Waffle at NYCJavaSig

  • 1.
    Daniel Doubrovkine | @dblockdotorg
  • 2.
    “Most enterprise customers can’t login to your product.”
    “What do you mean by you don’t support nested groups?”
  • 3.
    What is my canonical username?
    What local groups am I a member of?
    What domain groups am I a member of?
  • 4.
    User and Group Names Used Instead of SIDs
    Used Net* Functions to Enumerate Local Groups
    Tried to Use LDAP to Enumerate Domain Groups
    Failed to Support Nested Groups
    Failed to Resolve Domain Trusts
    … and much more that few people know about AD
  • 5.
    Enterprises are Switching to Smart Cards + PIN
  • 6.
    100% Java
    JNA: http://github.com/twall/jna
    Win32 API: won’t work on *nix
  • 7.
    advapi32.dll
    BOOL LogonUser(
        LPTSTR  lpszUsername,
        LPTSTR  lpszDomain,
        LPTSTR  lpszPassword,
        DWORD   dwLogonType,
        DWORD   dwLogonProvider,
        PHANDLE phToken
    );
  • 8.
    // a user handle
    HANDLEByReference phUser = new HANDLEByReference();
    Advapi32.INSTANCE.LogonUser(
        "Administrator", "ENTERPRISE", "password",
        WinBase.LOGON32_LOGON_NETWORK,
        WinBase.LOGON32_PROVIDER_DEFAULT,
        phUser);
  • 9.
    // user group memberships
    WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(...);
    Advapi32.INSTANCE.GetTokenInformation(
        phUser.getValue(),
        WinNT.TOKEN_INFORMATION_CLASS.TokenGroups,
        groups,
        tokenInformationLength,
        tokenInformationLength);
    for (SID_AND_ATTRIBUTES sid : groups.getGroups()) { }
  • 10.
    // current user name
    Secur32.INSTANCE.GetUserNameEx(format, ...);
    Advapi32.INSTANCE.ImpersonateLoggedOnUser(phUser.getValue());
    // impersonated user
    Secur32.INSTANCE.GetUserNameEx(format, ...);
    Advapi32.INSTANCE.RevertToSelf();
  • 11.
    Current User
    Security Identifier
    Group Memberships (a list of SIDs)
    Privileges
    Current Thread
    Current Process
  • 12.
    HANDLE h = Kernel32.INSTANCE.GetCurrentThread();
    HANDLEByReference phToken = new HANDLEByReference();
    Advapi32.INSTANCE.OpenThreadToken(h,
        WinNT.TOKEN_DUPLICATE | WinNT.TOKEN_QUERY, true, phToken);
    … enumerate groups with Advapi32.INSTANCE.GetTokenInformation
  • 13.
    Since Windows 2000
    Multi-Master Directory Service w/ Trusts
    Storage: Domain Data, User Data, User Group Data, Security Data, Etc.
    Active Directory Service Interface (ADSI)
  • 14.
    SSP = Security Support Provider
    Kerberos, Microsoft Windows NT LAN Manager (NTLM), Negotiate
    SSPI: Proprietary Implementation of GSSAPI (IETF Standard)
    Integrated Distributed Security Services
  • 15.
    Insert a Smart Card into a Reader
    Logon to a Server Joined to an AD Domain
    Navigate to a Website, No Prompts
    Check Permissions w/ Application Logged on as a Domain User on the Server
    $$$
  • 16.
    Secur32.dll
    AcquireCredentialsHandle
    InitializeSecurityContext
    AcceptSecurityContext
  • 17.
  • 18.
  • 19.
    Waffle Provides Windows Authentication and Authorization Functions
    Filters and Providers for Application Servers: Tomcat, Jetty, WebSphere, etc.
    Open-Source: http://waffle.codeplex.com
  • 20.
    Waffle-jna.jar + jna.jar + platform.jar
    WEB-INF\web.xml
    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    JSP Page
    <%= request.getUserPrincipal().getName() %>
  • 21.
    GET /secure HTTP/1.1

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM

    GET /secure HTTP/1.1
    Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgo…9kqa6BepAo=

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=

    GET /secure HTTP/1.1
    Authorization: Negotiate oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAA…HQAAAA9SRy02NDEwSU5URVJORVdT

    HTTP/1.1 200 OK
    WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA=
  • 22.
    IWindowsAuthProvider
    IWindowsAccount
    IWindowsComputer
    IWindowsDomain
    IWindowsIdentity

    IntPtr securityToken = Advapi32.LogonUser(username, domain, password);
    WindowsIdentity windowsIdentity = new WindowsIdentity(securityToken);
    return windowsIdentity.groups;
  • 23.

Editor's Notes

  • #8 The local computer is the computer from which LogonUser was called (advapi32.dll).
  • #12 The security context is the user account that the system uses to enforce security when a thread attempts to access a securable object.
  • #15 On Windows, this works because of the Security Support Provider Interface, aka SSPI. SSPI is a well-defined API for obtaining integrated security services for, among other things, authentication for any distributed application protocol. A client-server conversation is an example of such an application. SSPI is a Microsoft proprietary implementation of GSSAPI, an IETF standard. Security Support Provider (SSP): a dynamic-link library (DLL) that implements the SSPI by making one or more security packages available to applications. Each security package provides mappings between an application's SSPI function calls and an actual security model's functions. Security packages support security protocols such as Kerberos authentication and Microsoft LAN Manager (Windows NT Challenge/Response, NTLM). Negotiate: a security support provider (SSP) that acts as an application layer between SSPI and the other SSPs. Negotiate analyzes the request and picks the best SSP to handle it based on customer-configured security policy.
  • #17 When a client wants to authenticate to a server, it needs to supply credentials and send them to the server. The server needs to validate them, reply that the credentials were kosher and possibly continue executing code on behalf of the client. Credentials can come in a variety of forms, such as a username and password or a notarized birth certificate from City Hall. Sending those to the server needs to be secure: you don’t want to send credentials to the wrong server, the server wants to make sure you’re really who you claim to be, and nobody should be able to intercept this data on the wire and reuse it. The how part of this is the job of the authentication protocol, for example NTLM or Kerberos. Because there are many protocols, SSPI exchanges so-called tokens, opaque blobs of data; the protocol can put anything in the blobs. Protocols often require several exchanges. For example, I may need to obtain the server’s public key, encrypt credentials, send them with my public key and receive an encrypted confirmation of success. Therefore both client and server maintain a so-called security context during this conversation. SSPI allows you to do all this with any protocol or SSPI provider. There’s an NTLM SSPI provider, a Kerberos SSPI provider, etc. SSPI describes three important calls that do all of the above (slide 16: AcquireCredentialsHandle, InitializeSecurityContext, AcceptSecurityContext).
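The opaque token blobs that note #17 describes are what travel in the Negotiate headers of the slide 21 exchange: SPNEGO (RFC 4178) NegTokenResp structures, DER-encoded and base64-wrapped. The decoder below is an added example, not code from the deck or from the Waffle project; it reads the two server tokens quoted in full on slide 21 and reports the negotiation state, the mechanism the server selected and the final mechListMIC. The NTLMSSP message-type helper and the token-parsing function names are assumptions of this example, not something the slides define.

```python
import base64

# The two complete NegTokenResp blobs from the slide 21 exchange (the other two are truncated on the slide).
SERVER_401_TOKEN = "oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo="
SERVER_200_TOKEN = "oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA="
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):
    """Dotted form of a DER OBJECT IDENTIFIER's content bytes (base-128 arcs)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def ntlm_message_type(tok):
    """1 (NEGOTIATE), 2 (CHALLENGE) or 3 (AUTHENTICATE) if tok is an NTLMSSP message, else None."""
    return int.from_bytes(tok[8:12], "little") if tok[:8] == b"NTLMSSP\x00" else None

def parse_neg_token_resp(token):
    """Decode NegTokenResp ::= [1] SEQUENCE { [0] negState, [1] supportedMech, [2] responseToken, [3] mechListMIC }."""
    data = token if isinstance(token, bytes) else base64.b64decode(token)  # base64 text or raw DER
    tag, body, _ = _tlv(data, 0)
    if tag != 0xA1:  # 0x60 would be the client's initial NegTokenInit (GSS-API framing)
        raise ValueError("not a NegTokenResp: outer tag 0x%02x" % tag)
    _, seq, _ = _tlv(body, 0)  # the SEQUENCE inside [1]
    out, pos = {}, 0
    while pos < len(seq):
        ctx, inner, pos = _tlv(seq, pos)  # [n] EXPLICIT wrapper
        _, val, _ = _tlv(inner, 0)        # the wrapped ENUMERATED / OID / OCTET STRING
        if ctx == 0xA0:
            out["negState"] = NEG_STATE.get(val[0], val[0])
        elif ctx == 0xA1:
            out["supportedMech"] = _oid(val)
        elif ctx == 0xA2:
            out["responseToken"] = val
            out["ntlmMessageType"] = ntlm_message_type(val)
        elif ctx == 0xA3:
            out["mechListMIC"] = val.hex()
    return out
```

For the first 401 the decoder reports supportedMech 1.3.6.1.4.1.311.2.2.10, the NTLMSSP OID, so this exchange settled on NTLM rather than Kerberos; logging that value per handshake is a cheap way to measure how often Kerberos falls back to NTLM in your environment.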