The scenario is this: I have a client and server talking. Here is the standard idea:
cipher.init(Cipher.DECRYPT_MODE, key, ivSpec);
byte plainText = cipher.doFinal(cipherText, 0, ctLength);
int messageLength = plainText.length - hMac.getMacLength();
hMac.update(plainText, 0, messageLength);
byte messageHash = new byte[hMac.getMacLength()];
cipherText ^= '0' ^ '9';`
First, for this kind of thing use SSL if your doing it for real. For educational purposes, this stuff is cool.
As others have said, this is an example that proves HMAC works when the cipher text is tampered with. Hence the
cipherText ^= '0' ^ '9';
In order to use HMAC, you have to verify that the message authentication tag (whats returned by hmac) you got with your cipher text matches the one you are supposed to have. To do this in this code you: 1) decrypt the message using the key you negotiated, 2) compute the hmac of that text using a different key you negotiated and then 3) compare that the two are the same.
Since you know those keys, you can decrypt the message and compute the mac. The mac length b the way, is a fixed property of the hmac function and is publicly known.
Because you must have the key to generate the valid tag, if they match, then the message is authentic.
As a note, this code is likely insecure since you need to MAC the ciphertext, not plaintext. If you don't, you end up with problems like the Padding oracle attack that broke a bunch of sites secure cookie implementations. Use SSL for these kind of things.