Your SlideShare is downloading. ×
  • Like
WAFFLE: Windows Authentication in Java
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

WAFFLE: Windows Authentication in Java


Windows Authentication for Java with WAFFLE presented at the NYCJavaSIG in February 2012.

Windows Authentication for Java with WAFFLE presented at the NYCJavaSIG in February 2012.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Daniel Doubrovkine | @dblockdotorg
  • 2. “Most enterprisecustomers can’t login toyour product.”“What do you mean byyou don’t support nestedgroups?”
  • 3. What is my canonical username?What local groups am I a member of?What domain groups am I a member of?
  • 4.  User and Group Names Used Instead of SIDs Used Net* Functions to Enumerate Local Groups Tried to Use LDAP to Enumerate Domain Groups Failed to Support Nested Groups Failed to Resolve Domain Trusts… and much more that few people know about AD
  • 5. Enterprises areSwitching to SmartCards + PIN
  • 6. 100% Java  JNA API  Won’t work on *nix
  • 7. BOOL LogonUser( LPTSTR lpszUsername, LPTSTR lpszDomain, LPTSTR lpszPassword, DWORD dwLogonType, DWORD dwLogonProvider, PHANDLE phToken ); advapi32.dll
  • 8. // a user handleHANDLEByReference phUser = new HANDLEByReference();Advapi32.INSTANCE.LogonUser( "Administrator", "ENTERPRISE", "password", WinBase.LOGON32_LOGON_NETWORK, WinBase.LOGON32_PROVIDER_DEFAULT, phUser);
  • 9. // user group membershipsWinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(...);Advapi32.INSTANCE.GetTokenInformation( phUser, WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, groups, tokenInformationLength, tokenInformationLength));for (SID_AND_ATTRIBUTES sid : groups) {}
  • 10. // current user nameSecur32.INSTANCE.GetUserNameEx(format, ...)Advapi32.INSTANCE.ImpersonateLoggedOnUser(phUser);// impersonated userSecur32.INSTANCE.GetUserNameEx(format, ...)Advapi32.INSTANCE.RevertToSelf();
  • 11.  Current User Security Identifier Group Memberships (a list of SIDs) Privileges Current Process Current Thread
  • 12. HANDLE h =Kernel32.INSTANCE.GetCurrentThread();HANDLEByReference phToken = newHANDLEByReference();Advapi32.INSTANCE.OpenThreadToken( h, WinNT.TOKEN_DUPLICATE | WinNT.TOKEN_QUERY, true, phToken)… enumerate groups withAdvapi32.INSTANCE.GetTokenInformation
  • 13.  Since Windows 2000 Multi-Master Directory Service w/ Trusts  Storage  Domain Data  User Data  User Group Data  Security Data  Etc. Active Directory Service Interface (ADSI)
  • 14. SSP = Security Support Provider  Kerberos, Microsoft Windows NT LAN Manager (NTLM), NegotiateSSPI  Proprietary Implementation of GSSAPI (IETF Standard)  Integrated Distributed Security Services
  • 15. 1. Insert a Smart Card into a Reader2. Logon to a Server Joined to an AD Domain3. Navigate to a Website, No Prompts4. Check Permissions w/ Application5. Logged on as a Domain User on the Server6. $$$
  • 16. AcquireCredentialsHandleInitializeSecurityContextAcceptSecurityContext Secur32.dll
  • 17.  Waffle Provides Windows Authentication and Authorization Functions Filters and Providers for Application Servers Tomcat, Jetty, WebSphere, etc. Open-Source
  • 18.  Waffle-jna.jar + jna.jar + platform.jar WEB-INFweb.xml <filter> <filter-name>SecurityFilter</filter-name> <filter- class>waffle.servlet.NegotiateSecurityFilter</filter- class> </filter> <filter-mapping> <filter-name>SecurityFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> JSP Page <%= request.getUserPrincipal().getName() %>
  • 19. GET /secure HTTP/1.1HTTP/1.1 401 UnauthorizedWWW-Authenticate: NegotiateWWW-Authenticate: NTLMGET /secure HTTP/1.1Authorization: NegotiateYIGeBgYrBgEFBQKggZMwgZCgGjAYBgo…9kqa6BepAo=HTTP/1.1 401 UnauthorizedWWW-Authenticate: NegotiateoRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=GET /secure HTTP/1.1Authorization: NegotiateoUMwQaADCgEBojoEOE5UTE1TU1AAAQAAA…HQAAAA9SRy02NDEwSU5URVJORVdTHTTP/1.1 200 OKWWW-Authenticate: NegotiateoRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA=
  • 20. IWindowsAuthProviderIWindowsAccountIWindowsComputerIWindowsDomainIWindowsIdentity IntPtr securityToken = Advapi32.LogonUser( username, domain, password); WindowsIdentity windowsIdentity = new WindowsIdentity(securityToken); return windowsIdentity.groups;
  • 21. @