Added impersonation support in Waffle.

Revision: 53261
Author: SND\dblock_cp
Date: 7:37:16 PM, Friday, May 28, 2010
Message:

Added impersonation support in Waffle API.

Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/jaas/WindowsLoginModule.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/tomcat/MixedAuthenticator.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/tomcat/NegotiateAuthenticator.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/tomcat/NegotiateSecurityFilter.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/IWindowsIdentity.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/IWindowsSecurityContext.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/impl/WindowsAuthProviderImpl.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/impl/WindowsIdentityImpl.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src/waffle/windows/auth/impl/WindowsSecurityContextImpl.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src-test/waffle/jaas/MockWindowsIdentity.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src-test/waffle/windows/auth/WindowsAccountTests.java
Modified : /trunk/Source/JNAWindowsAuthProvider/src-test/waffle/windows/auth/WindowsAuthProviderTests.java
Modified : /trunk/Source/ThirdParty/jna/jna.jar
Modified : /trunk/Source/ThirdParty/jna/platform.jar

Security filters still untouched - this needs some structure changes to preserve security context(s) across calls and dispose of them when the filter is shutdown.

Reply to http://stackoverflow.com/questions/339101/tomcat-authentication-using-spnego-kerberos-and-delegation when it's done.

Is there a plan to incorporate the impersonation into the security filters in the near future?

Plans remain plans. Maybe you want to contribute the code?

I would love to. If fact I added an initi param to decide on impersonation. My first attempt was to authenticate for every request if impersonation is enabled as I couldn't get hold of a WindowsIdentity for an already authenticated user. How would you serialize a WindowsIdentity similar to HttpContext in IIS. http://msdn.microsoft.com/en-us/library/ff647076.aspx. Any pointers welcome

Store the impersonation token with expiration in an expiring hash table and re-impersonate per-connection.

Please find attached patch, I've done a basic implementation on the servlet filter by:

• Storing the IWindowsIdentity into the Principal and give access to it (not sure it's a good idea ?). As the Principal gets stored in the session it's then easy on the subsequent requests to retrieve the underlying IWindowsIdentity and re-impersonate the user.
• Disposing the identity when the session expires using the HttpSessionBindingListener mechanism.
  

I'm not sure how it will behave if session support is disabled in the app server...

Patch is great, you did 90% of the work. You just need to do the rest of the 90% work to get this committed - tests, docs and what's new updates. Thanks!

Fair enough. Here is an updated version of the patch with tests and doco.

• I've also dealt with session serialization since anything we put in session should be serializable but an access token is not,
• Unfortunately I don't have the tools to build the CHM file so I hope it'll be ok,
• I've updated the Tomcat demo to display the impersonated user.
  

Please let me know if you need anything else.

@nguillaumin: good stuff. I gave you committer rights to SVN, please go ahead commit the patch and resolve the issue.

Thanks ! Just commited my patch.


** Closed by nguillaumin 1/16/2011 6:26 PM

Re-opening to resolve as fixed (close at release).