WAFFLE: Windows Authentication in Java
Windows Authentication for Java with WAFFLE presented at the NYCJavaSIG in February 2012.
Transcript

  • 1. Daniel Doubrovkine | @dblockdotorg
  • 2. “Most enterprise customers can’t login to your product.”
       “What do you mean by you don’t support nested groups?”
  • 3. What is my canonical username?
       What local groups am I a member of?
       What domain groups am I a member of?
  • 4. - Used user and group names instead of SIDs
       - Used Net* functions to enumerate local groups
       - Tried to use LDAP to enumerate domain groups
       - Failed to support nested groups
       - Failed to resolve domain trusts
       - ... and much more that few people know about AD
  • 5. Enterprises are switching to smart cards + PIN
  • 6. 100% Java -> JNA (http://github.com/twall/jna)
       Win32 API -> won't work on *nix
  • 7. LogonUser, exported by advapi32.dll:

           BOOL LogonUser(
               LPTSTR  lpszUsername,
               LPTSTR  lpszDomain,
               LPTSTR  lpszPassword,
               DWORD   dwLogonType,
               DWORD   dwLogonProvider,
               PHANDLE phToken
           );
  • 8. The same call through JNA; the token handle comes back in phUser only when LogonUser returns true:

           import com.sun.jna.platform.win32.Advapi32;
           import com.sun.jna.platform.win32.WinBase;
           import com.sun.jna.platform.win32.WinNT.HANDLEByReference;

           // a user handle
           HANDLEByReference phUser = new HANDLEByReference();
           boolean ok = Advapi32.INSTANCE.LogonUser(
               "Administrator", "ENTERPRISE", "password",
               WinBase.LOGON32_LOGON_NETWORK,
               WinBase.LOGON32_PROVIDER_DEFAULT,
               phUser);
           // on failure phUser is untouched and Kernel32.INSTANCE.GetLastError() says why
  • 9. Group memberships come from the token, not from a directory query. GetTokenInformation is called twice: once with no buffer to learn the size, then with a TOKEN_GROUPS of that size (the fifth argument is an IntByReference, and the handle is phUser.getValue(), not the reference itself):

           // user group memberships
           IntByReference tokenInformationLength = new IntByReference();
           Advapi32.INSTANCE.GetTokenInformation(phUser.getValue(),
               WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, null, 0, tokenInformationLength);
           WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(tokenInformationLength.getValue());
           Advapi32.INSTANCE.GetTokenInformation(phUser.getValue(),
               WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, groups,
               tokenInformationLength.getValue(), tokenInformationLength);
           for (WinNT.SID_AND_ATTRIBUTES sid : groups.getGroups()) {
               // sid.Sid is the group SID; sid.Attributes says whether it is
               // enabled, mandatory or deny-only for this token
           }
  • 10. Impersonation switches the identity of the current thread only, and must be reverted:

           // current user name (buffer and length arguments elided on the slide)
           Secur32.INSTANCE.GetUserNameEx(format, ...)
           // run the calling thread as the logged-on user
           Advapi32.INSTANCE.ImpersonateLoggedOnUser(phUser.getValue());
           // impersonated user
           Secur32.INSTANCE.GetUserNameEx(format, ...)
           // always revert, or a pooled thread keeps the borrowed identity
           Advapi32.INSTANCE.RevertToSelf();
  • 11. - Current user security identifier
        - Group memberships (a list of SIDs)
        - Privileges
        - Current process
        - Current thread
  • 12. Opening the token of the current thread:

           HANDLE h = Kernel32.INSTANCE.GetCurrentThread();
           HANDLEByReference phToken = new HANDLEByReference();
           // OpenThreadToken only succeeds while the thread is impersonating;
           // otherwise it fails with ERROR_NO_TOKEN and the process token
           // (Advapi32.INSTANCE.OpenProcessToken) is the one to query
           Advapi32.INSTANCE.OpenThreadToken(
               h, WinNT.TOKEN_DUPLICATE | WinNT.TOKEN_QUERY, true, phToken);
           // ... enumerate groups with Advapi32.INSTANCE.GetTokenInformation
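Slides 7 through 12 as one runnable program, added here as an example and not code from the talk or from Waffle. It uses JNA's platform bindings (Advapi32, Advapi32Util, Secur32Util, Kernel32) instead of the raw calls, checks every return value, closes every handle, and handles the case slide 12 leaves out: OpenThreadToken fails with ERROR_NO_TOKEN when the thread is not impersonating, so it falls back to OpenProcessToken. The class name and the command-line arguments are assumptions; it runs only on Windows with jna.jar and the platform jar (platform.jar in the JNA of 2012, jna-platform.jar today) on the classpath.

```java
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Advapi32Util.Account;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Secur32;
import com.sun.jna.platform.win32.Secur32Util;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinError;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.platform.win32.WinNT.HANDLEByReference;

/** Added example (not Waffle code): LogonUser, group enumeration, impersonation and
 *  thread/process token lookup through JNA's platform bindings. Windows only. */
public class TokenWalkthrough {

    /** Validates the credentials and returns a token handle the caller must CloseHandle.
     *  LOGON32_LOGON_NETWORK needs no interactive session and no special privilege. */
    static HANDLE logon(String user, String domain, String password) {
        HANDLEByReference phUser = new HANDLEByReference();
        if (!Advapi32.INSTANCE.LogonUser(user, domain, password,
                WinBase.LOGON32_LOGON_NETWORK, WinBase.LOGON32_PROVIDER_DEFAULT, phUser)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        return phUser.getValue();
    }

    /** Group SIDs from a token, resolved to DOMAIN\name. Advapi32Util does the two-call
     *  GetTokenInformation(TokenGroups) and a LookupAccountSid per SID. Nested and
     *  trusted-domain groups are already flattened into the token by the logon. */
    static String[] groupsOf(HANDLE hToken) {
        Account[] groups = Advapi32Util.getTokenGroups(hToken);
        String[] out = new String[groups.length];
        for (int i = 0; i < groups.length; i++) {
            out[i] = groups[i].sidString + " " + groups[i].fqn;
        }
        return out;
    }

    /** Thread identity before, during and after impersonating the given token. */
    static String[] namesAroundImpersonation(HANDLE hUser) {
        int fmt = Secur32.EXTENDED_NAME_FORMAT.NameSamCompatible;   // DOMAIN\user
        String before = Secur32Util.getUserNameEx(fmt);
        if (!Advapi32.INSTANCE.ImpersonateLoggedOnUser(hUser)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        String during;
        try {
            during = Secur32Util.getUserNameEx(fmt);
        } finally {
            // never leave the thread impersonating; a thread pool will reuse it
            if (!Advapi32.INSTANCE.RevertToSelf()) {
                throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
            }
        }
        return new String[] { before, during, Secur32Util.getUserNameEx(fmt) };
    }

    /** The caller's token: the thread token while impersonating, otherwise the process
     *  token, because OpenThreadToken fails with ERROR_NO_TOKEN on a non-impersonating thread. */
    static HANDLE openCallerToken() {
        int access = WinNT.TOKEN_DUPLICATE | WinNT.TOKEN_QUERY;
        HANDLEByReference phToken = new HANDLEByReference();
        if (Advapi32.INSTANCE.OpenThreadToken(Kernel32.INSTANCE.GetCurrentThread(), access, true, phToken)) {
            return phToken.getValue();
        }
        int err = Kernel32.INSTANCE.GetLastError();
        if (err != WinError.ERROR_NO_TOKEN) {
            throw new Win32Exception(err);
        }
        if (!Advapi32.INSTANCE.OpenProcessToken(Kernel32.INSTANCE.GetCurrentProcess(), access, phToken)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        return phToken.getValue();
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: TokenWalkthrough <user> <domain> <password>");
            return;
        }
        HANDLE hUser = logon(args[0], args[1], args[2]);
        try {
            System.out.println("user: " + Advapi32Util.getTokenAccount(hUser).fqn);
            for (String g : groupsOf(hUser)) System.out.println("  group " + g);
            String[] n = namesAroundImpersonation(hUser);
            System.out.println("before/during/after impersonation: " + n[0] + " / " + n[1] + " / " + n[2]);
        } finally {
            Kernel32.INSTANCE.CloseHandle(hUser);
        }
        HANDLE hCaller = openCallerToken();
        try {
            System.out.println("caller: " + Advapi32Util.getTokenAccount(hCaller).fqn
                    + " with " + groupsOf(hCaller).length + " groups");
        } finally {
            Kernel32.INSTANCE.CloseHandle(hCaller);
        }
    }
}
```

A network logon returns an impersonation token, which is all ImpersonateLoggedOnUser needs; if you want to start a process as the user you need LOGON32_LOGON_INTERACTIVE (or a duplicated primary token) instead. The group list already contains nested and trusted-domain groups as SIDs, which is the point of slide 4: enumerating groups via Net* calls or LDAP recomputes what the logon already did, and gets it wrong.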
  • 13. Active Directory
        - Since Windows 2000
        - Multi-master directory service with trusts
        - Storage: domain data, user data, user group data, security data, etc.
        - Active Directory Service Interface (ADSI)
  • 14. SSP = Security Support Provider: Kerberos, Microsoft Windows NT LAN Manager (NTLM), Negotiate
        SSPI: proprietary implementation of GSSAPI (IETF standard); integrated distributed security services
  • 15. 1. Insert a smart card into a reader
        2. Log on to a server joined to an AD domain
        3. Navigate to a website, no prompts
        4. Check permissions with the application
        5. Logged on as a domain user on the server
        6. $$$
  • 16. The SSPI calls behind the handshake, in Secur32.dll:
        AcquireCredentialsHandle
        InitializeSecurityContext (client side)
        AcceptSecurityContext (server side)
  • 17. Waffle
        - Provides Windows authentication and authorization functions
        - Filters and providers for application servers: Tomcat, Jetty, WebSphere, etc.
        - Open source: http://waffle.codeplex.com
  • 18. Add waffle-jna.jar + jna.jar + platform.jar to the web application, then in WEB-INF/web.xml:

           <filter>
             <filter-name>SecurityFilter</filter-name>
             <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
           </filter>
           <filter-mapping>
             <filter-name>SecurityFilter</filter-name>
             <url-pattern>/*</url-pattern>
           </filter-mapping>

        and in a JSP page:

           <%= request.getUserPrincipal().getName() %>
  • 19. The Negotiate handshake on the wire (tokens abbreviated with … on the slide):

           GET /secure HTTP/1.1

           HTTP/1.1 401 Unauthorized
           WWW-Authenticate: Negotiate
           WWW-Authenticate: NTLM

           GET /secure HTTP/1.1
           Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgo…9kqa6BepAo=

           HTTP/1.1 401 Unauthorized
           WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=

           GET /secure HTTP/1.1
           Authorization: Negotiate oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAA…HQAAAA9SRy02NDEwSU5URVJORVdT

           HTTP/1.1 200 OK
           WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA=
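Decoded, the tokens in that exchange show what was negotiated: the client's first token is a SPNEGO NegTokenInit (it starts with the 1.3.6.1.5.5.2 OID), the server's 401 carries a NegTokenResp that selects NTLMSSP (1.3.6.1.4.1.311.2.2.10) with negState request-mic, the next client token wraps an NTLM NEGOTIATE message, and the 200 OK carries accept-completed with a mechListMIC. The inspector below does that decoding in plain Java 11 with no JNA; it is an added example, not part of Waffle or of the talk. The two NegTokenResp inputs in main are the complete tokens from the slide; the NegTokenInit and the raw NTLM type 1 message are constructed for the example. It is for reading captures and log lines only: on the server the token is validated by AcceptSecurityContext, and nothing in the blob (mechanism, names, state) should be trusted before that.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Added example (not Waffle code): decodes the opaque tokens of an HTTP Negotiate
 *  exchange far enough to see which mechanism is being negotiated. Diagnostic only. */
public class NegotiateTokenInspector {

    static final byte[] SPNEGO_OID = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};   // 1.3.6.1.5.5.2
    static final byte[] NTLMSSP_SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    static final String[] NEG_STATE = {"accept-completed", "accept-incomplete", "reject", "request-mic"};

    /** Describes the token in a WWW-Authenticate or Authorization header value. */
    public static String inspect(String headerValue) {
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length < 2) return parts[0] + ": challenge only, no token";
        byte[] b = Base64.getDecoder().decode(parts[1]);
        if (startsWith(b, 0, NTLMSSP_SIGNATURE)) {
            return parts[0] + ": raw NTLM message type " + ntlmType(b, 0);
        }
        switch (b[0] & 0xff) {
            case 0x60: return parts[0] + ": " + describeInit(b);
            case 0xa1: return parts[0] + ": " + describeResp(b);
            default:   return parts[0] + ": unrecognised token";
        }
    }

    /** DER length at pos (short or long form): returns {contentStart, contentLength}. */
    static int[] derLength(byte[] b, int pos) {
        int first = b[pos] & 0xff;
        if (first < 0x80) return new int[] {pos + 1, first};
        int n = first & 0x7f, len = 0;
        for (int i = 1; i <= n; i++) len = (len << 8) | (b[pos + i] & 0xff);
        return new int[] {pos + 1 + n, len};
    }

    /** Dotted form of a DER OID body: first byte packs two arcs, the rest are base-128. */
    static String oidToString(byte[] b, int off, int len) {
        StringBuilder sb = new StringBuilder();
        int first = b[off] & 0xff;
        sb.append(first / 40).append('.').append(first % 40);
        long arc = 0;
        for (int i = off + 1; i < off + len; i++) {
            arc = (arc << 7) | (b[i] & 0x7f);
            if ((b[i] & 0x80) == 0) { sb.append('.').append(arc); arc = 0; }
        }
        return sb.toString();
    }

    /** NegTokenInit: [APPLICATION 0] { OID spnego, [0] SEQUENCE { [0] mechTypes, ... } } */
    static String describeInit(byte[] b) {
        int p = derLength(b, 1)[0];
        if (b[p] != 0x06) return "GSS-API token without a mechanism OID";
        int[] oid = derLength(b, p + 1);
        if (!Arrays.equals(Arrays.copyOfRange(b, oid[0], oid[0] + oid[1]), SPNEGO_OID)) {
            return "GSS-API token for mech " + oidToString(b, oid[0], oid[1]) + " (not SPNEGO)";
        }
        p = oid[0] + oid[1];
        if ((b[p] & 0xff) != 0xa0) return "SPNEGO token without NegTokenInit";
        p = derLength(b, p + 1)[0];                    // into [0]
        if (b[p] != 0x30) return "NegTokenInit is not a SEQUENCE";
        p = derLength(b, p + 1)[0];                    // into SEQUENCE
        if ((b[p] & 0xff) != 0xa0) return "NegTokenInit without mechTypes";
        p = derLength(b, p + 1)[0];                    // into [0] mechTypes
        if (b[p] != 0x30) return "mechTypes is not a SEQUENCE";
        int[] list = derLength(b, p + 1);
        StringBuilder sb = new StringBuilder("SPNEGO NegTokenInit offering");
        for (int q = list[0], end = list[0] + list[1]; q < end; ) {
            int[] m = derLength(b, q + 1);             // each element is 0x06 OID
            sb.append(' ').append(oidToString(b, m[0], m[1]));
            q = m[0] + m[1];
        }
        return sb.toString();
    }

    /** NegTokenResp: [1] SEQUENCE { [0] negState, [1] supportedMech, [2] responseToken, [3] mechListMIC } */
    static String describeResp(byte[] b) {
        int p = derLength(b, 1)[0];                    // into [1]
        int[] seq = derLength(b, p + 1);               // 0x30
        StringBuilder sb = new StringBuilder("SPNEGO NegTokenResp");
        for (int q = seq[0], end = seq[0] + seq[1]; q < end; ) {
            int tag = b[q] & 0xff;
            int[] wrap = derLength(b, q + 1);          // [n] EXPLICIT wrapper
            int[] val = derLength(b, wrap[0] + 1);     // the wrapped value's own tag/length
            int vs = val[0], vl = val[1];
            switch (tag) {
                case 0xa0: { int st = b[vs] & 0xff;
                             sb.append(", negState=").append(st < NEG_STATE.length ? NEG_STATE[st] : String.valueOf(st)); break; }
                case 0xa1: sb.append(", supportedMech=").append(oidToString(b, vs, vl)); break;
                case 0xa2: sb.append(", responseToken=").append(vl).append(" bytes");
                           if (startsWith(b, vs, NTLMSSP_SIGNATURE)) sb.append(" (NTLM type ").append(ntlmType(b, vs)).append(')');
                           break;
                case 0xa3: sb.append(", mechListMIC=").append(vl).append(" bytes"); break;
                default:   sb.append(", unexpected tag 0x").append(Integer.toHexString(tag));
            }
            q = wrap[0] + wrap[1];
        }
        return sb.toString();
    }

    static boolean startsWith(byte[] b, int off, byte[] prefix) {
        return b.length - off >= prefix.length
                && Arrays.equals(Arrays.copyOfRange(b, off, off + prefix.length), prefix);
    }

    /** NTLM MessageType: little-endian DWORD right after the 8-byte signature. */
    static int ntlmType(byte[] b, int off) {
        return (b[off + 8] & 0xff) | (b[off + 9] & 0xff) << 8 | (b[off + 10] & 0xff) << 16 | (b[off + 11] & 0xff) << 24;
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        // the two complete tokens from the exchange on the slide
        System.out.println(inspect("Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo="));
        System.out.println(inspect("Negotiate oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA="));
        // constructed NegTokenInit offering Kerberos then NTLMSSP, with a 2-byte dummy mechToken
        byte[] init = hex("602d" + "06062b0601050502" + "a023" + "3021" + "a019" + "3017"
                + "06092a864886f712010202" + "060a2b06010401823702020a" + "a2040402aabb");
        System.out.println(inspect("Negotiate " + Base64.getEncoder().encodeToString(init)));
        // constructed raw NTLM NEGOTIATE (type 1) as a client sends it under the NTLM scheme
        byte[] ntlm1 = hex("4e544c4d5353500001000000078208a2" + "00".repeat(16));
        System.out.println(inspect("NTLM " + Base64.getEncoder().encodeToString(ntlm1)));
    }
}
```

Run it and the slide's second token prints as "negState=request-mic, supportedMech=1.3.6.1.4.1.311.2.2.10" and the last one as "negState=accept-completed, mechListMIC=16 bytes". Two things worth noticing when reading real captures with it: a server that lists both Negotiate and NTLM in its 401, as the filter on slide 18 does, lets a client fall back from Kerberos to NTLM, so the supportedMech in the first reply tells you which one actually ran; and the client's first SPNEGO token has no authenticated identity in it at all, so logging a user name out of it before AcceptSecurityContext has succeeded is logging an unverified claim.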
  • 20. Waffle's provider interfaces: IWindowsAuthProvider, IWindowsAccount, IWindowsComputer, IWindowsDomain, IWindowsIdentity

        The .NET equivalent of the Java flow above, for comparison (a P/Invoke LogonUser wrapped in a WindowsIdentity):

           IntPtr securityToken = Advapi32.LogonUser(username, domain, password);
           WindowsIdentity windowsIdentity = new WindowsIdentity(securityToken);
           return windowsIdentity.Groups;
  • 21. @