Waffle and GSS-API

Aug 1, 2011 at 10:08 AM

I've been looking around and can't seem to find any information on how to use Waffle's credential delegation with the Java GSS-API.

What we're trying to do is use the current user's credential to check on the Active Directory certain details about the user. The application needs some more information than what's available with the IWindowsAccount and IWindowsIdentity interfaces. From the samples that we've found on how to connect to the Active Directory with Java, it somehow needs to start out with:

import java.util.Hashtable;
import javax.naming.Context;

Hashtable<String, Object> env = new Hashtable<>(); // JNDI environment for InitialDirContext
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://192.168.1.1:389/");
env.put(Context.SECURITY_PRINCIPAL, "theprincipal");
env.put(Context.SECURITY_CREDENTIALS, "principalpassword");
env.put(Context.SECURITY_AUTHENTICATION, "simple");

Or, if there is already a Kerberos credential (assuming that the security context has been initialised properly before this):

env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");


The problem is that the Principal object we get from the request object isn't really usable in such a scenario (namely: WindowsPrincipal). I've also seen that there is the IWindowsIdentity.impersonate() method, but given that I need either a GSSCredential or the username and password before even trying to connect to the Active Directory, I don't know what to do next.

Is there an alternative method for making something like this with WAFFLE?


* I've tried and have made this work with SPNEGO, and now I want to make it work with WAFFLE before we decide on a final framework to use.

Coordinator
Aug 1, 2011 at 3:39 PM

The Windows way of doing this is very different. You got Waffle to authenticate and you can get it to impersonate the user as well. You never have the user's password so you can't use GSSAPI. Now you're running as that user on the server - you can turn around and make a call to Active Directory via the Microsoft APIs (e.g. ADSI) without having to supply any additional credentials; Windows will take care of everything underneath.

But maybe there's a simpler way of doing what you want - what is that other information that you need from AD?

Coordinator
Aug 1, 2011 at 3:39 PM

Btw, how did you make it work with SPNEGO?

Aug 3, 2011 at 2:47 AM
dblock wrote:

The Windows way of doing this is very different. You got Waffle to authenticate and you can get it to impersonate the user as well. You never have the user's password so you can't use GSSAPI. Now you're running as that user on the server - you can turn around and make a call to Active Directory via the Microsoft APIs (e.g. ADSI) without having to supply any additional credentials; Windows will take care of everything underneath.

But maybe there's a simpler way of doing what you want - what is that other information that you need from AD?

But it seems that I'm already stepping out of the bounds of Java, as I would need some Windows-specific wrappers to access ADSI? It's not that I have anything against accessing native functions or DLLs, but the next Java guy that would manage this code might not like or understand that I'm accessing the Windows API.

Currently we only need to check for password expiry, but I'm not sure if the client would want any additional functionality in the future.

Aug 3, 2011 at 3:09 AM
dblock wrote:

Btw, how did you make it work with SPNEGO?

The SPNEGO HTTP servlet filter supports credential delegation by providing a GSSCredential object. This of course only works if your Kerberos configuration allows forwardable Kerberos tickets and the Kerberos principal you're using is configured for delegation. It then just becomes a matter of fetching the credential and using it on a Subject object to do an action, something like this:

GSSCredential credential = principal.getDelegatedCredential(); // org.ietf.jgss.GSSCredential, from the filter's principal
Subject subject = GSSUtil.createSubject(credential.getName(), credential); // com.sun.security.jgss.GSSUtil
Subject.doAs(subject, new JNDIAction(credential.getName().toString())); // doAs is static on javax.security.auth.Subject

Inside the initialiser for LDAP:

Hashtable<String, Object> environment = new Hashtable<>(11); // java.util.Hashtable
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); // javax.naming.Context
environment.put(Context.PROVIDER_URL, providerUrl);
environment.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // SASL GSSAPI bind using the Subject's Kerberos credential
DirContext ctx = new InitialDirContext(environment); // javax.naming.directory.*

The only credential it uses is the ticket, thus no password is ever retrieved or used.

Looking through the WAFFLE source, since it doesn't seem to use the GSS-API, I don't think (or know if) it's possible to get a Kerberos ticket. From what I've been able to read here, there seems to be an indication that it doesn't care what authentication method is used by Windows, but just whether it authenticates or not; that would be a problem since only Kerberos supports credential delegation, not NTLM.
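As an added example that is not from the thread or from either project, here is what the JNDIAction in the post above could look like when the goal is the password-expiry check mentioned later in this thread: it binds to AD with SASL GSSAPI inside Subject.doAs using the delegated credential (no password anywhere), requests confidentiality on the SASL layer, escapes the account name before building the LDAP filter, and reads userAccountControl plus the constructed attribute msDS-UserPasswordExpiryTimeComputed. The class name, the providerUrl/searchBase parameters and the hypothetical caller are assumptions; the delegated credential still only exists when the user's TGT is forwardable and the service account is trusted for delegation (constrained delegation to the LDAP service is the safer configuration).

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSCredential;
import com.sun.security.jgss.GSSUtil;

// Hypothetical helper (not part of Waffle or the SPNEGO filter).
public class PasswordExpiryCheck {

    // userAccountControl bit: password never expires
    private static final long UF_DONT_EXPIRE_PASSWD = 0x10000L;
    // msDS-UserPasswordExpiryTimeComputed value meaning "never"
    private static final long FILETIME_NEVER = 0x7FFFFFFFFFFFFFFFL;
    // Windows FILETIME epoch (1601-01-01) to Unix epoch, in milliseconds
    private static final long FILETIME_EPOCH_DIFF_MS = 11644473600000L;

    /**
     * Returns true when the password of sAMAccountName has expired, using only the
     * delegated Kerberos credential handed over by the SPNEGO filter.
     */
    public static boolean passwordExpired(GSSCredential delegated, String providerUrl,
                                          String searchBase, String sAMAccountName) throws Exception {
        // Subject carrying the delegated credential; JNDI's GSSAPI mechanism picks it up from here.
        Subject subject = GSSUtil.createSubject(delegated.getName(), delegated);
        return Subject.doAs(subject, (PrivilegedExceptionAction<Boolean>) () -> {
            Hashtable<String, Object> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, providerUrl);           // e.g. "ldap://dc.example.test:389/"
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Ask SASL for integrity + confidentiality so the directory traffic is sealed on the wire.
            env.put("javax.security.sasl.qop", "auth-conf");
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {
                        "userAccountControl", "msDS-UserPasswordExpiryTimeComputed" });
                // Escape the user-supplied value (RFC 4515) so it cannot change the filter's structure.
                String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(sAMAccountName) + "))";
                NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, sc);
                if (!results.hasMore()) {
                    throw new NamingException("account not found: " + sAMAccountName);
                }
                Attributes attrs = results.next().getAttributes();
                long uac = Long.parseLong((String) attrs.get("userAccountControl").get());
                if ((uac & UF_DONT_EXPIRE_PASSWD) != 0) {
                    return false; // flagged "password never expires"
                }
                long expiryFileTime = Long.parseLong(
                        (String) attrs.get("msDS-UserPasswordExpiryTimeComputed").get());
                if (expiryFileTime == FILETIME_NEVER) {
                    return false; // domain policy sets no maximum password age
                }
                if (expiryFileTime == 0L) {
                    return true;  // pwdLastSet is 0: user must change password at next logon
                }
                return fileTimeToMillis(expiryFileTime) <= System.currentTimeMillis();
            } finally {
                ctx.close();
            }
        });
    }

    // FILETIME is 100-ns intervals since 1601-01-01 UTC.
    static long fileTimeToMillis(long fileTime) {
        return fileTime / 10_000L - FILETIME_EPOCH_DIFF_MS;
    }

    // RFC 4515 escaping for values embedded in an LDAP search filter.
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The caller is whatever obtains the delegated GSSCredential from the filter's principal, as in the post above; it runs this inside the request thread, and the LDAP bind fails (rather than silently falling back to a password) if no delegated ticket was forwarded.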

Coordinator
Aug 4, 2011 at 10:31 PM

It should be easy to port whatever this SPNEGO filter is doing onto Waffle I assume. Is that open-source? You might want to try...

Aug 5, 2011 at 11:53 AM
dblock wrote:

It should be easy to port whatever this SPNEGO filter is doing onto Waffle I assume. Is that open-source? You might want to try...

The problem is that if I do that, then it would completely use SPNEGO filter in the end. It would probably also have the same configuration files required by SPNEGO, which would be the reverse of the WAFFLE project, which prides itself with minimal to no configuration.

Coordinator
Aug 5, 2011 at 12:07 PM
Edited Aug 5, 2011 at 12:07 PM

Can you tell me which SPNEGO implementation you're talking about? A link would be helpful.

Aug 23, 2011 at 6:28 AM
Edited Aug 23, 2011 at 6:31 AM
dblock wrote:

Can you tell me which SPNEGO implementation you're talking about? A link would be helpful.

An external project: http://spnego.sourceforge.net/

It's the thinnest SPNEGO authenticator that I could find (besides Waffle).

After digging deeper into the SPNEGO source, it uses the Java GSS-API extensively so it can produce credentials usable within Java applications. Waffle seems to have gone the other direction and replicated how Windows does impersonation and handles credentials. The only real problem I could see with Waffle is when you're trying to integrate with some built-in Java functionality that also requires objects from the standard library (LDAP connection with GSS).

Coordinator
Sep 6, 2011 at 12:28 AM

Looking forward to a proper patch :) Thx.

Jul 26, 2012 at 10:03 AM

You can have my JAAS client module if you want it...

Hi dmarsh26,

I wanted to try your JAAS client module, is that possible to get the code. Would be extremely grateful.

Thanks 

uljana12

Feb 8, 2013 at 8:03 AM
I am working on a POC using Waffle for Kerberos SSO with JAAS on Windows 7 with a stand-alone client. Could you please share the Waffle JAAS client to get a Kerberos ticket, or guide me on the steps to be performed with some examples. We need to avoid the registry entry allowtgtsessionkey and hence want to try Waffle.

Thanks,
Sanjay
Coordinator
Feb 8, 2013 at 1:00 PM
WAFFLE HAS MOVED TO GITHUB

DONT POST HERE - GO HERE. The new home is http://dblock.github.com/waffle/.

We're going to give up the discussions here and move to THIS GOOGLE GROUP, please subscribe and stop posting questions here.