try {
                 krbCtx = (KerberosContext) Subject.doAs(clientSubject, action);

                 token = krbCtx.getKerberosToken();
                 if (token == null) {
                     throw new WSSecurityException(
                         WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
                     );
                 }

                 secContext = krbCtx.getGssContext();
             } catch (PrivilegedActionException e) {
                 Throwable cause = e.getCause();
                 if (cause instanceof WSSecurityException) {
                     throw (WSSecurityException) cause;
                 } else {
                     throw new WSSecurityException(
                          ErrorCode.FAILURE, new Exception(cause), "kerberosServiceTicketError"
                     );
                 }
             }
         }

         LOG.debug("Successfully retrieved a service ticket");
     }

     /**
      * Validate a service ticket.
      * @param jaasLoginModuleName
      * @param callbackHandler
      * @param serviceName
      * @param ticket
      * @throws WSSecurityException
      */
     public void validateServiceTicket(
         String jaasLoginModuleName,
         CallbackHandler callbackHandler,
         String serviceName,
         byte[] ticket
     ) throws WSSecurityException {
         validateServiceTicket(jaasLoginModuleName, callbackHandler, serviceName, false, ticket);
      }

     /**
      * Validate a service ticket.
      * @param jaasLoginModuleName
      * @param callbackHandler
      * @param serviceName
      * @param ticket
      * @throws WSSecurityException
      */
     public void validateServiceTicket(
         String jaasLoginModuleName,
         CallbackHandler callbackHandler,
         String serviceName,
         boolean isUsernameServiceNameForm,
         byte[] ticket
     ) throws WSSecurityException {
         // Get a TGT from the KDC using JAAS
         LoginContext loginContext = null;
         try {
             if (callbackHandler == null) {
                 loginContext = new LoginContext(jaasLoginModuleName);
             } else {
                 loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
             }
             loginContext.login();
         } catch (LoginException ex) {
             LOG.debug(ex.getMessage(), ex);
             throw new WSSecurityException(
                 WSSecurityException.ErrorCode.FAILURE, ex, "kerberosLoginError",
                 new Object[] {ex.getMessage()});
         }
         LOG.debug("Successfully authenticated to the TGT");

         // Get the service name to use - fall back on the principal
         Subject subject = loginContext.getSubject();
         String service = serviceName;
         if (service == null) {
             Set<Principal> principals = subject.getPrincipals();
             if (principals.isEmpty()) {
                 throw new WSSecurityException(
                     WSSecurityException.ErrorCode.FAILURE,
                     "kerberosLoginError",
                     new Object[] {"No Client principals found after login"});
             }
             service = principals.iterator().next().getName();
         }

         // Validate the ticket
         if (serviceAction != null) {
             serviceAction.setTicket(ticket);
             serviceAction.setServiceName(service);
             serviceAction.setUsernameServiceNameForm(isUsernameServiceNameForm);
             token = Subject.doAs(subject, serviceAction);
             secContext = serviceAction.getContext();
         } else {
             KerberosServiceExceptionAction action =
                 new KerberosServiceExceptionAction(ticket, service,
                                                    isUsernameServiceNameForm, true);
             KerberosServiceContext krbCtx = null;
             try {
                 krbCtx = (KerberosServiceContext) Subject.doAs(subject, action);

                 token = krbCtx.getKerberosToken();
                 if (token == null) {
                     throw new WSSecurityException(
                         WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
                     );
                 }

                 secContext = krbCtx.getGssContext();
                 delegationCredential = krbCtx.getDelegationCredential();
                 spnegoPrincipal = krbCtx.getPrincipal();
             } catch (PrivilegedActionException e) {
                 Throwable cause = e.getCause();
                 if (cause instanceof WSSecurityException) {
                     throw (WSSecurityException) cause;
                 } else {
                     throw new WSSecurityException(
                          ErrorCode.FAILURE, new Exception(cause), "kerberosServiceTicketError"
                     );
                 }
             }
         }

         LOG.debug("Successfully validated a service ticket");
     }

     /**
      * Whether to enable mutual authentication or not. This only applies to retrieve service ticket.
      */
     public void setMutualAuth(boolean mutualAuthentication) {
         mutualAuth = mutualAuthentication;
     }

     /**
      * Get the SPNEGO token that was created.
      */
     public byte[] getToken() {
         return token;
     }

     /**
      * Whether a connection has been established (at the service side)
      */
     public boolean isEstablished() {
         if (secContext == null) {
             return false;
         }
         return secContext.isEstablished();
     }

     /**
      * Unwrap a key
      */
     public byte[] unwrapKey(byte[] secret) throws WSSecurityException {
         MessageProp mProp = new MessageProp(0, true);
         try {
             return secContext.unwrap(secret, 0, secret.length, mProp);
         } catch (GSSException e) {
             LOG.debug("Error in cleaning up a GSS context", e);
             throw new WSSecurityException(
                 WSSecurityException.ErrorCode.FAILURE, e, "spnegoKeyError"
             );
         }
     }

     /**
      * Wrap a key
      */
     public byte[] wrapKey(byte[] secret) throws WSSecurityException {
         MessageProp mProp = new MessageProp(0, true);
         try {
             return secContext.wrap(secret, 0, secret.length, mProp);
         } catch (GSSException e) {
             LOG.debug("Error in cleaning up a GSS context", e);
             throw new WSSecurityException(
                 WSSecurityException.ErrorCode.FAILURE, e, "spnegoKeyError"
             );
         }
     }

     /**
      * Set a custom SpnegoClientAction implementation to use
      */
     public void setSpnegoClientAction(SpnegoClientAction spnegoClientAction) {
         this.clientAction = spnegoClientAction;
     }

     /**
      * Set a custom SpnegoServiceAction implementation to use
      */
     public void setSpnegoServiceAction(SpnegoServiceAction spnegoServiceAction) {
         this.serviceAction = spnegoServiceAction;
     }

     public void clear() {
         token = null;
         mutualAuth = false;
         delegationCredential = null;
         spnegoPrincipal = null;
         try {
             secContext.dispose();
         } catch (GSSException e) {
             LOG.debug("Error in cleaning up a GSS context", e);
         }
     }

     public GSSCredential getDelegationCredential() {
         return delegationCredential;
     }

     public Principal getSpnegoPrincipal() {
         return spnegoPrincipal;
     }

 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.wss4j.common.spnego;

	import java.security.Principal;
	import java.security.PrivilegedActionException;
	import java.util.Set;

	import javax.security.auth.Subject;
	import javax.security.auth.callback.CallbackHandler;
	import javax.security.auth.login.LoginContext;
	import javax.security.auth.login.LoginException;

	import org.apache.wss4j.common.ext.WSSecurityException;
	import org.apache.wss4j.common.ext.WSSecurityException.ErrorCode;
	import org.apache.wss4j.common.kerberos.KerberosClientExceptionAction;
	import org.apache.wss4j.common.kerberos.KerberosContext;
	import org.apache.wss4j.common.kerberos.KerberosServiceContext;
	import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
	import org.ietf.jgss.GSSContext;
	import org.ietf.jgss.GSSCredential;
	import org.ietf.jgss.GSSException;
	import org.ietf.jgss.MessageProp;

	/**
	* This class wraps a GSSContext and provides some functionality to obtain and validate spnego tokens.
	*/
	public class SpnegoTokenContext {

	private static final org.slf4j.Logger LOG =
	org.slf4j.LoggerFactory.getLogger(SpnegoTokenContext.class);

	private GSSContext secContext;
	private byte[] token;
	private boolean mutualAuth;
	private SpnegoClientAction clientAction;
	private SpnegoServiceAction serviceAction;
	private GSSCredential delegationCredential;
	private Principal spnegoPrincipal;

	/**
	* Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
	* BinarySecurityToken.
	* @param jaasLoginModuleName the JAAS Login Module name to use
	* @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
	* @param serviceName the desired Kerberized service
	* @throws WSSecurityException
	*/
	public void retrieveServiceTicket(
	String jaasLoginModuleName,
	CallbackHandler callbackHandler,
	String serviceName
	) throws WSSecurityException {
	retrieveServiceTicket(jaasLoginModuleName, callbackHandler, serviceName, false);
	}


	/**
	* Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
	* BinarySecurityToken.
	* @param jaasLoginModuleName the JAAS Login Module name to use
	* @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
	* @param serviceName the desired Kerberized service
	* @param isUsernameServiceNameForm
	* @throws WSSecurityException
	*/
	public void retrieveServiceTicket(
	String jaasLoginModuleName,
	CallbackHandler callbackHandler,
	String serviceName,
	boolean isUsernameServiceNameForm
	) throws WSSecurityException {
	retrieveServiceTicket(jaasLoginModuleName, callbackHandler, serviceName,
	isUsernameServiceNameForm, false, null);
	}

	/**
	* Retrieve a service ticket from a KDC using the Kerberos JAAS module, and set it in this
	* BinarySecurityToken.
	* @param jaasLoginModuleName the JAAS Login Module name to use
	* @param callbackHandler a CallbackHandler instance to retrieve a password (optional)
	* @param serviceName the desired Kerberized service
	* @param isUsernameServiceNameForm
	* @param requestCredDeleg Whether to request credential delegation or not
	* @param delegationCredential The delegation credential to use
	* @throws WSSecurityException
	*/
	public void retrieveServiceTicket(
	String jaasLoginModuleName,
	CallbackHandler callbackHandler,
	String serviceName,
	boolean isUsernameServiceNameForm,
	boolean requestCredDeleg,
	GSSCredential delegationCredential
	) throws WSSecurityException {

	// Get a TGT from the KDC using JAAS
	LoginContext loginContext = null;
	try {
	if (callbackHandler == null) {
	loginContext = new LoginContext(jaasLoginModuleName);
	} else {
	loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
	}
	loginContext.login();
	} catch (LoginException ex) {
	LOG.debug(ex.getMessage(), ex);
	throw new WSSecurityException(
	WSSecurityException.ErrorCode.FAILURE, ex, "kerberosLoginError",
	new Object[] {ex.getMessage()});
	}
	LOG.debug("Successfully authenticated to the TGT");

	Subject clientSubject = loginContext.getSubject();
	Set<Principal> clientPrincipals = clientSubject.getPrincipals();
	if (clientPrincipals.isEmpty()) {
	throw new WSSecurityException(
	WSSecurityException.ErrorCode.FAILURE,
	"kerberosLoginError",
	new Object[] {"No Client principals found after login"});
	}

	// Get the service ticket
	if (clientAction != null) {
	clientAction.setServiceName(serviceName);
	clientAction.setMutualAuth(mutualAuth);
	clientAction.setUserNameServiceForm(isUsernameServiceNameForm);
	token = Subject.doAs(clientSubject, clientAction);
	if (token == null) {
	throw new WSSecurityException(
	WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
	);
	}

	secContext = clientAction.getContext();
	} else {
	KerberosClientExceptionAction action =
	new KerberosClientExceptionAction(null, serviceName,
	isUsernameServiceNameForm,
	requestCredDeleg,
	delegationCredential,
	true,
	mutualAuth);
	KerberosContext krbCtx = null;
	try {
	krbCtx = (KerberosContext) Subject.doAs(clientSubject, action);

	token = krbCtx.getKerberosToken();
	if (token == null) {
	throw new WSSecurityException(
	WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
	);
	}

	secContext = krbCtx.getGssContext();
	} catch (PrivilegedActionException e) {
	Throwable cause = e.getCause();
	if (cause instanceof WSSecurityException) {
	throw (WSSecurityException) cause;
	} else {
	throw new WSSecurityException(
	ErrorCode.FAILURE, new Exception(cause), "kerberosServiceTicketError"
	);
	}
	}
	}

	LOG.debug("Successfully retrieved a service ticket");
	}

	/**
	* Validate a service ticket.
	* @param jaasLoginModuleName
	* @param callbackHandler
	* @param serviceName
	* @param ticket
	* @throws WSSecurityException
	*/
	public void validateServiceTicket(
	String jaasLoginModuleName,
	CallbackHandler callbackHandler,
	String serviceName,
	byte[] ticket
	) throws WSSecurityException {
	validateServiceTicket(jaasLoginModuleName, callbackHandler, serviceName, false, ticket);
	}

	/**
	* Validate a service ticket.
	* @param jaasLoginModuleName
	* @param callbackHandler
	* @param serviceName
	* @param ticket
	* @throws WSSecurityException
	*/
	public void validateServiceTicket(
	String jaasLoginModuleName,
	CallbackHandler callbackHandler,
	String serviceName,
	boolean isUsernameServiceNameForm,
	byte[] ticket
	) throws WSSecurityException {
	// Get a TGT from the KDC using JAAS
	LoginContext loginContext = null;
	try {
	if (callbackHandler == null) {
	loginContext = new LoginContext(jaasLoginModuleName);
	} else {
	loginContext = new LoginContext(jaasLoginModuleName, callbackHandler);
	}
	loginContext.login();
	} catch (LoginException ex) {
	LOG.debug(ex.getMessage(), ex);
	throw new WSSecurityException(
	WSSecurityException.ErrorCode.FAILURE, ex, "kerberosLoginError",
	new Object[] {ex.getMessage()});
	}
	LOG.debug("Successfully authenticated to the TGT");

	// Get the service name to use - fall back on the principal
	Subject subject = loginContext.getSubject();
	String service = serviceName;
	if (service == null) {
	Set<Principal> principals = subject.getPrincipals();
	if (principals.isEmpty()) {
	throw new WSSecurityException(
	WSSecurityException.ErrorCode.FAILURE,
	"kerberosLoginError",
	new Object[] {"No Client principals found after login"});
	}
	service = principals.iterator().next().getName();
	}

	// Validate the ticket
	if (serviceAction != null) {
	serviceAction.setTicket(ticket);
	serviceAction.setServiceName(service);
	serviceAction.setUsernameServiceNameForm(isUsernameServiceNameForm);
	token = Subject.doAs(subject, serviceAction);
	secContext = serviceAction.getContext();
	} else {
	KerberosServiceExceptionAction action =
	new KerberosServiceExceptionAction(ticket, service,
	isUsernameServiceNameForm, true);
	KerberosServiceContext krbCtx = null;
	try {
	krbCtx = (KerberosServiceContext) Subject.doAs(subject, action);

	token = krbCtx.getKerberosToken();
	if (token == null) {
	throw new WSSecurityException(
	WSSecurityException.ErrorCode.FAILURE, "kerberosServiceTicketError"
	);
	}

	secContext = krbCtx.getGssContext();
	delegationCredential = krbCtx.getDelegationCredential();
	spnegoPrincipal = krbCtx.getPrincipal();
	} catch (PrivilegedActionException e) {
	Throwable cause = e.getCause();
	if (cause instanceof WSSecurityException) {
	throw (WSSecurityException) cause;
	} else {
	throw new WSSecurityException(
	ErrorCode.FAILURE, new Exception(cause), "kerberosServiceTicketError"
	);
	}
	}
	}

	LOG.debug("Successfully validated a service ticket");
	}

	/**
	* Whether to enable mutual authentication or not. This only applies to retrieve service ticket.
	*/
	public void setMutualAuth(boolean mutualAuthentication) {
	mutualAuth = mutualAuthentication;
	}

	/**
	* Get the SPNEGO token that was created.
	*/
	public byte[] getToken() {
	return token;
	}

	/**
	* Whether a connection has been established (at the service side)
	*/
	public boolean isEstablished() {
	if (secContext == null) {
	return false;
	}
	return secContext.isEstablished();
	}

	/**
	* Unwrap a key
	*/
	public byte[] unwrapKey(byte[] secret) throws WSSecurityException {
	MessageProp mProp = new MessageProp(0, true);
	try {
	return secContext.unwrap(secret, 0, secret.length, mProp);
	} catch (GSSException e) {
	LOG.debug("Error in cleaning up a GSS context", e);
	throw new WSSecurityException(
	WSSecurityException.ErrorCode.FAILURE, e, "spnegoKeyError"
	);
	}
	}

	/**
	* Wrap a key
	*/
	public byte[] wrapKey(byte[] secret) throws WSSecurityException {
	MessageProp mProp = new MessageProp(0, true);
	try {
	return secContext.wrap(secret, 0, secret.length, mProp);
	} catch (GSSException e) {
	LOG.debug("Error in cleaning up a GSS context", e);
	throw new WSSecurityException(
	WSSecurityException.ErrorCode.FAILURE, e, "spnegoKeyError"
	);
	}
	}

	/**
	* Set a custom SpnegoClientAction implementation to use
	*/
	public void setSpnegoClientAction(SpnegoClientAction spnegoClientAction) {
	this.clientAction = spnegoClientAction;
	}

	/**
	* Set a custom SpnegoServiceAction implementation to use
	*/
	public void setSpnegoServiceAction(SpnegoServiceAction spnegoServiceAction) {
	this.serviceAction = spnegoServiceAction;
	}

	public void clear() {
	token = null;
	mutualAuth = false;
	delegationCredential = null;
	spnegoPrincipal = null;
	try {
	secContext.dispose();
	} catch (GSSException e) {
	LOG.debug("Error in cleaning up a GSS context", e);
	}
	}

	public GSSCredential getDelegationCredential() {
	return delegationCredential;
	}

	public Principal getSpnegoPrincipal() {
	return spnegoPrincipal;
	}

	}