WAFFLE: Windows Authentication in Java

Windows Authentication for Java with WAFFLE presented at the NYCJavaSIG in February 2012.

  1. Daniel Doubrovkine | @dblockdotorg
  2. “Most enterprise customers can’t login to your product.” “What do you mean by you don’t support nested groups?”
  3. What is my canonical username? What local groups am I a member of? What domain groups am I a member of?
  4. - User and Group Names Used Instead of SIDs
     - Used Net* Functions to Enumerate Local Groups
     - Tried to Use LDAP to Enumerate Domain Groups
     - Failed to Support Nested Groups
     - Failed to Resolve Domain Trusts
     - … and much more that few people know about AD
  5. Enterprises are Switching to Smart Cards + PIN
  6. - 100% Java
     - JNA: http://github.com/twall/jna
     - Win32 API
     - Won’t work on *nix
  7. advapi32.dll

         BOOL LogonUser(
             LPTSTR  lpszUsername,
             LPTSTR  lpszDomain,
             LPTSTR  lpszPassword,
             DWORD   dwLogonType,
             DWORD   dwLogonProvider,
             PHANDLE phToken
         );

  8.     // a user handle
         HANDLEByReference phUser = new HANDLEByReference();
         Advapi32.INSTANCE.LogonUser(
             "Administrator", "ENTERPRISE", "password",
             WinBase.LOGON32_LOGON_NETWORK,
             WinBase.LOGON32_PROVIDER_DEFAULT,
             phUser);

  9.     // user group memberships
         WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(...);
         IntByReference returnLength = new IntByReference();
         Advapi32.INSTANCE.GetTokenInformation(
             phUser.getValue(),
             WinNT.TOKEN_INFORMATION_CLASS.TokenGroups,
             groups, tokenInformationLength, returnLength);
         for (SID_AND_ATTRIBUTES sid : groups.getGroups()) { }

 10.     // current user name
         Secur32.INSTANCE.GetUserNameEx(format, ...);
         Advapi32.INSTANCE.ImpersonateLoggedOnUser(phUser.getValue());
         // impersonated user name
         Secur32.INSTANCE.GetUserNameEx(format, ...);
         Advapi32.INSTANCE.RevertToSelf();

 11. - Current User
     - Security Identifier
     - Group Memberships (a list of SIDs)
     - Privileges
     - Current Process
     - Current Thread
 12.     HANDLE h = Kernel32.INSTANCE.GetCurrentThread();
         HANDLEByReference phToken = new HANDLEByReference();
         Advapi32.INSTANCE.OpenThreadToken(
             h, WinNT.TOKEN_DUPLICATE | WinNT.TOKEN_QUERY, true, phToken);
         // … enumerate groups with Advapi32.INSTANCE.GetTokenInformation

 13. - Since Windows 2000
     - Multi-Master Directory Service w/ Trusts
     - Storage: Domain Data, User Data, User Group Data, Security Data, Etc.
     - Active Directory Service Interface (ADSI)
 14. SSP = Security Support Provider
     - Kerberos, Microsoft Windows NT LAN Manager (NTLM), Negotiate
     SSPI
     - Proprietary Implementation of GSSAPI (IETF Standard)
     - Integrated Distributed Security Services
 15. 1. Insert a Smart Card into a Reader
     2. Logon to a Server Joined to an AD Domain
     3. Navigate to a Website, No Prompts
     4. Check Permissions w/ Application
     5. Logged on as a Domain User on the Server
     6. $$$
 16. Secur32.dll
     - AcquireCredentialsHandle
     - InitializeSecurityContext
     - AcceptSecurityContext
 17. Waffle Provides
     - Windows Authentication and Authorization Functions
     - Filters and Providers for Application Servers: Tomcat, Jetty, WebSphere, etc.
     - Open-Source: http://waffle.codeplex.com
 18. Waffle-jna.jar + jna.jar + platform.jar

     WEB-INF/web.xml

         <filter>
           <filter-name>SecurityFilter</filter-name>
           <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
         </filter>
         <filter-mapping>
           <filter-name>SecurityFilter</filter-name>
           <url-pattern>/*</url-pattern>
         </filter-mapping>

     JSP Page

         <%= request.getUserPrincipal().getName() %>

 19.     GET /secure HTTP/1.1

         HTTP/1.1 401 Unauthorized
         WWW-Authenticate: Negotiate
         WWW-Authenticate: NTLM

         GET /secure HTTP/1.1
         Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgo…9kqa6BepAo=

         HTTP/1.1 401 Unauthorized
         WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=

         GET /secure HTTP/1.1
         Authorization: Negotiate oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAA…HQAAAA9SRy02NDEwSU5URVJORVdT

         HTTP/1.1 200 OK
         WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA=

 20. IWindowsAuthProvider, IWindowsAccount, IWindowsComputer, IWindowsDomain, IWindowsIdentity

         IntPtr securityToken = Advapi32.LogonUser(username, domain, password);
         WindowsIdentity windowsIdentity = new WindowsIdentity(securityToken);
         return windowsIdentity.groups;

 21. @
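The Negotiate tokens in the slide 19 exchange are SPNEGO structures in which the mechanism the server settled on (Kerberos or NTLM) is visible in the clear. As an added example that is not part of the talk or of the Waffle project, the Python script below (chosen over Java so it runs stand-alone, without JNA or a Windows host) decodes such header values and reports the offered or selected mechanism, the negState and whether an NTLMSSP message is present, which is how a defender spots NTLM fallback in proxy or server logs. The two server replies are the ones on slide 19; the client token, the OID table and the NTLM Type 1 bytes are constructed here.

```python
import base64
# DER contents of the OIDs that appear in SPNEGO tokens, keyed for quick lookup.
OIDS = {bytes.fromhex("2b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
        bytes.fromhex("2a864886f712010202"): "Kerberos",    # 1.2.840.113554.1.2.2
        bytes.fromhex("2b06010401823702020a"): "NTLMSSP"}   # 1.3.6.1.4.1.311.2.2.10
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def der(tag, content):  # minimal DER TLV encoder, used only to build the sample token below
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + content

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next (length & 0x7F) bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def walk(buf, start, end, found):  # depth-first walk over the token's DER elements
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if tag == 0x06:                             # OBJECT IDENTIFIER: mechType / supportedMech
            found["oids"].append(OIDS.get(buf[vs:ve], buf[vs:ve].hex()))
        elif tag == 0x0A:                           # ENUMERATED: negState in a NegTokenResp
            found["negState"] = NEG_STATE.get(buf[vs], buf[vs])
        elif tag == 0x04:                           # OCTET STRING: mechToken / responseToken / MIC
            found["blobs"].append(buf[vs:ve])
        elif tag & 0x20:                            # constructed element: descend into it
            walk(buf, vs, ve, found)
        pos = ve

def classify(header_value):  # summarise one "Negotiate <base64>" (or "NTLM <base64>") header value
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(b"NTLMSSP\0"):              # bare NTLM message, no SPNEGO wrapper
        return {"type": "raw-ntlm", "mechs": ["NTLMSSP"], "negState": None, "ntlm_token": True}
    found = {"oids": [], "blobs": []}
    walk(token, 0, len(token), found)
    return {"type": "init" if token[0] == 0x60 else "resp",
            "mechs": [o for o in found["oids"] if o != "SPNEGO"],  # resp: just [supportedMech]
            "negState": found.get("negState"),
            "ntlm_token": any(b.startswith(b"NTLMSSP\0") for b in found["blobs"])}

# Constructed sample: a client NegTokenInit offering Kerberos then NTLM, carrying an NTLM Type 1.
SPNEGO_OID, KRB_OID, NTLM_OID = OIDS
NTLM_TYPE1 = b"NTLMSSP\0\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
MECH_LIST = der(0xA0, der(0x30, der(0x06, KRB_OID) + der(0x06, NTLM_OID)))
SAMPLE_INIT = "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + der(
    0xA0, der(0x30, MECH_LIST + der(0xA2, der(0x04, NTLM_TYPE1)))))).decode()
SLIDE_RESP_1 = "Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo="          # slide 19: NTLMSSP selected
SLIDE_RESP_2 = "Negotiate oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA="  # slide 19: accept-completed
```

A response whose mechs list is ["NTLMSSP"], or any token with ntlm_token set, means the Negotiate handshake fell back to NTLM rather than Kerberos.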