3

Resolved

Add support for impersonation, including up to the security filter(s)

description

Allow impersonation in security filters. Needs code in the JNA, Waffle and Tomcat filters. This will mimic IIS behavior.

file attachments

comments

dblock wrote May 29, 2010 at 12:14 AM

Added impersonation support in Waffle.

Revision: 53261
Author: SND\dblock_cp
Date: 7:37:16 PM, Friday, May 28, 2010
Message:

Added impersonation support in Waffle API.

Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/jaas/WindowsLoginModule.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/tomcat/MixedAuthenticator.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/tomcat/NegotiateAuthenticator.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/tomcat/NegotiateSecurityFilter.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/IWindowsIdentity.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/IWindowsSecurityContext.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/impl/WindowsAuthProviderImpl.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/impl/WindowsIdentityImpl.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/impl/WindowsSecurityContextImpl.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src-test/waffle/jaas/MockWindowsIdentity.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src-test/waffle/windows/auth/WindowsAccountTests.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src-test/waffle/windows/auth/WindowsAuthProviderTests.java
Modified : /trunk/Source/ThirdParty/jna/jna.jar
Modified : /trunk/Source/ThirdParty/jna/platform.jar

Security filters still untouched - this needs some structure changes to preserve security context(s) across calls and dispose of them when the filter is shut down.

snoopydawggie wrote Nov 16, 2010 at 7:36 AM

Is there a plan to incorporate the impersonation into the security filters in the near future?

dblock wrote Nov 16, 2010 at 9:27 PM

Plans remain plans. Maybe you want to contribute the code?

snoopydawggie wrote Nov 24, 2010 at 9:27 AM

I would love to. In fact I added an init param to decide on impersonation. My first attempt was to authenticate for every request if impersonation is enabled, as I couldn't get hold of a WindowsIdentity for an already authenticated user. How would you serialize a WindowsIdentity similar to HttpContext in IIS? http://msdn.microsoft.com/en-us/library/ff647076.aspx. Any pointers welcome.

dblock wrote Nov 25, 2010 at 6:44 PM

Store the impersonation token with expiration in an expiring hash table and re-impersonate per-connection.

nguillaumin wrote Jan 13, 2011 at 5:56 AM

Please find the attached patch. I've done a basic implementation on the servlet filter by:
  • Storing the IWindowsIdentity in the Principal and giving access to it (not sure it's a good idea?). As the Principal gets stored in the session, it's then easy on subsequent requests to retrieve the underlying IWindowsIdentity and re-impersonate the user.
  • Disposing the identity when the session expires, using the HttpSessionBindingListener mechanism.
I'm not sure how it will behave if session support is disabled in the app server...

dblock wrote Jan 14, 2011 at 4:07 AM

Patch is great, you did 90% of the work. You just need to do the rest of the 90% work to get this committed - tests, docs and what's new updates. Thanks!

nguillaumin wrote Jan 16, 2011 at 11:48 PM

Fair enough. Here is an updated version of the patch with tests and doco.
  • I've also dealt with session serialization, since anything we put in the session should be serializable but an access token is not.
  • Unfortunately I don't have the tools to build the CHM file, so I hope it'll be ok.
  • I've updated the Tomcat demo to display the impersonated user.
Please let me know if you need anything else.
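The design sketched in the last few comments (keep the native identity reachable from the Principal stored in the session, re-impersonate on each request, dispose the token when the session ends, and keep the unserialisable access token out of session serialization) as an added example. This is not the attached patch and not Waffle's own filter code. It assumes Waffle's IWindowsIdentity exposes getFqn(), impersonate() and dispose(), and that impersonate() returns an IWindowsImpersonationContext with revertToSelf(); the "impersonate" init-param name and the session attribute key are hypothetical, and the filter is assumed to run after the Negotiate authenticator that populates the session.

```java
// Added example, not Waffle's or the patch author's code.
// Assumed Waffle API: IWindowsIdentity.getFqn()/impersonate()/dispose(),
// IWindowsImpersonationContext.revertToSelf(). Init-param name and
// session attribute key below are hypothetical.
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsImpersonationContext;

/** Principal kept in the HttpSession; the native token is transient and is never serialised. */
final class WindowsSessionPrincipal implements Principal, Serializable, HttpSessionBindingListener {
    private static final long serialVersionUID = 1L;
    private final String fqn;                     // survives serialisation
    private transient IWindowsIdentity identity;  // native handle: cannot be serialised

    WindowsSessionPrincipal(IWindowsIdentity identity) {
        this.fqn = identity.getFqn();
        this.identity = identity;
    }

    @Override public String getName() { return fqn; }

    /** Null once disposed, or after the session was deserialised without its token. */
    synchronized IWindowsIdentity getWindowsIdentity() { return identity; }

    /** Release the native token exactly once; safe to call repeatedly. */
    synchronized void dispose() {
        if (identity != null) {
            identity.dispose();
            identity = null;
        }
    }

    @Override public void valueBound(HttpSessionBindingEvent event) { }

    /** Fired on session invalidation/expiry, or when the attribute is replaced or removed. */
    @Override public void valueUnbound(HttpSessionBindingEvent event) { dispose(); }
}

/** Re-impersonates the session's Windows user for the duration of each request. */
final class ImpersonatingFilter implements Filter {
    static final String PRINCIPAL_KEY = "example.windowsPrincipal"; // hypothetical attribute key
    private boolean impersonate;

    @Override public void init(FilterConfig config) {
        impersonate = Boolean.parseBoolean(config.getInitParameter("impersonate")); // hypothetical name
    }

    @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) request;
        HttpSession session = http.getSession(false);     // null when sessions are disabled
        WindowsSessionPrincipal principal = session == null
                ? null : (WindowsSessionPrincipal) session.getAttribute(PRINCIPAL_KEY);

        if (!impersonate || principal == null) {
            chain.doFilter(request, response);            // nothing to impersonate: run as the service account
            return;
        }
        IWindowsIdentity identity = principal.getWindowsIdentity();
        if (identity == null) {
            // The session came back from disk or a cluster peer without its token, or the
            // identity was already disposed. Fail closed: drop the stale principal and make the
            // authenticator run again instead of serving the request with the server's privileges.
            session.removeAttribute(PRINCIPAL_KEY);
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        IWindowsImpersonationContext ctx = identity.impersonate();
        try {
            chain.doFilter(request, response);            // downstream code runs under the user's token
        } finally {
            ctx.revertToSelf();                           // always revert, even if the servlet throws
        }
    }

    @Override public void destroy() { }
}
```

Two points the thread raises are visible here. With session support disabled, getSession(false) is null and nothing is ever impersonated, so each request would have to be re-authenticated (the per-request approach snoopydawggie started with) or the token cached elsewhere, such as the expiring table keyed by connection that dblock suggested. And because the token is transient, a persisted or replicated session loses it; the filter treats that as "not authenticated" rather than quietly running the request as the server account.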

dblock wrote Jan 17, 2011 at 12:49 AM

@nguillaumin: good stuff. I gave you committer rights to SVN, please go ahead commit the patch and resolve the issue.

nguillaumin wrote Jan 17, 2011 at 2:49 AM

Thanks! Just committed my patch.


** Closed by nguillaumin 1/16/2011 6:26 PM

dblock wrote Jan 17, 2011 at 2:49 AM

Re-opening to resolve as fixed (close at release).