Generic Security Services Application Programming Interface
== Operation ==
The GSSAPI, by itself, does not provide any security. Instead, security-service vendors provide GSSAPI ''implementations'' - usually in the form of [[Library (computer science)|libraries]] installed with their security software. These libraries present a GSSAPI-compatible interface to application writers, who can write their application to use only the [[Standardization|vendor-independent]] GSSAPI. If the security implementation ever needs replacing, the application need not be rewritten.

The defining feature of GSSAPI applications is the exchange of opaque messages (''tokens'') which hide the implementation detail from the higher-level application. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations. GSSAPI tokens can usually travel over an insecure network, as the mechanisms provide inherent message security. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a ''security context'' is established.

Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server. Typical protections guaranteed by GSSAPI wrapping include [[confidentiality]] (secrecy) and [[Data integrity|integrity]] (authenticity). The GSSAPI can also provide local guarantees about the identity of the remote user or remote host.

The GSSAPI describes about 45 procedure calls. Significant ones include:
; GSS_Acquire_cred : Obtains the user's identity proof, often a secret cryptographic key
; GSS_Import_name : Converts a username or hostname into a form that identifies a security entity
; GSS_Init_sec_context : Generates a client token to send to the server, usually a challenge
; GSS_Accept_sec_context : Processes a token from '''GSS_Init_sec_context''' and can generate a response token to return
; GSS_Wrap : Converts application data into a secure message token (typically encrypted)
; GSS_Unwrap : Converts a secure message token back into application data

The GSSAPI is standardized for the [[C (programming language)|C]] language (RFC 2744). [[Java (programming language)|Java]] implements the GSSAPI<ref>{{cite web | url=https://jcp.org/aboutJava/communityprocess/review/jsr072/index.html | title=JSR-000072 Generic Security Services API Specification 0.1 | date=2001-06-15 | access-date=2015-10-07}}</ref> as JGSS,<ref>{{cite book | last1 = Schönefeld | first1 = Marc | title = Refactoring of Security Antipatterns in Distributed Java Components | url = https://books.google.com/books?id=cUWFz3oZLyAC | series = Schriften aus der Fakultät Wirtschaftsinformatik und Angewandte Informatik der Otto-Friedrich-Universität Bamberg | volume = 5 | publisher = University of Bamberg Press | date = 2010 | page = 179 | access-date = 2015-10-07 | quote = JGSS is the JAVA implementation of the GSSAPI. | isbn = 9783923507689}}</ref> the Java Generic Security Services Application Program Interface.<ref>{{cite book | last1 = Fisher | first1 = Marina | last2 = Sharma | first2 = Sonu | last3 = Lai | first3 = Ray | last4 = Moroney | first4 = Laurence | title = Java EE and .NET Interoperability: Integration Strategies, Patterns, and Best Practices | url = https://books.google.com/books?id=CXnCJhrB3g4C | publisher = Prentice Hall Professional | date = 2006 | access-date = 2015-10-07 | quote = Java Generic Security Services Application Program Interface (JGSS) API for uniform access to security services atop a variety of underlying security mechanism, including Kerberos, which are building blocks for single sign-on and data encryption. | isbn = 9780132715706}}</ref>
<!-- A standard for [[C Sharp|C#]] is forthcoming. C# work appears to have perished -->

Some limitations of GSSAPI are:
# standardizing only [[authentication]], not [[authorization]] as well;
# assuming a [[client–server]] architecture.

Anticipating new security mechanisms, the GSSAPI includes a negotiating ''pseudo mechanism'', [[SPNEGO]], that can discover and use new mechanisms not present when the original application was built.
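As an added illustration (not from the article and not from any GSSAPI implementation), the calling pattern described above modelled in Python: a constructed toy mechanism (HMAC-SHA256 challenge/response over a pre-shared key, standing in for Kerberos) sits behind the GSS_Init_sec_context / GSS_Accept_sec_context / GSS_Wrap / GSS_Unwrap calls, while the application code in establish() only relays opaque tokens until both ends report that the context is complete. The class and function names, the token layout and the "complete"/"continue_needed" states are assumptions of this example.

```python
import hmac, hashlib, os
COMPLETE, CONTINUE_NEEDED = "complete", "continue_needed"

def _mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class ToyMechContext:
    # Constructed toy mechanism (HMAC-SHA256 challenge/response over a pre-shared key);
    # it plays the role a vendor's Kerberos library would play behind the GSSAPI calls.
    def __init__(self, cred, initiator):          # cred: what GSS_Acquire_cred returned
        self.cred, self.key, self.n_c, self.n_s, self.seq = cred, None, None, None, 0
        self.send, self.recv = (b"c2s", b"s2c") if initiator else (b"s2c", b"c2s")
    def init_sec_context(self, token_in):          # GSS_Init_sec_context (client side)
        if token_in is None:                       # token 1: client challenge nonce
            self.n_c = os.urandom(16)
            return self.n_c, CONTINUE_NEEDED
        self.n_s, proof = token_in[:16], token_in[16:]   # token 2: server nonce + proof
        if not hmac.compare_digest(proof, _mac(self.cred, b"srv", self.n_c, self.n_s)):
            raise ValueError("server failed authentication")
        self.key = _mac(self.cred, b"key", self.n_c, self.n_s)
        return _mac(self.cred, b"cli", self.n_c, self.n_s), COMPLETE   # token 3: client proof
    def accept_sec_context(self, token_in):        # GSS_Accept_sec_context (server side)
        if self.n_s is None:                       # token 1 arrived: answer with token 2
            self.n_c, self.n_s = token_in, os.urandom(16)
            return self.n_s + _mac(self.cred, b"srv", self.n_c, self.n_s), CONTINUE_NEEDED
        if not hmac.compare_digest(token_in, _mac(self.cred, b"cli", self.n_c, self.n_s)):
            raise ValueError("client failed authentication")
        self.key = _mac(self.cred, b"key", self.n_c, self.n_s)
        return None, COMPLETE
    def _stream(self, lbl, seq, n):                # keystream bound to direction and sequence number
        return b"".join(_mac(self.key, b"enc", lbl, seq, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]
    def wrap(self, data):                          # GSS_Wrap: encrypt, then authenticate
        seq, self.seq = self.seq.to_bytes(4, "big"), self.seq + 1
        ct = bytes(a ^ b for a, b in zip(data, self._stream(self.send, seq, len(data))))
        return seq + ct + _mac(self.key, b"mac", self.send, seq, ct)
    def unwrap(self, token):                       # GSS_Unwrap: verify the tag before decrypting
        seq, ct, tag = token[:4], token[4:-32], token[-32:]
        if not hmac.compare_digest(tag, _mac(self.key, b"mac", self.recv, seq, ct)):
            raise ValueError("message integrity check failed")
        return bytes(a ^ b for a, b in zip(ct, self._stream(self.recv, seq, len(ct))))

def establish(client, server):
    # Application code: relay opaque tokens until both ends report COMPLETE; never inspect them.
    token, c_state = client.init_sec_context(None)
    s_state = CONTINUE_NEEDED
    while c_state == CONTINUE_NEEDED or s_state == CONTINUE_NEEDED:
        if token is not None and s_state == CONTINUE_NEEDED:
            token, s_state = server.accept_sec_context(token)
        if token is not None and c_state == CONTINUE_NEEDED:
            token, c_state = client.init_sec_context(token)
    return c_state == COMPLETE and s_state == COMPLETE
```

Swapping ToyMechContext for another mechanism leaves establish() and the wrap/unwrap calls untouched, which is the vendor independence the section describes.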