Java auth provider: Use LOGON32_LOGON_NETWORK_CLEARTEXT ?

Developer
Jan 25, 2011 at 3:50 AM

Hi,

In waffle.windows.auth.impl.logonDomainUserEx() the LOGON32_LOGON_NETWORK logon type is used. This method is the one implicitly called when using a Basic authentication scheme with the Servlet Filter.

This logon type has a limitation when using the impersonation feature: It does not allow a process impersonating a user to pass along the credentials to a third remote server, for example a file share. That means that when using Basic authentication any access from the Java app server to a remote file share on behalf of the impersonated user will fail. This is the famous "double hop" problem.

It seems that it can be fixed by using the LOGON32_LOGON_NETWORK_CLEARTEXT logon type instead. The "cleartext" is a bit scary but I didn't find any useful resource about its security implications, and I think that's what IIS is doing because if you try to access a remote fileshare in a CGI run by IIS under impersonation, using Basic auth., access is granted.

What do you think of switching to this logon type in order to truly mimic IIS behaviour?

Nicolas

Coordinator
Jan 25, 2011 at 12:34 PM

I'd like to make it configurable and let the user decide.
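The configurable logon type suggested above, and the double-hop trade-off from the first post, as an added sketch (not Waffle's own code): the LOGON32_LOGON_* constant is picked from a property with the hypothetical name "waffle.logonType", the user is logged on through JNA's Advapi32.LogonUser, and impersonation is always reverted and the token closed.

```java
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.platform.win32.WinNT.HANDLEByReference;

// Added example; "waffle.logonType" is a hypothetical property name.
public final class ConfigurableLogon {

    /** Maps the configured name to the Win32 LOGON32_LOGON_* constant. */
    static int logonTypeFromConfig(String name) {
        if (name == null || name.equalsIgnoreCase("NETWORK")) {
            // Default: the token cannot be used to authenticate to another server.
            return WinBase.LOGON32_LOGON_NETWORK;
        }
        if (name.equalsIgnoreCase("NETWORK_CLEARTEXT")) {
            // Keeps name/password in the authentication package, so the
            // impersonating thread can reach a remote share (the second hop).
            return WinBase.LOGON32_LOGON_NETWORK_CLEARTEXT;
        }
        throw new IllegalArgumentException("unknown logon type: " + name);
    }

    /** Logs the user on and runs the action while impersonating them. */
    static void runAs(String user, String domain, String password,
                      int logonType, Runnable action) {
        HANDLEByReference token = new HANDLEByReference();
        if (!Advapi32.INSTANCE.LogonUser(user, domain, password, logonType,
                WinBase.LOGON32_PROVIDER_DEFAULT, token)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        HANDLE h = token.getValue();
        try {
            if (!Advapi32.INSTANCE.ImpersonateLoggedOnUser(h)) {
                throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
            }
            try {
                action.run(); // e.g. open \\server\share\file as the user
            } finally {
                Advapi32.INSTANCE.RevertToSelf(); // always drop impersonation
            }
        } finally {
            Kernel32.INSTANCE.CloseHandle(h); // do not leak the token
        }
    }

    public static void main(String[] args) {
        int type = logonTypeFromConfig(System.getProperty("waffle.logonType"));
        runAs("alice", "CORP", "secret", type, () -> System.out.println("impersonating"));
    }
}
```

With the default NETWORK type the action can open local resources but a remote share open on the user's behalf fails; with NETWORK_CLEARTEXT it succeeds, which is exactly why the choice should be an explicit configuration decision.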